KRILE.NFO | Text File | 1997-11-20 | 5KB | 102 lines
Virus Author: RAiD - [SLAM] Written on November 20, 1997
Virus Name : KRiLE v1.0
Virus Target: .EXE and .COM *multi-os* (see below)
Virus Size..: 4537 bytes exactly.
Target OS...: KRiLE is a multi-OS virus, meaning any .EXE or .COM file on Win3.x/MsDos/Win95/WinNT/Os2Warp is capable of not only being infected, but of still operating as if nothing had happened.
Virus Info..: KRiLE is an HLL virus which makes use of some pure ASM functions included for size and speed. Since KRiLE is an HLL, it provides automatic shielding against heuristic analysis, but this does not in any way damage KRiLE's ability to spread. KRiLE is system friendly in the sense that it will avoid the following files to prevent any possible system lockups and/or program failures, which could lead to the premature detection of this virus: [command.com, start.exe, emm386.exe, mouse.com(exe), mscdex.exe, setver.exe, dos4gw.exe, explorer.exe, smartdrv.exe]. KRiLE accesses files in a network- or multi-tasking-friendly manner, so as not to cause failures loading programs, which could tip the user off to a possible virus-related problem.
Encryption..: KRiLE has a decryptor for various text and configuration information (the decrypted data is NEVER written to disk!). KRiLE maintains compression via LZEXE and internal encryption at all times. Using a search string for LZEXE files will cause many false alarms. <G> KRiLE also contains an encryption/decryption algorithm for the host data; although it is simple in design, those not familiar with asm or debugging exes will have no luck disinfecting their files.
PayLoad.....: KRiLE has two payloads, one being a unique siren which can go off randomly, but will always go off before control is passed to the host, that is, if it does trigger. The other payload is also random, and displays a short message: "■KRiLE■ v1.0 It's time for revenge! coded by RAiD UsA [SLAM]97". Each payload may go off either before or after the original program has executed. KRiLE has *no* destructive payloads of any kind. I do not support intentional destruction; besides, formatting a hard disk is not considered a new thing among virus coders. Each payload has a 1:256 chance of going off. This keeps the chance of virus discovery to a minimum, since either payload will rarely occur.
Stealth.....: Some stealth is performed to keep the executing file from noticing any changes. As memory-image checking files are rare, this method should be fine.
KRiLE infects its host via the following:
1. Search for files inside any directories found via the PATH variable.
2. Search for files in the current directory.
3. Pass control to the host.
4. Search the current directory again; the infected host might have created more .exe and/or .com files. pkunzip.exe is an example of a host which might do this.
KRiLE also polls for checksum files created by Thunderbyte, CPAV, MSAV and VSAFE. If these files are found, they are quickly destroyed. VSAFE, if loaded, will be bypassed during the execution of KRiLE. The infected user will not be aware of any of this.
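A defender-side counterpart to the two behaviours just described (the PATH and current-directory search, and the destruction of on-disk checksum files), written here as an added example and not taken from the NFO: a baseline-and-compare integrity check over the .EXE/.COM files KRiLE looks for, intended to be run with its baseline stored somewhere the scanned machine cannot write to. The +4537-byte size heuristic assumes an infected file grows by the stated virus size, which the NFO does not say outright; the directory, file name and file contents in `demo()` are constructed.

```python
# Added example (not code from the KRiLE NFO). Assumptions: an infected host
# grows by exactly KRILE_SIZE bytes; the baseline lives off the scanned box,
# since KRiLE deletes TBAV/CPAV/MSAV checksum files it finds on disk.
import hashlib
import os
import tempfile

KRILE_SIZE = 4537  # "Virus Size..: 4537 bytes exactly" per the NFO
TARGET_EXT = (".exe", ".com")

def candidate_dirs(path_env, cwd):
    """The directories KRiLE searches: the current directory, then each PATH entry."""
    dirs = [cwd] + [d for d in path_env.split(os.pathsep) if d]
    return [d for d in dict.fromkeys(dirs) if os.path.isdir(d)]

def snapshot(dirs):
    """Map each .EXE/.COM path under dirs to (size, sha256 hex digest)."""
    base = {}
    for d in dirs:
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if name.lower().endswith(TARGET_EXT) and os.path.isfile(p):
                with open(p, "rb") as f:
                    data = f.read()
                base[p] = (len(data), hashlib.sha256(data).hexdigest())
    return base

def diff(baseline, current):
    """Compare two snapshots and return (path, finding) pairs."""
    findings = []
    for p, (size, digest) in current.items():
        if p not in baseline:
            findings.append((p, "new executable"))
        elif digest != baseline[p][1]:
            if size - baseline[p][0] == KRILE_SIZE:
                findings.append((p, "modified, grew by exactly %d bytes" % KRILE_SIZE))
            else:
                findings.append((p, "modified"))
    findings += [(p, "missing") for p in baseline if p not in current]
    return findings

def demo():
    """Constructed scenario: take a baseline, then one host grows by 4537 bytes."""
    d = tempfile.mkdtemp()
    host = os.path.join(d, "HOST.EXE")
    with open(host, "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)  # constructed stand-in for a DOS EXE
    baseline = snapshot(candidate_dirs("", d))
    with open(host, "ab") as f:
        f.write(b"\x00" * KRILE_SIZE)   # simulate only the size change
    return diff(baseline, snapshot([d]))
```

`demo()` returns a single finding for HOST.EXE flagged with the exact 4537-byte growth; a real deployment would compare a stored baseline against a fresh `snapshot(candidate_dirs(os.environ["PATH"], os.getcwd()))`.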
Although a Win 3.x series (NE) file can be infected by KRiLE, it will no longer run properly unless it's run under Win95/NT. If you run an NE file on Win3.x, KRiLE will still spread, but shortly after executing, Windows will say this file is not Windows based. This problem does not occur on Win95/NT or OS/2 based operating systems.
This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. KRiLE has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, TBAV, NORTON, and Integrity Master.
Greetz:
[SLAM] - This one's for you! Enjoy it, and I'll be coding more of these
HLL viruses you have come to know me by. <G> Special thanks to
VDaemon, who told me not to give up my HLL viruses. <G>
#Virus - ReAll! This is yet another HLL creation of mine, except it's a lot faster at what it does. Speed is an issue, and since KRiLE is 4k, the faster it can infect the better, eh? :)
To all VX related:
It's me again, and I've returned from my, er, vacation from the scene with KRiLE. This will certainly annoy AV. :) And this one is fast, if I do say so myself. <G> Yea, I changed my name, yet again. RAiD sounds better. :)
To all AV related:
I'm Back <EG> Miss me? <heh>
Anyone who wants to see how this virus works, heh, debug it. KRiLE is hard-coded for its size, so don't expect it to work if you reverse the exe compression. It'll *try* to replicate, but it won't make working offspring. <Shrug>
Also, this is a 1st generation sample. It will self-corrupt once it's executed, so be sure to set a bait file at least as large as the virus to infect. Otherwise, you won't have a sample of the virus to play with.
"If ignorance is bliss, Why aren't you smiling?"