*****************************
*** CHAOS-AD by Sepultura ***
*** South Australia - '95 ***
*****************************

Polymorphic, Full(ish) Stealth, Retro, Anti-Heuristic, Tunneling, COM+EXE.

*** IMPORTANT ***
This is the OFFICIAL version... due to a bit of a mistake, I sent a few ppl on #virus the wrong version which has a TINY (one line) bug :P

******************
******** FEATURES: ********

Personal Stuff:
- My First Polymorphic Virus.
- My First Full Stealth Virus.
- My First EXE infector.

Retro Stuff:
- Deletes CHKLIST.CPS, CHKLIST.MS, ANTI-VIR.DAT files.
- Avoids infecting AV programs.
- Disables VSAFE.
- Keeps VSAFE, and older versions of TBMEM, from reporting changes to System Memory / Environment.

Anti-Heuristics:
- Uses some fairly heavy Anti-Heuristic structures throughout.
- TCE generates HUGE, spaced out Decryptors, avoiding the # flag.
- TBSCAN 6.50 finds 0 flags on the DECRYPTED virus.
- F-PROT (/paranoid) 2.19 finds nothing on the DECRYPTED virus.
- AVP 2.2 finds nothing on the DECRYPTED virus.
- About 10% of decryptors are flagged by TBSCAN HR (high heuristics).
- No Decryptors (as far as I know) are flagged by AVP or F-Prot.

Tunneling:
- Uses a /<-R4D NEW (I think) method to find the original INT 21 vector.. see the subroutine find_21 for more info..

Polymorphy:
- Polymorphy is provided by TCE-0.4 (The Chaos Engine).
  It can generate decryptors of the form:
    ADD/SUB/ADC/SBB/XOR [BP/SI/DI/BX(+xx(xx))],reg16
  It can move a value to a register as such:
    MOV reg,VAL
    or LEA reg,[VAL]
    or XOR/SUB reg,reg + OR/XOR/ADD reg,VAL
    or XOR/SUB reg,reg + SUB reg,negative VAL
  It can test for a zero value, using:
    OR/AND/TEST reg,reg
  It can generate the following looping methods:
    JNZ loopstart
    or CLC + JA loopstart
    or LOOP loopstart
    or LOOPNZ loopstart
  It can modify the KEY register, using:
    ADD/SUB/XOR reg,xxxx
- Although TCE is a stand alone engine, I do not really expect other people to use it in their virii, mainly because it sux, and there are many better engines around.
Stealth:
- This is probably the shittiest part of the virus!
- I could not get FULL (disinfect on the fly) type stealth working with the variable length poly and size padding, so for now I am using Disinfect on Open, Infect on Close type stealth.
- It also Disinfects files loaded by debuggers.
- If an archiver is running, it Infects instead of Disinfects.

Other Stuff:
- Marks files by padding the size up, so that the Least Significant Byte of the Size field is ADh (chaos-AD). This is reliable, and doesn't cause anything suspicious looking..
- Has a Cool Activation Routine (see the sub-routine setup_activator for more info).

Things That Delayed This Virus's Progress:
- Drugs.
- School.
- Stupidity.
- I couldn't stop playing that 'Don't Touch The Sides' game in VLAD-#3 (and I still can't :P).

;===============================================================================