---------------------------------------------------------------------
               PiNWoRM v1.7 Beta A coded by Virogen
---------------------------------------------------------------------

Welcome to my latest viral creation -- PiNWorM version 1.7.

Definition - PINWORM:
A parasite that crawls out your ass and lays little white eggs ..
It's amazing what you can learn from Biology class.

PiNWorM is a memory resident, polymorphic, parasitic infector of COM
and EXE files. Files become infected when they are executed. Eligible
files are COMs which will not exceed the 64k boundary and EXE files
smaller than approx 256k that are not "new-format" EXEs such as Windoze
filez.
COMMAND.COM may also become infected.

Original Infection Marker-
Infected EXE files have their checksum in the header set to a random
value other than 0. This should prevent anti-virus software from easily
determining if an exe is infected by a simple check of the header.
Infected COM files will have the fourth byte set to 0.

Polymorphism-
This virus has 0 bytes constant and 0 ops in constant locations in
the decryptor. It's fully polymorphic. The garbage code consists of
randomly retrieved one-byte operands, OR a constant fill of a single
one-byte operand. The virus selects between these types of garbage code
randomly in order to prevent scanners from detecting the actual garbage
code.

Anti-Anti virus-
When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted
in that directory. Also, when the user tries to execute EXE files ending in
the characters 'AV', 'SCAN', or 'OT' the executable's minimum memory
requirement in the header is changed to FFFFh, making the file unusable
whether the virus is in memory or not.
Pinworm also uses VSAFE and VWATCH's uninstall API as an installation
check. When pinworm checks itself for residency it also removes these
shitty programs from memory.

Anti-Debugging-
This virus uses a double encryption technique to prevent debugging of the
code. The first encryptor is of course polymorphic, while the second is there
only to try and deter debuggers. It's hardly foolproof .. but nonetheless
will keep out the ignorant.

Symptoms-
The user may notice a slight size increase for infected COM and EXE files.
There may also be a total conventional memory size decrease of approx 5k,
however the virus randomly decides not to protect its code in memory. As
stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted, and
"Not enough memory" errors may appear when trying to load many anti-virus
applications.
18 byte RUNME.COM files may appear in directories.

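Added example (not part of the original text and not the virus author's
code): a Python triage check that tests one file against the infection
markers and symptoms described above. The function name, indicator labels
and sample bytes are assumptions of this example, the offsets are the
standard MZ header fields, and every check is a weak heuristic that clean
files can also match.

```python
import struct
from pathlib import PureWindowsPath

AV_ENDINGS = ("AV", "SCAN", "OT")   # EXE name endings the text says are hit

def pinworm_indicators(name, data):
    """Return which indicators from the description one file matches."""
    p = PureWindowsPath(name.upper())
    hits = []
    if p.name == "RUNME.COM" and len(data) == 18:
        hits.append("runme-18-bytes")
    if len(data) >= 0x1C and data[:2] in (b"MZ", b"ZM"):
        # Standard MZ header fields: e_minalloc @0Ah, e_csum @12h, e_lfarlc @18h
        minalloc, = struct.unpack_from("<H", data, 0x0A)
        csum, = struct.unpack_from("<H", data, 0x12)
        lfarlc, = struct.unpack_from("<H", data, 0x18)
        if p.stem.endswith(AV_ENDINGS) and minalloc == 0xFFFF:
            hits.append("av-exe-minalloc-ffff")
        # Only old-format EXEs under ~256k are eligible per the text;
        # e_lfarlc >= 40h is the usual sign of a new-format EXE.
        if csum != 0 and lfarlc < 0x40 and len(data) < 256 * 1024:
            hits.append("exe-checksum-nonzero")
    elif p.suffix == ".COM" and len(data) >= 4 and data[3] == 0:
        hits.append("com-byte4-zero")
    return hits

def _mz(minalloc=0x0010, csum=0, lfarlc=0x1C):
    """Build a constructed 28-byte MZ header for the samples below."""
    hdr = bytearray(0x1C)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x0A, minalloc)
    struct.pack_into("<H", hdr, 0x12, csum)
    struct.pack_into("<H", hdr, 0x18, lfarlc)
    return bytes(hdr)

# Constructed sample inputs (not real files).
SAMPLES = {
    "C:\\DOS\\MSAV.EXE": _mz(minalloc=0xFFFF),
    "GAME.EXE": _mz(csum=0x3A7C),
    "CLEAN.EXE": _mz(),
    "WINAPP.EXE": _mz(csum=0x1234, lfarlc=0x40),
    "EDIT.COM": b"\xE9\x10\x02\x00\x90",
    "RUNME.COM": b"\x90" * 18,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {pinworm_indicators(name, data)}")
```
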
Additional-
-Pinworm uses its own critical error handler.
-The virus is kept encrypted in memory

Activation-
On the 13th of any month, Pinworm will continuously play with the keyboard
lights and create directories named after itself. In these directories will
be a file which contains a little message from me..

Version history:
version 1.0:
 - Original Release
version 1.5: [several months later]
 - Conditional compilation equates added for creation of new variants
 - Improved polymorphic engine
 - Fixed possible bug in polymorphic engine after 50 or so generations
version 1.6:
 - Re-Enabled Constant 1 Byte Garbage Generation
 - Changed activation routine
version 1.7:
 - The virus will now spawn trojans entitled "RUNME.COM" if there are
   many successive failed infection attempts.
 - Added SAFE_MEM compile option