ZipDevil 0.1 WARNING: ZipDevil is a virus. However, its only goal is to replicate and spread itself. It does no damage to data or files! ZipDevil is an attempt to reinvent the companion file virus. It takes several somewhat elaborate measures to encourage its continued existance. The author takes one here by posting this code. ZipDevil is a non-resident spawner. After the infection (or infection attempt), it runs the file the user intended along with the command line arguments. It infects .EXE's using the companion file method. It is capable of internally infecting .ZIP's as long as it can find PKZIP on the host system. When infecting a ZIP file, it chooses an .EXE file within the .ZIP to infect. If there aren't any internal .EXE's or the .ZIP is already infected, ZipDevil aborts the infection. ZipDevil examines C:\AUTOEXEC.BAT for calls to executables. It infects these files, and (if necessary (and possible)) modifies AUTOEXEC.BAT to ensure it is run upon every bootup. In general, ZipDevil can only use .EXE's as host programs, .COM files are not susceptable to the companion file method of infection. Unfortuantely for the 'Devil, in this day and age of Windows based programs, the companion file method is of limited virulence. In response to this, the virus specifically targets the call to Windows 3.1 found in most AUTOEXEC's on systems running Windows 3.1. AUTOEXEC.BAT is modified to call WIN.EXE instead of WIN.COM, and of course WIN.EXE is the file containing the viral code; Unbeknownst to the user, ZipDevil does its business before loading Windows as normal. With Windows 95 systems, ZipDevil is only prolific if the user makes frequent shells to DOS. It seems unlikely that ZipDevil will spread very far on most Windows 95 machines. Future enhancements to alleviate this drawback are expected. If you'd like to improve on the code, this is a prime area to do so. (See the author's modification request below.) The virus also has a self-cleaning mechanism. Create an empty file with path and filename C:\EX.BAT. ZipDevil checks for this file and if it finds it, it appends the DOS commands necessary to eradicate all the infections it makes on your drive. For EX.BAT to work, PKZIP.EXE must be in your DOS path. If EX.BAT does not exist, the virus makes no record of its work, and it will probably be a tedious task to fully remove it from your system. (If PKZIP.EXE was is your DOS path, then ZipDevil found it and you will have to look in every ZIP file on your drive!) Remember, ZipDevil can and will modify your AUTOEXEC.BAT file. Make a backup before installing the virus. To fully remove all work the virus has done, simply restore the backed up version of AUTOEXEC.BAT that you've made, and run C:\EX.BAT. ZipDevil is its own dropper. Compile and link the code, then simply run the resultant .EXE executable. On a typical hard drive, there is a good chance than one execution as a dropper will establish it. The author encourages the spread of this virus to both knowing and unknowing others either in the form of source code or as an executable. Modifications are encouraged, but take the following to heart. Make modifications carefully, and test the code. Never cause damage or disruptiveness out of laziness. If your going to add a trigger mechanism to ZipDevil, do it deliberately and soulfully. Think about what your doing and who you're affecting. ------------------------------------------------------------------------ Of course, the author accepts no liability for the use or misuse of this code. There is no copyright or legal restrictions on this code. ------------------------------------------------------------------------ Comments and bug reports can be posted to the usenet newsgroup alt.comp.virus And if you feel you've improved ZipDevil, please post the modified code to alt.comp.virus.source.code