ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------ PiïWéRM v1.5 Beta A coded by ûirogen ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------ Welcome to my latest viral creation -- PiïWérM version 1.5. Definition - PINWORM: A parasite that crawls out your ass and lays little white eggs .. It's amazing what you can learn from Biology class. PiïWérM is a memory resident, polymorphic, parastic infector of COM and EXE files. Files become infected when they are executed. Eligible files are COMs which will not exceed the 64k boundary and EXE files smaller than approx 256k and are not "new-format" EXEs such as Windoze filez. COMMAND.COM may also become infected. Original Infection Marker- Infected EXE files have their checksum in the header set to random value other than 0. This should prevent anti-virus software from easily determining if an exe is infected by a simple check of the header. Infected COM files will have the fourth byte set to 0. Polymorphism- This virus has 0 bytes constant and 0 ops in constant locations in the decryptor. It's full polymorphic. The garbage code consists of randomly retrieved one-byte operands, OR a constant fill of a single one-byte operand. The virus selects between these types of garbage code randomly in order to prevent scanners from detecting the actual garbage code. Anti-Anti virus- When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted in that directory. Also, when the user trys to execute EXE files ending in the characters 'AV', 'SCAN', or 'OT' the executable's minimum memory requirment in the header is changed to FFFFh. Thus making the file unusable whether the virus is in memory or not. Pinworm also uses VSAFE and VWATCH's uninstall API as an installation check. When pinworm checks itself for residency it also removes these shitty programs from memory. Anti-Debugging- This virus uses a double encryption technique to prevent debugging of the code. The first encryptor is ofcourse polymorphic, while the second is there only to try and deter debuggers. It's hardly foolproof .. but nonetheless will keep out the ignorant. Symptoms- The user may notice a slight size increase for infected COM and EXE files. There may also be a total conventional memory size decrease of approx 5k, however the virus randomly decides not to protect its code in memory. As stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted as well as "Not enough memory" errors when trying to load many anti-virus applications. Additonal- -Pinworm uses it's own critical error handler. -The virus is kept encrypted in memory Activation- On the 17th of any month, Pinworm will continously play with the keyboard lights and create directories named after itself. In these directories will be several files that together form a message from ûirogen to the general populous. Version history: v1.0 - Original Release v1.5 - (several months later - delayed because of computer confiscation) Improved polymorphic engine Fixed possible bug in polymorphic engine after maybe 50 generations