94 lines
3.7 KiB
Plaintext
% Pinworm.asm %
~~~~~~~~~~~~~~~

───────────────────────────────────────────────────────────------
Pi∩WΘRM v1.00 coded by √irogen
───────────────────────────────────────────────────────────------
Original Release: 06-03-94
Source Code Release: 07-05-94

Welcome to my latest viral creation -- Pi∩WΘrM version 1.00.

Definition - PINWORM:
A parasite that crawls out your ass and lays little white eggs ..
It's amazing what you can learn from Biology class.

Pi∩WΘrM is a memory resident, polymorphic, parasitic infector of COM
and EXE files. Files become infected when they are executed. Eligible
files are COMs which will not exceed the 64k boundary and EXE files
smaller than approx 256k that are not "new-format" EXEs such as Windoze
filez.
COMMAND.COM may also become infected.

Original Infection Marker-
Infected EXE files have their checksum in the header set to a random
value other than 0. This should prevent anti-virus software from easily
determining if an EXE is infected by a simple check of the header.
Infected COM files will have the fourth byte set to 0.

Polymorphism-
This virus has 0 bytes constant and 0 ops in constant locations in
the decryptor. It's fully polymorphic. The garbage code consists of
randomly retrieved one-byte operands, OR a constant fill of a single
one-byte operand. The virus selects between these types of garbage code
randomly in order to prevent scanners from detecting the actual garbage
code.

Anti-Anti virus-
When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted
in that directory. Also, when the user tries to execute EXE files ending in
the characters 'AV', 'SCAN', or 'OT', the executable's minimum memory
requirement in the header is changed to FFFFh, thus making the file unusable
whether the virus is in memory or not.
Pinworm also uses VSAFE and VWATCH's uninstall API as an installation
check. When Pinworm checks itself for residency it also removes these
shitty programs from memory.

Anti-Debugging-
This virus uses a double encryption technique to prevent debugging of the
code. The first encryptor is of course polymorphic, while the second is there
only to try and deter debuggers. It's hardly foolproof .. but nonetheless
will keep out the ignorant.

Symptoms-
The user may notice a slight size increase for infected COM and EXE files.
There may also be a total conventional memory size decrease of approx 5k,
however the virus randomly decides not to protect its code in memory. As
stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted, and
"Not enough memory" errors may appear when trying to load many anti-virus
applications.

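The infection markers and header damage described above can be checked from the defender's side. The following Python triage script is an added example, not part of the original NFO or the virus source; the function, tag and sample names are hypothetical, the sample files are constructed, and two points are assumptions: "ending in" is read as the base name before the extension, and a relocation-table offset of 0x40 or more is taken to mean a new-format EXE.

```python
import struct
from pathlib import PurePath

AV_ENDINGS = ("AV", "SCAN", "OT")  # name endings the NFO says get targeted

def triage(name, data):
    """Return indicator tags for one DOS executable (name + raw bytes)."""
    tags = []
    stem = PurePath(name).stem.upper()  # assumption: "ending in" = base name
    if data[:2] in (b"MZ", b"ZM") and len(data) >= 0x1C:
        # MZ header words (little-endian): e_minalloc 0x0A, e_csum 0x12, e_lfarlc 0x18
        minalloc, = struct.unpack_from("<H", data, 0x0A)
        csum, = struct.unpack_from("<H", data, 0x12)
        lfarlc, = struct.unpack_from("<H", data, 0x18)
        if minalloc == 0xFFFF:
            # Needs all of memory to load: DOS answers "Not enough memory"
            tags.append("av-tool-disabled" if stem.endswith(AV_ENDINGS)
                        else "minalloc-ffff")
        # Assumption: e_lfarlc >= 0x40 marks a new-format (NE/PE) EXE, which
        # the NFO says is never infected. A non-zero checksum alone is weak:
        # clean files may carry one too.
        if csum != 0 and lfarlc < 0x40:
            tags.append("exe-marker-weak")
    elif name.upper().endswith(".COM") and len(data) >= 4 and data[3] == 0:
        tags.append("com-marker-weak")  # fourth byte 0; also weak on its own
    return tags

def make_mz(minalloc=0x0010, csum=0, lfarlc=0x1C):
    """Build a constructed 32-byte MZ header for the samples below."""
    hdr = bytearray(0x20)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x0A, minalloc)
    struct.pack_into("<H", hdr, 0x12, csum)
    struct.pack_into("<H", hdr, 0x18, lfarlc)
    return bytes(hdr)

# Constructed sample inputs, not real files.
SAMPLES = {
    "SCAN.EXE": make_mz(minalloc=0xFFFF),
    "GAME.EXE": make_mz(csum=0x3A7C),
    "CLEAN.EXE": make_mz(),
    "WINAPP.EXE": make_mz(csum=0x1234, lfarlc=0x40),
    "EDIT.COM": b"\xE9\x10\x02\x00" + b"\x90" * 8,
    "MORE.COM": b"\xB4\x4C\xCD\x21",
}

def scan_samples():
    return {name: triage(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, tags in scan_samples().items():
        print(f"{name:12} {', '.join(tags) or 'no indicators'}")
```

The two "weak" tags only narrow down which files deserve a closer look; the FFFFh minimum-memory value on an anti-virus executable is the stronger sign, since it matches the damage the NFO describes.
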
Additional-
-Pinworm uses its own critical error handler.
-The virus is kept encrypted in memory.

Activation-
On the 1st of any month, Pinworm will continuously play with the keyboard
lights and create directories named after itself. In these directories will
be several files that together form a message from √irogen to the general
populace.

Length:      Code length -
               Approximately 1900 bytes
             Added phile size -
               Varies from 1900-2200 bytes
Detected by: Nothing, nada, nope, kein
             As of SCAN v2.00.0
             F-PROT v2.11
             and TBAV v6.20

─-──────────────────────────────────────────────────--
Included in this archive should be:
INFECTED.COM - Infected phile, second generation
PINWORM.NFO  - This phile
PINWORM.ASM  - Assembly language source code