─────────────────────────────────────────────────────────────[HOWWORKS.TXT]───

HOW TO WRITE YOUR OWN MUAZZIN

Muazzins receive control at their first byte, and can respond to the following requests, passed in the appropriate structure:

MT_QUERY - called for all muazzins; used for self-identification. Should return the name, the version, and the requests it supports.

MT_PROCESSDROPPER - called with the buffer and its current size as parameters. This is the place to apply poly over the dropper, change the icon, and do everything else that affects the form of the PE EXE dropper, which is the travelling form of the virus.

MT_BLOCKIP - called with the IP the user is trying to connect to and the port. It has several uses: it can block the IPs of AV sites on the internet, it can save the SMTP and NNTP servers the user uses, it can scan for open machines on that network, etc...

MT_APP - general purpose. This is the place for payloads, for scanning for files of different kinds to infect, and for every other kind of thing.

MT_GENTEXT - to avoid suspicion, the text used when sending e-mail is generated by this muazzin. It creates the body of the message and the headers, and determines the attachment name. Here you can put your engine and generate random but still understandable texts about sex, pokemons, jokes, etc...

MT_BLOOM - here the muazzin should try to contact a source of muazzins and retrieve them. Accessing usenet newsgroups, IRC, a POP3 e-mail account, WWW/FTP sites: all of it is done here...

MT_BREED - called at each full moon. This is the time for the muazzin to send all the muazzins installed on the current system to places where other muazzins, using MT_BLOOM, can retrieve them. Posting to usenet, sending e-mails, etc. should be done here.

Notice that a single muazzin can respond to more than one type of call. It is a good idea to make them work together: a muazzin that generates texts about pokemon in MT_GENTEXT can also change the icon in MT_PROCESSDROPPER.
A muazzin that scans for the Back Orifice backdoor at each MT_BLOCKIP and uploads itself there should also process MT_APP, because the dropper, which it will need to upload to the backdoor, isn't passed in calls to MT_BLOCKIP. Etc...

Also notice that these rules aren't written in stone: nothing forbids you, in a dynamic system such as IRC, from using MT_BLOOM to receive and also send muazzins, or the like.

Once you have written your own muazzin, you should encrypt and sign it with the included utility, and you should test it a lot. The key included in this release isn't the key that the virus carries, so don't expect it to work with "in the wild" samples. If you think that other infected machines need your muazzin, contact me for a signature.

─────────────────────────────────────────────────────────────[HOWWORKS.TXT]───

─────────────────────────────────────────────────────────────[MUAZZINS.TXT]───

SAMPLE MUAZZINS INCLUDED:

/PE - Infects PE EXE files without increasing the size or changing the CRC 16/32/48 of the file. The code section is compressed. Writes the dropper to disk in the /temp directory, then runs and deletes it. Files are searched for by a special DLL. Win98 specific.

/PE2 - Polymorphic PE infector using a modified version of KME32 by Z0MBiE. Added CALLs/JCCs. Increases the last section. Writes and runs the dropper. Recursive search.

/EXE - Infects DOS EXE files. Infected files check for a Win32 OS and write and run the dropper if positive. Recursive search.

/HLP - Searches for and infects HLP files with Babylonia's HLP infection scheme. Recursive search.

/RARZIP - Searches for ZIP and RAR files, using Z0MBiE's library, and adds droppers to them. Recursive search.

/SPIRALE - Thanks to Spanska. Drops an EXE file and registers it to always run at boot. A hypnotic spiral then controls the mind of the user. The process is hard to close, making it hard for the user to delete.

/HTTP - Connects to several WWW sites, using WININET.DLL, and tries to retrieve new muazzins.
/USENET - Connects to an NNTP server, retrieves posts, checks the subjects for a special checksum, and reads any possible muazzin. On full moon nights it posts to usenet via a mail2news gateway.

/DOC - Second outsider muazzin contribution. This co-work with Alevirus enables Hybris to infect Microsoft WinWord DOC files.

/SUB7 - Scans the contacted class C subnet for the Sub7 backdoor, and then uploads/runs/deletes the virus dropper on such systems. Bypasses the Sub7 server password. To do the manual work ;)

ARJ.S - Searches for ARJ files and writes droppers into them. Recursive search.

AV!INET.S - Blocks access to the most common AV sites.

DDOS.S - ICMP flood weapon.

EMAIL.S - Sends an e-mail to a hotmail account, for a census.

ENCR.S - Encrypts droppers with a semi-polymorphic layer.

TEXT.S - Generates "erotic" text for e-mail bodies.

JOKE.S - Generates a joke in English/French/Spanish/Portuguese mails.

SERVER.S - Saves the user's default SMTP and NNTP servers to the registry, and returns them at the virus's request.

─────────────────────────────────────────────────────────────[MUAZZINS.TXT]───

───────────────────────────────────────────────────────────────[GREETS.TXT]───

If I can see so far, it is because I am on the shoulders of giants...

This virus would not exist if it were not for the extreme help and support of several people, who helped in all phases of the development. Greetz go to Spanska and Mister Sandman, the intellectual co-authors of this virus, and to Z0MBiE, the master coder, for all kinds of magic routines. Finally, the Brazilian crew, my team, with Kamaileon, NBK, Alevirus and Nimbus, who, besides the testing and the help with several muazzins, gave me support and made this creation known worldwide. ;-)

Greets also go to VirusBuster and Gigabyte, who always gave me emotional support in my dark days, and to urgo32, who tried to teach me math. Thanks to all my other friends, whether in IRC or in the vx groups, who, with their chats and code, always inspired me. I can't name them all here.
Vecna, 2000

PS: to contact me, contact somebody named here, and they will make your name and e-mail reach me.

───────────────────────────────────────────────────────────────[GREETS.TXT]───