Xine

Administrator: eZine
Created 28 Apr 2019
58 Articles

xine-2.033

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 033 | \-----------------------------/ Short addendum to Injector docs and description In Xine #1 we presented to the reader the program Injector, which is a program for "injecting" (that is, sending) packets on an ethernet and monitoring the ethernet traffic (it has a lot of customizable options and so on, take a look at issue #1 if you don't remember it). Unfortunately there aren't a lot of guys that actually have a local network attached to internet so Injector may not be fully used by a lot of people. This was one of the complaints we received about Injector. ...

xine-2.032

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 032 | \-----------------------------/ ; ; GUERILLA 1996 Disassembly ; by b0z0/iKx ; ; Virus Name : Guerilla 1996 ; Virus Author : PH (?) ; Virus Length : 1996 ; Virus Type : TSR EXE infector, Full stealth, Polymorphic ; Hooked Ints : 21h ; Hooked Funcs. : 09h,11h,12h,32h,3Dh,3Eh,4Bh,4Ch,4Eh,4Fh,6Ch ; Infect on : Close (3Eh) ; Payloads : None ; Compiling : Use TASM 3.0 to get the original Guerilla...

xine-2.031

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 031 | \-----------------------------/ ============================================================================== The Mutation Engine used in BEOL96 ================================== Welcome to the best mutation engine ever written for Amiga computers! (I think it's even the best one for 680x0 in general!) It still lacks some features, a good mutation engine should have: * Insertion of dummy-instruction. (2 different types: Instructions not changing anything and instructions changing unused registers) This shouldn't be hard to implement. * More than just 4 vari...

xine-2.030

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 030 | \-----------------------------/ ***************************************************************************** * BEOL III v2 * * Diff from v1: Stealth only enabled when file is _REALLY_ infected! * * * * Bugs: Libraryinfectioncode isn't reentrant => we could end up with fucked * * up libs, if we infect 2 libraries at the same time!!! * * Libraryinfection doesn't recognize libs with 2nd word != $4e75 * * There is no list arbitration, which could lead to missed read-calls.* * Library infection can't handle libs with name&id-string in other * * hunks. ...

xine-2.029

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 029 | \-----------------------------/ ;****************************************************************************** ; THIS IS FOR EDUCATIONAL PURPOSE ONLY Gi0rGeTt0 ; ; Virus name : B00BS ; Author : Unknwon :) ; Group : iKx ; Origin : Italy 1996/97 ; Compiling : Use TASM ; TASM /M2 B00BS.ASM ; TLINK B00BS ; Targets : EXE COM ; Features : stealth via 11h,12h,4eh,4fh,disinfect and infect on the fly ; on opening(3dh,6c00h) and closing(3eh) ,int 24h handler ; TSR by MCB and int21h (48h) ; uses some 386 instructions for some routines (just for fun) ; fucks TBAV,AVP,F-...

xine-2.028

eZine lover (@eZine)
Published 31 Jul 2023
/-----------------------------\ | Xine - issue #2 - Phile 028 | \-----------------------------/ ; ; Virus Name : Sailor_Neptune ; Virus Author : b0z0 ; Origin : Padania, March/April 1997 ; Compiling : Use TASM 3.0 ; tasm /m5 neptune.asm ; tlink /t neptune ; Tech Desc : Sailor_Neptune is a quite simple TSR COM infector, ; that will place itself not at the end of the file but ; in a random position in the middle of the file. ; It is just a little bit polymorphic. The sequence of ; the operations in the decryptor is always the same, ; but registers and operations are changed. The key ; of the operation (add,sub,xor) is c...

xine-2.027

eZine lover (@eZine)
Published 26 Apr 2019
/-----------------------------\ | Xine - issue #2 - Phile 027 | \-----------------------------/ ; ; Name : Sailor_Pluto ; Author : b0z0 ; Group : iKx ; Origin : Padania, Jan/Feb/Mar 1997 ; Compile : Use TASM 3.0 ; tasm /m2 pluto.asm ; tlink pluto ; Description : This is a polymorphic COM/EXE TSR infector using SMPE ; (Sailor Moon Polymorphic Engine) version 0.2. Well, what ; does SMPE do? SMPE will generate quite large decryptors ; (also some Kb sometime) that contains a lot of garbage ; code from the most normal one (reg moving, reg math ; operations, reading/using memory stuff, conditional and ; normal jumps...

xine-2.026

eZine lover (@eZine)
Published 26 Apr 2019
/-----------------------------\ | Xine - issue #2 - Phile 026 | \-----------------------------/ ;****************************************************************************** ; ; Virus name : Sailor_Uranus ; Author : b0z0 ; Group : iKx ; Origin : Padania, December 1996 / January 1997 ; Compiling : Use TASM 3.00 ; TASM /ZI /M2 URA.ASM ; TLINK /M /V URA ; TDSTRIP -C URA.EXE ; Then put the first 512 bytes into a floppy boot sector ; and the rest to the floppy boot starting at 79,1,13. ; Remember also to put the original boot sector to 79,1,12 ; Targets : HD Boot Sector / FD Boot Sector / COM / EXE &#...

xine-2.025

eZine lover (@eZine)
Published 26 Apr 2019
/-----------------------------\ | Xine - issue #2 - Phile 025 | \-----------------------------/ ; This virus was designed for Xine2 the second zine release for iKx ; sadly Xine2 may never be released. Another group dies with the first ; zine it releases <sigh> ; Thanks to Murkry for some of the ideas ; like using the unused data area in the data segment ; and other invaluable ideas ;) ;cheers, ; jhb ; ; Compiling: ; ;tasm32 /ml /m3 Xine2,,; ;tlink32 /Tpe /aa /c Xine2,Xine2,, import32.lib ; ; Two assumptions are made that will keep this virus within the win95 ; realm ; 1 Check for 400000h as the base loading...

xine-2.024

eZine lover (@eZine)
Published 26 Apr 2019
/-----------------------------\ | Xine - issue #2 - Phile 024 | \-----------------------------/ ; This virus was written to use a GetProc address routine that jhb wrote ; it basically does what Bizatch does. It adds a section to the file and has ; the entry point point at it. Hopefully JHB has written a PE file infection ; tutorial with Xine 2. So check that, also check the code for comments I did ; not recomment the GetprocAddress check JHB article on the final version ; I just modified it a bit ;). ; Well enjoy this due to the fact that this is a direct action virus and does ; not jump directories I doubt it will spread far. B...