MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.mkvirlst.txt

2021-01-12 23:49:21 +00:00
Gotcha 1
This was the first virus I wrote. It is a resident COM and EXE infector.
It infects programs when they are executed. It hides at the top of
conventional memory. When infecting it intercepts INT24, circumvents
the read-only attribute and disables Ctrl-Break. It also restores the
original file date and time after the infection. Some parts of it were
taken from the Yankee Doodle virus, but nevertheless this is an entirely
new virus.
Gotcha 4
This is a resident COM infector. It is a stripped-down variant of
version 1. The special thing about this virus is that it contains
scan-strings of a few other viruses. These scan-strings are encrypted
and in every infected file one of them is decrypted. So scanners can be
fooled into thinking that there are up to 8 different other viruses when
a lot of files have been infected with this virus.
Gotcha 6
This version is the follow-up of version 1. This one has some additional
features. It can also infect files when they are opened, it avoids
infecting files matching the name *AN*.* (like SCAN.EXE, CLEAN.EXE,
TBSCAN.EXE etc.) and it won't infect files when the DOS environment
contains "E=mc²".
Gotcha 7
This is a minor bug-fix of version 6.
Gotcha 9
In this next version a few bugs are removed and the code has been made
a little more efficient. It can also infect files on more DOS
functions, like rename (56h), attribute (43h), findfirst (4Eh) and many
others. It now also avoids files matching the name V*.* (like VIRX.EXE,
VSHIELD.EXE, etc.).
Gotcha 17
This version is quite different from the others. It uses another technique
to access files, similar to that of many Bulgarian viruses (like 512). Other
things are made more efficient as well. This one only infects files when they
are executed or closed. It now also avoids files matching the name F*.*.
46 Virus
This is an extremely simple virus. It just overwrites all COM files in
its directory with a copy of itself. Its length is 46 bytes, hence the
name.
Seventh Son 1
This is a simple non-resident COM infecting virus. It will infect all
other COM files in its directory. It circumvents read-only attributes,
intercepts INT24, disables Ctrl-Break and keeps the original file date
and time when infecting. The virus contains a generation counter. If
both its own and the previous generation are 7, it will display the text
"Seventh son of a seventh son" on the screen. This virus was named after
an Iron Maiden song (yes, I admit, not very original).
Seventh Son 2
This version is a little bit smaller and more efficiently coded. This
virus also contains the text 'Virus' in Cyrillic (Вирус) at the end. This
has no special purpose, just to confuse some people.
Seventh Son 4
This version is again made smaller and more efficient.
Little Brother 1
This is a resident spawning EXE infector. It infects EXE files by
creating a COM file with the same name, without touching the EXE file.
The COM file only contains the complete virus. The first time the virus
is executed it will install itself in an unused part of memory (and not
run the original program). When DOS wants to execute a program, the virus
uses a clumsy algorithm to decide whether a COM or an EXE file should be
executed.
Little Brother 2
In this version a few bugs are removed and it is also a bit more
efficiently coded.
Little Brother 3
This version works a little differently from the previous two. This
one doesn't use the resident algorithm anymore to decide whether to
execute a COM or an EXE file. Instead the original EXE program is
spawned from the COM program (the virus).
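The Little Brother entries describe a spawning (companion) infector: the EXE is never touched, a small COM with the same base name is dropped beside it, and because DOS resolves a bare program name as COM first, then EXE, then BAT, the COM runs instead. A defender can look for exactly that footprint. The following is an added example in Python, not code from this list or from any of the viruses: it walks a directory tree, pairs every COM with a same-named EXE in the same directory, and reports when the COM is small and when byte-identical COMs sit next to several different EXEs (the list says the dropped COM "only contains the complete virus", so every copy is the same). The 1 KiB size threshold, the function names and the sample directory tree are constructed for this demo.

```python
"""Companion-file finder: flags .COM files that share a base name with an .EXE.

Added example, not part of the original list. A spawning virus such as the
Little Brother family drops a small COM next to each EXE; because COMMAND.COM
resolves a bare program name as COM, then EXE, then BAT, the COM runs first.
The size threshold and the sample tree below are constructed for this demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

SMALL_COM_LIMIT = 1024  # assumption: a spawned COM carrying only the virus is tiny


def find_companions(root: str | os.PathLike) -> list[tuple[Path, Path]]:
    """Return (com, exe) pairs that share a base name in the same directory.

    Name matching is case-insensitive, as on DOS and Windows file systems.
    """
    pairs: list[tuple[Path, Path]] = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem: dict[str, dict[str, Path]] = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem[stem.upper()][ext.upper()] = Path(dirpath) / name
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".COM" in exts and ".EXE" in exts:
                pairs.append((exts[".COM"], exts[".EXE"]))
    return pairs


def suspicious_companions(root: str | os.PathLike) -> list[dict]:
    """Score each companion pair.

    A pair is reported with its COM size and, more tellingly, with the number
    of byte-identical COMs found next to other EXEs: a spawning virus writes
    the same dropper everywhere, a legitimate COM/EXE pair does not.
    """
    pairs = find_companions(root)
    digests = {com: hashlib.sha256(com.read_bytes()).hexdigest() for com, _ in pairs}
    copies: dict[str, int] = defaultdict(int)
    for digest in digests.values():
        copies[digest] += 1
    report = []
    for com, exe in pairs:
        size = com.stat().st_size
        report.append({
            "com": com, "exe": exe, "size": size,
            "small": size <= SMALL_COM_LIMIT,
            "identical_copies": copies[digests[com]],
        })
    return report


def build_sample_tree(base: str | os.PathLike) -> Path:
    """Constructed sample directory; the byte contents are arbitrary filler."""
    base = Path(base)
    (base / "UTIL").mkdir(parents=True, exist_ok=True)
    filler = bytes(range(256)) + b"\0" * 44             # 300 bytes of filler
    (base / "EDIT.EXE").write_bytes(b"MZ" + b"\0" * 4094)
    (base / "EDIT.COM").write_bytes(filler)             # companion of EDIT.EXE
    (base / "UTIL" / "GAME.EXE").write_bytes(b"MZ" + b"\0" * 8190)
    (base / "UTIL" / "GAME.COM").write_bytes(filler)    # identical bytes: same dropper
    (base / "WORD.EXE").write_bytes(b"MZ" + b"\0" * 2046)   # lone EXE, no companion
    (base / "HELLO.COM").write_bytes(b"\xc3" * 50)      # lone COM, nothing to shadow
    return base


def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return suspicious_companions(tmp)


if __name__ == "__main__":
    for row in run_demo():
        note = f" (identical to {row['identical_copies'] - 1} other COM)" if row["identical_copies"] > 1 else ""
        print(f"{row['com'].name} shadows {row['exe'].name}: {row['size']} bytes{note}")
```

The same precedence survives on modern Windows: cmd.exe's default PATHEXT lists .COM before .EXE, so a same-named COM still shadows its EXE there. Point the scanner at a real tree by calling suspicious_companions() on it directly.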
Tiny 126
This is a small resident COM infecting virus. It is written as an attempt
to write the smallest possible virus. The length of this virus is 126
bytes. It does NOT re-infect programs that are already infected. This
virus hides in memory at address 0050:0100.
Tiny 124
This one is exactly the same as the previous one, only it hides at address
0000:0100. That location is part of the interrupt area, and because of
that this virus is very unstable. It crashes very often, but nevertheless
it is able to infect files.
Tiny 124B
This is a variant of version 126. It will not infect COM files that begin
with a near JMP (E9h). This version has the disadvantage that it also
tries to infect EXE files. Infected EXE files will not function anymore.
Tiny 122
This one is based on version 124. It has the same disadvantage as
version 124B.
Mini 99
This is a small non-resident COM infecting virus. Like the previously
mentioned viruses, this one too was written as an attempt to write the
smallest possible virus. A big part of the code is similar although it
is a different type of virus. This virus will infect all COM files in
its directory.
Mini 97
This version is 2 bytes smaller. It will not infect COM files that begin
with a near JMP (E9h).
Mini 91
This version only tries to infect the first COM file in its directory.
Mini 117
This one is a slightly improved variant. It will infect only the first
uninfected COM file in its directory (if the first one is infected it
will infect the second one).
Mini 111
This is an improved version of Mini 97. This one will keep the original
DTA area, so programs that use command-line input will still function.
Cannabis 1
This is an overwriting floppy bootsector virus. It is a sort of
combination of a (simplified) bootsector and a virus. Instead of
keeping the original bootsector somewhere else on the disk, it just
overwrites the original bootsector. When an infected floppy is booted,
the virus installs itself in memory and then prints the message
"Non-System disk or disk error Replace and press a key when ready" on
the screen. Then it tries to boot again. One has to boot from another
disk or from the hard disk to continue. But the virus will stay resident
in memory. Sometimes the virus will print the message "Hey man, I don't
wanna work. I'm too stoned right now..." on the screen when booting, and
the computer will then hang.
Cannabis 2
Unlike the previous version, this one is able to boot from the infected
disk, just like normal bootsectors. It doesn't contain the part that
writes the "Hey man..." message anymore.
Cannabis 3
This is a minor bug-fix of version 2. The previous versions had a serious
bug: they sometimes wrote to the wrong side of the floppy.
Pogue Mahone
This one is the most famous virus of this collection. It is a resident
COM infecting virus. It's based on the last version of the Gotcha virus.
The most remarkable thing about this virus is that it uses the Mutation
Engine (MtE). The Mutation Engine is a small module written by "Dark
Avenger", which can be included in viruses to make them polymorphic.
This virus does not infect files matching the name CO*.COM (like
COMMAND.COM). When the virus becomes resident between 1:00 and 9:00
it will play the song 'Streams of Whiskey' (by The Pogues!). On the first
of May it will play another song.
Redhair ANSI bomb
This is not a virus but an ANSI bomb. Unlike most other bombs this one
does not destroy anything. This bomb is in fact both an ANSI picture and
a COM file. The COM file is infected with the MINI-117 virus. When the
ANSI bomb triggers (when the backslash key is pressed) it will rename
itself to X.COM and then execute X.COM. So the virus is then activated!
After that it changes its name back to REDHAIR.ANS.
ANSI virus
This is another program that uses ANSI techniques. It's not just an ANSI
bomb but an ANSI virus! Many people think ANSI viruses don't exist, but
this one proves them wrong. This one uses the same trick as Redhair: it is
an ANSI picture and a COM program at the same time. When activated, it
will overwrite one .ANS file in the directory with a copy of itself. It
adjusts the text in the virus to the victim's filename.
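Both the Redhair ANSI bomb and the ANSI virus depend on ANSI.SYS keyboard redefinition: the documented sequence ESC[code;string;...p makes ANSI.SYS inject the given string whenever the key with that code is pressed (extended keys such as F1 use 0;scancode), which is what turns a picture file into a keystroke injector. The following is an added example in Python, not code from this list or from either program: a scanner that walks the escape sequences in an .ANS file, ignores colour and cursor sequences, and returns every key redefinition together with the text it would type. The key/parameter layout follows the ANSI.SYS syntax; SAMPLE_ANS, the function names and the harmless "dir" replacement are constructed for this demo.

```python
"""Scanner for ANSI.SYS keyboard-redefinition sequences in .ANS files.

Added example, not part of the original list. ANSI.SYS accepts
    ESC [ key ; replacement ; ... p    (key = ASCII code, or 0;scan for extended keys)
and afterwards injects the replacement whenever that key is pressed. Colours,
cursor moves and other sequences are left alone. The sample file below is
constructed for this demo and remaps two keys to harmless text.
"""
from __future__ import annotations

from dataclasses import dataclass

ESC = "\x1b"


@dataclass
class KeyRemap:
    key: str          # "92" for backslash, "0;59" for the extended key F1
    replacement: str  # text ANSI.SYS would type when the key is pressed
    offset: int       # offset of the ESC byte in the file


def _split_params(body: str) -> list[str]:
    """Split on ';' outside double quotes; quoted strings may contain ';'."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _decode(parts: list[str]) -> str:
    """Replacement parameters are quoted strings or decimal character codes."""
    out = []
    for p in parts:
        if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
            out.append(p[1:-1])
        elif p.isdigit():
            out.append(chr(int(p)))
    return "".join(out)


def find_key_remaps(data: bytes) -> list[KeyRemap]:
    """Return every key-redefinition sequence (final byte 'p') in the data."""
    text = data.decode("latin-1")     # byte-transparent; .ANS files are CP437
    found: list[KeyRemap] = []
    i = 0
    while True:
        i = text.find(ESC + "[", i)
        if i < 0:
            break
        j = i + 2
        in_quote = False
        # The final byte of a CSI sequence lies in '@'..'~', but quoted strings
        # inside a redefinition may contain such letters, so track quotes.
        while j < len(text):
            ch = text[j]
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and "@" <= ch <= "~":
                break
            j += 1
        if j >= len(text):
            break                     # unterminated sequence at end of file
        body, final = text[i + 2:j], text[j]
        if final == "p" and body:
            parts = _split_params(body)
            if parts[0] == "0" and len(parts) > 1:   # extended key: 0;scancode
                key, rest = "0;" + parts[1], parts[2:]
            else:
                key, rest = parts[0], parts[1:]
            found.append(KeyRemap(key, _decode(rest), i))
        i = j + 1
    return found


# Constructed sample: two colour sequences (benign) and two redefinitions.
SAMPLE_ANS = (
    b"\x1b[1;32mHello\x1b[0m\r\n"
    b'\x1b[92;"dir";13p'              # backslash (ASCII 92) now types "dir" + Enter
    b'\x1b[0;59;"echo hi";13p'        # F1 (extended 0;59) now types "echo hi" + Enter
)

if __name__ == "__main__":
    for r in find_key_remaps(SAMPLE_ANS):
        print(f"offset {r.offset}: key {r.key} -> {r.replacement!r}")
```

Any redefinition at all in a file that is supposed to be a picture is the signal; the replacement text tells you what a viewer would have had typed on their behalf.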
Legalize
This is another virus that is based on Gotcha 17. It is a resident
COM and EXE infector. It doesn't infect CO*.*. The special thing about
this virus is that it will display a picture of a large green hemp leaf
when the virus becomes resident on Fridays. After showing the picture,
the virus will ask the user a few questions about what he/she thinks
about legalizing cannabis. After this, the virus will quit to DOS.
The picture in the virus is packed with DIET to keep the virus small.
A few small bugs from Gotcha 17 are fixed in this virus, but unfortunately
this virus has a new bug which causes some infected EXE programs to crash.
Coffeeshop 1
This one is based on Gotcha 17 and Legalize. Originally it was planned
to be a final bug-free version of Gotcha, but later I put the picture
routine from Legalize in it. Although it is based on Gotcha 17, a large
part of it has changed. It infects COM or EXE files when it is executed
or opened with DOS function 6C00h. It avoids infecting several known
programs that use a self-check (like most virus scanners). It also doesn't
infect several other files, like Windows files, files with internal
overlays etc. The virus doesn't use any undocumented features of DOS
anymore. I wanted it to be as compatible as possible. The picture routine
is also improved. It activates on Fridays on a pseudo-random basis when the
virus becomes resident. It will then show the big green hemp leaf and
after that it will continue with the original program (unlike Legalize).
Coffeeshop 2
This virus is very similar to the previous one, but with MtE included.
It only infects EXE files. At the time this virus was made a lot of
scanners claimed that they were able to detect MtE, but none of them
could detect this virus.
Coffeeshop 3
This one too is very similar to the previous ones. Like version 2,
this one is also highly polymorphic. But instead of using MtE, I wrote
the encryption routine myself. It infects both COM and EXE files.
Coffeeshop 4
This is a minor bugfix of version 3. This one can also activate when
the virus is already resident.
Virus_for_Windows 1.4
This is a primitive non-resident virus that only infects Windows EXE
programs. As far as I know this is the first known Windows virus. It
will try to infect all Windows EXE files in its directory. This virus
has a big problem: it is not able to execute the original program.
As a solution to this the virus will disinfect itself after infecting
the other programs. So one has to execute infected programs twice to
execute the original program. This virus will only infect programs which
have a big enough data-segment.
MK Worm
This is not a real virus, but some simple kind of worm. It does not
infect programs in any way. Instead it will only copy itself to a few
other directories on the disk from which it was executed. Each variant
will have a different name and also their lengths will be slightly
different. It can spread because many people are used to trying out every
new executable file they get, and many people often use the command
'COPY *.*'.
Cruncher 1.0
This is a virus that uses data-compression. It is a resident COM
infector, based on the Coffeeshop series. It compresses the victim file
after infection. So the virus will be compressed together with the
original program. The compression algorithm is the same as that of the
program 'Diet'.
Cruncher 2.0
This version also infects EXE files.
Cruncher 2.1
This version is almost identical to version 2.0, but this one asks permission
from the user before going resident. This feature changes it from a
naughty virus into a user-friendly automatic compression utility!
TPE 1.1
This is an OBJ module that can be linked to a virus to make it
polymorphic. It can be used in a similar way as the famous MtE
module. The encryption routine of TPE is taken from Coffeeshop
version 3/4.
TPE 1.2
This is a bugfix. The previous version often produced decryption
routines that didn't work on all processor types.
TPE 1.3
This is another bugfix. This version is made fully relocatable
within a memory segment, which is very handy for non-resident
viruses. Also another incompatibility bug is fixed.
TPE 1.4
In this version the encryption/decryption algorithms are made more
complex. The previous versions could be detected by decrypting the
encrypted code.
PlayGame
This is a semi-stealth multipartite EXE infector. This virus infects
the master boot sector of the hard disk when an infected program is
executed. The virus only uses stealth techniques when a known anti-virus
program is executed or at the 'DIR' command. The payload of this virus
is a little arcade game that the user can play for fun. It activates in
December after 21:00.
DOS-1
This is a simple non-resident COM infector. It uses only FCB function
calls, so it is compatible with all previous DOS versions, including
version 1.0.
Bosnia
This is a variant of Coffeeshop 3/4, but with another picture routine.
The TPE 1.4 module is linked with this virus.
PCA virus
This is a very simple overwriting virus. After infecting it shows a
picture of the mascot of the Dutch magazine "PC Active". The picture
inside the virus is compressed in a special way, to keep the virus
small.
==============================================================================
Virus Characteristics List
ANSI keyboard remap-------------------+
Polymorphic-------------------------+ |
Infects Windows EXE files---------+ | |
Infects EXE files---------------+ | | |
Infects COM files-------------+ | | | |
Memory Resident-------------+ | | | | |
Overwriting---------------+ | | | | | |
Bootsector virus--------+ | | | | | | |
                        | | | | | | | |
                        V V V V V V V V Length
---------------------------------------------------
Gotcha 1                . . R C E . . . 732
Gotcha 4                . . R C . . . . 607
Gotcha 6                . . R C E . . . 879
Gotcha 7                . . R C E . . . 881
Gotcha 9                . . R C E . . . 906
Gotcha 17               . . R C E . . . 627
46 Virus                . O . C . . . . 46
Seventh Son 1           . . . C . . . . 350
Seventh Son 2           . . . C . . . . 332
Seventh Son 4           . . . C . . . . 284
Little Brother 1        . . R . E . . . 299
Little Brother 2        . . R . E . . . 307
Little Brother 3        . . R . E . . . 321
Tiny 126                . . R C . . . . 126
Tiny 124                . . R C . . . . 124
Tiny 124B               . . R C E . . . 124
Tiny 122                . . R C E . . . 122
Mini 99                 . . . C . . . . 99
Mini 97                 . . . C . . . . 97
Mini 91                 . . . C . . . . 91
Mini 117                . . . C . . . . 117
Mini 111                . . . C . . . . 111
Cannabis 1              B O R . . . . . 512
Cannabis 2              B O R . . . . . 512
Cannabis 3              B O R . . . . . 512
Pogue Mahone            . . R C . . P . 3017+
Redhair ANSI bomb       . . . . . . . A -
ANSI virus              . O . . . . . A 881
Legalize                . . R C E . . . 1781
Coffeeshop 1            . . R C E . . . 1568
Coffeeshop 2            . . R . E . P . 3792+
Coffeeshop 3            . . R C E . P . 3000+
Coffeeshop 4            . . R C E . P . 3000+
Virus_for_Windows 1.4   . . . . . W . . 854
MK Worm                 . . . . . . . . 715+
Cruncher 1.0            . . R C . . . . 2092-
Cruncher 2.0            . . R C E . . . 4000-
Cruncher 2.1            . . R C E . . . 4800-
TPE 1.1                 . . . . . . P . 1378
TPE 1.2                 . . . . . . P . 1355
TPE 1.3                 . . . . . . P . 1411
TPE 1.4                 . . . . . . P . 1637
PlayGame                B . R . E . . . 2000
DOS-1                   . . . C . . . . 184
Bosnia                  . . R C E . P . 3112+
PCA virus               . O . C . . . . 342

; ────────────────────────────────────────────────────────────────────────────
; ───────────────> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <───────────────
; ───────────> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <───────────
; ────────────────────────────────────────────────────────────────────────────