💾 Archived View for spam.works › mirrors › textfiles › virus › varicell.txt captured on 2023-06-16 at 21:05:08.

View Raw

More Information

-=-=-=-=-=-=-


            NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
            uK                                                  E-
            KE        "The Varicella Virus Source Codes         -N
            E-                                                  Nu
            -N                                                  uK
            Nu                       By                         KE
            uK                  Rock Steady                     E-
            KE                                                  -N
            E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
          
ahh, NuKE PoX viruses will never end... Well I noticed a few flaws and faults
in code in the old NuKE PoX virus version 2.0, which I wanted to refine. This
time I had a lot of time, and I _fully_ commented the source codes.

% Improvements %

The most major improvement is the infection routine, I have created a generic
method that will always use the same infection/disinfection routine. If you 
remember NuKE PoX v2.0 you noticed that I copied whole blocks of the code twice,
which gave the virus a size of 1800 Bytes! This version hovers at 1483 bytes, 
and it's far from tight, but it's EXTREMELY reliable! Meaning this baby should 
never crash for any reason. And it has _many_ added features that N-Pox v2.0 
didn't have! 


% Introduction to the ideology of the Stealth Virus %

Like the SVC viruses, this virus will `disinfect' on the fly. And to the DIMWIT
that said SVC doesn't disinfect by rewriting the program on disk, GO CHECK YOUR
INFO NITWIT. The SVC viruses will disinfect a file when opened, the SVC virus 
will actually remove the virus from the infected program. It will NOT attempt
a disinfection in memory only! It does have the ability to do this to a 
certain extent, if you execute the file, and if you jump towards the end
of the file by Int21h/4202h the SVC virus will fool DOS to think that the file
is not infected, whereby it really is. But this method has a MAJOR flaw, one 
flaw is exercised by F-Prot anti-virus, to defeat this dumb method.

The major flaw is that these viruses _cannot_ keep track of file pointers, it 
would take too much code to exercise this. So if you read a file from the 
beginning and read sequentially toward the end, surely enough you will 
encounter the SVC virus, because it does not have the ability to keep track
of the file pointer. So in order to fix this, SVC will do a _real_ disinfection
of the file on disk. Therefore in all aspects the file will look clean, as it 
_is_ clean! Also note, that the SVC viruses also infect System Device drivers,
this is _rarely_ noted, maybe because people use VSUM as a reference?

% Varicella Features %

The virus will only infect .com and .exe generic files. I have removed the 
.ovl infections because of certain crashes that persist with certain large 
programs. No virus to date successfully does this for some reason. 

The virus will hide its file length by FCB directory method (Int21h/ah=11h,12h)
and by File Handles method (Int21h/ah=4Eh,4Fh). 

The virus will disinfect the file on opens & extended opens via 
(Int21h/ah=3Fh,6Ch). The virus will also disinfect files as they are executed,
(Int21h/ah=4Bh) and will later reinfect it when it has terminated.

The virus will infect on closing (Int21h/ah=3Eh) and it uses the very 
sophisticated Job File Table method (The List of List). 

Infection is denoted by the seconds field will equal the day of the month! This
method is _a lot_ better than having the seconds field to 60 or 62, because many
AV programs flag on invalid seconds field. Therefore now the seconds field will
be from a number 1->31 (Days in a month), and only with a 6% chance of an 
invalid second field stamp. Also in order not to create problems, the last two 
bytes of the virus _must_ be DBh,DBh. Therefore the virus uses TWO methods of 
detecting infection, because we wouldn't want to `disinfect' a file that isn't
infected, so we must be 100% sure.

I found it no use to have a `fake' disinfection routine, whereby it fakes a 
disinfection, for the reason that this method contains several flaws. And I 
found that testing this virus on my PC with a 40 Meg MFM 65ms drive, showed
_very_ little signs of abnormality. So in speed wise, it's very fast, what is
a 1-2 millisecond more, (1/100s of a second). 

When disinfecting a file, the virus even puts back the original seconds field
time stamp, leaving absolutely no trace of its existence! How many viruses do 
that? huh? 

% To Come %

Well I already have a multi-partition version of this virus, I'm currently
tring to add NED polymorphic possibilities to this virus. This will be a nice
task, as NED is variable in length, therefore I have to save the original
file length, or I will fix NED to be constant in length. Nevertheless you
should see it coming soon.

% About the Name %

Well I didn't want to call this N-Pox, because it has NO code similarities
with N-Pox, the only thing they share is the method of going resident.

But I called this "Varicella" because, Varicella is the medical term for 
(Chicken Pox) that adults get! When a child gets the Pox, you call it Chicken
Pox, when an adult gets it, you call it Varicella! So I found it appropriate
to call this Varicella because it is perhaps the `adult' or later out come
of the N-Pox virus. <hehe>