mirror of https://github.com/vxunderground/MalwareSourceCode.git (synced 2025-01-19 00:28:50 +00:00)
Gotcha 1

This was the first virus I wrote. It is a resident COM and EXE infector.
It infects programs when they are executed. It hides at the top of
conventional memory. When infecting it intercepts INT24, circumvents
the read-only attribute and disables Ctrl-Break. It also restores the
original file date and time after the infection. Some parts of it were
taken from the Yankee Doodle virus, but nevertheless this is an entirely
new virus.


Gotcha 4

This is a resident COM infector. It is a stripped-down variant of
version 1. The special thing about this virus is that it contains
scan-strings of a few other viruses. These scan-strings are encrypted
and in every infected file one of them is decrypted. So scanners can be
fooled into thinking that there are up to 8 different other viruses in
case a lot of files have been infected with this virus.


Gotcha 6

This version is the follow-up of version 1. This one has some additional
features. It can also infect files when they are opened, it avoids
infecting files matching the name *AN*.* (like SCAN.EXE, CLEAN.EXE,
TBSCAN.EXE etc...) and it won't infect files when the DOS environment
contains "E=mc²".


Gotcha 7

This is a minor bug-fix of version 6.


Gotcha 9

In this version a few bugs are removed and the code has been made
a little more efficient. It can also infect files on more DOS
functions like rename (56h), attribute (43h), findfirst (4Eh) and many
others. It now also avoids files matching the name V*.* (like VIRX.EXE,
VSHIELD.EXE, etc..).


Gotcha 17

This version is quite different from the others. It uses another technique
to access files, similar to many Bulgarian viruses (like 512). Other
things are made more efficient too. This one only infects files when they
are executed or closed. It now also avoids files matching the name F*.*.


46 Virus

This is an extremely simple virus. It just overwrites all COM files in
its directory with a copy of itself. Its length is 46 bytes, hence the
name.


Seventh Son 1

This is a simple non-resident COM infecting virus. It will infect all
other COM files in its directory. It circumvents read-only attributes,
intercepts INT24, disables Ctrl-Break and keeps the original file date
and time when infecting. The virus contains a generation counter. If
both its own and the previous generation are 7, it will display the text
"Seventh son of a seventh son" on the screen. This virus was named after
an Iron Maiden song (yes, I admit, not very original).


Seventh Son 2

This version is a little bit smaller and more efficiently coded. This
virus also contains the text 'Virus' in Cyrillic (Вирус) at the end. This
has no special purpose. Just to confuse some people.


Seventh Son 4

This version is again made smaller and more efficient.


Little Brother 1

This is a resident spawning EXE infector. It infects EXE files by
creating a COM file with the same name, without touching the EXE file.
The COM file only contains the complete virus. The first time the virus
is executed it will install itself in an unused part of memory (and not
run the original program). When DOS wants to execute a program, the virus
uses a clumsy algorithm to decide whether a COM or an EXE file should be
executed.


Little Brother 2

In this version a few bugs are removed and it is also a bit more
efficiently coded.


Little Brother 3

This version works a little bit differently from the previous two. This
one doesn't use the resident algorithm anymore to decide whether to
execute a COM or an EXE file. Instead the original EXE program is
spawned from the COM program (the virus).


Tiny 126

This is a small resident COM infecting virus. It is written as an attempt
to write the smallest possible virus. The length of this virus is 126
bytes. It does NOT re-infect programs that are already infected. This
virus hides in memory at address 0050:0100.


Tiny 124

This one is exactly the same as the previous one, only it hides at address
0000:0100. That location is part of the interrupt area, and because of
that this virus is very unstable. It crashes very often, but nevertheless
it is able to infect files.


Tiny 124B

This is a variant of version 126. It will not infect COM files that begin
with a near JMP (E9h). This version has the disadvantage that it also tries
to infect EXE files. Infected EXE files will not function anymore.


Tiny 122

This one is based on version 124. It has the same disadvantage as
version 124B.


Mini 99

This is a small non-resident COM infecting virus. Like the previously
mentioned viruses, this one too was written as an attempt to write the
smallest possible virus. A big part of the code is similar although it
is a different type of virus. This virus will infect all COM files in
its directory.


Mini 97

This version is 2 bytes smaller. It will not infect COM files that begin
with a near JMP (E9h).


Mini 91

This version only tries to infect the first COM file in its directory.


Mini 117

This one is a slightly improved variant. It will infect only the first
uninfected COM file in its directory (if the first one is infected it
will infect the second one).


Mini 111

This is an improved version of Mini 97. This one will keep the original
DTA area, so programs that use command-line input will still function.


Cannabis 1

This is an overwriting floppy bootsector virus. It is a sort of
combination of a (simplified) bootsector and a virus. Instead of
keeping the original bootsector somewhere else on the disk, it just
overwrites the original bootsector. When an infected floppy is booted,
the virus installs itself in memory and then prints the message
"Non-System disk or disk error Replace and press a key when ready" on
the screen. Then it tries to boot again. One has to boot from another
disk or from the hard disk to continue. But the virus will stay resident
in memory. Sometimes the virus will print the message "Hey man, I don't
wanna work. I'm too stoned right now..." on the screen when booting, and
the computer will then hang.


Cannabis 2

Unlike the previous version, this one is able to boot from the infected
disk, just like normal bootsectors. It doesn't contain the part that
writes the "Hey man..." message anymore.


Cannabis 3

This is a minor bug-fix of version 2. The previous versions had a serious
bug: they sometimes wrote to the wrong side of the floppy.


Pogue Mahone

This one is the most famous virus of this collection. It is a resident
COM infecting virus. It's based on the last version of the Gotcha virus.
The most remarkable thing about this virus is that it uses the Mutation
Engine (MtE). The Mutation Engine is a small module written by "Dark
Avenger", which can be included in viruses to make them polymorphic.
This virus does not infect files matching the name CO*.COM (like
COMMAND.COM). When the virus becomes resident between 1:00 and 9:00
it will play the song 'Streams of Whiskey' (by The Pogues!). On the first
of May it will play another song.


Redhair ANSI bomb

This is not a virus but an ANSI bomb. Unlike most other bombs this one
does not destroy anything. This bomb is in fact both an ANSI picture and
a COM file. The COM file is infected with the MINI-117 virus. When the
ANSI bomb triggers (when the backslash key is pressed) it will rename
itself to X.COM and then execute X.COM. So the virus is then activated!
After that it changes its name back to REDHAIR.ANS.


ANSI virus

This is another program that uses ANSI techniques. It's not just an ANSI
bomb but an ANSI virus! Many people think ANSI viruses don't exist, but
this one proves them wrong. This one uses the same trick as Redhair: it is
at the same time an ANSI picture and a COM program. When activated, it
will overwrite one .ANS file in the directory with a copy of itself. It
adjusts the text in the virus to the victim's filename.


Legalize

This is another virus that is based on Gotcha 17. It is a resident
COM and EXE infector. It doesn't infect CO*.*. The special thing about
this virus is that it will display a picture of a large green hemp leaf
when the virus becomes resident on Fridays. After showing the picture,
the virus will ask the user a few questions about what he/she thinks
about legalizing cannabis. After this, the virus will quit to DOS.
The picture in the virus is packed with DIET to keep the virus small.
A few small bugs from Gotcha 17 are fixed in this virus, but unfortunately
this virus has a new bug which causes some infected EXE programs to crash.


Coffeeshop 1

This one is based on Gotcha 17 and Legalize. Originally it was planned
to be a final bug-free version of Gotcha, but later I put the picture
routine from Legalize in it. Although it is based on Gotcha 17, a large
part of it has changed. It infects COM or EXE files when they are executed
or opened with DOS function 6C00h. It avoids infecting several known
programs that use a self-check (like most virus scanners). It also doesn't
infect several other files, like Windows files, files with internal
overlays etc. The virus doesn't use any undocumented features of DOS
anymore. I wanted it to be as compatible as possible. The picture routine
is also improved. It activates on Fridays on a pseudo-random basis when the
virus becomes resident. It will then show the big green hemp leaf and
after that it will continue with the original program (unlike Legalize).


Coffeeshop 2

This virus is very similar to the previous one, but with MtE included.
It only infects EXE files. At the time this virus was made a lot of
scanners claimed that they were able to detect MtE, but none of them
could detect this virus.


Coffeeshop 3

This one too is very similar to the previous ones. Like version 2,
this one is also highly polymorphic. But instead of using MtE, I wrote
the encryption routine myself. It infects both COM and EXE files.


Coffeeshop 4

This is a minor bugfix of version 3. This one can also activate when
the virus is already resident.


Virus_for_Windows 1.4

This is a primitive non-resident virus that only infects Windows EXE
programs. As far as I know this is the first known Windows virus. It
will try to infect all Windows EXE files in its directory. This virus
has a big problem: it is not able to execute the original program.
As a solution to this the virus will disinfect itself after infecting
the other programs. So one has to execute infected programs twice to
execute the original program. This virus will only infect programs which
have a big enough data-segment.


MK Worm

This is not a real virus, but some simple kind of worm. It does not
infect programs in any way. Instead it will only copy itself to a few
other directories on the disk from which it was executed. Each variant
will have a different name and also their lengths will be slightly
different. It can spread because many people are used to trying out every
new executable file they get, and many people often use the command
'COPY *.*'.


Cruncher 1.0

This is a virus that uses data-compression. It is a resident COM
infector, based on the Coffeeshop series. It compresses the victim file
after infection. So the virus will be compressed together with the
original program. The compression algorithm is the same as that of the
program 'Diet'.


Cruncher 2.0

This version also infects EXE files.


Cruncher 2.1

This version is almost equal to version 2.0 but this one asks permission
from the user before going resident. This feature changes it from a
naughty virus into a user-friendly automatic compression utility!


TPE 1.1

This is an OBJ module that can be linked to a virus to make it
polymorphic. It can be used in a similar way as the famous MtE
module. The encryption routine of TPE is taken from Coffeeshop
version 3/4.


TPE 1.2

This is a bugfix. The previous version often produced decryption
routines that didn't work on all processor types.


TPE 1.3

This is another bugfix. This version is made fully relocatable
within a memory segment, which is very handy for non-resident
viruses. Also another incompatibility bug is fixed.


TPE 1.4

In this version the encryption/decryption algorithms are made more
complex. The previous versions could be detected by decrypting the
encrypted code.


PlayGame

This is a semi-stealth multi-partite EXE-infector. This virus infects
the master bootsector of the hard disk when an infected program is
executed. The virus only uses stealth techniques when a known anti-virus
program is executed or at the 'DIR' command. The payload of this virus
is a little arcade game that the user can play for fun. It activates in
December after 21:00.


DOS-1

This is a simple non-resident COM infector. It uses only FCB function
calls, so it is compatible with all previous DOS versions, including
version 1.0.


Bosnia

This is a variant of Coffeeshop 3/4, but with another picture routine.
The TPE 1.4 module is linked with this virus.


PCA virus

This is a very simple overwriting virus. After infecting it shows a
picture of the mascot of the Dutch magazine "PC Active". The picture
inside the virus is compressed in a special way, to keep the virus
small.


==============================================================================

Virus Characteristics List


ANSI keyboard remap-------------------+
Polymorphic-------------------------+ |
Infects Windows EXE files---------+ | |
Infects EXE files---------------+ | | |
Infects COM files-------------+ | | | |
Memory Resident-------------+ | | | | |
Overwriting---------------+ | | | | | |
Bootsector virus--------+ | | | | | | |
                        | | | | | | | |
                        V V V V V V V V  Length
-----------------------------------------------
Gotcha 1                . . R C E . . .     732
Gotcha 4                . . R C . . . .     607
Gotcha 6                . . R C E . . .     879
Gotcha 7                . . R C E . . .     881
Gotcha 9                . . R C E . . .     906
Gotcha 17               . . R C E . . .     627
46 Virus                . O . C . . . .      46
Seventh Son 1           . . . C . . . .     350
Seventh Son 2           . . . C . . . .     332
Seventh Son 4           . . . C . . . .     284
Little Brother 1        . . R . E . . .     299
Little Brother 2        . . R . E . . .     307
Little Brother 3        . . R . E . . .     321
Tiny 126                . . R C . . . .     126
Tiny 124                . . R C . . . .     124
Tiny 124B               . . R C E . . .     124
Tiny 122                . . R C E . . .     122
Mini 99                 . . . C . . . .      99
Mini 97                 . . . C . . . .      97
Mini 91                 . . . C . . . .      91
Mini 117                . . . C . . . .     117
Mini 111                . . . C . . . .     111
Cannabis 1              B O R . . . . .     512
Cannabis 2              B O R . . . . .     512
Cannabis 3              B O R . . . . .     512
Pogue Mahone            . . R C . . P .   3017+
Redhair ANSI bomb       . . . . . . . A       -
ANSI virus              . O . . . . . A     881
Legalize                . . R C E . . .    1781
Coffeeshop 1            . . R C E . . .    1568
Coffeeshop 2            . . R . E . P .   3792+
Coffeeshop 3            . . R C E . P .   3000+
Coffeeshop 4            . . R C E . P .   3000+
Virus_for_Windows 1.4   . . . . . W . .     854
MK Worm                 . . . . . . . .    715+
Cruncher 1.0            . . R C . . . .   2092-
Cruncher 2.0            . . R C E . . .   4000-
Cruncher 2.1            . . R C E . . .   4800-
TPE 1.1                 . . . . . . P .    1378
TPE 1.2                 . . . . . . P .    1355
TPE 1.3                 . . . . . . P .    1411
TPE 1.4                 . . . . . . P .    1637
PlayGame                B . R . E . . .    2000
DOS-1                   . . . C . . . .     184
Bosnia                  . . R C E . P .   3112+
PCA virus               . O . C . . . .     342

; ─────────────────────────────────────────────────────────────────────────
; ───────────────> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <───────────────
; ───────────> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <───────────
; ─────────────────────────────────────────────────────────────────────────