
Hexfiles Issue 3 File 000

HEX-FILES                                              Issue No. 3
Philippines Virus Zine                                 June 1998

Putoksa Kawayan      phvx@hotmail.com      Manila, Philippines





I love the Philippines

It is the land of my birth

It is the home of my people

It shelters me and helps me

To become strong, happy and useful

In return

I will heed the counsel of my parents

I will obey the rules of my school

I will fulfill the duties of a citizen who is
patriotic and law-abiding

I will serve my country unselfishly
and with complete faithfulness

I will strive to be a true Filipino

in THOUGHT

in WORD

and in DEED



Long live!


It is centennial month. What more can I say but...


L O N G   L I V E   T H E   P H I L I P P I N E S

Need I say more?


<o>


On the Matthew article last issue, I brought forward the idea that
Matthew could have been written by someone from Adamson University. I
also stated that Matthew.2667 might shed light on the real origin of
the virus. It turned out that I was wrong on the Adamson part and
right on the 2667 variant. However, I still believe that Matthew is
partly based on Possessed.

YeZ sent me a disassembly and a copy of the Matthew.2667 virus. Based on
the disassembly, the virus might have been written by someone named
"R.M.O. Ordona" (or do we have another "Hermilito Go" here?) of Saint
Louis University in Baguio City. The place where the virus originated
is indicated in the last line of the virus message:

Matthew 6:25 (Agnes) May 92' IICS-SLU B.C.

Where "IICS-SLU" refers to the Institute of Information and Computing
Sciences-Saint Louis University (now known as College of Information
and Computing Sciences). "B.C." stands for Baguio City.

This firmly proves that Matthew is from the Philippines. Thanks to
YeZ for bringing this to my attention. More on the virus when we
feature YeZ's disassembly in a future issue.

You can visit the web page of St. Louis University at

http://www.slu.edu.ph


<o>


What do we have for this issue? First, we are going to have the works
of friends:


* YeZ * YeZ is a college student in Zamboanga City. He will share
with us his thoughts on stealthing, specifically, hiding an
infection when a program is loaded in a debugger. To further
illustrate his thoughts, a demo virus, *YeZ.1155*, is
included.

Zamboanga City is the only place left in the Philippines where
Spanish is still spoken. It's not really pure Spanish, but
Spanish speaking people would understand it. I don't know if
YeZ speaks Chabacano.


* Mikee * Mikee is from Novaliches, Quezon City. He is the prime
mover of Mikee's World which you would find at

http://members.xoom.com/virmike/

The web site recently had a long-needed facelift and is much
improved now. This issue carries Mikee's venture into EXE
infection with a version of the *StowAway* virus.

Mikee's World will soon release their zine. Watch out for it.


<o>


Then our usual disassembly of viruses found in the wild but this time
we are going to feature virus families that are flag wavers in
commemoration of the Centennial of the Declaration of Independence of
the Philippines.


* June12 * This nationalistic virus plays the Philippine national
anthem, "Lupang Hinirang", in full and displays the national
flag. Three strains of the virus that I have copies of are in
this issue.

* Rebolusyon * Another flag-waving virus, but one that is sympathetic
to the Communist Party of the Philippines.


These next viruses from the wild are not flag wavers but boot
infectors.

* Quaint.B * This is the other known variant of Quaint. Quaint.A
appeared on HEX-FILES No. 2. The Quaint dropper was updated to
include Quaint.B.

* Sampo * Sampo is the first confirmed boot virus to have originated
from the Philippines that is able to infect hard disks. Virus
dropper program and disassembly by YeZ.


<o>


And finally, viruses that came from my wildest dreams:

* Kontragapi * A polymorphic COM infector which places the jump to
the virus code several instructions away from the program
entry point. It also has retrovirus functions.


* Duwende 2 * The encrypted and stealth version of Duwende. For
those who do not know it yet, the original Duwende appeared
on HEX-Files No. 1.


* June12.Sentenaryo.1898 * This is my virus to mark the centenary of
the Declaration of Independence of the Philippines. This is
actually a modification of June12.Standard.2660 -- the most
nationalistic virus ever to come out of this 100-year old
republic.



<o>



C O N G R A T U L A T I O N S

to the

people of Indonesia

for your
successful mass actions
to effect changes in your
national leadership



<o>


***********************************************************************
* *
* HEX-FILES does not carry live virus. However, program listings and *
* scripts found in HEX-FILES create first generation viruses, *
* infected programs, virus droppers or other virus related programs *
* when compiled. This was intentionally done to prevent someone from *
* executing these programs without exactly knowing what the programs *
* really are. Believe me, there are people stupid enough to do this. *
* *
* If you create an executable program out of those listed in *
* HEX-FILES, it is taken to mean that you are fully aware of the *
* nature of these programs and the consequences of their use. You *
* also agree that HEX-FILES and/or anybody connected with HEX-FILES *
* in any way are not responsible for any damage that may result from *
* the use or misuse of these programs. *
* *
* You, the person who created the executable program and/or executed *
* the program shall bear full responsibility for your actions. *
* *
* Furthermore, you fully agree that these programs are only to be *
* used for research and/or educational purposes. Last but not least, *
* in no way shall these programs be used to inflict harm and/or *
* damage on another person and/or his property. *
* *
***********************************************************************


<o>


-<{([ Content ])}>-


HEXFILE3.000 ..... Front Page!
HEXFILE3.001 ..... PhVx Register
HEXFILE3.002 ..... 21/4B01 Stealthing by YeZ
HEXFILE3.003 ..... StowAway by Mikee
HEXFILE3.004 ..... Quaint.B
HEXFILE3.005 ..... Sampo
HEXFILE3.006 ..... Rebolusyon.2000.A
HEXFILE3.007 ..... June12.Standard.2660
HEXFILE3.008 ..... June12.Standard.2695
HEXFILE3.009 ..... June12.AntiSPCPD.2660
HEXFILE3.010 ..... June12.Sentenaryo.1898
HEXFILE3.011 ..... Duwende 2
HEXFILE3.012 ..... Kontragapi
HEXFILE3.013 ..... Invitation to all Filipino virus lovers
HEXFILE3.014 ..... Compiling instructions


<o>



I still have not decided on what the next issue would take up. I'll
try to put up something as school time would be starting this month.
But I would like to have an issue that would not include
disassemblies.


<o>


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Kalayaan · Isang Daang Taon · Kasarinlan

1898 · Ika-12 ng Hunyo · 1998

Republika ng Pilipinas


* * *


Republic of the Philippines

1898 · 12th of June · 1998

Freedom · One Hundred Years · Independence


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

A copy of HEX-FILES can be found at the zine/info page of:

Cicatrix http://www.cyberstation.net/~cicatrix/
Darknode http://www.oninet.es/usuarios/darknode/
Guillermito http://www.pipo.com/guillermito/darkweb/virus.html

Some websites might require something from you before you are allowed
access to files.


<o>


Filipino virus authors on the web:

Mikee http://members.xoom.com/virmike
Zoom23 http://members.tripod.com/~brianjan





-=<HF3>=-
