KRILE.NFO (from KRILE1A.ZIP, Collection of Hack-Phreak Scene Programs) - Text File, 1997-11-28, 7KB, 126 lines
Virus Author: RAiD - [SLAM] Written on November 27-28, 1997
Virus Name : KRiLE v1.0a -Thanksgiving Version- hehehe
Virus Target: .EXE and .COM *multi-os* (see below)
Virus Size..: 4592 bytes exactly. Yes, large for a virus, but this
              is an HLL after all. :)
Target OS...: KRiLE is a multi-OS virus. Meaning, any .EXE or .COM file
              on Win3.x/MsDos/Win95/WinNT/Os2Warp is capable of not
              only being infected, but still operating as if nothing had
              happened.
Virus Info..: KRiLE is an HLL virus, which makes use of some pure ASM
              functions included for size and speed. Since KRiLE is an
              HLL, it provides automatic shielding against heuristic
              analysis, but this does not in any way damage KRiLE's ability
              to spread. KRiLE is system friendly in the sense that it will
              avoid the following files to prevent any possible system
              lockups and/or program failures, which could lead to the
              premature detection of this virus:
              [command.com, start.exe, emm386.exe, mouse.com(exe),
              mscdex.exe, setver.exe, dos4gw.exe, explorer.exe,
              smartdrv.exe] KRiLE accesses files in a network or
              multi-tasking friendly manner, so as not to cause failures
              loading programs, which could tip the user off to a possible
              virus related problem. KRiLE also randomly selects between
              1 and 4 files to infect per directory located via PATH per
              run. This allows KRiLE to do its thing faster, and arouse
              less suspicion about program load times. On the other hand,
              KRiLE will not massively infect a host system, at least
              not at first. Unlike all other viruses I have written,
              KRiLE uses 10k *less* RAM! Including KRiLE v1.0! This
              version makes better use of the RAM it needs, no more wasting
              space! :)
Encryption..: KRiLE now makes use of compression and real, full encryption
              via another compressor/encryptor, not LzExe. KRiLE uses
              a simple, yet fast encryption/decryption algorithm for files
              it infects. Knowledge of assembly would be required in order
              to break the encryption algorithm KRiLE now uses. This version
              of KRiLE no longer contains an internal text decryptor, since
              the compressor used encrypts KRiLE's text already, and
              decrypts it in memory at run-time. A rather nice trade-off for
              slightly larger resulting files.
PayLoad.....: KRiLE has two payloads, one being a unique siren which can
              go off randomly, but will always go off before control
              is passed to the host, that is, if it does trigger. The other
              payload is also random, and displays a short message:
              "■KRiLE■ v1.0a Thought you got me eh? :> coded by RAiD UsA [SLAM]97"
              Each payload may go off either before or after the original
              program has executed. KRiLE has *no* destructive payloads of
              any kind. I do not support intentional destruction; besides,
              formatting a hard-disk is not considered a new thing among
              virus coders. Each payload has a 1:256 chance of going
              off. This keeps the chance of virus discovery to a minimum
              since either payload will rarely occur. In fact, in testing
              over 2 hours to ensure KRiLE worked as designed, the siren
              only sounded once. This version of KRiLE contains a different
              siren effect than v1.0 does.
Stealth.....: Some stealth is performed to keep the executing file from
              noticing any changes. As memory-image checking files are
              rare, this method should be fine.
KRiLE infects its host via the following:
 1. Search for files inside any directories found via the PATH variable.
 2. Search for files in the current directory.
 3. Pass control to the host.
 4. Search the current directory again - the infected host might have created
    more .exe and/or .com files. pkunzip.exe is an example of a host
    which might do this.
KRiLE also polls for checksum files created by Thunderbyte, CPAV, MSAV and
VSAFE. If these files are found, they are quickly destroyed. VSAFE, if loaded,
will be bypassed during the execution of KRiLE. The infected user will not
be aware of any of this.
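Added here as a defensive illustration, not part of the NFO: a small file-integrity audit in Python over a constructed sample tree. Because the NFO states the payload text is encrypted on disk and only decrypted in memory, the check relies on size and hash changes of .exe/.com files rather than string scanning, and it keeps its baseline in memory instead of in a checksum file on the scanned tree, which is what the NFO says gets deleted. The assumption that an infected file grows by exactly the stated 4592 bytes is taken from the size line above; any hash change is flagged regardless.

```python
import hashlib, os, tempfile

VIRUS_SIZE = 4592               # size the NFO states for KRiLE v1.0a (assumed growth per infection)
TARGET_EXT = (".exe", ".com")   # the file types the NFO says it infects

def snapshot(root):
    """Map each .exe/.com path under root (relative, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def audit(root, baseline):
    """Return sorted (path, verdict) pairs; the baseline must be held off the scanned tree."""
    current = snapshot(root)
    findings = []
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != (size, digest):
            delta = current[rel][0] - size
            verdict = f"grew by exactly {VIRUS_SIZE} bytes" if delta == VIRUS_SIZE else "modified"
            findings.append((rel, verdict))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new executable"))
    return sorted(findings)

def _write(root, rel, data, mode="wb"):
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)

def demo():
    """Constructed sample tree of dummy bytes (no real code); simulate the changes an
    appending infector leaves behind and audit them against an in-memory baseline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    _write(root, "bin/tool.exe", b"MZ" + b"\x90" * 100)
    _write(root, "bin/util.com", b"\xb8\x00\x4c\xcd\x21")
    _write(root, "editor.exe", b"MZ" + b"\x00" * 40)
    base = snapshot(root)                                     # kept in memory, not on the tree
    _write(root, "bin/tool.exe", b"\xcc" * VIRUS_SIZE, "ab")  # grows by the stated virus size
    _write(root, "editor.exe", b"ZM", "r+b")                  # same size, different bytes
    _write(root, "bin/new.com", b"\xc3")                      # executable absent from baseline
    return audit(root, base)
```

The unchanged bin/util.com produces no finding; only the grown, modified and newly appeared executables are reported.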
Although a Win 3.x series (NE) file can be infected by KRiLE, it will no longer
run properly unless it's run under Win95/NT. If you run an NE file on Win3.x,
KRiLE will still spread, but shortly after executing, Windows will say this
file is not Windows based. This problem does not occur on Win95/NT or OS/2
based operating systems.
This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. KRiLE has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, TBAV, NORTON, and Integrity Master.
Greetz:
  [SLAM]  - This one's for you! Enjoy it, and I'll be coding more of these
            HLL viruses you have come to know me by. <G> Special thanks to
            VDaemon, who told me not to give up my HLL viruses. <G>
  #Virus  - ReAll! This is yet another HLL creation of mine, except it's
            a lot faster at what it does. Speed is an issue, and since KRiLE
            is 4k, the faster it can infect the better, eh? :)
To all VX related:
Yep, that's right! Another KRiLE. I consider this one to be an experimental
one, since I've made a few rather odd changes to it. Based on the responses
I get about this one, I will decide whether I continue to use the new methods
or resort to KRiLE v1.0 based methods. :)
To all AV related:
If I stick with these methods, you guys aren't going to be happy!
I can easily make about 200 different KRiLEs with ease now. :)
Anyone who wants to see how this virus works, heh, debug it. KRiLE is
hard-coded for its size, so don't expect it to work if you reverse the
exe compression. It'll *try* to replicate, but it won't make
working offspring. <Shrug>
Also, this is a 1st generation sample. It will self-corrupt once it's
executed, so be sure to set a bait file at least as large as the virus to
infect. Otherwise, you won't have a sample of the virus to play with.
This probably goes without saying, but, be damn careful with this thing.
During coding and (shudder) testing (eeek!) the virus did manage to get
loose. Fortunately, there were no encryption errors in my infected files,
so I was able to restore them shortly thereafter. Do not let this happen
to you. You don't have the benefit of the source code to look at. :)
And, if you think a virus *never* infects its author, you're, ahem, how shall
I put this... Wrong! :) Coding these is fun, testing is not so fun. :)
"If ignorance is bliss, Why aren't you smiling?"