💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › GVN › gvhn_2.tx… captured on 2021-12-03 at 14:04:38.
View Raw
More Information
-=-=-=-=-=-=-
God@rky's Virus Heaven Newsletter #2
Written by God@rky
(C)Circle-A Computers 1996 All Rights Reserved...
-----------------------------------------------------------------------------
- *Warning** This magazine deals with Viruses, thier production, and
thier distribution, and frankly anything else that is virus related that we
wish to publish here. The ethics of this magazine's very existance my upset
you.
The intent of this magazine is to keep those interested in collecting
or authoring viruses up to date as well as we can with some of the information
that can be found here and abroad.
If you have any questions, comments, ideas or article submissions, by all
means send them via E-mail at: godarky@ilf.net
-----------------------------------------------------------------------------
CONTENTS
Section One - Site News & Corrections
Section Two - In The Wild List
Section Three - Beginners Guide For Newbie Collectors
Section Four - *NEW* Virus Related Newsgroup
Section Five - Vx Related Books
Section Six - Vx Site Guide (FTP/WWW) - Revised
Section Seven - Assembly Language Help For Beginners
Section Eight - Out With The Old/In With The New - E'zines
Section Nine - Integrety of Virus Collections - Questioned
Section Ten - A Call For Help With GVHN
=============================================================================
Section One - Site News & Corrections
I suppose top of the list should be regarding Virus Bits & Bytes
magazine. I have recently contacted Dark Night of VBB. He advised he has
been real busy as of late with Life's necessities (Work) and hasn't had time
to do anything lately. But that VBB is still around, and waiting for new
articles and so forth. So in the future we can expect to see more from VBB.
Also in the last issue, in the Disappearing Sites area, I posted of
the absense of ChibaCity. Promptly after the release of Issue #1, I recieved
several letters with the new URL for ChibaCity. You can now once again
enjoy accessing ChibaCity at; http://www.chibacity.com/chiba/vrc.html.
One more site that disappeared during the month of November, was
was actually that of one of the Virus Bits & Bytes members "RickDogg" the
author of the LordNatas v666 bug that came out last August. Anyhow his old
site was located on PSInet's "Pipeline USA" service. It actually lasted
quite awhile till somebody either reported it, or Pipeline actually found out
about this little gem amongst thier homepages. So Rickdogg's entire account
disappeared, not just the website. He has picked up residencey at ILF with
some of the rest of us. His site can be found at: http://www.ilf.net/rickdogg
As well as his two new virus releases which will also be at Virus Heaven.
Cicatrix, they guy keeping track of all the viruses around the scene,
and putting them in NIFTY collections to keep us all a little more organized,
has finally put up a Web site. It is small right now, with very few links to
files. Currently though, there is a good portion of his collections available
at http://www.ilf.net/god@rky/virii.htm in the "Virus Collections" section of
the site. Also there, you will be able to get ahold of VDAT170.ZIP. VDAT is
a dos-based virus hypertext (Windows version is currently under development)
which is an excellent tool for those in the Vx and Av worlds alike. All
kinds of Info is available in it, and is a must see, if you are interested in
computer viruses. Keep an eye on this site, it should become a hot site as
Cicatrix gets more time to work on it. Anyhow to get to this site, point your
favorite browser to http://www.cyberstation.net/~cicatrix and bookmark this
bad boy.
PhreeX's Site Guide there was a link to TASM 4.0 which led to
a TASM v2.0 (1989).
=============================================================================
Section Two - In The Wild Lists
In The Wild Lists are kinda a strange animal. As you will see in the
newest one available which I am pasting into this issue of GVHN, there are
some requirements for which your virus must go, before it reaches
acknowledgment by an AV company for inclusion in thier scanner.
While it is most author's objective to keep thier virus from being
detectable by a mainstream scanner. If the virus has anykind of effect on
other people's systems, such as a decent infection ratio, it is almost
inevitable that it will end up on the ITW lists, as well as on some AV
scanner's list of detectable and cleanable virus list.
So, as I covered in the last issue, CARO gives the virus it's
industry name. Usually, if CARO knows what the AUTHOR named the virus, it
will be labeled in the ALIAS field of the ITW list. But CARO's name of the
virus is the one that the listing will use as the viruses primary name.
A good example of this is the HARE inclusion in this list. There is no
alias listed for this virus. Yet many of us know that at least one of the
strains was called "HDEUTHANASIA". You will see alot of blanks in the
Alias field.
What follows is the most recent ITW list I could find. The one
at the Dr. Solomon's AV site was from July 1996. That was a little old. The
One I have here, came from the archive and was the newest one available
there as of November 18th, and it is from October. I have included it almost
entirely in it's original state, so you could read what thier basis is for
adding viruses to thier list, and so forth.
============================================================================
PC Viruses in the Wild - October 22, 1996
============================================================================
This is a cooperative listing of viruses reported as being in the wild
by 44 virus information professionals. The basis for these reports are
virus incidents where a sample was received, and positively identified
by the participant. Rumors and unverified reports have been excluded.
This report is cumulative. That is, this is not just a report of which
were seen last month. Monthly data is received from most participants,
but the new data is added to the old. Participants are expected to let
me know when I should remove their name from a virus that they haven't
seen in a year and a half or so.
The list should not be considered a list of "the most common viruses",
however, since no specific provision is made for a commonness factor.
This data indicates only "which" viruses are in the wild, but viruses
reported by many (or most) participants are obviously widespread.
The WildList is current being used as the basis for in-the-wild virus
testing of antivirus products by Virus Bulletin and the NCSA (National
Computer Security Association). Additionally, a virus collection based
upon the WildList is being used in an effort to standardize the naming
of common viruses.
The WildList - (c)1993-1996 by Joe Wells - wildlist@vcnet.com
============================================================================
The section below gives the names of participants, along with their
geographic region, organization, and antivirus product (if any). The
locations with an asterisk (*) note that the reports are regional, all
others being multinational or global.
Key Participant *Region Organization Product
============================================================================
Ac Alan Candy *New Zealand Applied Insight F-Prot Pro
Ad Allan Dyer *Hong Kong Yui Kee Co. Ltd. F-Prot
Ae Amir Elbaz Israel EliaShim ViruSafe
Bn Barnabas Nagy *Slovokia NaBaware Dr. Solomon's
Bq Blend Qapiti *Albania Poly U Tirana None
Cb Carl Bretteville Norway Norman Data NVC
Cj Craig Jackson USA Datawatch VirexPC
Cs Christian Schmid *Austria DataPROT Linz F-Prot
Dc Dave Chess USA IBM IBM AntiVirus
Dg Dmitry Gryaznov UK S&S Int'l Dr. Solomon's
Ek Eugene Kaspersky *Russia KAMI AVP
Ev Eduardo Velasquez *Colombia/Vene. SOFTEAM Ltda VirusCOP
Ew Eddy Willems *Belgium/Lux. De Vaderlandsche None
Fl Ferenc Leitold *Hungary Hunix Ltd. Virus Buster
Fs Fridrik Skulason Iceland Frisk Int'l F-Prot
Gm Gerard Mannig *France RECIF None
Gp Gabriel Pislaru *Romania SoftWin AVX
Iw Ian Whalley UK Virus Bulletin None
Jd Joost de Raeymaeker *Portugal RSVP Dr. Solomon's
Jk Jimmy Kuo USA McAfee ViruScan
Jm Jose Martinez *Peru HackSoft S.R.Ltda TH AV
Kd K. T. Davies *India Pioneer Micro Vaxine
Ks Klas Scholdstrom *Sweden QA Informatik Dr. Solomon's
Ls Luca Sambucci *Italy I.C.A.R.O. None
Mh Mikko Hypponen *Finland Data Fellows F-Prot Pro
Ms Marek Sell *Poland APEXIM MkS_vir
Nb Neville Bulsara *India N&N Systems Dr. Solomon's
Oh Omar Herrera *Mexico Escuadron AV Aguila AV
Pb Pavel Baudis *Czech Republic Alwil Software Avast!
Pd Paul Ducklin UK Sophos Plc. Sweep
Ra Ruben Arias *Argentina RALP Integ Master
Re Ralph Tee *Malaysia R.E.Solutions Armour AV
Rf Richard Foley *Ireland Reflex Magnetics TBAV
Rk Richard Ku Taiwan Trend Micro PC-cillin
Rr Roger Riordan Australia CYBEC VET
Rt Roger Thompson USA Thompson Network Doctor
Rv Robert Vibert *Canada Sensible Security Dr. Solomon's
Rz Righard Zwienenberg Netherlands ESaSS BV ThunderBYTE
Sc Shane Coursen USA Symantec NAV
Sg Sarah Gordon USA Command Software F-Prot Pro Net
Sm Seiji Murakami *Japan Jade Corp Scan Vakzin
Td Toralv Dirro *Germany U of Hamburg None
Ws Wolfgang Stiller USA Stiller Research Integ Master
Yp Ywain Penberthy *So Africa CSIR Virus Lab VPS
============================================================================
The WildList
============================================================================
This main list includes viruses reported by multiple participants, which
appear to be non-regional in nature. Technically, this first list is "the"
WildList according to my original specification, which required viruses to
be verified in the wild by a minimum of two participants. A supplemental
list follows that contains viruses reported by single participants.
If a virus listed has minor variants, but no specific variant letter is
attached, the virus meant is the .A variant.
Please note that all the MS Word macro viruses are grouped under WM.name.
+ Viruses marked with a plus sign (+) are new to the main list this month.
CARO Name of Virus [ Alias(es) ] Reported by:
============================================================================
15_Years................[Espejo, Esto te] AeDcDgEvJkJmRtScSgSm
Aircop.Standard.........[...............] OhRk
Alfons.1344.............[Iutt99.........] AeFsGpJkJmKsMsPbRrSg
Anticad.4096.Mozart.....[Invader........] DgSg
AntiCMOS.A..............[Lenart.........] AcAdCbCjDcDgEvEwFlFsGmIwJdJkJmKd
KsMhMsPdReRtRvScSgSmWsYp
AntiCMOS.B..............[LiXi...........] AcAdCbDcIwKsMsReRzScSmTd
AntiEXE.A...............[D3, Newbug.....] AcAdBqCbCjDcDgEvEwFlFsGmGpIwJkJm
KdKsMhMsNbPdRfRkRtRvRzScSgSmTdWsYp
Arianna.3375............[...............] DcDgLs
Avispa.D................[...............] AeDgJkRaRtSc
BackFormat.2000.A.......[Backform.......] BnDgFlFsGpJkMs
Bad_Sectors.3428........[...............] FlGp
Barrotes.1310.A.........[Barrotos.......] DgEvGmJdJkJmPdScYp
Boot-437................[...............] AcBqCbCjDcDgFlFsGmGpJkKdKsMsOhPb
PdRkRtRzScSgSmWs
BootEXE.451.............[BFD, BE-451....] FlFsIwJkMhMsNbRzSg
Brasil..................[...............] CjSc
Burglar.1150.A..........[GranGrave.1150.] AcAdCbDgFsJkKsMhMsRkRzScWsYp
Bye.....................[ByeBye.........] CbDcIwKsMsPdRzTd
Byway.A.................[Dir2.Byway.....] DcDgEvFlFsGmIwJdJkJmScSg
Byway.B.................[Dir2.Byway.....] DcDgEvJkJm
Cascade.1701.A..........[1701...........] CbCjCsDgFlFsGmGpKsMhMsPdRtRzSgSm
Ws
Cascade.1704.A..........[1704...........] CsDgEkFsGpKsRtScSg
Cawber..................[NTU.T4, BacLab.] RtSc
Chance.B................[Lennon.........] DcFsJkSc
Changsha.A..............[Centry, Changes] MsRrRt
Chaos.1241..............[Faust..........] RrSg
Chill...................[Chill Touch....] RtSc
Chinese_Fish............[Fish Boot......] CjDgRkRrRt
Civil_Defence.6672......[CDV 3.3........] DcMsPbSg
Cordobes.3334...........[...............] FsJkSc
CPW.1527................[Mediera, Mierda] DgEvFsJkJmSc
Crazy_Boot..............[...............] DcDgEwFlJkScSgTd
+Cruel...................[...............] GmGpMhTd
DA_Boys.................[...............] CjDcEwFsIwJkRtScSgWs
Dark_Avenger.1800.A.....[Eddie..........] CjDgFsGpRrSgWs
Dark_Avenger.2100.SI.A..[V2100..........] DgIwRf
DelCMOS.B...............[Int7F-E9, Feint] DgFsIwJmPdRz
Delta.1163..............[...............] FsSc
DelWin.1759.............[Goblin.1759....] CbDcDgGpJkKsMsPdTd
Den_Zuko.2.A............[Den Zuk........] DgRtSg
Desperado.1403.C........[...............] JkKs
Diablo_Boot.............[...............] DcEvFsJmMhPdRaSc
Die_Hard................[DH2, Wix.......] AcAdCbCjDcDgFlFsJkJmKdKsMsNbReRk
RtRvRzScSgSmTdWsYp
Digi.3547...............[Deliver.Stealth] FsMsPb
Dir_II.A................[Creeping Death.] BnCsDgEkFlFsGmJkKsNbOhRkRrScSgWs
Yp
Disk_Killer.1_00........[Ogre...........] DgEk
DR&ET.1710..............[Dret...........] JkMs
+Ear.Leonardo.1207.......[...............] DgMs
+Edwin...................[...............] DgGmKsSc
Empire.Int_10.B.........[...............] RtScSg
Empire.Monkey.A.........[Monkey.........] DcGmJkJmKsOhPdRrRtScSg
Empire.Monkey.B.........[Monkey 2.......] AcCbCjDcDgEvEwFsGmIwJdJkJmKdKsMh
MsNbOhPdRkRrRtRvRzScSgSmTdWsYp
EXE_Bug.A...............[CMOS Killer....] DgEwFlFsGmIwJkKsOhPdRfRtScTdWsYp
EXE_Bug.C...............[...............] RtYp
EXE_Bug.Hooker..........[...............] MhRtYp
Fairz...................[Khobar.........] JkKdMsRf
Fat_Avenger.............[...............] DcKdRrSm
Fichv.2_1...............[905, CHV 2.1...] DgGmRz
Filler.A................[DiskFiller.....] CbCjFlKs
Finnish_Sprayer.........[Aija...........] FsKsMhSc
Flame...................[Stamford.......] FlJkRrSc
Flip.2153.A.............[Omicron........] DcDgFsGmKsRv
Flip.2343...............[Omicron 2......] DgFsJd
Form.A..................[Form 18........] AcAdCbCjCsDcDgEvEwFlFsGmGpIwJdJk
JmKdKsLsMhMsNbPbPdRfRtRzScSgSmTd
WsYp
Form.C..................[...............] CsMs
Form.D..................[Form May.......] CsDcEvFlFsGmIwKdMsPdRtScYp
Frankenstein............[Frank, Sblank..] DcDgJkKdMs
Freddy_Krueger..........[Freddy 2.......] FsJkScWs
Frodo.Frodo.A...........[4096, 100 Year.] DcDgEwFsGpKsRr
Galicia.................[Telecom........] GpJkRtSc
Ginger.2774.............[Gingerbread....] JkRrSc
GoldBug.................[...............] DgFlJkMh
Green_Caterpillar.1575..[Find, 1575.....] CjDgFlFsGmGpIwJkKdKsOhRrRtScSmWs
Hare.7610...............[...............] AcDgFsIwMhRzScYp
Hare.7750...............[...............] MhMs
Hare.7786...............[...............] FsKsMhMsRz
Helloween.1376.A........[1376...........] DcDgFlIwJkJmPbRrScWs
Hi.460..................[Hi.............] GpMs
Hidenowt................[...............] AeDgGmIwJkJmKdPdScSm
HLLC.Even_Beeper.B......[...............] DgMsRz
Ibex....................[Bones..........] CbJkMhSc
Int40...................[...............] PbPd
Istanbul.1349...........[...............] DgMs
J&M.....................[Jimi, Hasita...] AdBnCbCjDcFlFsGpIwJkKsMhMsPbPdSm
Jerusalem.1244..........[1244...........] DgLsSg
Jerusalem.1500..........[Xug.1500.......] JkSc
Jerusalem.1808.Standard.[1808, Israeli..] CbCjCsDcDgFlFsJmKsNbRkRtRzSgSmWs
Yp
Jerusalem.Mummy.1364.A..[Mummy 2.1......] DgRtYp
Jerusalem.Sunday.A......[Sunday.........] RkRtSgYp
Jerusalem.Zero_Time.Aust[Slow...........] DgJdRrRtSm
Jos.1000................[Jabberwocky....] GpMs
Joshi.A.................[...............] CjDcDgFsJkJmRkRrRtScSgSmWs
Jumper.A................[French Boot, 2k] CbCjDcDgEwFsGmGpJmMsPdRtScSg
Jumper.B................[SillyBop, 2kb..] CbDgFsJkKsMhMsSgSm
+June_12th.2660..........[Mabuhay........] AdMs
Junkie..................[...............] AcAdBnCbCsDcDgEwFlFsGmGpIwJkJmKs
LsMhMsPbPdRfRrRtRvRzScSmTdWs
Kampana.A...............[AntiTel........] CbCjDcDgEwFsGmIwJdJkKsMhMsPbPdRf
RtScSgSmTd
Kaos4.697...............[...............] JkMsScSgYp
Karnivali.1971..........[...............] DgJk
Keypress.1232.A.........[Turku, Twins...] DcDgFlGpJkJmRrRtRzSg
Laroux..................[XM.............] DgJkSg
Leandro.................[TimeWarp.......] AeCbDcEvFsIwJkJmMhMsPdRtRzScWs
Lemming.2160............[...............] RrSc
Liberty.2857.A..........[Mystic, Magic..] DcEvRt
Little_Red.1465.........[Red Book, Mao..] CjDcDgFsKdMsRtSmTdWsYp
MacGyver.2803...........[Shoo...........] GmJkMsRkYp
Major.1644..............[Major BBS......] AeCbDgFsJkKsMhMsRzScSg
Maltese_Amoeba..........[Amoeba.2367....] CbDgFsGmKsMsRtSgWsYp
Mange_Tout.1099.........[1099...........] DgGmJkMsPbSc
Manzon.1414.............[...............] CbDcEwFsIwJkKsMhMsPdRrTd
Markt.1533..............[Werbe, Media...] DgFs
Michelangelo.A..........[...............] AdBnCjCsDcDgEkFlFsGmGpOhPbPdRkRr
RtScSgSmWsYp
MIREA.1788..............[Lyceum.1788....] AeEkJm
Moloch..................[...............] FsSc
Mongolian_Boot..........[Mongol.........] DgScSm
Music_Bug...............[...............] CjWs
Natas.4744..............[Satan, Sat_Bug.] AdCbDcDgEvEwFlFsGpJdJkJmKdKsMhMs
NbOhPbPdRkRtRvScSgSmTdYp
Necros.1164.............[Gnose, Irish3..] DgRf
Neuroquila..............[Havoc, Wedding.] DgJkWs
Nightfall.4518.B........[N8Fall.........] CbDgJkPbTd
No_Frills.Dudley........[Oi Dudley......] DgJkRrRt
No_Frills.No_Frills.843.[...............] JkRrSc
Nomenklatura.A..........[Nomen..........] DgMh
November_17th.800.A.....[Jan1, Int83.800] DcFlLsSc
November_17th.855.A.....[Int83.855......] DcDgFsGmLsMsRtSc
NPox.963.A..............[Evil Genius....] FsSc
NYB.....................[B1.............] CjDcDgEkEwFlFsIwJkJmKdKsLsMhMsPd
RtRvRzScSgSmTdWsYp
One_Half.3544...........[Dis, Free Love.] AcAdAeBnCbCsDcDgEkEvEwFlFsGmGpJk
JmKdKsLsMhMsNbPbRfRkRtRzScSgSmTd
WsYp
One_Half.3570...........[...............] FsJk
Ontario.1024............[SBC, 1024......] DcRr
Parity_Boot.A...........[...............] CbGpIwMhMsTd
Parity_Boot.B...........[Generic 1......] CbCjCsDcDgEvEwFlFsGmGpIwJdJkKdKs
MhPdRfRtRzScSgSmTdYp
Pasta...................[Boot-446.......] DgJkSc
Pathogen:SMEG.0_1.......[SMEG...........] DgScWsYp
+Paula_Boot..............[...............] FsRa
Peter...................[Peter II.......] CbDcFsJdJkMhSmYp
Ph33R.1332..............[...............] EwFsJkMh
Phx.965.................[PUX.965........] DgJmMsRa
Pieck.4444..............[Kaczor.4444....] CbMsRvYp
Ping_Pong.B.............[Bouncing-Ball..] DcDgFsGmYp
+Plagiarist.2051.........[...............] DgSc
Predator.2448...........[2448...........] FsJkKsRvSc
QRry....................[Query, Essex...] DcEvJkSc
Quandary................[Parity_Boot.Enc] AcDgFsIwJkKsMhMsPdRvSmTd
Quicky.1376.............[Quicksilver....] AcCbDgFlFsGmJkPdScTd
Quiver..................[Qvr............] EvMh
Quox.A..................[Stealth 2......] CbDcFlFsJkRtScSgSm
Reverse.948.............[Red Spider.....] MsYp
Ripper..................[Jack Ripper....] AcAdCjCsDcDgEwFlFsGmGpIwJkKsMhMs
PbPdRfRkRtRvRzScSgSmTdWsYp
Russian_Flag............[Slydell, Ekater] DcDgIwJkRzScSmYp
Sampo...................[Turbo, Wllop...] AcAdCjDcDgEwFlFsGmIwJkKdKsMhMsNb
PbPdRtScSgSmWsYp
Sarampo.1371............[...............] DgJdJk
Sat_Bug.Sat_Bug.........[Satan Bug......] EvSc
Satria.A................[July 4th.......] JkTd
Sayha...................[...............] JkSc
Screaming_Fist.II.696...[Fist 2, Scream.] CjDgJkRtSg
She_Has.................[Breasts........] CbDgIwPdRzTd
Sibylle.................[...............] DcDgFl
Sleep_Walker.1266.......[Swalker........] RrSc
Stealth_Boot.B..........[AMSE, NopB.....] CbCjDcDgEvFsJkMsPdRtScSgSm
Stealth_Boot.C..........[AMSE, NopB2....] CbCjEvFsGmJdJkJmPdRtScSgSmYp
Stoned.16.A.............[Brunswick......] DcDgSc
Stoned.Angelina.A.......[...............] BqCbCsDcDgEvFlGmIwJdJkJmKdMhMsPb
PdRkRvScSgSmTdYp
Stoned.Azusa.A..........[Hong Kong......] CjCsDgJkKsRrRtScYp
Stoned.Bravo............[...............] DgMsYp
Stoned.Bunny.A..........[...............] ScSgWsYp
Stoned.Daniela..........[...............] MsScSg
Stoned.Dinamo...........[...............] DcIwMsRtSc
Stoned.June_4th.A.......[Bloody!........] CbCjCsDgJkRkRrScSmWs
Stoned.Kiev.............[Epbr...........] CjDcEkMsPdRt
Stoned.Lzr..............[Lisa2, Whit....] AdCjDcEvFsRtSc
Stoned.Manitoba.........[Stonehenge.....] DcDgFsKsPdRtRvScSm
Stoned.No_INT.A.........[Stoned.........] AcCbCjCsDcDgEwFlFsGmIwJkMhOhPbPd
RrRtScSgWsYp
Stoned.NOP..............[NOP............] DgJkWs
Stoned.Spirit...........[...............] AeDgFsGmJkMhMsPbRz
Stoned.Standard.A.......[New Zealand....] CjDcDgEkEvFsGmGpJkPdRkRrRtScSmWs
Yp
Stoned.Swedish_Disaster.[...............] CjDgIw
Stoned.W-Boot...........[Stoned.P, Wonka] AdDcEvJkMsPdRrScWs
SVC.3103.A..............[SVC 5.0........] DgEkEvSc
Swiss_Boot..............[Swiss Army.....] DcFlFsJkKsNbSm
Tai-Pan.438.............[Whisper........] CbDcDgFlFsGmJkJmKdKsMhMsPbPdRtSg
TdWsYp
Tai-Pan.666.............[D2D, Doom2Death] AcBnCbDcDgEkEwJkMhMsRtScSgSmWsYp
Tanpro.524..............[...............] AdJkSc
Tentacle.10634..........[Tentacle II....] DgJkKsMhRvSc
Tentacle.1996...........[...............] DgEwFsJkKsMhRzSc
Tequila.A...............[...............] CsDcDgEwFsGmIwJkPdRfRkRtScSgSmTd
WsYp
Teraz.2717..............[...............] DgIw
Three_Tunes.1784........[Flip, PCBB.1784] AeCjDcDgEvJkJmSc
Trakia.653..............[...............] RrSc
Tremor.4000.A...........[...............] CbCsDgFlFsJkKsMhMsPbRtSgWsYp
Trojector.1463..........[Athens.........] DcDgJkKdNbSgSm
Trojector.1561..........[...............] GpKsRzSc
+TVPO.3873...............[...............] GpRz
Unashamed...............[...............] IwJdJkJmLsMhMsPdScYp
Unsnared.814............[ V.814.........] AeGpRz
Urkel...................[Nwait..........] CjDcFsJkRzScSgWs
V-Sign..................[Cansu, Sigalit.] BnCjDcDgFsGmIwJkKdMhMsPbPdRrRtSc
SgSmWs
Vacsina.TP-05.A.........[RCE-1206.......] CjDgFsRtSc
Vacsina.TP-16.A.........[RCE-1339.......] DgFs
Vampiro.................[...............] DgRaWs
Vienna.648.Reboot.A.....[DOS-62.........] AeDgEkGpRkSg
Vinchuca................[...............] DgRaWs
VLamiX..................[Die Lamer......] DgFlJkMsRt
WelcomB.................[Bupt.9146......] AdCjCsDcDgEvFlGmGpIwJkJmKsMhMsPb
PdRtScYp
Werewolf.1500.B.........[...............] DgEwFsGmJkMhMsRzScSgSmYp
+WM.Buero................[...............] DgJkMhScTd
+WM.Colors.A.............[...............] JdJkYp
WM.Concept..............[Concept, Prank ] AcAdBqCbCjCsDgEwFlFsIwJdJkJmKdKs
MhMsNbPbPdReRfRkRrRvRzScSgSmTdWs
Yp
WM.Date.................[AntiDMV........] DgPbSc
+WM.Divina...............[Divina.........] FsSc
WM.Hot..................[Hot............] RvSc
WM.Imposter.............[Imposter.......] AcDgIwMhSc
+WM.Irish................[Irish..........] JkSc
WM.MDMA.................[MDMADMV........] JkMhSc
WM.NOP.A................[Nop............] FsMhRzSc
+WM.Npad.................[Bandung........] DgJkJmMhRzScTd
WM.Nuclear.B............[Nuclear.B......] FlFsYp
WM.Wazzu................[Wazzu..........] AdAeCbDgFsJdJkJmKsRkRvSc
WXYC....................[...............] CjJmMsOhScSmWs
Xeram.1664..............[N-Xeram.1664...] JkPd
Xuxa.1984...............[...............] DgFs
Yankee Doodle.TP-39.....[RCE-2772.......] DgFs
Yankee Doodle.TP-44.A...[RCE-2885.......] DgEkEwFlFsGmGpKsMhMsNbPdRtSgSmTd
Yankee Doodle.XPEH.4928.[Micropox.......] CbFlFs
============================================================================
Total for the WildList: 223
============================================================================
Supplemental List
============================================================================
As was noted at the start of the main list, this list is not, technically,
part of "The WildList" as I have defined it. By design, the WildList is a
list of viruses verified as being in the wild by a minimum of two WildList
participants. The viruses listed below do not currently meet that criteria.
This additional list includes viruses reported by a single participant and
are often either moving onto the main list, or dropping off of it.
Please note especially that this list also tends to be more of a regional
reporting mechanism. For example, a virus is often reported as very common
by one regional participant, but is found nowhere else in the world.
Viruses marked with a minus sign (-) dropped off the main list this month.
CARO Name of Virus [Alias(es) ] Reported by:
============================================================================
15_Years.B..............[Espejo.B.......] Jk
A&A.....................[...............] Dg
Accept.3773.............[...............] Ra
Acid....................[...............] Ew
Alphabetic.A............[...............] Mh
Anticad.4096.A..........[Plastique 5.12.] Sg
AntiCMOS.D..............[AntiCMOS.G.....] Jk
Arusiek.817.............[...............] Cb
Avalon..................[...............] Fs
Baby.962................[_962...........] Ad
BackFormat.B............[BackForm.B.....] Ms
Barrotes.1303...........[Sta Tecla......] Ev
Barrotes.1463...........[...............] Rz
Beer.2473...............[...............] Fl
Cavaco..................[...............] Jk
Chameleon...............[...............] Iw
Cosenza.................[...............] Fs
Coup.2052...............[...............] Dg
Dalian..................[...............] Ad
Danish_Boot.............[...............] Sc
Datalock.920.A..........[...............] Dg
Defo....................[PeterII.Runtime] Fs
Deliver.1771............[Blue Shark.....] Ms
Diciembre_30_Boot.......[...............] Jm
Dual_Gtm.1643...........[BewareBug.1643.] Jk
DullBoy.................[...............] Jk
DuPoem..................[...............] Jk
Error_Vir...............[...............] Mh
Face....................[...............] Jk
Fighter.5871.APE........[Stealth_Fighter] Ek
Finnish.357.............[...............] Ks
Finnpoly................[...............] Mh
FITW....................[...............] Pd
Flag3.1901..............[Furtive.1901...] Jk
Form.B..................[...............] Iw
Glupak.857..............[...............] Rz
Gripe.2040..............[...............] Jk
H-Andromeda.1024........[Axe............] Fl
Ha!.1224................[Info,Zmaina....] Ms
Hack_Master.............[...............] Ae
Halt....................[BM_Birthday....] Jk
Hi.833..................[Hi.............] Gp
Hiroshima.830...........[...............] Jk
HLLO.Novademo...........[Nova...........] Ms
Horror.1173.............[...............] Td
Immortal.2190...........[...............] Ms
Indonga.2197............[...............] Dg
Infector.1022...........[Alia.1023......] Sc
Invisible_Man.2926......[...............] Kd
ITV.457.................[...............] Oh
IVP.264.B...............[...............] Rz
IVP.674.B...............[...............] Ks
IVP.Flipper.872.........[...............] Rr
Japanese_Xmas...........[Xmas in Japan..] Sm
Jerusalem.AntiScan......[...............] Dg
Jerusalem.June_13.......[...............] Gp
Johana_Boot.............[...............] Jm
K-Hate..................[...............] Iw
Kmee....................[...............] Fs
Kysia.1536..............[Kyokushinkai...] Ms
Kysia.3072..............[Kyokushinkai...] Ms
Legozz..................[...............] Fl
Little_Brother.307......[...............] Jk
LTS.....................[...............] Fs
Lucho...................[...............] Jm
Lutil.591...............[...............] Jk
MacGyver.4112...........[...............] Jk
Magda...................[Magdzie........] Ms
Mannequin...............[...............] Gp
Mario.745...............[...............] Ms
Matthew.3044............[...............] Ad
Menem_Tocoto............[...............] Ra
Mirage..................[...............] Dg
MISiS...................[Zharinov,NIKA..] Ev
Natas.4738..............[...............] Dg
Nightfall.*.............[N8Fall.........] Td
NJH2LBC.A...............[Korea Boot.....] Dg
November_17th.800.B.....[...............] Dc
NoWin.2576..............[Zielona........] Ms
Oktubre.1784............[...............] Dg
Ornate..................[...............] Dg
Patras.196..............[...............] Gm
PC_Ogre.................[...............] Jk
Peligro.1213............[...............] Jm
Phx.1295................[...............] Ra
Print_Screen_Boot.A.....[India,PrnSn....] Dg
PS-MPC.475..............[...............] Sc
Pysk.2464...............[...............] Dg
Rhubarb.................[RP.............] Ms
Scitzo..................[...............] Fl
Scroll.1532.............[Kato...........] Ms
Sierra..................[...............] Jk
SillyCR.409.............[...............] Jk
Spectre.513.............[...............] Ks
Stealth_Boot.Alfredo....[...............] Dc
Stoned.Michelangelo.D...[...............] Fl
Stoned.Scale............[BootM1.........] Ae
Suriv_1.Argentina.......[...............] Ra
Tai-Pan.512.............[...............] Mh
Teraz.4004..............[Flaga..........] Ms
Turner..................[...............] Ek
Ulate...................[...............] Dg
Ultra_Violent...........[...............] Jk
Unkempt.1350............[...............] Jm
Uvjan.2246..............[...............] Ev
Uvjan.2262..............[...............] Ev
V-160...................[SillyRC.160....] Jk
Valentine.2332..........[...............] Jk
VCL.541.................[...............] Ks
VCL.Genocide.839........[...............] Ms
Vienna.Bua..............[Big Caibua.....] Dg
Voyage.1134.............[...............] Ws
Werewolf.684............[Claws..........] Jk
Werewolf.693............[Fangs..........] Jk
WM.Boom.................[...............] Sc
WM.Concept.B:Fr.........[...............] Jk
WM.Concept.C............[...............] Dg
WM.Concept.F............[...............] Fs
WM.Parasite.............[...............] Sc
WM.Taiwan1..............[...............] Rk
WM.Wazzu.E..............[...............] Jk
Xtc.2153................[...............] Jk
Yesmile.................[...............] Fs
Zimboot.................[...............] Yp
============================================================================
Total for both lists: 347
============================================================================
Release notes for the October 15 list:
Neville Busara of India and Ralph Tee have been added to the list. Since
Rt is already used Ralph Tee is represented by Re. (His company is R.E.S.)
Please note that all the MS Word macro viruses are grouped under WM.name.
So Concept is now under WM.Concept. This follows the precedent set by
some antivirus companies and makes isolating the macro viruses easier for
some who use the list just to track macro viruses. E.g. Mac user groups.
I am continuously seeking WildList participants, especially for regional
reporting in the following countries:
Bulgaria, Chile, China, Denmark, Greece, Indonesia, Phillipines, Saudi
Arabia, Singapore, South Korea, Spain, Thailand, Turkey, and Ukraine.
Such new participants will need to be in a position where they can monitor
and verify virus incidents. People who develop av products are best suited.
People who represent one or more av products (agents) and provide localized
support may also be qualified if they actually verify the viruses or
forward samples to developers. If you thus qualify, please send your name,
location, organization, product name, favorite brand of beer, and
references (preferably CARO members who know you). Send the information to
wildlist@vcnet.com. Thanks.
============================================================================
The collation of this list is done by Joe Wells, Editor of the IBM web
site for virus information, www.av.ibm.com, who is solely responsible for
its contents.
The latest WildList is always posted directly by me to the NCSA Security
forum on Compuserve, in the Virus Info/Tools library. The official archive
location for the WildList is ftp.ncsa.com in pub/virus/wildlist.
A complete archive of WildLists is available at the Virus Bulletin web
site (http://www.virusbtn.com/WildLists/index.html).
The WildList is copyright material, but may be freely quoted or cited in
part or in whole. No permission is needed to reprint the list.
All mail in regard to the WildList should be sent to wildlist@vcnet.com.
============================================================================
WildList Vol.610 - (c)1993-1996 Joe Wells - 75511,635 - wildlist@vcnet.com
============================================================================
=============================================================================
Section Three - Beginners Guide For Newbie Collectors
Due to frequent posts on the Usenet, as well as frequent E-mails
asking me some of the basic questions when it comes to collecting, I felt
it would probably save everyone some time, to sit back and write a few basics
on aquiring and storing viruses.
We will start with aquisition. For those who have not learned yet,
the Usenet is not a Virus Collector friendly medium. Very few viruses are
exchanged via Usenet newsgroups. The only newsgroup which I have seen any
sort of exchange going on, has been in alt.comp.virus.source.code. There
are a few people who have been exchanging here and there. And there is a
virus posted maybe once a week there.
Posting to a newsgroup messages like "Please send me a Virus", is
not a good way to get viruses. All it will probably get you is some hate
mail, maybe some cheezy flames in the newsgroup itself. Other than that
it will be your time wasted.
I would say the best way, is use your favorite WWW or FTP search
engine and search for some keywords (EG virii, virus). In these searches you
will pull up an enormous amount of garbage, but you should find something
interesting in your travels.
Once you have a few sites, it is best to explore the links from those
sites to others. And last but not least, download everything you can.
Something I don't run into very often, but do every now and again,
is someone e-mailing me asking me if I want to trade viruses VIA e-mail. It
dosn't sound stupid to them, and maybe to most it dosn't. But I have my
entire collection archived and available via FTP and WWW, with the exception
of the few files I may have recieved in the last couple of days. What would
I possibly have laying around that they don't already have access to? I am
not running some ELITE service. I have no ratios no nothing. I provide all
of my resources to anyone who wished to aquire them. If you want to send
me something I don't have in e-mail, then send it. But virtually
everything I have is available on the site.
Collection is very easy, and pretty safe as well. There are many
different methods of making sure viruses dont get loose on your system. The
ultimate safeguard is to not store viruses on a system you value. But since
not everyone has multiple computers laying around, there are other ways that
are just as safe.
How safe is safe? Well the entire Virii Heaven Archive is on one of
my hard drives. I use this system every day, and it is the primary system in
my household. I have never once had this system infected as the result of
these viruses being present on the system.
One of the most popular ways people store viruses is with the use of
a compression program, such as PKZIP. A standard ZIP file is completely safe
to store everything in, as the files inside the ZIP cannot be executed on
accident. Some people store thier entire collection in one big zip file,
others store each virus individually.
Another way which people store the viruses, which I am not a big fan
of just because of disk space reasons, is to rename the virus file. The
virus named VIRUS.EXE for example could be renamed to VIRUS.EX_ thus making
so it wont run. This works, but it lacks the compression which PKZIP or a
simmilair compression program might apply, thus wasting disk space. But
alas is another option.
These are probably the most common ways of storing files. Sure
there are many other ways with the technology boom in optical drives and
removable hard drives. I keep mine on tape backup as well. But I am sure
if you already have these other options, chances are you have already thought
to use them for your collection right?
For more on Collecting Viruses, there is a little more advice in the
beginning of the WWW/FTP Site guide in section 6 of this Newsletter in
PhreeX's Site guide.
=============================================================================
Section four - *NEW* Virus Related Newsgroup
Some time ago, PhreeX and I launched a campaign on Virus Heaven to
get some of the Vx scene to be more active in the newsgroup alt.comp.virus.
As we feel the newsgroup should be open to the discussion of the creation of
viruses. However there was quite an opposition from the AV folks in there,
and to be all quite honest, there still is.
There wasn't a whole lot of Vx support in the matters, but there was
other routes in which for all of us to communicate. VBB's web-based message
board was pretty active about that time until it got corrupted, and
Dark Night has been too busy to fix it. And there has always been
alt.comp.virus.source.code, which did pick up some in the last few months.
Well the number of spams is still the same, but at least now there are a
couple of on-topic posts each day, as well as some source and an occasional
dropper is posted there as well.
About a couple of weeks into this whole campaign, PhreeX saw the
futility of fighting for alt.comp.virus. And noted that one of the biggest
arguements the AV people had, was that it wasn't a binaries newsgroup, and
while we had the right to discuss authoring in there, we had no right to
post binaries or source code there.
At about this point, PhreeX applied to have a new newsgroup built.
And a couple of months later, this newsgroup is a reality, and is now
available for those who wish to pursue it. The new newsgroup is called
"alt.binaries.comp.pro-virus". More than likely, your current ISP has not
picked it up. You may wish to contact the appropriate person with your ISP
and request that they make it available to you. I will be doing so when
I switch ISP's here in a week or two, as I am doubtfull that Teleport.com
will pick it up, since run-in's in the past I have had with them were handled
ignorantly and with very little investigation.
Being that this is in the alt hierchy, it will be un-moderated. And
since it is a binaries newsgroup, you will be able to send and recieve
viruses in this newsgroup, both source code and executables, and well,
anything that is PRO-VIRUS goes here.
I hope to be seeing many of you there. I will be there as soon as I
change my primary ISP. (Note: Being that ILF is not my primary ISP, the site
for Virus Heaven will remain the same, as well as my ILF e-mail address.
When my other e-mail address changes, I will let you all know, either by
e-mail, or by way of the Web site itself.
=============================================================================
Section Five - Vx Related Books
This section is going to be somewhat small, as I do not have many
books which will be of much use. More than likely, I will just move this
section in the next issue, into the WWW/FTP site guide.
What you will find below is all the information I have on how to
get ahold of some of these books. You will more than likely see Publisher
contact information on a few of these as not all of them can be found in
your local bookstore. But many bookstores will order for you if you can
provide them with publisher information. Or you can just order them
yourself by contacting the publisher.
CVRL CD-Rom Version 2
Cost= $89.00 (US)
This is a collection CD-Rom by Computer Virus Research Lab. You can
download a listing of everything on the CD as of the current version
available from the site listed below to place your order. This isn't
really a book, but there are collections of E-zines on the CD as well.
Ordering and info - http://www2.spidernet.net/web/%7Ecvrl/
A Pathology Of Computer Viruses
By David Ferbrache
This is said to be available at libraries and what not, so it is probably
available in your local bookstores maybe as well.
Dr. Solomon's Virus Encyclopedia
A printed virus encyclopedia.
Ordering And Info - http://www.drsolomon.com
The Virus Creation Labs - A Journey Into The Underground
By Dr. George C. Smith
In catalog for $12.95
ISBN 0-929408-09-8
Published By-
American Eagle Pub.
PO Box 1507
Show Low, Arizona USA 85901
1-800-719-4957 or 1-520-367-1621
Giant Black Book Of Computer Viruses
Apparently a cult-classic in the Vx world
Sources tell me it is available from American Eagle Pub.
American Eagle Pub.
PO Box 1507
Show Low, Arizona USA 85901
1-800-719-4957 or 1-520-367-1621
Super Technology '96
Put together by the same author that made the "Giant Black Book Of Computer
Viruses". From what was said in the most recent Crypt Newsletter, this is
Selling for $399.00 (US) or so. I have recieved mail via the Usenet advising
me that this book was offered for $99.00 (US) to those who had bought the
"Giant Black Book Of Computer Viruses" in the past.
Basically the book details heavily on everything you need to know about
viruses and Windows 95.
That is pretty much it for now. I have not heard from the author, so I do
not know for sure if there is anything available in Super Technology that
cannot be found on the net, in regards to Win95 viruses. And anyone who
owns this book, I would appreciate a short summary or review on this book,
as well as any additional pertinent information I may have left out.
=============================================================================
Section Six - Vx Site Guide (FTP/WWW) - Revised
The *offical*
.o88b. .d88b. .88b d88. d8888b. db db d888888b d88888b d8888b.
d8P Y8 .8P Y8. 88'YbdP`88 88 `8D 88 88 `~~88~~' 88' 88 `8D
8P 88 88 88 88 88 88oodD' 88 88 88 88ooooo 88oobY'
8b 88 88 88 88 88 88~~~ 88 88 88 88~~~~~ 88`8b
Y8b d8 `8b d8' 88 88 88 88 88b d88 88 88. 88 `88.
`Y88P' `Y88P' YP YP YP 88 ~Y8888P' YP Y88888P 88 YD
db db d888888b d8888b. db db .d8888.
88 88 `88' 88 `8D 88 88 88' YP
Y8 8P 88 88oobY' 88 88 `8bo.
`8b d8' 88 88`8b 88 88 `Y8b.
`8bd8' .88. 88 `88. 88b d88 db 8D
YP Y888888P 88 YD ~Y8888P' `8888Y'
--==[\|/]==-- World Wide Web Site/FTP Site list --==[\|/]==--
[] Version 1.04 []
Compiled by Dr. PhreeX Merian Edited by God@rky
Brought to you by FoRcE, "Taking on the web with full FoRcE"
HUGE thanks to God@rky, this would have not been possiable without you!!
-INDEX-
Disclaimer
A word on safe virus storage
-LINKS-
Part 1: Virus Genrators/engines
Part 2: Some popular viruses
Part 3: Mac viruses
Part 4: Needed tools (Assemblers)
Part 5: Virus related FAQ's/Tutorials
Part 6: Virus INFORMATION Links
Part 7: Computer Virus links
Part 8: Conclusion (By Dr. PhreeX Merin himself!!)
Any comments, questions, or additions can be sent to me: phreex@ao.net or you
can call me directly 24 hours a day at: 1-809-404-5468
Disclaimer:
I (Dr. PhreeX Merian) Can -NOT- nor will I be held responsible for your
stupidity, viruses can destroy your/others computers (that is, the data
within them,) if you execute a virus you just might get fucked. Collect 'em,
study 'em, trade 'em but for god sake do **NOT** execute them.
Note: As of 10/13/96 at 19:38:03 PM EST every one of these links was valid,
however they may die, if so please take it up with the site owner, not me!
A word on safe virus storage:
As your collection of viruses (virii) grows so does the risk of
self-infection, believe it or not you -CAN- safely store viruses on your hard
drive, I have over 3,000 and have NEVER been infected! Here are just a few
things you can do to protect yourself.
1) ALWAYS keep viruses zipped up, I can not stress this enough, keep each
virus in its own .zip with a text describing it (if possible) you can get a
free copy of Pkzip from;
http://www.pkware.com
remember, if its zipped up it can **NOT** be executed!!!
2) Its a good idea to re-name the file extension to something other than .com
or .exe, I use .co_ or .ex_, this way you can NOT accidentily execute the
virus.
3) Put all your viruses in 1 (one) directory, I use c:\VIRUS, you can use
whatever the hell you want.
4) Get a -GOOD- AV scanner! Because everyone thinks theres is the best you
can get reviews and sites at;
http://www.virusbtn.com
I think FProt is the best, you can download a shareware copy (gag) but thats
no fun, I suggest you check the alt.binaries.warez.* groups for a -REAL- copy
(its always posted somewhere).
5) Once you get a AV scanner USE IT!!!, remember, you put all your viruses in
one directory, most all virus scanners allow you to exclude
drives/directories/files when you scan, set your scanner to exclude whatever
directory your viruses are in. If you start to get reports of viruses outside
of that directory you might have a problem.
6) If you really paranoid you can keep all your viruses on floppy disk,
actually, this is a good idea, due to the small size of viruses you can store
TONS of 'em on only a few disk's. ZIP drives are also nice to have, so are
CDR's. If you put your viruses on disk LABEL the disk so others don't infect
you.
7) USE COMMON SENSE! This is really the best protection, don't be an idiot,
don't run anything that you don't know what it does, yadda yadda yadda...
On with the show......
Here is how this file is aranged;
File/Site name
http://www.this.is.the.site
Review of the site/file will go here...
Lets get started!!
Please note the following;
I would like to keep this file somewhat small, for that reason I will not go
into just what each virus/program does, if you wish to know just what one of
these does the go here:
http://www.Europe.DataFellows.com/vir-info/
I also have omited links directly to virus sims (emulators), theses are used
for testing AV scanners and are of little use to the VX community.
(God@rky: Actually according to many of the AV folks, virus sims are
useless. And that only a good test can be performed by an AV expert. As well
as the factoid that the only test they consider a good install test, is the
EICAR test.)
Part 1
[ Virus Generators ]
These are alright, however most of them do not work 100% of the time and the
viruses are easily picked up even the most half assed scanners.
All of the following are located at: http://www.kuai.se/~panik should these
URL's be dead please go directly to the site.
Instant Virus Production Kit v1.7
http://www.kuai.se/~panik/archive/ivp.zip
This is alright, however all of these are picked up.
Mutation Engine 1.00a
http://www.kuai.se/~panik/archive/mte.zip
Not very user friendly, still, its allright.
NuKE Randomic Life Generator v.66b
http://www.kuai.se/~panik/archive/nrlg.zip
This one is cool.
Phalcon/Skism's G2 v.70�
http://www.kuai.se/~panik/archive/g2.zip
I have yet to use this, word is, it sucks.
TridenT Polymorphic Engine v1.4
http://www.kuai.se/~panik/archive/tpe14.zip
A nice polymorphic engine.
Compact Polymorphic Engine
http://www.kuai.se/~panik/archive/cpe-ape.zip
A nice polymorphic engine.
Rajaat's Tiny Flexible Mutator
http://www.kuai.se/~panik/archive/rme11.zip
Not very good, however I believe these are not yet picked up by most
scanners.
NoMut v0.01
http://www.kuai.se/~panik/archive/nomut.txt
Decent polymorphic engine.
SDFE 2.0
http://www.kuai.se/~panik/archive/sdfe20.txt
Nice, however everyone of these is picked up.
The Rickety and Hardly Insidious yet New Chaos Engine v2.0
http://www.kuai.se/~panik/archive/rhince2.txt
The name says it all.
VLAD infinite polymorphic
http://www.kuai.se/~panik/archive/vip.txt
Ya gotta grab this one!!
Small Polymorphic Engine
http://www.kuai.se/~panik/archive/spe.txt
This is a nice polymorphic engine.
Biological Warfare Mutation Engine
http://www.kuai.se/~panik/archive/bwme.txt
This is the *REAL* one.
Mini Mutation Engine v1.0
http://www.kuai.se/~panik/archive/mime1294.zip
I have yet to use this.
Trojan Horse Construction Kit v2.0
http://www.kuai.se/~panik/archive/thck200.zip
My personal favorite when it comes to trojans
TSR Time Bomb
http://www.kuai.se/~panik/archive/tsr_tb.zip
Allright.
Virus Creation Laboratory v1.0
http://www.kuai.se/~panik/archive/vcl.zip
This one is WAY over hyped, only a few of the viruses work and there all
picked up by ANY virus scanner. Skip this one, your not missing a damn thing!
BTW, the password is "Chiba City" (without the " ")
Virus Lab Creations v1.1
http://www.kuai.se/~panik/archive/vlc.zip
A little better than the above.
Virus Creation 2000
http://www.kuai.se/~panik/archive/vc2000.zip
Lame!
Virus Construction Set v1.0
http://www.kuai.se/~panik/archive/vcs10.zip
Lame!
Biological Warfare Virus Creation Kit
http://www.kuai.se/~panik/archive/bw100.zip
Good for a virus generator.
The Nowhere Utilities 2.0
http://www.kuai.se/~panik/archive/nutils20.zip
All of these are picked up
Part 2
[ Some Popular Viruses ]
These are some of the most *POPULAR* viruses, they might not be the most
powerfull however these are the ones you keep hearing about.
Most of these come to us from God@rkys virus heaven located at;
http://www.ilf.net/god@rky/virii.htm
The Hellish Conspiracy Virus
http://www.ilf.net/god@rky/virii/hellish.zip
Sounds pretty cool, but sure wouldn't want it on my system. Does alot of
peculier shit with your PC speaker too.
The CriCri Virus
http://www.ilf.net/god@rky/virii/cricri.zip
Nifty, I have yet to run this.
The HARE Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
One of the hottest viruses EVER!! And its a nasty one to!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!
The Tentacle Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
Another virus that rocked the AV/VX community, does really neat stuff to your
windows icons!!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!
The Rickdog666 Virus
http://www.ilf.net/god@rky/magazines/vbb-3.zip
This virus got a kid kicked out of school, don't miss this one!
NOTE: This zip has several viruses, READ THE INCLUDED TEXT!
--MACRO VIRUSES--
Macro viruses are .doc files that, when opened, will infect your machine.
HINT: Do not try to open these to veiw them!
The Alliance Word Macro Virus
http://www.ilf.net/god@rky/virii/alliance.zip
Nice virus, brought to you by the alliance.
Colors Macro Virus
http://www.ilf.net/god@rky/virii/colors95.zip
- GREAT* Virus!!! this also comes with source code and a file on making your
own Macro viruses!!! Do *NOT* miss this one!!!
The Outlaw Macro Virus
http://www.ilf.net/god@rky/virii/outlaw.zip
This is pretty new, not sure exactly what it does.
Word.Easyman Macro Virus
http://www.ilf.net/god@rky/virii/wrdesymn.zip
A newer Macro virus, I have yet to see the destruction.
Word.Saver(SEX) Macro Virus
http://www.ilf.net/god@rky/virii/wordsavr.zip
Yet another Macro virus.
Word.Spooky Macro Virus
http://www.ilf.net/god@rky/virii/wrdspook.zip
This is one you do *NOT* want to get infected with!
Part 3
[ MAC Viruses ]
In this era of equality no one is left out, this includes those that fell for
the media ploy and own a Macintosh (Apple). So far I know of only this file,
taken from God@rkys (http://www.ilf.net/god@rky/virii.htm)
Macintosh Viruses (huge file)
http://www.ilf.net/god@rky/mac/macvirii.zip
I know nothing about these, BTW, funny how they are for the mac yet there in
a .zip file 'eh?
Part 4
[ Needed Tools ]
These are all used in compiling virus source code, I have been told that some
of these are *NOT* freeware, IOW there pirated software.
a86 Assembler (Shareware)
http://www.ilf.net/god@rky/tools/a86v402.zip
Shareware assembler, this is a good one for compiling all that .asm code.
d86 Debugger (Shareware)
http://www.ilf.net/god@rky/tools/d86v402.zip
Shareware de-bugger, great to get the source of a compiled virus.
SoftIce for Win95
http://www.kuai.se/~panik/archive/softice.zip
SUPER de-bugger for windows '95 (also good for cracking software)
SoftIce for Windows 3.11
http://www.kuai.se/~panik/archive/m_wice13.zip
The same great program for windows 3.1.
SoftIce for Dos
http://www.kuai.se/~panik/archive/s-ice280.zip
The BEST DOS de-bugger!
Disaster
http://www.kuai.se/~panik/archive/disaster.zip
Dos disassembler.
IBM Assembly Code Generator
http://www.kuai.se/~panik/archive/asmgen.zip
A program that genrates source code from an executable.
Bubble Chamber Disassembler
http://www.kuai.se/~panik/archive/bubble.zip
Really good diassembler (What I use)
Intelligent Disassembler v1.2
http://www.kuai.se/~panik/archive/id12.zip
Good disassembler.
Part 5
[ Virus related FAQ's/Tutorials ]
These are FAQ's all about viruses, both removal and infection. ALso included
are some tutorials on making viruses.
x86 Assembly Language FAQ - a86 & d86
http://www.cis.ohio-state.edu/hypertext/faq/usenet/assembly-language/x86/a86/
faq.html
Well, its not going to make you an assembly programer but its a good start
alt.comp.virus FAQ (This is the FULL current version, very AV)
http://www.ilf.net/god@rky/acv_faq.html
This is the FULL version of the a.c.v FAQ, not the origonal yet its still
very good!
alt.virus FAQ (The origonal a.c.v FAQ, very VX)
http://www.ilf.net/god@rky/acvx_faq.html
This is the *ORIGONAL* a.c.v FAQ, as you can see a.c.v was made as a
pro-virus newsgroup!
VSUMx606
ftp://ftp.germany.eu.net/pub/comp/msdos/mirror.garbo/virus/vsumx606.zip
This is an OK Hypertext. It is said to have lots of errors in it. You know
stuff like dates when a virus first appeared and what not, and in some cases
what the virus does. The AV people regard it as not a very good Hypertext.
It will get the job done in many cases but it is always light years behind
what you will find at any of the Vx sites.
VDAT170
http://www.cyberstation.net/~cicatrix
This is a very good up&coming hypertext. I am impressed with how far it
has come in such little time, and think it has the potential to come along
much further. Keep an eye on this little gem in the months to come, it could
become a valuable asset to those wondering what items in thier collection or
infecting thier system are doing.
Anti-Debugging Tricks
http://www.ilf.net/god@rky/tutorials/antdebug.txt
Really good file on anti-debugging tricks, to bad most of its picked up by AV
scanners.
Black Wolf's Guide To Memory Resident Virii
http://www.ilf.net/god@rky/tutorials/memres.txt
Good file on MRV.
Polymorphic Viruses - Part 1
http://www.ilf.net/god@rky/tutorials/polymorph.txt
REALLY GOOD file on Polymorphic Viruses.
Polymorphic Viruses - Part 2
http://www.ilf.net/god@rky/tutorials/polymrph2.txt
Second part of the above file.
Disinfecting Infected Files
http://www.ilf.net/god@rky/tutorials/rstut001.txt
This should appeal to the AV community, that is the portion of the AV
community thats understands this stuff.
TSR COM Infections
http://www.ilf.net/god@rky/tutorials/rstut002.txt
Good file, complete.
Constructing Kit on Infecting COM's
http://www.ilf.net/god@rky/tutorials/rstut003.txt
Good file on COM infection.
Infection On Closing
http://www.ilf.net/god@rky/tutorials/rstut004.txt
I haven't checked this out yet.
EXE Infections Part 1
http://www.ilf.net/god@rky/tutorials/rstut005.txt
This is something ALL virus coders have to read!
EXE Infections Part 2
http://www.ilf.net/god@rky/tutorials/rstut006.txt
part 2 to the above file.
Directory Stealth
http://www.ilf.net/god@rky/tutorials/rstut007.txt
GREAT file on getting past MS DOS Checksum Checker!
Directory Stealth (Method 2)
http://www.ilf.net/god@rky/tutorials/rstut008.txt
Second method if improving stealth viruses.
Memory Stealth
http://www.ilf.net/god@rky/tutorials/rstut009.txt
Another GREAT file on TSR's
The Dangers of ThunderByte's TBClean Emulation Techniques
http://www.ilf.net/god@rky/tutorials/rstut010.txt
Article on getting past TBClean's methods of dis-infection.
Part 6
[ Virus INFORMATION Links ]
These are all pages that provide information on viruses, not the actuall
viruses.
Dr Solomon's very own personal homepage
http://www.pcug.co.uk/~drsolly/
ITs our very own Dr. Sollys homepage (dude, try a <CENTER> tag) He also
offers the laws on computer viruses, ya gotta check that so you know just
what laws your breaking!
Data Fellows Virus Information Centre
http://www.Europe.DataFellows.com/vir-info/
VERY VERY GOOD site, virus list and information!
Dr Solomon's - Viruses In The Wild
http://www.sands.com/vircen/wild.html
Dr. Sollys virus list (not that complete however)
CIAC Security Site
http://ciac.llnl.gov/ciac
See what the goverment has to say about viruses.
Part 7
[ Computer Virus WEB pages & FTP sites ]
The following are links to WWW pages and FTP sites that offer live viruses
and source code for you to download. WARNING: Up until now all the viruses
and programs have been safe-to-store however some of the viruses on some of
the pages may be in live .exe or .com form, BE CAREFULL!!
Information Liberation Front
http://www.ilf.net/
VERY NICE site, pay these guys a visit!!
The Alliance Virus group
http://www.ilf.net/alliance/
Another nicely done site, these guys got it togther!!
God@rkys Virus Heaven
http://www.ilf.net/god@rky/virii.htm
No list would be complete with out this site, hell, most of the stuff above
come from his site, VXers or AVers CHECK HIS SITE OUT! Cicatrix's Virus
Collection Updates are available here as well, be sure to visit at least
once a month to make sure you have the updates.
Cicatrix's Site
http://www.cyberstation.net/~cycatrix
Yes, thats right. The creater of all the virus collections, is making his
way into the world wide web. This site in the near future will serve all
your mutation engine, construction kit needs and satisfy that urge to collect
your copy of VDAT170.ZIP, and excellent resource for AVers and VXers alike.
Chiba City
http://www.chibacity.com/chibavrc.html
Excellent Site, back in action.
AuRoDrEpH's Cattle
http://www.ilf.net/AURODREPH/virus.htm
A site brought to you from VBB's Macro Virus master! A collection of
macro viruses are available here, as well as some excellent tutorials
and faq's related to many aspects of macro viruses. Be sure to Bookmark
this one, as it will be getting better!
Paniks Page
http://www.kuai.se/~panik/
TONS (TONS!) files!!
RickDoggs Virus page
http://pwp.usa.pipeline.com/~rickdogg96/index.htm
A really good page (he is also the maker of the rickdogg666 virus)
Virus Programing
http://lila.uc.pt:8082/~pedro/virus.html
Good place to start, RARE source and FAQ's
Computer Virus Lab - Home Page
http://www2.spidernet.net/web/%7Ecvrl/
This page is nothing more than a add for a CD ROM, they boast over 13,000
viruses, however I doubt that .. if anyone have this CD e-mail me!
Virus And Other Fine Code Authors
http://www.ntplx.com/~sniper/vofca/index.html
A VERY nice web page!
J & A Virus page
http://www.bocklabs.wisc.edu/~janda/
TONS of stuff here.
Infection Connection
http://pegasus.cc.ucf.edu/~kes65601/
Cool name, wish I thought of that!
virii
http://wwwmbb.cs.colorado.edu/~mcbryan/bb/23/29/summary.html
Well, its a start <g>
Dante's inferno
http://www2.dgsys.com/~dante/virii.html
Only a few viruses.
Virii
http://www2.netdoor.com/~boomn69/virii/
Neat graphics! some good viruses.
Gugi's Virus page
http://www.geocities.com/SiliconValley/Park/4650/
Good page.
The virus and hacking homepage
http://www.cris.com/~Bstock/
Really good site, he gives a description of -EVERY- virus he offers (even has
a Coolio midi)
Virus Authors Information Site
http://members.visi.net/~muja/virus.html
Nice, frams use could be better however you get the viruses so it dosen't
matter. (I like what he says)
Cyber hazzard's
http://www.lafayette.edu/~warendaj/virii.html
mostly source.
Digital hacker alliance homepage
http://www.lochnet.com/client/dha/index.html
You gotta check this out, tons of stuff.
Seths virus page
http://home.webserve.net/~eldritch/virii.html
Not a whole lot here.
virii stuph
http://www.angelfire.com/pages0/goodie/virus.html
Some good stuff
A virus page with no title
http://www.geocities.com/SunsetStrip/3192/breaker.html
Nice layout, need an update on some of the links.
DarkChasms Virus page
http://www.geocities.com/SiliconValley/Heights/1789/
Lots of stuff, to many damn midis!
Virus/Warez/Hack
http://www.agate.net/~krees/virii.html
masses of links, no actuall viruses but there are LINKS!
Dr. PhreeX Homepage
http://www.ao.net/~phreex
Its my page, over 1,000 live viruses and tons of source! (you do need the
password, ask nicely!)
If you have any links to good (or even crappy) virus pages send 'em my way, I
will add to this list later..
Part 8
[ Conclusion (By Dr. PhreeX Merin himself!!) ]
Well, after a few hours of surfing around andtesting ALL THESE links I give
you the "Computer Virus Site List 1.02", this is still a beta, it will be
until I can no longer come accross a new virus page, if you know of anything
VX related please e-mail me (phreex@ao.net).
You might object to this list, many people do, they believe viruses should be
illegal and no one should access to them however if you dislike this then
fine, don't read it or download from the above sites. The problem is lamer
newbie fucks think the internet is like the real world, where there is a
organized legal system to stop anyone that does wrong, well .. welcome to
cyberspace, people like me will always be here!!
For a current copy of this list send a request to phreex@ao.net or looking in
the usenet newsgroup alt.comp.virus
Regards,
Dr. PhreeX Merin, PhD in the cyber underground
=============================================================================
Section Seven - Assembly Language Help For Beginners
I am continually asked via e-mail to help people *learn* to write
viruses and or teach them Assembly language. Usually before this request
comes about I am asked what language most viruses are programmed in. When
I tell them Assembly, and why it is Assembly language that seems to be the
choice of Authors, they ask me "Can you write a virus in (Fill in the blank
with a programming language you know other than assembly language?".
Viruses as many of you know, have been created in many languages,
but for obvious reasons, many people stick with Assembly. Mainly it is the
fast, compact code.
Well as most of you can see, I am pressed for time as it is
maintaining Virus Heaven, let alone teach 50 people a month how to program
in assembly. That in combination with the fact that I am learning myself.
We then get to the common debate between the AV world and the Vx
World, that learning Assembly by writing or studying viruses is a poor way
to learn as most virus programmers write poor, buggy code. Buggy code that
limits some viruses from being destructive by hindering the payload, or by
limiting or crippling it's replication process.
I originally intended to make this section a Beginner's Guide to
writing Viruses and to get authors more comfortable with Assembly. I was
going to start out with a commonly used INT list. But have come to realise
that this was impractical for an E-mail based newsletter. One INT list that
I have found is available in HTML format, as well as a downloadable text
format. Well the text format is zipped, and altogether is around 7mb. It
is supposed to be a complete listing. Little to big for me to be e-mailing
you all.
But I won't leave you high and dry this issue. The Good Dr. Alan
Solomon (of DSAV fame) suggested in alt.comp.virus a good site for learning
Assembly, which is also an excellent reference tool for those who know some
Assembly, but are interested in learning more. There is program samples and
Int lists as well as descriptions examples. It is by far the best I have
found in my searches. Here is the URL:
http://udgftp.cencar.udg.mx/ingles/tutor/Assembler.html
Happy Learning.
=============================================================================
Section Eight - Out With The Old/In With The New - E'zines
Well, with the release of what is said to be the Final issue of
VLAD magazine (#7), we are seeing yet another disappearance of a classic
Ezine die out.
But to re-affirm my statement in the last issue of GVHN, I stated
something to the effect that someone will emerge to take the place of the
Ezines which are disappearing. And the Alliance has proven me right.
The Alliance Virus Group having undergone administrative changes
over the last month or two, with the retirement of Rhys, the adjustments to
fill in the void left by him, as well as the induction of new members.. AVG
is looking the future very seriously and bringing you the Alliance Virus
Group Ezine. For more information about this new creation, Visit thier site
at http://www.ilf.net/alliance
There you will find out the up-to-date nitty-gritty on this Ezine,
as well as how to contribute articles, source codes and anything else which
may be of use to them.
=============================================================================
Section Nine - Virus Collection's Integrity - Questioned
Anyone who has hung around alt.comp.virus very long has seen most of
the arguments against virus collection, and the active front that is mounting
in attempt to stop it. Attempts at oppression in the newsgroup begin with
the "Freedom of Expression and/or Speech" according to George Wenzel. Like
we have our rights to talk in an unmoderated newsgroup about the distribution
and creation (limited) of viruses, George feels that his and other
alt.comp.virus viewers and participants rights of Freedom of Speech and
Expression grant them the opportunity to write your postmaster about your
exercising of your own rights in an unmoderated newsgroup. But it dosn't stop
at it being George's right, he also feels it is his moral and ethical duty to
report your actions and newsgroup postings to your ISP.
This is an attempt to oppress your Freedom of Speech and expression.
This has been brought to George's attention in the last week in the newsgroup,
But I do not remember seeing a response to this claim.
This however isn't only George Wenzel's actions however. There are
many more people who float around this newsgroup who would like to shut you
up. And I have seen a little easing up of people reporting incidents to
postmasters, but then, we don't get to read about all of the incidents of
this that occur.
I have said time and time again that alt.comp.virus is not an Author
or collector friendly medium in which to chat with peers with like interests.
Hopefully the new newsgroup, alt.binaries.comp.pro-virus will be a better
medium for this.
Anyways, the common arguement which leads to this article, is that
Virus collections available VIA the Internet have a poor integrity level and
are probably not what you are expecting to get. To recently quote George
in a post on alt.comp.virus "most likely the files on virus web pages are
not *REAL* viruses and are junk files or duplicates".
While this can be true to some extent, I have to clear a few things
up from this quote, as George has admitted to having little or no programming
knowledge of the x86 Assembly language and that most of what he says
regarding viruses is based on what his peers in and out of the Antivirus
industry claim.
I know a good portion of what is available on Virus Heaven is actual
viruses. My Source Code area is lacking, primarily because I am tired of
weeding out the disassemblies from the source codes. But the executables
area is loaded. I do not currently have the time to test every virus that is
sent to me. I will take the author's word on what it is. I have done alot
of changing in what goes where, as I still do get "viruses" in e-mail which
are in all reality trojans (IE They do not replicate). Or I get viruses that
have replication routines in them, but wreck the media on a hard drive so fast
that there is no real chance for spreading.
Being my current shortage of free time, I publically invite George
Wenzel himself, an independant virus researcher, or an AV researcher of
Dr. Solomon's LTD (DSAV) or Datafellow's (F-Protect) to download and research
my collection for this mass ammount of duplicate files or false viruses.
You see, if my collection, and those of others who keep decent
collections on reputable sites around the net was all crap, like George and
his peers claim, they wouldn't be as concerned with the presence of these
sites on the net. I think regardless of the ethics of these site's existance,
it is a poor claim to make when there is little or no data to back up the
claim. Any Researcher who would like to take on this task, please e-mail me,
so we can chart your findings. After all, this is computer science, and in
science, a hypothesis is nothing but hot air until there is data collected
to prove or disprove the hypothesis.
=============================================================================
Section Ten - A Call For Help With GVHN
Well this concludes this issue of the Virus Heaven Newsletter. Once
again all of the articles appearing were written by myself. I do have a
couple of submissions for the next issue so far, and will be incorporating
them into the 3rd issue.
Due to the large interest in this newsletter, I figured I would be an
idiot not to offer and accept any submissions for The Virus Heaven Newsletter.
So I am hereby making an offer to anyone who wishes to write an
article of any type, regarding anything related to virus writing or the Vx
scene. I will review all submissions and contributions and include those
that are presentable and related in the newsletter, with full credit given
to those who wrote and submitted them.
I'm interested in seeing some of the work of those who are silently
sitting in the corners reading this, as well as your feedback and/or
suggestions.
All submissions, contributions, comments and/or ideas should be
sent to godarky@ilf.net.
- Note* All submissions will be subject to editing at my discression. This
will mainly consist of grammer/spelling editing as well as keeping things
somewhat relavent.
=============================================================================