KRILE.NFO (from KRILE1B.ZIP), text file, 1997-11-29, 10KB, 177 lines
Note: I apologize beforehand for the size of this nfo file. There is just so
much I wanted to tell you about my virus. I'm rather proud of it. <G>
Virus Author: RAiD - [SLAM] Written on November 27, 28, and 29, 1997
Virus Name : KRiLE v1.0b [Randomizer Version]
Virus Target: .EXE and .COM *multi-os* (see below)
Virus Size..: 4608 bytes exactly. Yes, large for a virus, but this
is an HLL after all. An HLL with *very* unpredictable
infection targets.
Target OS...: KRiLE is a multi-OS virus, meaning any .EXE or .COM file
on Win3.x/MsDos/Win95/WinNT/Os2Warp is capable of not
only being infected, but still operating as if nothing had
happened.
Virus Info..: KRiLE is an HLL virus, which makes use of some pure ASM
functions included for size and speed. Since KRiLE is an
HLL, it provides automatic shielding against heuristic
analysis, but does not in any way damage KRiLE's ability
to spread. KRiLE is system friendly in the sense that it will
avoid the following files to prevent any possible system
lockups and/or program failures, which could lead to the
premature detection of this virus.
[command.com, start.exe, emm386.exe, mouse.com(exe),
mscdex.exe, setver.exe, dos4gw.exe, explorer.exe,
smartdrv.exe] KRiLE accesses files in a network or
multi-tasking friendly manner, so as not to cause failure
loading programs, which could tip the user to a possible
virus related problem. (please see the section How KRiLE
infects below for more detailed information)
Encryption..: Since KRiLE is after all an HLL, it had to be compressed
with a third-party compressor, which incidentally completely
encrypts all aspects of KRiLE's internal code as well as text.
This does not hinder KRiLE's abilities in the least! KRiLE
will also perform encryption on the file it's infecting.
At least minimal cryptography skill and/or asm skills
(to disassemble KRiLE's encryptor/decryptor) would be
required to manually disinfect an infected file. A task
which non-programmers are usually not capable of doing.
PayLoad.....: KRiLE has two payloads, one being a unique siren which can
go off randomly, but will always go off before control
is passed to the host, that is, if it does trigger. The other
payload is also random, and displays a short message:
"■KRiLE■ v1.0a Thought you got me eh? :> coded by RAiD UsA [SLAM]97"
Each payload may go off either before or after the original
program has executed. KRiLE has *no* destructive payloads of
any kind. I do not support intentional destruction; besides,
formatting a hard disk is not considered a new thing among
virus coders. Each payload has a 1:256 chance of going
off. This keeps the chance of virus discovery to a minimum
since either payload will rarely occur. In fact, in testing
over 2 hours to ensure KRiLE worked as designed, the siren
only sounded once.
Stealth.....: Some stealth is performed to keep the executing file from
noticing any changes. As memory-image checking files are
rare, this method should be fine. In fact, I have yet to
find one program which will detect it has been infected by
KRiLE. (I've infected all kinds of files for testing
purposes. I even infected f-prot v2.28. <g>)
How does KRiLE infect?
This release of KRiLE is something unique indeed! KRiLE now determines how
many paths are defined via the PATH variable (if any). It then randomly
decides how many of those paths it will scan for possible targets, and
randomly decides how many .com and how many .exe files it will infect per
path/directory. Lastly, KRiLE randomly chooses which paths out of the
random total it will infect. Of course, KRiLE also randomly decides how
many files to infect in the current directory, both before the host gets
control and after! (This lets us catch at least one exe/com file the host
may have freshly created, i.e. from archiving programs, assemblers or
compilers.) This makes KRiLE a *very* unpredictable virus, and *should*
allow KRiLE to spread better (although with fewer infections per run).
To annoy and possibly confuse infected users and AV alike, the payload text
is the same as in v1.0a. The difference is that v1.0a pauses for about 5
seconds before returning control to the user, whereas v1.0b does not pause.
KRiLE contains minimal bait-file avoidance programming. Basically, the
only exe/com files KRiLE will consider to be bait and not bother with
are files smaller than KRiLE itself (4608 bytes).
KRiLE also polls for checksum files created by Thunderbyte, CPAV, MSAV and
VSAFE. If these files are found, they are quickly destroyed. VSAFE if loaded
will be bypassed during the execution of KRiLE. The infected user will not
be aware of any of this.
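The defensive counterpart to the behaviour described above is an integrity
baseline over exactly the files a direct-action virus like this one targets:
every .exe/.com in the current directory and in each PATH directory. The
following is an added example written for this page; it is not the KRiLE
author's code and not the checksum mechanism of any of the anti-virus
products named in the NFO. Two assumptions of my own: the baseline is a JSON
file stored under a caller-chosen, unremarkable name and location (so it is
not one of the well-known AV checksum files the NFO says the virus looks for
and deletes), and the 4608-byte figure (the virus size stated above) is used
only to give a file that grew by exactly that amount a more specific flag.
The demo() run uses constructed files in a temporary directory and appends
4608 filler bytes to one of them to simulate growth; no real infection is
involved.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

VIRUS_SIZE = 4608                   # from the NFO: "4608 bytes exactly"
TARGET_SUFFIXES = {".exe", ".com"}  # the file types the NFO says are infected


def candidate_dirs(cwd, path_env):
    """Current directory plus every PATH entry: the dirs the NFO says are scanned."""
    dirs = [Path(cwd)] + [Path(e) for e in path_env.split(os.pathsep) if e]
    seen, out = set(), []
    for d in dirs:  # de-duplicate while keeping order
        key = str(d.resolve()) if d.exists() else str(d)
        if key not in seen:
            seen.add(key)
            out.append(d)
    return out


def fingerprint(path):
    """Size and SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(dirs):
    """Map absolute path -> fingerprint for every .exe/.com in the given dirs."""
    base = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES:
                base[str(p.resolve())] = fingerprint(p)
    return base


def save_baseline(base, store):
    # Assumption: the store name/location is chosen by the caller so it does
    # not match the AV checksum files the NFO says the virus deletes.
    Path(store).write_text(json.dumps(base, indent=1, sort_keys=True))


def load_baseline(store):
    return json.loads(Path(store).read_text())


def compare(old, new):
    """Return findings as (path, kind, size_delta) tuples."""
    findings = []
    for path, fp in new.items():
        prev = old.get(path)
        if prev is None:
            findings.append((path, "new", fp["size"]))
        elif fp["sha256"] != prev["sha256"]:
            delta = fp["size"] - prev["size"]
            kind = "grew-by-virus-size" if delta == VIRUS_SIZE else "changed"
            findings.append((path, kind, delta))
    for path in old:
        if path not in new:
            findings.append((path, "missing", 0))
    return findings


def demo():
    """Constructed end-to-end run in a temp dir; no real executables involved."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        bindir = tmp / "bin"
        bindir.mkdir()
        host = bindir / "host.exe"
        host.write_bytes(b"MZ" + b"\x00" * 9000)   # constructed host, >= 4608 bytes
        (tmp / "bait.com").write_bytes(b"\xc3" * 100)  # constructed small file
        store = tmp / "notes.txt"                  # unremarkable baseline name (assumption)
        dirs = candidate_dirs(tmp, str(bindir))    # "PATH" is just bindir here
        save_baseline(build_baseline(dirs), store)
        with open(host, "ab") as f:               # constructed change, not an infection
            f.write(b"\x90" * VIRUS_SIZE)
        return compare(load_baseline(store), build_baseline(dirs))


if __name__ == "__main__":
    for path, kind, delta in demo():
        print(f"{kind:20} {delta:+6d}  {path}")
```

In real use you would run build_baseline() over candidate_dirs(os.getcwd(),
os.environ.get("PATH", "")) once on a known-clean system, keep the store
somewhere the virus's PATH/current-directory walk never visits (or on
read-only media), and compare on a schedule. The size-delta flag is only a
hint: a file that changed by some other amount is still a finding.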
Although a win 3.x series (NE) file can be infected by KRiLE, it will no longer
run properly unless it's run under Win95/NT. If you run an NE file on win3.x,
KRiLE will still spread, but shortly after executing, Windows will say this
file is not Windows based. This problem does not occur on win95/nt or os/2
based operating systems.
This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. KRiLE has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, NORTON, and Integrity Master.
KRiLE has not yet been tested against TBAV, however, it is my opinion,
that thunderbyte is not used nearly as much as f-prot Mcafee and
DrSolomon. Therefore, I don't care if TBAV suspects something.
The TBCLEAN information above holds true no matter what TBSCAN detects!
Greetz:
[SLAM] - Can you tell I miss net access yet? <G> Well, I will return
soon! (atleast, I hope so!)
#Virus - Yea, I know. My skills don't compare with almost all of you.
Mainly because I don't yet code in pure ASM. But, with the way
new OSes are appearing and faster systems, I might not have to. :)
Besides, How often do you come across an odd fellow such as
myself? You must admit, I am a sadistic SoB. <EG>
Microsoft - If it weren't for your kind Win95 methods of controlling my
spawning, KRiLE wouldn't be near as infectious. As much as i
despise you Bill, Your shitty OS is making me one happy VXer!
To all VX related:
That's 3 KRiLE viruses written by me now. :-) A family. Each one is
hopefully an improvement over the previous version. Since as of writing
these viruses I do not have any net access (this will change soon I
hope). I've spent the time experimenting with different ways to make
viruses. My goal is to eventually make KRiLE (hll) nearly as fast and
unnoticed to an infected user as a pure ASM virus using the same
techniques and methods. Will I accomplish my goal? Only many infected
lamerz and possibly more variants will tell. <EG>
To all AV related:
Oh, the sorrow and the annoyance I must cause. I know it takes longer to
dissect an HLL virus than it usually does to dissect a pure ASM one.
Aren't I an asshole? hahaha.
Anyone who wants to see how this virus works, heh, Debug it. KRiLE is
hard-coded for its size, so don't expect it to work if you reverse the
exe compression. It'll *try* to replicate, but it won't make
working offspring. <Shrug>
Also, this is a 1st generation sample. It will self-corrupt once it's
executed, so be sure to set a bait file at least as large as the virus to
infect. Otherwise, you won't have a sample of the virus to play with.
This probably goes without saying, but, Be damn careful with this thing.
During coding and (shudder) testing (eeek!) the virus did manage to get
loose. Fortunately, there were no encryption errors in my infected files,
so I was able to restore them shortly thereafter. Do not let this happen
to you. You don't have the benefit of the source code to look at. :)
And, if you think a virus *never* infects its author, you're, ahem, how shall
I put this... Wrong! :) Coding these is fun, testing is not so fun. :)
The following is something I just plain forgot to mention in the nfo'z
for the previous KRiLE's. KRiLE uses a critical error handler with one
strange side-effect. If by some remote chance KRiLE infects a file which
does *not* have a critical error handler, the one built into KRiLE will
remain active during the control passing to the host. What does this
mean you might ask? KRiLE's critical error handler will provide critical
error handling for the Host (while it's under KRiLE's control). This
error handler will not interfere with programs containing their own
critical error handler. So, knowing this, you can determine if a file has
been infected if it would display such errors as "Drive not ready Abort,
Retry, Fail". If the same program no longer displays such errors when it
did before, there's a very good chance KRiLE has infected the file, and
is providing critical error handling for that file. And here's the most
interesting part! KRiLE is *not* a TSR type virus. It's direct action
only! Not bad eh? <G>
I haven't decided whether or not I will release the source code to this
virus. If I do release the source, It will only be to certain
individuals. VX Ezines are welcome to publish the exe and/or this nfo
file if they want.
Until another creative idea pops into my head, Have phun and please (I'm
begging here hehe) infect some files and pass them around!
"If ignorance is bliss, Why aren't you smiling?"