Copy Link
Add to Bookmark
Report
40Hex Issue 02 File 001
40Hex Volume 1 Issue 2 0001
- HOW TO GET INFECTED FILES INTO LAME BBS's -
Ok, one problem with sending infected files to BBS's is that you never
can tell if they will be detected by SCAN. Or if you are sending bombs
the sysop might use CHK4BOMB to detect code that is data damaging.
I'm gonna tell you how to get around this, what you need is the following-
PKLITE or LZEXE
and
A good hex editor
What you do is this, compress the infected file with Pklite or Lzexe. This
will make change the files checksum and ID strings quite a bit so it can't
be detected by SCAN and damaging data will not be found by CHK4BOMB. The
problem is that now the sysop can use CHK4LITE to detect is the file is
indeed infected. So what you do is this --
Load up the hex editior -
Now look at the file, it will look something like this if you compressed it
with PKLITE.
------------------------------------------------------------------------------
0000 4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02 MZúúúúúúúúúúJúRú
0010 00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B úúúúúúúúPúúúúúPK
0020 4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20 LITE Copr. 1990
0030 50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20 PKWARE Inc. All
0040 52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 00 Rights Reservedú
0050 0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40 úú úúúHúJúJúúúú@
0060 00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00 úúVúúúúúúúúúúúúú
0070 B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D úúúúKúúúúú;úúúsú
0080 83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53 úú úúúúúúúúúúúúS
0090 B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA úúú3úWúHúúúúúúúú
00A0 36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68 6úú!ú Not enough
00B0 20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03 memory$úúúSúú-ú
00C0 DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1 úúúúúúúúúú+úúúúú
------------------------------------------------------------------------------
You see the header? Well what you have to do is overwrite the header with
garbage. Don't write text cause that is to dectectable by a dump program.
Just overwrite the part that says "PKLITE corp....Reserved" with hex bytes.
Also distroy the part of the code that says "Not enough memory", dont kill
the "$" symbol.
This will make the compressed file-
A> Undetectable to virus scanners, and CHK4BOMB type programs
B> Un-Decompressable
C> CHK4LITE wont notice it as a PKLITE file
It's that easy!
Keep in mind however than any file that the virus infects will no longer
be encrypted by PKLITE, so this method is good only on getting your virus
into the front door.
See the article in issue one on making new virus strains.
Forenote
After writing this article SCAN Version 80 came out, It now has the
ability to scan into Pklite compressed files. Just to let you know that
this teqnique still works and SCAN cannot detect the file as being
compressed as PKLITE.
HR
