mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 22:45:27 +00:00

Gotcha 1

This was the first virus I wrote. It is a resident COM and EXE infector.
It infects programs when they are executed. It hides at the top of
conventional memory. When infecting it intercepts INT 24h, circumvents
the read-only attribute and disables Ctrl-Break. It also restores the
original file date and time after the infection. Some parts of it were
taken from the Yankee Doodle virus, but nevertheless this is an entirely
new virus.


Gotcha 4

This is a resident COM infector. It is a stripped-down variant of
version 1. The special thing about this virus is that it contains
scan-strings of a few other viruses. These scan-strings are encrypted
and in every infected file one of them is decrypted. So scanners can be
fooled into thinking that there are up to 8 different other viruses in
case a lot of files have been infected with this virus.


Gotcha 6

This version is the follow-up of version 1. This one has some additional
features. It can also infect files when they are opened, it avoids
infecting files matching the name *AN*.* (like SCAN.EXE, CLEAN.EXE,
TBSCAN.EXE etc...) and it won't infect files when the DOS environment
contains "E=mc²".


Gotcha 7

This is a minor bug-fix of version 6.


Gotcha 9

In this next version a few bugs are removed and the code has been made
a little more efficient. It can also infect files on more different DOS
functions like rename (56h), attribute (43h), findfirst (4Eh) and many
others. It now also avoids files matching the name V*.* (like VIRX.EXE,
VSHIELD.EXE, etc..).


Gotcha 17

This version is quite different from the others. It uses another technique
to access files, similar to that of many Bulgarian viruses (like 512). Also
other things are made more efficient. This one only infects files when they
are executed or closed. It now also avoids files matching the name F*.*.


46 Virus

This is an extremely simple virus. It just overwrites all COM files in
its directory with a copy of itself. Its length is 46 bytes, hence the
name.


Seventh Son 1

This is a simple non-resident COM infecting virus. It will infect all
other COM files in its directory. It circumvents read-only attributes,
intercepts INT 24h, disables Ctrl-Break and keeps the original file date
and time when infecting. The virus contains a generation counter. If
both its own and the previous generation are 7, it will display the text
"Seventh son of a seventh son" on the screen. This virus was named after
an Iron Maiden song (yes, I admit, not very original).


Seventh Son 2

This version is a little bit smaller and more efficiently coded. This
virus also contains the text 'Virus' in Cyrillic (Вирус) at the end. This
has no special purpose. Just to confuse some people.


Seventh Son 4

This version is again made smaller and more efficient.


Little Brother 1

This is a resident spawning EXE infector. It infects EXE files by
creating a COM file with the same name, without touching the EXE file.
The COM file only contains the complete virus. The first time the virus
is executed it will install itself in an unused part of memory (and not
run the original program). When DOS wants to execute a program, the virus
uses a clumsy algorithm to decide whether a COM or an EXE file should be
executed.


Little Brother 2

In this version a few bugs are removed and it is also a bit more
efficiently coded.


Little Brother 3

This version works a little differently from the previous two. This
one doesn't use the resident algorithm anymore to decide whether to
execute a COM or an EXE file. Instead the original EXE program is
spawned from the COM program (the virus).


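A defensive check derived from the spawning technique described for the Little Brother series: because the dropped COM file "only contains the complete virus", every companion COM in a directory is byte-identical, which a scanner can use as a heuristic. This is an added example, not code from the original file or from the viruses it describes; the directory, file names and file contents are constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def find_companion_pairs(directory):
    """Return (exe, com) pairs: a COM file whose base name matches an EXE in
    the same directory. DOS resolves NAME.COM before NAME.EXE, so the COM is
    what actually runs when the user types NAME."""
    directory = Path(directory)
    exes = {p.stem.upper(): p for p in directory.iterdir() if p.suffix.upper() == ".EXE"}
    pairs = []
    for com in sorted(directory.iterdir()):
        if com.suffix.upper() == ".COM" and com.stem.upper() in exes:
            pairs.append((exes[com.stem.upper()], com))
    return pairs


def suspicious_companions(directory):
    """Companion COMs that are byte-identical to another companion COM in the
    directory, keyed by SHA-256. A legitimate program ships at most one such
    pair; a spawning infector drops the same body next to every EXE it finds."""
    by_hash = defaultdict(list)
    for _exe, com in find_companion_pairs(directory):
        by_hash[hashlib.sha256(com.read_bytes()).hexdigest()].append(com)
    return {h: sorted(c.name for c in coms) for h, coms in by_hash.items() if len(coms) > 1}


def build_sample_dir():
    """Constructed sample (no real malware): two EXEs carry identical companion
    COMs, one EXE has a unique legitimate stub, one has none, one COM stands alone."""
    d = Path(tempfile.mkdtemp(prefix="companion_demo_"))
    body = b"constructed companion body"
    (d / "EDIT.EXE").write_bytes(b"MZ original editor")
    (d / "EDIT.COM").write_bytes(body)
    (d / "GAME.EXE").write_bytes(b"MZ original game")
    (d / "game.com").write_bytes(body)  # DOS file names are case-insensitive
    (d / "SETUP.EXE").write_bytes(b"MZ setup")
    (d / "SETUP.COM").write_bytes(b"unique stub that chains to SETUP.EXE")
    (d / "TOOL.EXE").write_bytes(b"MZ no companion")
    (d / "NOTE.COM").write_bytes(b"standalone COM program")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for exe, com in find_companion_pairs(sample):
        print(f"{com.name} shadows {exe.name}")
    for digest, names in suspicious_companions(sample).items():
        print(f"identical companion COMs {names} (sha256 {digest[:12]}...)")
```
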
Tiny 126

This is a small resident COM infecting virus. It is written as an attempt
to write the smallest possible virus. The length of this virus is 126
bytes. It does NOT re-infect programs that are already infected. This
virus hides in memory at address 0050:0100.


Tiny 124

This one is exactly the same as the previous one, only it hides at address
0000:0100. That location is part of the interrupt area, and because of
that this virus is very unstable. It crashes very often, but nevertheless
it is able to infect files.


Tiny 124B

This is a variant of version 126. It will not infect COM files that begin
with a near JMP (E9h). This version has the disadvantage that it also tries
to infect EXE files. Infected EXE files will not function anymore.


Tiny 122

This one is based on version 124. It has the same disadvantage as
version 124B.


Mini 99

This is a small non-resident COM infecting virus. Like the previously
mentioned viruses, this one too was written as an attempt to write the
smallest possible virus. A big part of the code is similar although it
is a different type of virus. This virus will infect all COM files in
its directory.


Mini 97

This version is 2 bytes smaller. It will not infect COM files that begin
with a near JMP (E9h).


Mini 91

This version only tries to infect the first COM file in its directory.


Mini 117

This one is a little bit improved variant. It will infect only the first
uninfected COM file in its directory (if the first one is infected it
will infect the second one).


Mini 111

This is an improved version of Mini 97. This one will keep the original
DTA area, so programs that use command-line input will still function.


Cannabis 1

This is an overwriting floppy bootsector virus. It is a sort of
combination of a (simplified) bootsector and a virus. Instead of
keeping the original bootsector somewhere else on the disk, it just
overwrites the original bootsector. When an infected floppy is booted,
the virus installs itself in memory and then prints the message
"Non-System disk or disk error Replace and press a key when ready" on
the screen. Then it tries to boot again. One has to boot from another
disk or from the hard disk to continue. But the virus will stay resident
in memory. Sometimes the virus will print the message "Hey man, I don't
wanna work. I'm too stoned right now..." on the screen when booting, and
the computer will then hang.


Cannabis 2

Unlike the previous version, this one is able to boot from the infected
disk, just like normal bootsectors. It doesn't contain the part that
writes the "Hey man..." message anymore.


Cannabis 3

This is a minor bug-fix of version 2. The previous versions had a serious
bug that they sometimes wrote to the wrong side of the floppy.


Pogue Mahone

This one is the most famous virus of this collection. It is a resident
COM infecting virus. It is based on the last version of the Gotcha virus.
The most remarkable thing about this virus is that it uses the Mutation
Engine (MtE). The Mutation Engine is a small module written by "Dark
Avenger", which can be included in viruses to make them polymorphic.
This virus does not infect files matching the name CO*.COM (like
COMMAND.COM). When the virus becomes resident between 1:00 and 9:00
it will play the song 'Streams of Whiskey' (by The Pogues!). On the first
of May it will play another song.


Redhair ANSI bomb

This is not a virus but an ANSI bomb. Unlike most other bombs this one
does not destroy anything. This bomb is in fact both an ANSI picture and
a COM file. The COM file is infected with the MINI-117 virus. When the
ANSI bomb triggers (when the backslash key is pressed) it will rename
itself to X.COM and then execute X.COM. So the virus is then activated!
After that it changes its name back to REDHAIR.ANS.


ANSI virus

This is another program that uses ANSI techniques. It's not just an ANSI
bomb but an ANSI virus! Many people think ANSI viruses don't exist, but
this one proves them wrong. This one uses the same trick as Redhair: it is
at the same time an ANSI picture and a COM program. When activated, it
will overwrite one .ANS file in the directory with a copy of itself. It
adjusts the text in the virus to the victim's filename.


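Both Redhair and the ANSI virus depend on the ANSI.SYS keyboard-reassignment sequence (ESC [ key ; replacement ... p) to make a key press type a command line. The detector below, added here as an example and not code from the original file, parses those sequences out of an .ANS file and flags any remap that ends with Enter; the sample bytes are constructed and the remap they contain (backslash types "dir") is harmless.

```python
import re
from dataclasses import dataclass

# ANSI.SYS keyboard reassignment: ESC [ key ; replacement ... p
# Each token is a decimal ASCII/scan code or a double-quoted string.
_TOKEN_RE = re.compile(rb'\d+|"[^"]*"')
_REMAP_RE = re.compile(rb'\x1b\[((?:\d+|"[^"\x1b]*")(?:;(?:\d+|"[^"\x1b]*"))*)p')


@dataclass
class KeyRemap:
    offset: int         # byte offset of the sequence in the file
    key: str            # which key gets redefined
    replacement: str    # what a press of that key now types
    runs_command: bool  # True if the replacement presses Enter (CR, code 13)


def _decode_tokens(tokens):
    """Turn numeric codes and quoted strings into the text they would type."""
    out = []
    for tok in tokens:
        out.append(tok[1:-1].decode("cp437") if tok.startswith(b'"') else chr(int(tok)))
    return "".join(out)


def find_key_remaps(data: bytes):
    """Return every keyboard reassignment found in an ANSI file."""
    found = []
    for m in _REMAP_RE.finditer(data):
        tokens = _TOKEN_RE.findall(m.group(1))
        # extended keys (function keys, arrows) are written as 0;scancode
        if tokens[0] == b"0" and len(tokens) > 1 and tokens[1].isdigit():
            key, rest = f"extended scan code 0;{int(tokens[1])}", tokens[2:]
        elif tokens[0].isdigit():
            key, rest = chr(int(tokens[0])), tokens[1:]
        else:
            key, rest = tokens[0][1:-1].decode("cp437"), tokens[1:]
        replacement = _decode_tokens(rest)
        found.append(KeyRemap(m.start(), key, replacement, "\r" in replacement))
    return found


def is_ansi_bomb(data: bytes) -> bool:
    """A picture has no reason to redefine a key so that it types a command line."""
    return any(r.runs_command for r in find_key_remaps(data))


# Constructed sample: colour codes only (benign), then the same picture plus
# one remap that makes the backslash key (ASCII 92) type "dir" and press Enter.
SAMPLE_BENIGN = b"\x1b[31m*\x1b[32m*\x1b[0m picture\r\n"
SAMPLE_BOMB = SAMPLE_BENIGN + b'\x1b[92;"dir";13p' + b"more picture\r\n"

if __name__ == "__main__":
    for r in find_key_remaps(SAMPLE_BOMB):
        print(f"offset {r.offset}: key {r.key!r} now types {r.replacement!r}")
    print("bomb:", is_ansi_bomb(SAMPLE_BOMB), "benign:", is_ansi_bomb(SAMPLE_BENIGN))
```
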
Legalize

This is another virus that is based on Gotcha 17. It is a resident
COM and EXE infector. It doesn't infect CO*.*. The special thing about
this virus is that it will display a picture of a large green hemp leaf
when the virus becomes resident on Fridays. After showing the picture,
the virus will ask the user a few questions about what he/she thinks
about legalizing cannabis. After this, the virus will quit to DOS.
The picture in the virus is packed with DIET to keep the virus small.
A few small bugs from Gotcha 17 are fixed in this virus, but unfortunately
this virus has a new bug which causes some infected EXE programs to crash.


Coffeeshop 1

This one is based on Gotcha 17 and Legalize. Originally it was planned
to be a final bug-free version of Gotcha, but later I put the picture
routine from Legalize in it. Although it is based on Gotcha 17, a large
part of it has changed. It infects COM or EXE files when it is executed
or opened with DOS function 6C00h. It avoids infecting several known
programs that use a self-check (like most virus scanners). It also doesn't
infect several other files, like Windows files, files with internal
overlays etc. The virus doesn't use any undocumented features of DOS
anymore. I wanted it to be as compatible as possible. The picture routine
is also improved. It activates on Fridays on a pseudo-random basis when the
virus becomes resident. It will then show the big green hemp leaf and
after that it will continue with the original program (unlike Legalize).


Coffeeshop 2

This virus is very similar to the previous one, but with MtE included.
It only infects EXE files. At the time this virus was made a lot of
scanners claimed that they were able to detect MtE, but none of them
could detect this virus.


Coffeeshop 3

This one too is very similar to the previous ones. Like version 2,
this one is also highly polymorphic. But instead of using MtE, I wrote
the encryption routine myself. It infects both COM and EXE files.


Coffeeshop 4

This is a minor bugfix of version 3. This one can also activate when
the virus is already resident.


Virus_for_Windows 1.4

This is a primitive non-resident virus that only infects Windows EXE
programs. As far as I know this is the first known Windows virus. It
will try to infect all Windows EXE files in its directory. This virus
has a big problem: it is not able to execute the original program.
As a solution to this the virus will disinfect itself after infecting
the other programs. So one has to execute infected programs twice to
execute the original program. This virus will only infect programs which
have a big enough data-segment.


MK Worm

This is not a real virus, but some simple kind of worm. It does not
infect programs in any way. Instead it will only copy itself to a few
other directories on the disk from which it was executed. Each variant
will have a different name and also their lengths will be slightly
different. It can spread because many people are used to trying out every
new executable file they get, and many people often use the command
'COPY *.*'.


Cruncher 1.0

This is a virus that uses data-compression. It is a resident COM
infector, based on the Coffeeshop series. It compresses the victim file
after infection. So the virus will be compressed together with the
original program. The compression algorithm is the same as that of the
program 'Diet'.


Cruncher 2.0

This version also infects EXE files.


Cruncher 2.1

This version is almost equal to version 2.0 but this one asks permission
from the user before going resident. This feature changes it from a
naughty virus into a user-friendly automatic compression utility!


TPE 1.1

This is an OBJ module that can be linked to a virus to make it
polymorphic. It can be used in a similar way as the famous MtE
module. The encryption routine of TPE is taken from Coffeeshop
version 3/4.


TPE 1.2

This is a bugfix. The previous version often produced decryption
routines that didn't work on all processor types.


TPE 1.3

This is another bugfix. This version is made fully relocatable
within a memory segment, which is very handy for non-resident
viruses. Also another incompatibility bug is fixed.


TPE 1.4

In this version the encryption/decryption algorithms are made more
complex. The previous versions could be detected by decrypting the
encrypted code.


PlayGame

This is a semi-stealth multi-partite EXE-infector. This virus infects
the master bootsector of the hard disk when an infected program is
executed. The virus only uses stealth techniques when a known anti-virus
program is executed or at the 'DIR' command. The payload of this virus
is a little arcade game that the user can play for fun. It activates in
December after 21:00.


DOS-1

This is a simple non-resident COM infector. It uses only FCB function
calls, so it is compatible with all previous DOS versions, including
version 1.0.


Bosnia

This is a variant of Coffeeshop 3/4, but with another picture routine.
The TPE 1.4 module is linked with this virus.


PCA virus

This is a very simple overwriting virus. After infecting it shows a
picture of the mascot of the Dutch magazine "PC Active". The picture
inside the virus is compressed in a special way, to keep the virus
small.


==============================================================================


Virus Characteristics List


ANSI keyboard remap-------------------+
Polymorphic-------------------------+ |
Infects Windows EXE files---------+ | |
Infects EXE files---------------+ | | |
Infects COM files-------------+ | | | |
Memory Resident-------------+ | | | | |
Overwriting---------------+ | | | | | |
Bootsector virus--------+ | | | | | | |
                        | | | | | | | |
                        V V V V V V V V Length
---------------------------------------------------
Gotcha 1                . . R C E . . .    732
Gotcha 4                . . R C . . . .    607
Gotcha 6                . . R C E . . .    879
Gotcha 7                . . R C E . . .    881
Gotcha 9                . . R C E . . .    906
Gotcha 17               . . R C E . . .    627
46 Virus                . O . C . . . .     46
Seventh Son 1           . . . C . . . .    350
Seventh Son 2           . . . C . . . .    332
Seventh Son 4           . . . C . . . .    284
Little Brother 1        . . R . E . . .    299
Little Brother 2        . . R . E . . .    307
Little Brother 3        . . R . E . . .    321
Tiny 126                . . R C . . . .    126
Tiny 124                . . R C . . . .    124
Tiny 124B               . . R C E . . .    124
Tiny 122                . . R C E . . .    122
Mini 99                 . . . C . . . .     99
Mini 97                 . . . C . . . .     97
Mini 91                 . . . C . . . .     91
Mini 117                . . . C . . . .    117
Mini 111                . . . C . . . .    111
Cannabis 1              B O R . . . . .    512
Cannabis 2              B O R . . . . .    512
Cannabis 3              B O R . . . . .    512
Pogue Mahone            . . R C . . P .  3017+
Redhair ANSI bomb       . . . . . . . A      -
ANSI virus              . O . . . . . A    881
Legalize                . . R C E . . .   1781
Coffeeshop 1            . . R C E . . .   1568
Coffeeshop 2            . . R . E . P .  3792+
Coffeeshop 3            . . R C E . P .  3000+
Coffeeshop 4            . . R C E . P .  3000+
Virus_for_Windows 1.4   . . . . . W . .    854
MK Worm                 . . . . . . . .   715+
Cruncher 1.0            . . R C . . . .  2092-
Cruncher 2.0            . . R C E . . .  4000-
Cruncher 2.1            . . R C E . . .  4800-
TPE 1.1                 . . . . . . P .   1378
TPE 1.2                 . . . . . . P .   1355
TPE 1.3                 . . . . . . P .   1411
TPE 1.4                 . . . . . . P .   1637
PlayGame                B . R . E . . .   2000
Dos-1                   . . . C . . . .    184
Bosnia                  . . R C E . P .  3112+
PCA virus               . O . C . . . .    342


; ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt
; ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/?