hexfiles

Administrator: eZine
Created 29 Oct 2022
15 Articles

hexfiles is an ezine about computer viruses written by Putoksa Kawayan.

On Possessed! and Vindicate 1.01 (AV)

eZine lover (@eZine) · Published 31 Oct 2022

Possessed
Possessed is the first file-infecting virus written in the Philippines to successfully spread throughout the country. What complicated things is that several variants were released one after the other, if not at the same time. The author, Jonjon Gumba, claims that the release of the virii was accidental, considering that his name is included in the virus code. However, most believed otherwise. Gumba reported 11 Possessed variants, one of which he could not document. This might be because he had written many variants but did not keep track of exactly what he passed to his friends and classmates, if not released in the wild....

Preacher 1.1

hexfiles issue 2

eZine lover (@eZine) · Published 31 Oct 2022

Preacher 1.1 by Mikee
Preacher goes resident as a low memory TSR (one full segment!). It hooks Int 09. Unlike the majority of file infectors, it does not hook Int 21. Infection is carried out through Int 09 instead. To avoid crashing the system, Preacher checks InDOS, the DOS busy flag, to see whether DOS is processing an Int 21 function. Preacher only infects COM files through DOS' find file functions. It is prepended to programs and is 524 bytes long. Contains the texts "PREACHER" (also used to check files for infection) and "Jesus Reigns!". These are not displayed. Preacher is still in the development phase. You can expect a better and expanded ...

PhVx Register

hexfiles issue 2

eZine lover (@eZine) · Published 31 Oct 2022

Last Update: March 1998
PhVx Register
This PhVx listing is divided into three parts. Part I covers PhVx found in the wild, a copy of which is in the HEX-FILES collection. Part II contains PhVx released through HEX-FILES. Part III lists virii mentioned in AV documentation as originating from the Philippines or, from all indications, a PhVx. Those mentioned by foreign AVs still need verification. Virii mentioned in VSUM as originating from the Philippines are not acceptable unless independently corroborated by another source. The PhVx in Parts I and II were scanned by AVs coming from the Philippines and other countries to cross-reference their ide...

hexfiles issue 2

eZine lover (@eZine) · Published 31 Oct 2022

[ASCII-art masthead: Philippines Virus Zine, March 1998] ...

Philippines.3133 (DEBUG script)

hexfiles issue 1

eZine lover (@eZine) · Published 31 Oct 2022

Virus : Philippines.3133
Author : Putoksa Kawayan
Origin : Manila, Philippines
SelfRecFile : File[18..19]=0x18 0x98 && File[EOF-11..EOF]=Philippines
Comments : Infects .COM and .EXE but COMMAND.COM is not infected. Tricks with get/set file attribute. Problems occur while copying an infected program. Disallows execution of AVs popular at that time. Virus is encrypted (multi-layered and self-modifying). For other things about Philippines.3133, disassemble the infected file in the debug script on this file. This is actually a part of the second series of my virii. The first being the one based on Possessed, and then this series. Th...

Creating variants in a snap

hexfiles issue 1

eZine lover (@eZine) · Published 31 Oct 2022

CREATE VARIANTS WITHOUT REALLY TRYING
Believe me not but it is really true. You can create variants of your virii with hardly an effort on your part. This is a lamer's delight and it is for you, my dear lamer and the rest of your kind out there, that made me do this article. As you well know, a difference in the length of virii means that it is a different variant (ex.: Diamond.606, Diamond.607). If virii of the same length have differences between them, then they are minor variants of that virii (ex.: Cascade.1701.A, Cascade.1701.B). Let's wait and see how the AVs react to this. But if they recognize patched virii as minor vari...

Duwende (ASM)

hexfiles issue 1

eZine lover (@eZine) · Published 31 Oct 2022

Duwende is my attempt to write a short memory resident virus. My only limitation is that it should not be more than one sector or 512 bytes. Although I did not make an effort to hide the infection, I did mask some instructions so that it won't trigger Thunderbyte's undocumented DOS flag. As a result, it is not detected by Thunderbyte in low and auto heuristics. AVP and F-Prot detect it as an unknown virus if heuristics are used.

-=-=-=-=-=-=-=-=-=-=-=-=-=-
*Thunderbyte high heuristics (not detect by low and auto heuristics)
DWND409A.COM might be infected by an unknown virus
c No checksum / recovery information (Anti-Vir.Dat) available.
F ...

Cara.Kara.739 (ASM and DEBUG script)

hexfiles issue 1

eZine lover (@eZine) · Published 31 Oct 2022

Virus Name: Cara.Kara.739
The only reason I modified Cara.Standard.1024 is because I could not run it on any computer I have access to. Although a lot of changes had been made to the original virii, the functionality of the original routines had been retained. The changes made on this variant are:
1. Use of 286 CPU instructions to shorten the virii a bit.
2. Removed immunization of boot sectors as it might create problems against a stealth virii.
3. Updated the boot virii checked for to those most reported in the wild, in the global perspective or in the Philippines.
4. Translated text in virii to Pilipino. As a result, infection recognit...

Cara.Standard.1024 (ASM and DEBUG script)

hexfiles issue 1

eZine lover (@eZine) · Published 31 Oct 2022

Cara is the first file-infecting virus that originated from the Philippines. It is just fitting that the first issue of HEX-FILES includes this virus. For the analysis of the virus, I will give way to August Li's article which appeared in OnDisk! Magazine No. 7 (July 1991) and the entry of Cara in CaroBase.

COMMENTS ON CARA by AUGUST LI
CARA: A Commented Disassembly by August Li
I have almost fully disassembled the virus and here are my findings.
Virus name : Clandestino Auto-Reproductivo Anti-virus (C.A.R.A.)
Description:
1. Infects COM files only.
2. Adds 1024 bytes to infected file.
3. Occupies 2048 bytes in memory.
4. Checks syste...

Microbe Virus Dropper (ASM and DEBUG script)

hexfiles issue 1

eZine lover (@eZine) · Published 29 Oct 2022
Microbe virus is now nearing extinction and might only exist in virus collections because of its inability to infect disks other than 360 kb diskettes. I am bringing it to you in its original form so that you can get a personal look at the virus. The Microbe dropper program checks a diskette if it is a 360 kb before implanting the virus on the diskette. If you do not have a 5.25" floppy disk drive nor a 360 kb diskette, tough luck. If you decide to modify the dropper source code so that it will infect diskettes other than 360 kb, that is up to you. But you might get errors when you use that diskette because Microbe does not retain the dat...