H0l0kausT

Administrator: eZine
Created 5 Mar 2023
18 Articles

H0l0kausT by HenKy /HH, an ezine about computer viruses

Billy Belcebu Virus Writing Guide 1.04

H0l0kausT Issue 1

eZine lover (@eZine)
Published in 
 · 5 Mar 2023
Disclaimer

The author of this document isn't responsible for any kind of damage that could be made with the bad use of this information. The objective of this tutorial is to teach people how to create and defend against the attack of a lame YAM virus :) This tute is for educational purposes only. So, lawyers, I don't give a shit if a lamer takes this information and makes destructive viruses. And if through this document you see anywhere that I encourage to destroy or corrupt data, go directly to buy glasses.

Presentations

Welcome to Billy Belcebu's Virus Writing Guide. This document is dedicated to my master, zAxOn, my mento...

The Zhengxi.7313 virus: original source code

H0l0kausT Issue 1

At last... the source of the most complex virus ever is published in a virus magazine. And we're glad that the fortunate magazine is 29A :) You are stepping with the reader cool smooth scroll through the original source code of the best of the three versions (7271, 7307, 7313) of Zhengxi. This source code, as the compiled version of the virus itself, is quite hard to understand. Anyway, I decided to leave the source code 'as is', albeit some weeks ago I started making it up a bit and commenting some uncommented code so it would be easier and clearer to read. At last I decided to stop spending my time on this and give you the ...

The Messev virus

H0l0kausT Issue 1

NOTE: These are the final versions of my old Messev and Gwar which were supposed to be published in 29A#3; instead, older versions were used. Unlike what some of you may think, the versions included in this file are completely different from the ones in 29A#3, much code was rewritten and a lot of features were added. Messev + Gwar were my first virii written for public release, that explains the weak coding, nevertheless, they ain't exactly trivial, and thus, interesting....

- T-2000 / [Immortal Riot] -

Here are a few fucked-up AV-descriptions of slightly modified versions, I added some of my own comments where needed: DATAFELLOWS ...

The CIH virus

H0l0kausT Issue 1

; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 E-mail : WinCIH.Tatung@usa.net *
; * Modification Time : 06/01/1998 Version : 1.5 *
; * *
; * Turbo Assembler Version 5.0 : Tasm /m cih *
; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe *
; * *
; *==========================================================================*
; * Modification History *
; *=======================...

The Win32.Darling virus

H0l0kausT Issue 1

;============================================================================
;
;
; NAME: Win32.Darling v1.00
; TYPE: Direct-action variable-encrypting PE-infector.
; SIZE: Around 1700 bytes.
; AUTHOR: T-2000 / [Immortal Riot].
; E-MAIL: T2000_@hotmail.com
; DATE: May 1999.
; PAYLOAD: Randomly pops-up a message-box.
;
;
; FEATURES:
;
; - True Win32-compatible (Win-95/98/NT).
; - Variable encrypting (32-bit key).
; - Traps possible errors with a SEH.
; - Infects files in current/windoze/system-directory.
; - Non-destructive payload (ARGHHH!!!!!).
;
;
; Nothing brand new at all, this is just a quick Win32.Savior hack, w...

The Girigat virus

H0l0kausT Issue 1

by Mister Sandman

Introduction

This new creation of mine has turned to be my first "pure" Win32 virus, as well as one of which I'm really proud of. After an absence of months in which I haven't coded absolutely anything because of certain reasons I won't explain here, I see Girigat as a new start in my VX career. My style has changed, and I am not referring to the fact that of course Win32 viruses have nothing to do with DOS viruses. I am sure these differences I'm writing about are relevant enough so th...

The Cargo virus

H0l0kausT Issue 1

WIN32 by Lord Julus (C) 1999

I am very proud to present you my first win32 resident virus. I usually don't like to fuss too much about my releases, but this time, I am so proud of this release, that I cannot hold...;-) However, this virus will probably not spread at all. The fact is it has a small bug. Actually it's not quite a bug. When I added the infection an...

THE APPARITION for Win32

H0l0kausT Issue 1

--------------------------------------------------------------[winapp32.cpp]--
// THE APPARITION for Win32
// Written by LordAsd
#include "winapp32.h"
HWND MainWindow;
#include "scanner.cpp"
#include "diag.cpp"
#include "misc.cpp"
#include "main.cpp"
#include "mutant.cpp"
//Declaration
#pragma argsused
int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int cmdShow)
{
    MSG msg;;
    DiagInit();;
    strcpy(CommandLine,lpszCmdLine);;
    InitAll();;
    if (!AskBoss("RUN RUN RUN?")) return 0;;
    LoadCarrier();;
    if (GlobalFindAtom(IDAtom)!=0) exit(EXIT_SUCCESS);;
    ATOM MyTSRAtom = GlobalAddAtom(IDAtom);;...

The Gwar virus

H0l0kausT Issue 1

DATAFELLOWS: Gwar is a boot virus that infects MBR of hard disks and floppy boot records. The virus is one sector long. It is partially encrypted. Gwar is a stealth and resident virus. The system is infected after booting from an infected floppy or after executing COM or EXE file infected by Messev.3158 virus that acts as a dropper for Gwar. Before infecting the hard disk with the Gwar the Messev.3158 tries to delete Windows 95 floppy device driver HSFLOP.PDR, but there's an error in the virus and this never happens. Floppy boot records are infected by the virus on first access to them. When infecting hard disks the virus (or a droppe...

The GoLLuM ViRuS

H0l0kausT Issue 1

GoLLuM is the very first hybrid DOS-Windows virus ever... it infects DOS EXE files only when they're executed inside a DOS window under any of the known versions of Microsoft Windows (Windows 3.1x, Windows95...). It becomes resident as a virtual device driver when Windows starts, and then hooks V86 int 21h in order to monitor file execution, trying to infect more files under DOS sessions. When an EXE file is executed inside a MS-DOS window, GoLLuM will attach itself to the end of the file (it copies first its DOS code and then the VxD file, both of them encrypted with a simple 'not' operation). GoLLuM will not infect files tha...