───────────────────────────────────────────────────────────------
Pi∩WΘRM v1.7 Beta A coded by √irogen
───────────────────────────────────────────────────────────------

Welcome to my latest viral creation -- Pi∩WΘrM version 1.7.

Definition - PINWORM:
A parasite that crawls out your ass and lays little white eggs ..
It's amazing what you can learn from Biology class.

Pi∩WΘrM is a memory resident, polymorphic, parasitic infector of COM
and EXE files. Files become infected when they are executed. Eligible
files are COMs which will not exceed the 64k boundary and EXE files
that are smaller than approx 256k and are not "new-format" EXEs such as
Windoze filez.
COMMAND.COM may also become infected.

Original Infection Marker-
Infected EXE files have their checksum in the header set to a random
value other than 0. This should prevent anti-virus software from easily
determining if an EXE is infected by a simple check of the header.
Infected COM files will have the fourth byte set to 0.

Polymorphism-
This virus has 0 bytes constant and 0 ops in constant locations in
the decryptor. It's fully polymorphic. The garbage code consists of
randomly retrieved one-byte operands, OR a constant fill of a single
one-byte operand. The virus selects between these types of garbage code
randomly in order to prevent scanners from detecting the actual garbage
code.

Anti-Anti virus-
When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted
in that directory. Also, when the user tries to execute EXE files ending in
the characters 'AV', 'SCAN', or 'OT', the executable's minimum memory
requirement in the header is changed to FFFFh, making the file unusable
whether the virus is in memory or not.
Pinworm also uses VSAFE and VWATCH's uninstall API as an installation
check. When Pinworm checks itself for residency it also removes these
shitty programs from memory.

Anti-Debugging-
This virus uses a double encryption technique to prevent debugging of the
code. The first encryptor is of course polymorphic, while the second is there
only to try and deter debuggers. It's hardly foolproof .. but nonetheless
will keep out the ignorant.

Symptoms-
The user may notice a slight size increase for infected COM and EXE files.
There may also be a total conventional memory size decrease of approx 5k,
however the virus randomly decides not to protect its code in memory. As
stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted, and
"Not enough memory" errors may appear when trying to load many anti-virus
applications.
18 byte RUNME.COM files may appear in directories.
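Added example, not part of the original readme and not the author's code: a Python triage pass that checks files against the on-disk indicators listed above. Offsets 0Ah (minimum allocation) and 12h (checksum) are the standard DOS MZ header layout; the function names and the sample directory are constructed for illustration. The checksum and fourth-byte markers also occur in clean files, so they are reported as weak.

```python
import struct

# Name endings the readme says get the header patch (stem before ".EXE").
AV_ENDINGS = ("AV", "SCAN", "OT")

def mz_fields(data):
    """Return (e_minalloc, e_csum) from a DOS MZ header, or None if not MZ."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    minalloc, = struct.unpack_from("<H", data, 0x0A)  # min extra paragraphs
    csum, = struct.unpack_from("<H", data, 0x12)      # header checksum word
    return minalloc, csum

def triage_file(name, data):
    """List the readme's on-disk indicators that one file matches."""
    stem, _, ext = name.upper().rpartition(".")
    hits = []
    if stem == "RUNME" and ext == "COM" and len(data) == 18:
        hits.append("strong: 18-byte RUNME.COM")
    fields = mz_fields(data) if ext == "EXE" else None
    if fields:
        minalloc, csum = fields
        if minalloc == 0xFFFF and stem.endswith(AV_ENDINGS):
            hits.append("strong: AV-named EXE, min memory FFFFh")
        if csum != 0:
            hits.append("weak: nonzero header checksum")
    if ext == "COM" and len(data) >= 4 and data[3] == 0:
        hits.append("weak: COM fourth byte is 0")
    return hits

def triage_dir(files):
    """Map name -> hits for each entry of {name: bytes} that matches."""
    return {n: h for n, d in files.items() if (h := triage_file(n, d))}

def sample_mz(minalloc, csum):
    # Constructed 28-byte MZ header; every other field is zero.
    return struct.pack("<2s8xH6xH8x", b"MZ", minalloc, csum)
# Constructed sample directory (no real files or virus bytes).
SAMPLE = {
    "MSAV.EXE": sample_mz(0xFFFF, 0),
    "EDIT.EXE": sample_mz(0x0010, 0),
    "GAME.EXE": sample_mz(0x0010, 0x3A7C),
    "TOOL.COM": b"\xe9\x10\x02\x00" + bytes(12),
    "RUNME.COM": b"\x90" * 18,
}

if __name__ == "__main__":
    for name, hits in triage_dir(SAMPLE).items():
        print(name, hits)
```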

Additional-
-Pinworm uses its own critical error handler.
-The virus is kept encrypted in memory

Activation-
On the 13th of any month, Pinworm will continuously play with the keyboard
lights and create directories named after itself. In these directories will
be a file which contains a little message from me..

Version history:
version 1.0:
■ Original Release
version 1.5: [several months later]
■ Conditional compilation equates added for creation of new variants
■ Improved polymorphic engine
■ Fixed possible bug in polymorphic engine after 50 or so generations
version 1.6:
■ Re-Enabled Constant 1 Byte Garbage Generation
■ Changed activation routine
version 1.7:
■ The virus will now spawn trojans entitled "RUNME.COM" if there are
  many successive failed infection attempts.
■ Added SAFE_MEM compile option