*****************************
*** CHAOS-AD by Sepultura ***
*** South Australia - '95 ***
*****************************

Polymorphic, Full(ish) Stealth, Retro, Anti-Heuristic, Tunneling, COM+EXE.

*** IMPORTANT ***

This is the OFFICIAL version... due to a bit of a mistake, I sent a few ppl
on #virus the wrong version which has a TINY (one line) bug :P

******************

********
FEATURES:
********
Personal Stuff: - My First Polymorphic Virus.
               - My First Full Stealth Virus.
               - My First EXE infector.

Retro Stuff:    - Deletes CHKLIST.CPS, CHKLIST.MS, ANTI-VIR.DAT files.
               - Avoids infecting AV programs.
               - Disables VSAFE.
               - Avoids VSAFE, and older versions of TBMEM, from reporting
                 changes to System Memory / Environment.

Anti-Heuristics:- Uses some fairly heavy Anti-Heuristic structures throughout.
               - TCE generates HUGE, spaced out Decryptors, avoiding # flag.
               - TBSCAN 6.50 finds 0 flags on DECRYPTED virus.
               - F-PROT( /paranoid) 2.19 finds nothing on DECRYPTED virus.
               - AVP 2.2 finds nothing on DECRYPTED virus.
               - About 10% of decryptors are flagged by TBSCAN HR
                                                        (high heuristics).
               - No Decryptors (as far as I know) flagged by AVP, F-Prot.

Tunneling:      - Uses a /<-R4D NEW (I think) method to find the original
                 INT 21 vector.. see the subroutine find_21 for more info..

Polymorphy:     - Polymorphy is provided by TCE-0.4 (The Chaos Engine).

               It can generate decryptors of the form:
                  ADD/SUB/ADC/SBB/XOR [BP/SI/DI/BX(+xx(xx))],reg16

               It can move a value to a register as such:
                  MOV reg,VAL
               or LEA reg,[VAL]
               or XOR/SUB reg,reg + OR/XOR/ADD reg,VAL
               or XOR/SUB reg,reg + SUB reg, negative VAL

               It can test for a zero value, using:
                  OR/AND/TEST reg,reg

               It can generate the following looping methods:
                  JNZ loopstart
               or CLC + JA loopstart
               or LOOP loopstart
               or LOOPNZ loopstart

               It can modify the KEY register, using:
                  ADD/SUB/XOR reg,xxxx

               - Although TCE is a stand alone engine, I do not really
                 expect other people to use it in their virii, mainly
                 because it sux, and there are many better engines around.

Stealth:        - This is probably the shittiest part of the virus!
               - I could not get FULL (disinfect on the fly) type stealth
                 working with the variable length poly, and size padding,
                 so for now I am using Disinfect on Open, Infect on Close
                 type stealth.
               - It also Disinfects files loaded by debuggers.
               - If an archiver is running, it Infects instead of Disinfect.

Other Stuff:    - Marks files by padding the size up, so that the Least
                 Significant Byte, of the Size field, is ADh (chaos-AD).
                 This is reliable, and doesn't cause anything suspicious
                 looking..
               - Has a Cool Activation Routine (see the sub-routine
                 setup_activator for more info).
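
The size marker described above is also usable from the defender's side. The
following is an added example, not part of the original file or the author's
code: a triage sketch that flags COM/EXE files whose size ends in ADh and tests
whether the number of matches exceeds what coincidence (1 file in 256) would
explain. The sample listings, the function names and the alpha threshold are
constructed for illustration, and the listing is assumed to come from an
offline image or clean boot, since the page describes stealth behaviour.

```python
import math
import os

MARKER_LSB = 0xAD               # size low byte the page says infected files are padded to
TARGET_EXTS = {".com", ".exe"}  # the page describes a COM+EXE infector

def listing_from_tree(root):
    """Collect (path, size) pairs; run against an offline image, not a live system."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                out.append((path, os.path.getsize(path)))
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
    return out

def chance_tail(n, k, p=1 / 256):
    """P(at least k of n unrelated files share the low size byte by coincidence)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def triage(listing, alpha=1e-3):
    """Flag marker-sized executables and judge the set as a whole."""
    targets = [(n, s) for n, s in listing
               if os.path.splitext(n)[1].lower() in TARGET_EXTS]
    hits = [n for n, s in targets if s & 0xFF == MARKER_LSB]
    p = chance_tail(len(targets), len(hits))
    return {"scanned": len(targets), "hits": hits, "p_chance": p,
            "suspicious": bool(hits) and p < alpha}

# Constructed sample listings (names and sizes are made up for the example).
CLEAN = [("COMMAND.COM", 54645), ("EDIT.COM", 413), ("FORMAT.COM", 22974),
         ("MEM.EXE", 32429), ("XCOPY.EXE", 16930), ("README.TXT", 173)]
PADDED = [("COMMAND.COM", 54701), ("EDIT.COM", 429), ("FORMAT.COM", 22957),
          ("MEM.EXE", 32429), ("XCOPY.EXE", 16930), ("README.TXT", 173)]

if __name__ == "__main__":
    for label, listing in (("clean", CLEAN), ("padded", PADDED)):
        r = triage(listing)
        print(label, r["scanned"], r["hits"], f"{r['p_chance']:.2e}", r["suspicious"])
```

A single match is weak evidence on its own (MEM.EXE matches by coincidence in
the clean listing); the signal is the cluster, so flagged files still need
content-level inspection.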

Things That Delayed This Virus's Progress:
               - Drugs.
               - School.
               - Stupidity.
               - I couldn't stop playing that 'Dont Touch The Sides' game
                 in VLAD-#3 (and I still can't :P).

;===============================================================================