KRILE.NFO | Text File | 1997-12-29 | 9KB | 157 lines

Virus Author: RAiD - [SLAM]    Written on December 29th, 1997
Virus Name : KRiLE v1.0e [Official Release!]
Virus Target: .EXE and .COM *multi-os* (see below)
Virus Size..: 5831 bytes.
Target OS...: KRiLE is a multi-OS virus. Meaning, any .EXE or .COM file
              on Win3.x/MsDos/Win95/WinNT/Os2Warp are capable of not
              only being infected, but still operating as if nothing had
              happened.
Virus Info..: KRiLE is an HLL virus, which makes use of some pure ASM
              functions included for size and speed. Since KRiLE is an
              HLL, it provides automatic shielding against heuristic
              analysis, but does not in any way damage KRiLE's ability
              to spread. KRiLE is system friendly in the sense it will
              avoid the following files to prevent any possible system
              lockups and/or program failures, which could lead to the
              premature detection of this virus.
              [command.com, start.exe, emm386.exe, mouse.com(exe),
              mscdex.exe, setver.exe, dos4gw.exe, explorer.exe,
              smartdrv.exe] KRiLE accesses files in a network or
              multi-tasking friendly manner, so as not to cause failure
              loading programs, which could tip the user to a possible
              virus related problem. (please see the section How KRiLE
              infects below for more detailed information)
Encryption..: The entire KRiLE virus and files it infects are/will be stored
              in an encrypted format. NEW: Each infection of KRiLE will be
              different for the host. :)
PayLoad.....: Good viruses usually contain some form of a payload. KRiLE is
              no exception to this rule! KRiLE contains a siren effect
              which it might trigger before control is passed back to the host
              or it may decide not to trigger. KRiLE also contains a short
              encrypted message to infected users, and AV. :) This
              doesn't imply that KRiLE should be considered a good virus
              though. Some people will baulk because it's not pure ASM.
              Oh well, can't please everyone.
Stealth.....: Some stealth is performed to keep the executing file from
              noticing any changes. As memory-image checking files are
              rare, this method should be fine. In fact, I have yet to
              find one program which will detect it has been infected by
              KRiLE. (I've infected all kinds of files for testing
              purposes. I even infected f-prot v2.28. <g>)

How does KRiLE infect?

KRiLE is a direct action prepending virus. This said, it will randomly choose,
based on how many directories were found via the PATH statement, a directory to
scan for victims. Once it chooses a directory, it will decide to infect between 1
and 2 exe/com files inside that directory. This version of KRiLE attracts
less attention from NAV and TBFILE if they happen to be resident, by renaming the
file just before infection to some odd name (not exe/com); this way, resident
scanners won't report modifications to Exe/Com files. We restore the filename
right after :)

KRiLE contains minimal bait-file avoidance programming. Basically, the
only exe/com files KRiLE will consider to be bait and not bother with
are files which are not KRiLE's size or larger.

KRiLE also polls for checksum files created by Thunderbyte, CPAV, MSAV and
VSAFE. If these files are found, they are quickly destroyed. VSAFE, if loaded,
will be bypassed during the execution of KRiLE. The infected user will not
be aware of any of this. KRiLE doesn't currently poll for NAV checksum files
since I don't have NAV to study. If this turns out to be something important
I'll add it, otherwise, I don't care.
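
From the defender's side, the two behaviours described above (an executable renamed to a non-executable name, modified, then renamed back, and the deletion of integrity-checker checksum files) can both be caught by following file events per process instead of watching only names ending in .exe/.com. The sketch below is an added example, not part of the original NFO or the author's code; the event format, the sample events, the 5-second window and the checksum-database file names are assumptions of the example.

```python
import ntpath

EXEC_EXT = {".exe", ".com"}
# Checksum-database names commonly documented for Thunderbyte, MSAV and CPAV.
# They are an assumption of this example; the page does not list them.
CHECKSUM_DBS = {"anti-vir.dat", "chklist.ms", "chklist.cps"}

# Constructed audit events: (time_s, pid, op, path, rename target or None)
EVENTS = [
    (10.0, 412, "delete", r"C:\TOOLS\ANTI-VIR.DAT", None),
    (10.2, 412, "rename", r"C:\TOOLS\PKUNZIP.EXE", r"C:\TOOLS\PKUNZIP.$$$"),
    (10.3, 412, "write",  r"C:\TOOLS\PKUNZIP.$$$", None),
    (10.4, 412, "rename", r"C:\TOOLS\PKUNZIP.$$$", r"C:\TOOLS\PKUNZIP.EXE"),
    # Benign: renamed away but never written to or restored.
    (55.0, 731, "rename", r"C:\DOCS\SETUP.EXE", r"C:\DOCS\SETUP.OLD"),
    (60.0, 731, "write",  r"C:\DOCS\REPORT.TXT", None),
]

def is_exec(path):
    return ntpath.splitext(path)[1].lower() in EXEC_EXT

def detect(events, window_s=5.0):
    """Return alerts for rename-modify-restore on executables and for
    deleted integrity databases, following files across renames."""
    alerts = []
    pending = {}  # (pid, alias path lowercased) -> state of a renamed executable
    for ts, pid, op, path, target in sorted(events, key=lambda e: e[0]):
        key = (pid, path.lower())
        if op == "delete" and ntpath.basename(path).lower() in CHECKSUM_DBS:
            alerts.append(("checksum-db-deleted", pid, path))
        elif op == "rename" and is_exec(path) and not is_exec(target):
            # Executable now hidden behind a non-executable name: keep tracking it.
            pending[(pid, target.lower())] = {"orig": path, "t0": ts, "written": False}
        elif op == "write" and key in pending:
            pending[key]["written"] = True
        elif op == "rename" and key in pending:
            st = pending.pop(key)
            if st["written"] and is_exec(target) and ts - st["t0"] <= window_s:
                alerts.append(("exec-modified-under-alias", pid, st["orig"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A monitor that only hooks writes to .exe/.com names sees nothing in this sequence, which is why the correlation is keyed on the process and the renamed path.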

Although a win 3.x series (NE) file can be infected by KRiLE, it will no longer
run properly unless it's run under Win95/NT. If you run an NE file on win3.x,
KRiLE will still spread, but shortly after executing, Windows will say this
file is not Windows based. This problem does not occur on win95/nt or os/2
based operating systems.

This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. KRiLE has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, NORTON, and Integrity Master.
KRiLE has been tested against TBSCAN v8.03. The only flags triggered:
c?. Hardly enough to warn or scare a user :)

Greetz:
[SLAM]    - Official release! Works fine under WinNT FAT/NTFS (will only infect
            files the user is allowed under NTFS)
#Virus    - Greetz to pawk, mef, yosha, vdeamon, marc, unknown, warblade, polt,
            prom, etc. This one should prove a little more interesting :)
Microsoft - WinNT..I support you now :)
Mcafee    - Couldn't remove KRiLE v1.0c? Boy, you'll hate this one :)

To all VX related:
Those of you who think my viruses suck, Oh well. I really don't care
what you think. Those of you who think I'm an asshole, Good. I don't
care who or how many scum sucking lamers I infect. I'm doing the world
a favor removing dipshits like that.

To all AV related:
Blow Me. I'm coding more of these fuckers than U shitheads know what to do
with. Go ahead, put it on some auto analyzing machine. hehe
Except this time, at least TRY to get your "Virus Description" information
right. It's annoying looking over your work, counting your pathetic errors
and for once, Wise up, These viruses aren't going to go away Just because
you don't name them as what they are. Lame asses.

VX Ezines are welcome to publish the exe and/or this nfo file if they want.
Source code will no longer be given out. You already know what it looks like
anyway. And if by some small chance you don't, Find someone who has older
source code to look at. Get a good laugh out of it. Hell, I laugh
every time I infect someone.

This is also an experimental KRiLE.. as such, it might fuckup on occasion.
Too bad.

Revision History:
KRiLE v1.0   - First KRiLE on the scene, Used old internal decryptor and
               LZEXE to maintain compression. Was easily caught and payloads
               went off often.
KRiLE v1.0a  - Second release, Minor bug fixes, experimental crypto engine.
KRiLE v1.0b  - Added randomness for dirs and files, trying to speed it up
               changed compressor again.
KRiLE v1.0c  - More randomness, added code to try and avoid tbfile/nav, also
               changed compressor/encryptor and various encryption sequences
               within KRiLE. KRiLE uses about 30k less than all previous
               variants, due to more efficient coding and change of
               compression. Occasionally, Previous variants would infect
               files that they shouldn't have. This has been corrected.
KRiLE v1.0d  - Streamlined encryption/compression yet again. (seems I'm always
               fucking with this part) Added a special Fuck U payload. And
               made this version of KRiLE a bit smaller than the last, By
               350 bytes or so. Changed docs a bit, to reflect my mood.
               If anyone is pissed off by this, Waaaa.
KRiLE v1.0e  - This one is very experimental..I've changed the way it
               passes control to the host, Hopefully making KRiLE
               compatible with ALL winNT based systems. The side effect,
               This different method eats a little more ram. A trade-off
               I suppose. Oh well. Also, This new method is a little bit
               faster as well. And Should stop those odd system lockups
               I've heard about. DOS based programs which are intense
               memory hogs may (depending on the users system) fail to
               run, exiting with not enough memory.
KRiLE v1.0eF - The OFFICIAL v1.0e release! KRiLE now encrypts the host data
               differently for each host! KRiLE can generate thousands of
               different host data encryptions! Also uses less ram..:)

Send me your hate mail, complaints, comments etc! I'd like to read what
you have to say about this or any other virus of mine. Don't email
asking for source code. I've already sent the source code all over the
place, Look around for it. If you know where to look, you can find an
email address for me. Is whatever you have to say worth it? :)
By all means, use whatever methods you know/can to spread this virus into
as many unsuspecting users as possible. If it means taking a network offline
fine by me. A local BBS will provide some entertainment :)
"If ignorance is bliss, Why aren't you smiling?"