Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 000
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ³ Issue No. ³
³ Û ÛÛ Û Û ÛÛÛ ÛÛÛÛÛÛ Û Û ÛÛÛÛÛ Û Û ³ ³
³ Û ÛÛ Û ÛÛÛÛÛÛ Û ÛÛÛÛÛÛÛ ÛÛÛÛÛ Û ÛÛÛÛÛ ÛÛÛÛÛ ÛÛÜÜÛ ³ Û Û ³
³ Û Û ÛÛÛÛ ÛÛ Û ÛÛ Û ÛÛÛÛÛ ÛÛ Û ³ Û Û ³
³ Û ÛÛ Û ÛÛÛÛÛÛ Û ÛÛÛÛÛÛÛ ÛÛÛÛÛ Û ÛÛÛÛÛ ÛÛÛÛÛßßÛÛ Û ³ Û Û ³
³ Û ÛÛ Û Û ÛÛÛ ÛÛÛÛÛÛ ÛÛÛÛÛ Û Û Û Û ³ ÛÜÜÛÜ ³
³ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßßßßßßßßßßßßßßßßßßßßßßßÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ³ Û ³
³ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ Philippines Virus Zine ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ³ ³
³ ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ³November 1998 ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ http://www.geocities.com/tokyo/shrine/2073/ phvx@hotmail.com ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Mabuhay!
For this issue, we are going to have....
** A list of virus related mailing lists both pro-av and pro-virus
orignating from the Philippines.
** An encore for Matthew with two articles and a disassembly.
*The Virus Writer's Resume* An article by N.O.Phoenix on his
thoughts about virus authors. It bares little known facts
about Matthew and the identity of its author. If Jonjon Gumba
is EDP head of a hotel in Metro Manila, where would the
Matthew author be? Illegaly cutting pine trees in Baguio City
for the Christmas season? Read on to find out.
*Virus Verse* An article written by Alan C. Robles published in
the February 10, 1995 issue of the Philippine Daily Inquirer.
This article is reprinted WITHOUT PERMISSION AND KNOWLEDGE of
the author or the newspaper.
*Matthew.2667* A disassembly of the seldomly seen, if you have
seen it at all, variant of Matthew. Know why it did not spread
as much as Matthew.3044. Virus program listing was created by
YeZ.
** YeZ of Zamboanga City, shares with us his disassembly of two local
variants of Jerusalem and Danao. Program listings for this three
viruses were created by YeZ.
*Jerusalem.AllSystem9.1818* was made to appear to have been
written by the owner of a computer chain cum training center.
Virus has tricks to make your life terrible.
*Jerusalem.Bad_Illusion.1238.A* This seems to be the first virus
to have come from XED. And, according to form, it intends to
create havoc. The text in the virus says that XED is/was
attending school at University of Cebu.
*Danao.2869* This virus was for a time thriving well in well in
the wild and was giving people a lot of headache. This virus
was written by XED. Text in the virus might mean that he is
from Danao City in the province of Cebu.
Before I forget, Se¤or YeZ hablo Chabacano. Yo no hablo Chabacano
y Espa¤ol. I only used a Spanish-English dictionary for this. :) I
don't know if I got it right.
** We are also going to have something about Wpc_Bats family.
*Payloads of Wpc_Bats* We are going to have a program that
would show you five screen payloads of the virus family,
including one that was disabled by the author.
*Disasembly of Wpc_Bats variants, namely, Wpc_Bats.Ala-Eh.3161,
Wpc_Bats.Ala-Eh.3072, Wpc_Bats.Ala-Eh.3161, Wpc_Bats.Lipa.2793
and Wpc_Bats.Lipa.3207. The program listings of the five
variants would give you an exact copy of these variants if you
would only follow the compiling instructions.
However, AVs, specifically, F-Prot and FindVirus, use values
of far pointers to determine variants. If the values of these
far pointers are not those expected by them, they would say
that the file is infected by a new/unknown virus variant. If
that happens, it is not my fault anymore. It is not right to
assume that bios interrupts vectors found in the IVT always
points to the segment of the bios.
** Lorz is from Albay and is a member of Pinoy Virus Writers. Lorz
submitted three Word macro viruses. These are the only new virus
you would find in this issue.
*Margaret* A multi-language infector with a nice payload.
*Mary* A polymorphic infector and pops a message on a certain
day.
*Mykah* A stealth macro virus with some retro-virus functions.
Watch out! It might format your hard disk!
** Finally, corrections to virus program listings which appeared in
past issues: :(
*Cara.Standard.1024* I made typographical errors on this one. :(
*June12* Because I placed my initials in a data portion of the
virus, F-Prot and FindVirus detected the three June12 variants
in HEX-FILES No. 3 as unknown variants. :(
To humor the AVs, I have here three program listings that
would not make the AVs ask you to send them copies. But if
these two AVs start affixing .A, .B.... to the three June12s
from HEX-FILES No. 3, I would like to remind all lamers out
there that there are still 65,534 other possible two-byte
combinations.
<o>
Starting this issue, executable programs are presented in uuencoded
scripts instead of our usual debug scripts. This was resorted to
because debug scripts jacks up the size of files. It is also too much
for big files like the word document that carries Lorz macro virus. A
script created by uuencode has a low overhead.
However, if you prefer debug scripts over uuencoded scripts, tell me
so that I could make adjustments for the next issue.
A uudecode program is in HEXFILE4.021 in debug script. You could also
look for a copy from shareware archives.
<o>
Whats up in the Philippine virus front?
Mikee's World web page got zapped. However, a member is planning
to revive the group. Mikee is out of the action and Mikee's World
is floundering.
Pinoy Virus Writers main web page has moved after its previous
main web site at tripod got zap. PVW's main web site is now at:
http://sourceofkaos.com/homes/brianjan/
Pinoy Virus Writers would also be issuing the fourth issue of its
zine, PVW, not later than December 1998.
<o>
Well this is all for now. Here's wishing you all an advance
Merry Christmas
***********************************************************************
* *
* HEX-FILES does not carry live virus. However, program listings and *
* scripts found in HEX-FILES create first generation viruses, *
* infected programs, virus droppers or other virus related programs *
* when compiled. This was intentionally done to prevent someone from *
* executing these programs without exactly knowing what the programs *
* really are. Believe me, there are people stupid enough to do this. *
* *
* If you create an executable program out of those listed in *
* HEX-FILES, it is taken to mean that you are fully aware of the *
* nature of these programs and the consequences of their use. You *
* also agree that HEX-FILES and/or anybody connected with HEX-FILES *
* in any way are not responsible for any damage that may result from *
* the use or misuse of these programs. *
* *
* You, the person who created the executable program and/or executed *
* the program, shall bear full responsibility for your actions. *
* *
* Furthermore, you fully agree that these programs are only to be *
* used for research and/or educational purposes. Last but not least, *
* in no way shall these programs be used to inflict harm and/or *
* damage on another person and/or his property. *
* *
***********************************************************************
<o>
-<{([ Content ])}>-
HEXFILE4.000 ..... Indeks!
HEXFILE4.001 ..... The Virus Writer's Resume
HEXFILE4.002 ..... Virus Verse
HEXFILE4.003 ..... Matthew.2667
HEXFILE4.004 ..... Jerusalem.AllSystem9.1818
HEXFILE4.005 ..... Jerusalem.Bad_Illusion.1238.A
HEXFILE4.006 ..... Danao.2869
HEXFILE4.007 ..... Wpc_Bats and its screen payload
HEXFILE4.008 ..... Wpc_Bats.Ala-Eh.2279
HEXFILE4.009 ..... Wpc_Bats.Ala-Eh.3072
HEXFILE4.010 ..... Wpc_Bats.Ala-Eh.3161
HEXFILE4.011 ..... Wpc_Bats.Lipa.2793
HEXFILE4.012 ..... Wpc_Bats.Lipa.3207
HEXFILE4.013 ..... Margaret, a word macro
HEXFILE4.014 ..... Mary, a word macro
HEXFILE4.015 ..... Mykah, a word macro
HEXFILE4.016 ..... Philippine virus related mailing lists
HEXFILE4.017 ..... Errata: June12
HEXFILE4.018 ..... Errata: Cara.Standard.1024
HEXFILE4.019 ..... PhVx Register
HEXFILE4.020 ..... Invitation to all Filipino virus lovers
HEXFILE4.021 ..... Compiling instructions
UUDECODE.COM (debug script)
<o>
Next issue we would not have any disassemblies. We would have
something old and new, but no disassemblies. We might have this
early (?????) next year.
Got to do something first.
Ang pangako ko kay Zoom23 ay napako....
Bubunutin ko muna ang pagkapako nito. :)
<o>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I oppose the petition of the
Philippine Long Distance Telephone Company
to implement metering of local telephone calls
may flat rate na, may metro pa!
bakit si gretchen sa flat lang
:)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Filipino virus authors on the web:
Lorz http://members.tripod.com/~Lorz/
Zoom23 http://sourceofkaos.com/homes/brianjan/
http://www.zoom23.home.ml.org/
http://members.xoom.com/zoom23/
Mikee is lost in cyberspace
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
who robbed berto of sun rays?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=<{[* HF4 *]}>=-
