---------------------------------------------------------------- * DataRape! v1.1 Documentation * - (C) 1991 RABID, International ---------------------------------------------------------------- DataRape! v1.1 is the second in a new-line of RABID viruses produced in the United States by Zodiac of RABID, USA. It is a memory-resident stealth-brand virus that attaches onto Interrupt 21h. This documentation will cover the features of v1.0, and not simply the additions for that version shall hence be regarded as a "beta-test" version of the skeleton of this virus code. Upon loading, DataRape! will load itself in high-memory, and no apparent memory loss will be visible. This is accomplished by allocating a portion of the "free" memory control block that is at the end of the memory chain by changing its PSP so it can not be allocated by another program. Program execution then continues normally. Upon file execution, DataRape! will infect .COM files if they are above 1000 bytes and below 63000 bytes in length. It preserves file date and time settings, with the exception of the seconds stamp. This second stamp marking is new to this version. The justification for this modification shall be provided below. Upon a common directory listing("DIR"), all .COM files listed will be infected. This is a NEW form of file infection NEVER implemented by ANY OTHER virus EVER. This technique, though somewhat tedious in implementation, should be cloned by all virus writers for it has proved to be very effective. Also during directory listings, the increase in size of infected files is not visible. In order to speed-up directory listings, the second stamp of infected files is modified, as was mentioned above. The save second stamp as in the Vienna Virus(62 Seconds) is utilized, for a non-occuring second stamp is necessary, and 60 seconds is used far to often by many viruses. Since the Vienna Virus is rather archaic, and the majority of Vienna "Hacks"( Grither, Violator ) use different time stamps, 62 seconds seems most appropriate. There have been several skeleton code modifications in this version. A somewhat insignificant change was the implementation of a relative call in order to provide the pointer("$") to the virus code, as opposed to retrieving it from the original call. Also, the time-stamp is used to detect whether a file has been infected as opposed to calculating the virus code's existence from the original jump. This method was generally good, but when .EXE infection is implemented it would have been required as would the relative call. Also, the encryption base for the strings contained has been changed. The same FAT table destruction is contained as in the first version, but is now more effective. It occurs with a frequency of 2% when files are attempted to be infected, and will render all disks unusable. This HAS been tested, and does work. Such tends to be the major cause of bugs for virus writers, but some nice person unknowingly yet graciously accepted to beta-test this code, and found it quite effective. A feature that I know we were all looking forward to was finally implemented. Whenever any LoL(Legion of Lucifer(Lamers)) files are located, the FAT table destruction mentioned above is automatically issued. This is due to the spite RABID holds towards one Michael Turner(Captain Swashbucker) who runs a BBS in the 213 area code called H.M.S. Queen Mary's Revenge. It is believed he is 15 years old and attends Le Lycee, a PRIVATE school in the Beverly Hills area. This information will be verified and released more confidently with the Militia Virus and the Turner Virus are publically released, though they are now under development. The source to this virus will be publically released 6 months from the release of this documentation. A word now to RABID members. Keep up the good work, and make sure this spreads. I'll have .EXE infection within a month or so, I wish to make a few more 1.X versions of this virus first. Encryption, timer-grabbing, message-flashing, and a more artistic "You've been.." screen will be the up-coming features. EXE infection will require a major re-write of this code, but it will definetely be worth it. We could totally ruin the image of a certain egotistical pirate group, featuring our good friend Ken Sallot(The Slavelord). But I am no longer in the "scene", and may not be for quite a while. See you all at Comdex, I hope. -- Zodiac, 04/08/91