NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK                                                  E-
KE        "The Varicella Virus Source Codes"        -N
E-                                                  Nu
-N                                                  uK
Nu                        By                        KE
uK                   Rock Steady                    E-
KE                                                  -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu

ahh, NuKE PoX viruses will never end... Well, I noticed a few flaws and faults
in the code of the old NuKE PoX virus version 2.0 which I wanted to refine. This
time I had a lot of time, and I _fully_ commented the source codes.

% Improvements %

The biggest improvement is the infection routine: I have created a generic
method that always uses the same infection/disinfection routine. If you
remember NuKE PoX v2.0, you will have noticed that I copied whole blocks of the
code twice, which gave the virus a size of 1800 bytes! This version hovers at
1483 bytes, and it's far from tight, but it's EXTREMELY reliable! Meaning this
baby should never crash for any reason. And it has _many_ added features that
N-Pox v2.0 didn't have!


% Introduction to the ideology of the Stealth Virus %

Like the SVC viruses, this virus will `disinfect' on the fly. And to the DIMWIT
that said SVC doesn't disinfect by rewriting the program on disk, GO CHECK YOUR
INFO, NITWIT. The SVC viruses will disinfect a file when it is opened: the SVC
virus will actually remove the virus from the infected program. It will NOT
attempt a disinfection in memory only! It does have the ability to do this to a
certain extent: if you execute the file, and if you jump towards the end of the
file by Int21h/4202h, the SVC virus will fool DOS into thinking that the file
is not infected, whereas it really is. But this method has a MAJOR flaw, and
that flaw is exercised by the F-Prot anti-virus to defeat this dumb method.

The major flaw is that these viruses _cannot_ keep track of file pointers; it
would take too much code to do this. So if you read a file from the beginning
and read sequentially toward the end, sure enough you will encounter the SVC
virus, because it does not have the ability to keep track of the file pointer.
So in order to fix this, SVC will do a _real_ disinfection of the file on
disk. Therefore in all aspects the file will look clean, as it _is_ clean!
Also note that the SVC viruses also infect System Device drivers; this is
_rarely_ noted, maybe because people use VSUM as a reference?

% Varicella Features %

The virus will only infect generic .com and .exe files. I have removed the
.ovl infections because of certain crashes that persist with certain large
programs. No virus to date successfully does this, for some reason.

The virus will hide its file length by the FCB directory method
(Int21h/ah=11h,12h) and by the File Handles method (Int21h/ah=4Eh,4Fh).

The virus will disinfect the file on opens & extended opens
(Int21h/ah=3Fh,6Ch). The virus will also disinfect files as they are executed
(Int21h/ah=4Bh) and will later reinfect them when they have terminated.

The virus will infect on closing (Int21h/ah=3Eh), and it uses the very
sophisticated Job File Table method (the List of Lists).

Infection is denoted by the seconds field being equal to the day of the month!
This method is _a lot_ better than setting the seconds field to 60 or 62,
because many AV programs flag an invalid seconds field. Therefore now the
seconds field will be a number from 1->31 (days in a month), with only a 6%
chance of an invalid seconds field stamp. Also, in order not to create
problems, the last two bytes of the virus _must_ be DBh,DBh. Therefore the
virus uses TWO methods of detecting infection, because we wouldn't want to
`disinfect' a file that isn't infected, so we must be 100% sure.
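One way a scanner could check for the two-part marker just described, as an
added example (not code from the original text or its author). It assumes only
what the text states (seconds field equal to the day of the month, file ending
in DBh,DBh) and uses constructed sample files and timestamps:

```python
"""Heuristic check for the Varicella infection marker described in the text.

Added example, not the virus author's code.  Assumes the marker exactly as the
text states it: the DOS timestamp seconds field equals the day of the month in
the date stamp, and the last two bytes of the file are DBh,DBh.  All sample
files and timestamps below are constructed.
"""

VARICELLA_TAIL = b"\xdb\xdb"   # trailing marker bytes named in the text


def pack_dos_time(hour: int, minute: int, two_sec_units: int) -> int:
    """Pack a FAT time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return (hour << 11) | (minute << 5) | (two_sec_units & 0x1F)


def pack_dos_date(year: int, month: int, day: int) -> int:
    """Pack a FAT date word: bits 15-9 year-1980, 8-5 month, 4-0 day."""
    return ((year - 1980) << 9) | (month << 5) | (day & 0x1F)


def findings(data: bytes, dos_time: int, dos_date: int) -> list[str]:
    """Return heuristic hits for one file; an empty list means nothing seen.

    'invalid-seconds' is the generic check the text says many AV products
    use: FAT stores seconds in 2-second units, so a raw value above 29 is
    impossible.  'varicella-marker' requires both of the virus's own
    conditions, since the seconds field alone matches a clean file by chance.
    """
    seconds_field = dos_time & 0x1F
    day = dos_date & 0x1F
    hits = []
    if seconds_field > 29:
        hits.append("invalid-seconds")
    if seconds_field == day and data.endswith(VARICELLA_TAIL):
        hits.append("varicella-marker")
    return hits


# Constructed samples.  CLEAN has seconds == day by coincidence but no tail.
CLEAN = (b"\xb8\x00\x4c\xcd\x21", pack_dos_time(9, 30, 12), pack_dos_date(1993, 3, 12))
INFECTED = (b"\xe9\x00\x00" + b"\x90" * 8 + VARICELLA_TAIL,
            pack_dos_time(9, 30, 12), pack_dos_date(1993, 3, 12))
# On the 30th or 31st the virus's own stamp is an impossible seconds value:
# the roughly 6% (2 of 31 days) the text admits will also trip the generic check.
INFECTED_31ST = (INFECTED[0], pack_dos_time(9, 30, 31), pack_dos_date(1993, 3, 31))

if __name__ == "__main__":
    samples = {"clean": CLEAN, "infected": INFECTED, "infected_31st": INFECTED_31ST}
    for name, (data, t, d) in samples.items():
        print(name, findings(data, t, d) or "no hits")
```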

I found it no use to have a `fake' disinfection routine, whereby it fakes a
disinfection, for the reason that this method contains several flaws. And I
found that testing this virus on my PC with a 40 Meg MFM 65ms drive showed
_very_ little sign of abnormality. So speed-wise, it's very fast; what is
1-2 milliseconds more (1/100s of a second)?

When disinfecting a file, the virus even puts back the original seconds field
time stamp, leaving absolutely no trace of its existence! How many viruses do
that? huh?

% To Come %

Well, I already have a multi-partition version of this virus, and I'm currently
trying to add NED polymorphic possibilities to this virus. This will be a nice
task, as NED is variable in length; therefore I have to save the original
file length, or I will fix NED to be constant in length. Nevertheless you
should see it coming soon.

% About the Name %

Well, I didn't want to call this N-Pox, because it has NO code similarities
with N-Pox; the only thing they share is the method of going resident.

But I called this "Varicella" because Varicella is the medical term for the
(Chicken) Pox that adults get! When a child gets the Pox, you call it Chicken
Pox; when an adult gets it, you call it Varicella! So I found it appropriate
to call this Varicella because it is perhaps the `adult' or later outcome
of the N-Pox virus. <hehe>