home *** CD-ROM | disk | FTP | other *** search
- 40Hex Volume 1 Issue 2 0001
-
- - HOW TO GET INFECTED FILES INTO LAME BBS's -
-
-
- Ok, one problem with sending infected files to BBS's is that you never
- can tell if they will be detected by SCAN. Or if you are sending bombs
- the sysop might use CHK4BOMB to detect code that is data damaging.
-
- I'm gonna tell you how to get around this, what you need is the following-
-
- PKLITE or LZEXE
- and
- A good hex editor
-
- What you do is this, compress the infected file with Pklite or Lzexe. This
- will make change the files checksum and ID strings quite a bit so it can't
- be detected by SCAN and damaging data will not be found by CHK4BOMB. The
- problem is that now the sysop can use CHK4LITE to detect is the file is
- indeed infected. So what you do is this --
-
- Load up the hex editior -
-
- Now look at the file, it will look something like this if you compressed it
- with PKLITE.
-
- ------------------------------------------------------------------------------
-
- 0000 4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02 MZ··········J·R·
- 0010 00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B ········P·····PK
- 0020 4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20 LITE Copr. 1990
- 0030 50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20 PKWARE Inc. All
- 0040 52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 00 Rights Reserved·
- 0050 0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40 ·· ···H·J·J····@
- 0060 00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00 ··V·············
- 0070 B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D ····K·····;···s·
- 0080 83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53 ·· ············S
- 0090 B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA ···3·W·H········
- 00A0 36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68 6··!· Not enough
- 00B0 20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03 memory$···S··-·
- 00C0 DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1 ··········+·····
-
- ------------------------------------------------------------------------------
-
- You see the header? Well what you have to do is overwrite the header with
- garbage. Don't write text cause that is to dectectable by a dump program.
- Just overwrite the part that says "PKLITE corp....Reserved" with hex bytes.
- Also distroy the part of the code that says "Not enough memory", dont kill
- the "$" symbol.
-
- This will make the compressed file-
-
- A> Undetectable to virus scanners, and CHK4BOMB type programs
- B> Un-Decompressable
- C> CHK4LITE wont notice it as a PKLITE file
-
- It's that easy!
-
- Keep in mind however than any file that the virus infects will no longer
- be encrypted by PKLITE, so this method is good only on getting your virus
- into the front door.
-
- See the article in issue one on making new virus strains.
-
-
- Forenote
-
- After writing this article SCAN Version 80 came out, It now has the
- ability to scan into Pklite compressed files. Just to let you know that
- this teqnique still works and SCAN cannot detect the file as being
- compressed as PKLITE.
-
- HR