40Hex Volume 1 Issue 2                                                   0001

             - HOW TO GET INFECTED FILES INTO LAME BBS's -


    Ok, one problem with sending infected files to BBS's is that you never
can tell if they will be detected by SCAN.  Or if you are sending bombs
the sysop might use CHK4BOMB to detect code that is data damaging.

I'm gonna tell you how to get around this, what you need is the following-

                            PKLITE or LZEXE
                                  and
                           A good hex editor

What you do is this, compress the infected file with Pklite or Lzexe.  This
will make change the files checksum and ID strings quite a bit so it can't
be detected by SCAN and damaging data will not be found by CHK4BOMB.  The
problem is that now the sysop can use CHK4LITE to detect is the file is
indeed infected.   So what you do is this --

Load up the hex editior -

Now look at the file, it will look something like this if you compressed it
with PKLITE.

------------------------------------------------------------------------------

0000  4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02  MZתתתתתתתתתתJתRת
0010  00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B  תתתתתתתתPתתתתתPK
0020  4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20  LITE Copr. 1990 
0030  50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20  PKWARE Inc. All 
0040  52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 00  Rights Reservedת
0050  0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40  תת תתתHתJתJתתתת@
0060  00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00  תתVתתתתתתתתתתתתת
0070  B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D  תתתתKתתתתת;תתתsת
0080  83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53  תת תתתתתתתתתתתתS
0090  B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA  תתת3תWתHתתתתתתתת
00A0  36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68  6תת!ת Not enough
00B0  20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03   memory$תתתSתת-ת
00C0  DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1  תתתתתתתתתת+תתתתת

------------------------------------------------------------------------------

You see the header?  Well what you have to do is overwrite the header with
garbage.  Don't write text cause that is to dectectable by a dump program.
Just overwrite the part that says "PKLITE corp....Reserved" with hex bytes.
Also distroy the part of the code that says "Not enough memory", dont kill
the "$" symbol.

This will make the compressed file-

A> Undetectable to virus scanners, and CHK4BOMB type programs
B> Un-Decompressable
C> CHK4LITE wont notice it as a PKLITE file

It's that easy!

Keep in mind however than any file that the virus infects will no longer
be encrypted by PKLITE, so this method is good only on getting your virus
into the front door.

See the article in issue one on making new virus strains.


                                Forenote

After writing this article SCAN Version 80 came out, It now has the
ability to scan into Pklite compressed files.  Just to let you know that
this teqnique still works and SCAN cannot detect the file as being
compressed as PKLITE.

                                                                         HR
