KRILE.NFO (Text File, 1997-12-05, 7KB, 131 lines)
Virus Author: RAiD - [SLAM] Written on December 4th, 1997
Virus Name : KRiLE v1.0c [Experimental A]
Virus Target: .EXE and .COM *multi-os* (see below)
Virus Size..: 5880 bytes.
Target OS...: KRiLE is a multi-OS virus. Meaning, any .EXE or .COM file on Win3.x/MsDos/Win95/WinNT/Os2Warp is capable of not only being infected, but still operating as if nothing had happened.
Virus Info..: KRiLE is an HLL virus, which makes use of some pure ASM functions included for size and speed. Since KRiLE is an HLL, it provides automatic shielding against heuristic analysis, but does not in any way damage KRiLE's ability to spread. KRiLE is system friendly in the sense it will avoid the following files to prevent any possible system lockups and/or program failures, which could lead to the premature detection of this virus.
              [command.com, start.exe, emm386.exe, mouse.com(exe), mscdex.exe, setver.exe, dos4gw.exe, explorer.exe, smartdrv.exe]
              KRiLE accesses files in a network or multi-tasking friendly manner, so as not to cause failure loading programs, which could tip the user to a possible virus related problem. (please see the section How KRiLE infects below for more detailed information)
Encryption..: The entire KRiLE virus and files it infects are/will be stored in an encrypted format.
PayLoad.....: Good viruses usually contain some form of a payload. KRiLE is no exception to this rule! KRiLE contains a siren effect which it might trigger before control is passed back to the host, or it may decide not to trigger. KRiLE also contains a short encrypted message to infected users, and AV. :)
Stealth.....: Some stealth is performed to keep the executing file from noticing any changes. As memory-image checking files are rare, this method should be fine. In fact, I have yet to find one program which will detect it has been infected by KRiLE. (I've infected all kinds of files for testing purposes. I even infected f-prot v2.28. <g>)
How does KRiLE infect?
KRiLE is a direct action prepending virus. This said, it will randomly choose,
based on how many directories were found via the PATH statement, which to scan for
victims. Once it chooses a directory, it will decide to infect between 1
and 2 exe/com files inside that directory. This version of KRiLE attracts
less attention from NAV and TBFILE if they happen to be resident, by renaming the file
just before infection to some odd name (not exe/com); this way, resident
scanners won't report modifications to Exe/Com files. We restore the filename
right after :)
KRiLE contains minimal bait-file avoidance programming. Basically, the
only exe/com files KRiLE will consider to be bait and not bother with
are files which are not KRiLE's size or larger.
KRiLE also polls for checksum files created by Thunderbyte, CPAV, MSAV and
VSAFE. If these files are found, they are quickly destroyed. VSAFE if loaded
will be bypassed during the execution of KRiLE. The infected user will not
be aware of any of this.
Although a win 3.x series (NE) file can be infected by KRiLE, it will no longer
run properly unless it's run under Win95/NT. If you run an NE file on win3.x,
KRiLE will still spread, but shortly after executing windows will say this
file is not windows based. This problem does not occur on win95/nt or os/2
based operating systems.
This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. KRiLE has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, NORTON, and Integrity Master.
KRiLE has been tested against TBSCAN v8.03; the only flags triggered:
cK. Hardly enough to warn or scare a user :)
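The section above describes the two properties a defender can key on without any signature: a direct-action prepender grows each victim by a fixed amount (5880 bytes, per the NFO) and replaces the bytes at the start of the file, and the rename-before-write trick only defeats scanners that watch by extension, not a stored baseline compared by path. The following Python is an added illustration written for this page, not code from the NFO's author; the directory list, the sample executables and the tampering in `demo()` are all constructed here, and a real deployment would baseline every directory on PATH.

```python
"""Baseline-and-rescan integrity check aimed at fixed-size prepending infectors."""
import hashlib
import os
import tempfile

KRILE_BODY_SIZE = 5880            # virus size as stated in the NFO
EXEC_EXTS = (".exe", ".com")


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def executables_in(dirs):
    """Yield every .exe/.com file directly inside the given directories."""
    for d in dirs:
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p) and name.lower().endswith(EXEC_EXTS):
                yield p


def build_baseline(dirs):
    """Record size, SHA-256 and the first two header bytes per executable."""
    base = {}
    for p in executables_in(dirs):
        with open(p, "rb") as f:
            magic = f.read(2)
        base[p] = (os.path.getsize(p), sha256_file(p), magic)
    return base


def rescan(baseline, dirs, body_size=KRILE_BODY_SIZE):
    """Compare the tree against the baseline; return (path, reason) per change.

    Growth by exactly body_size is reported separately because that is the
    footprint a prepender of that size leaves on every host it touches.
    """
    findings = []
    seen = set()
    for p in executables_in(dirs):
        seen.add(p)
        if p not in baseline:
            findings.append((p, "new executable not in baseline"))
            continue
        size0, digest0, magic0 = baseline[p]
        size1 = os.path.getsize(p)
        if size1 == size0 and sha256_file(p) == digest0:
            continue                      # unchanged
        reasons = []
        if size1 - size0 == body_size:
            reasons.append(f"grew by exactly {body_size} bytes (prepender-sized growth)")
        else:
            reasons.append(f"content changed (size {size0} -> {size1})")
        with open(p, "rb") as f:
            if f.read(2) != magic0:
                reasons.append("header bytes changed: original image displaced")
        findings.append((p, "; ".join(reasons)))
    for p in baseline:
        if p not in seen:
            findings.append((p, "executable missing (renamed or deleted)"))
    return findings


def demo():
    """Constructed scenario: baseline two stand-in files, then tamper with one."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host.exe")
        tool = os.path.join(d, "tool.com")
        with open(host, "wb") as f:
            f.write(b"MZ" + b"\x00" * 3000)     # constructed stand-in for an EXE image
        with open(tool, "wb") as f:
            f.write(b"\x90" * 800)              # constructed stand-in, left untouched
        baseline = build_baseline([d])
        # Constructed tampering: filler of the NFO's body size placed ahead of
        # the original image, reproducing only the size and header change a
        # prepender of that size would cause.
        with open(host, "rb") as f:
            original = f.read()
        with open(host, "wb") as f:
            f.write(b"\x01" * KRILE_BODY_SIZE + original)
        return rescan(baseline, [d])


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Because the comparison is keyed on the recorded path and digest rather than on the extension seen at write time, the temporary rename described above does not hide the change: the file is back at its original name with a different size and hash by the time the rescan runs.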
Greetz:
[SLAM] - This makes 4! At the request of another coder, I have started
a revisions section in these nfos. It lists the major differences
between the different versions of KRiLE.
#Virus - Here's another HLL for you to study guys :) This one spreads over
longer periods of time, but it *should* be less noticeable
Microsoft - If it weren't for your kind Win95 methods of controlling my
spawning, KRiLE wouldn't be near as infectious. As much as I
despise you, Bill, your shitty OS is making me one happy VXer!
To all VX related:
Revision history has been added to this nfo. Be sure to read it. :)
To all AV related:
Spreading the other variants was fun. Let's see how far this one gets hehe
Want KRiLE source? heh, debug it :)
Also, this is a 1st generation sample. It will self-corrupt once it's
executed, so be sure to set a bait file at least as large as the virus to
infect. Otherwise, you won't have a sample of the virus to play with.
This probably goes without saying, but, be damn careful with this thing.
During coding and (shudder) testing (eeek!) the virus did manage to get
loose. Fortunately, there were no encryption errors in my infected files,
so I was able to restore them shortly thereafter. Do not let this happen
to you. You don't have the benefit of the source code to look at. :)
And, if you think a virus *never* infects its author, you're, ahem, how shall
I put this... wrong! :) Coding these is fun, testing is not so fun. :)
VX Ezines are welcome to publish the exe and/or this nfo file if they want.
I consider this variant of KRiLE an experimental one, so get in touch with
me should you discover bugs with it.
Revision History:
KRiLE v1.0 - First KRiLE on the scene, used old internal decryptor and
LZEXE to maintain compression. Was easily caught and payloads
went off often.
KRiLE v1.0a - Second release, minor bug fixes, experimental crypto engine.
KRiLE v1.0b - Added randomness for dirs and files, trying to speed it up,
changed compressor again.
KRiLE v1.0c - More randomness, added code to try and avoid tbfile/nav, also
changed compressor/encryptor and various encryption sequences
within KRiLE. KRiLE uses about 30k less than all previous
variants, due to more efficient coding and change of
compression. Occasionally, previous variants would infect
files that they shouldn't have. This has been corrected.
"If ignorance is bliss, Why aren't you smiling?"