This is the OFFICIAL version... due to a bit of a mistake, I sent a few ppl
on #virus the wrong version which has a TINY (one line) bug :P
******************
********
FEATURES:
********
Personal Stuff: - My First Polymorphic Virus.
                - My First Full Stealth Virus.
                - My First EXE infector.
Retro Stuff:    - Deletes CHKLIST.CPS, CHKLIST.MS, ANTI-VIR.DAT files.
                - Avoids infecting AV programs.
                - Disables VSAFE.
                - Avoids VSAFE, and older versions of TBMEM, from reporting
                  changes to System Memory / Environment.
Anti-Heuristics:- Uses some fairly heavy Anti-Heuristic structures throughout.
                - TCE generates HUGE, spaced out Decryptors, avoiding # flag.
                - TBSCAN 6.50 finds 0 flags on DECRYPTED virus.
                - F-PROT (/paranoid) 2.19 finds nothing on DECRYPTED virus.
                - AVP 2.2 finds nothing on DECRYPTED virus.
                - About 10% of decryptors are flagged by TBSCAN HR
                  (high heuristics).
                - No Decryptors (as far as I know) flagged by AVP, F-Prot.
Tunneling:      - Uses a /<-R4D NEW (I think) method to find the original
                  INT 21 vector.. see the subroutine find_21 for more info..
Polymorphy:     - Polymorphy is provided by TCE-0.4 (The Chaos Engine).
                  It can generate decryptors of the form:
                      ADD/SUB/ADC/SBB/XOR [BP/SI/DI/BX(+xx(xx))],reg16
                  It can move a value to a register as such:
                      MOV reg,VAL
                   or LEA reg,[VAL]
                   or XOR/SUB reg,reg + OR/XOR/ADD reg,VAL
                   or XOR/SUB reg,reg + SUB reg, negative VAL
                  It can test for a zero value, using:
                      OR/AND/TEST reg,reg
                  It can generate the following looping methods:
                      JNZ loopstart
                   or CLC + JA loopstart
                   or LOOP loopstart
                   or LOOPNZ loopstart
                  It can modify the KEY register, using:
                      ADD/SUB/XOR reg,xxxx
                - Although TCE is a stand alone engine, I do not really
                  expect other people to use it in their virii, mainly
                  because it sux, and there are many better engines around.
Stealth:        - This is probably the shittiest part of the virus!
                - I could not get FULL (disinfect on the fly) type stealth
                  working with the variable length poly, and size padding,
                  so for now I am using Disinfect on Open, Infect on Close
                  type stealth.
                - It also Disinfects files loaded by debuggers.
                - If an archiver is running, it Infects instead of Disinfects.
Other Stuff:    - Marks files by padding the size up, so that the Least
                  Significant Byte of the Size field is ADh (chaos-AD).
                  This is reliable, and doesn't cause anything suspicious
                  looking..
                - Has a Cool Activation Routine (see the sub-routine
                  setup_activator for more info).
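The size marker described above is also something a defender can look for. The following is an added example, not code from the original text or from the virus author: a small scanner that walks a directory, flags .COM/.EXE files whose size has ADh as its low byte, and notes whether the integrity databases named under "Retro Stuff" (CHKLIST.MS, CHKLIST.CPS, ANTI-VIR.DAT) are still present. The sample directory, file names and sizes it builds are constructed for the demonstration. The marker alone matches roughly 1 in 256 clean files, so the code treats it as corroborating evidence rather than a verdict.

```python
import os
import tempfile

# Integrity-check databases the text says the virus deletes (names from the page).
INTEGRITY_DB_NAMES = {"CHKLIST.MS", "CHKLIST.CPS", "ANTI-VIR.DAT"}

# Size marker described on the page: least significant byte of the file size is ADh.
MARKER_LSB = 0xAD


def size_has_marker(size: int) -> bool:
    """True when the low byte of the file size equals the marker (size mod 256 == 0xAD)."""
    return (size & 0xFF) == MARKER_LSB


def scan_directory(root: str) -> dict:
    """Walk a tree; collect executables whose size carries the marker and
    record which integrity databases were seen alongside them."""
    flagged = []
    db_seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            upper = name.upper()
            path = os.path.join(dirpath, name)
            if upper in INTEGRITY_DB_NAMES:
                db_seen.add(upper)
                continue
            if upper.endswith((".COM", ".EXE")):
                size = os.path.getsize(path)
                if size_has_marker(size):
                    flagged.append((path, size))
    return {"flagged": flagged, "integrity_dbs_present": sorted(db_seen)}


def assess(report: dict) -> str:
    """Coarse verdict. About 1 in 256 clean files match the marker by chance,
    so a hit only becomes interesting together with other signs, such as the
    checksum databases having vanished."""
    if not report["flagged"]:
        return "no marker hits"
    if not report["integrity_dbs_present"]:
        return "marker hits and no integrity databases found: investigate"
    return "marker hits only: weak indicator, verify against a known-good copy"


def build_sample_tree() -> str:
    """Constructed sample: a few zero-filled files of chosen sizes in a temp dir."""
    root = tempfile.mkdtemp(prefix="marker_scan_")
    samples = {
        "CLEAN.EXE": 0x1234,    # low byte 0x34: no marker
        "SUSPECT.COM": 0x02AD,  # low byte 0xAD: marker hit
        "OTHER.EXE": 0x1AAD,    # low byte 0xAD: marker hit
        "README.TXT": 0x00AD,   # not an executable, ignored by the scan
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_directory(root)
    for path, size in report["flagged"]:
        print(f"marker hit: {path} ({size} bytes)")
    print(assess(report))
```

Run it against a real DOS-era directory instead of the constructed tree by passing your own path to scan_directory; the verdict is intentionally conservative, and a hit should be confirmed by comparing the file against a known-good copy or a stored checksum.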
Things That Delayed This Virus's Progress:
                - Drugs.
                - School.
                - Stupidity.
                - I couldn't stop playing that 'Don't Touch The Sides' game
                  in VLAD-#3 (and I still can't :P).