/-----------------------------\ | Xine - issue #4 - Phile 007 | \-----------------------------/ ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± THE SHORT MONOLOGUE OF VIRUS WENDELL FROM HIS SMALL 120 MEGABYTES WORLD ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Written by Int13h/IKX Translation: Sharon K. W. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Yes, virus. This is the generic term in which we are boxed-in by those being that are our natural enemies: the anti-virus. They call us virus, and they kill us and because of that, they are called anti-virus. In other words, I am a virus, yes, a virus and my name is Wendell. When I think it unprepared, it sounds strange to me, but it shouldn't, since inside my code are the instructions that say that I am named Wendell. By using the DB instruction, an unknown variable served as my baptismal font. I am a runtime COM, EXE and SYS files infector. Although I must confess that as regards the device drivers, I only verify the payload, that is to say, I ask for a random number between 0 and 255 (a simple one IN AL,40H) and if the byte returned in AL is 66, then I print a message ont he screen. The message is a presentation message: in the top part of the monitor appears my origen, my name and that of the being that gave me life, the name of my god. I come to life every time a file that I have previously infected is executed. I've already gotten tired of this matter of living in flashes, only when a program in which I am lodged is executed. I would like to be like Virus Alicia or like the Zhengxi in order to be able to infect many different kinds of files, and to be able to reside in memory, and not have to live in short installments as I am now, existing only for two or three seconds while the program in which I am situated is running. I would like to be a virus that resides in memory and allocates myself in the COMMAND.COM in order to exist whenever the machine is turned on and my cycle of life beings. Or I would like to be a Boot Sector and Master Boot Record in- fector. Although it does not escape my awareness that it would be too much work to be like Kuarahy Virus and have to infects disks and diskettes and diverse executable files. It would be too heavy of a task for my strength, and in addition, I would be permanently alive, and it is already very well known that there is nothing so unbearable as eternal life. How bitter would be life if there were not the hope of death! Yes, it would be too unbearable, because all the time I would have to attend to some request to open a file by means of the INT 21h, or a request to read a Sector 1, Cylinder 0, Side 0 of the diskette using a INT 13h. I wouldn't like to be a overloaded work, but yes, I would be delighted to at least be a resident COM, EXE and SYS file infector. Perhaps some people don't know that viruses have a collective consciousness, a common spirit. Whenever an anti-virus eliminates a virus from the warmnook that it occupies at the end of some executable file, all of us viruses feel a common pain, since a member of our community has died. It is sad but it is true, due to it being so true it is sad. It is the struggle of good against evil; virus and anti-virus, it is always difficult to ascertain preceisely who are the good and who are the bad. We, the virus, stick ourselves to the programs in order to exist and we preserve their functioning; more than parasitism I believe that is a symbiosis. A friend of mine, Virus Galindo, thinks about the existence of an Absolute Creator that endowed us with life, someone who he calls EXECUTOR, he believe this and also believes that the Executor is superior to the particular gods that gave life to each one of the virus. I believe that everything always existed, that everything was, is and will be always the same, that everything is static. Some viruses die and others are born, some are eliminated from all of the hard disks and others are born to ocuppay their place, and yet others are endowed with greater capacities for survival in this savage world of bytes. This is what I think, it is not my intention to influence anyone about religion, let is be perfectly clear that is what I think and I alone. It would not be bad to repeat now that I would like to be a TSR. Well, I was saying that all of us virus have a kind of invisible thred that unites us and we can feel it when pain or happiness enters the life of other beings of our species. Futhermore, in this moment moment I am perceiving the sensation of happiness radiated by Virus Hemlock who has just placed a copy of himself in an .EXE file. At the same time, I recieve the dying signal of Virus Cerebrus who was recently expelled from his warm hidding place by some killer program. It is always like this, something good, something bad, sometimes all bad, sometimes some good news. One has to be strong in order to stand all this flood of sensations, of pleasant and dismal news. There are times when the unfortunate news arrives repeatedly, my colleagues die in mass in far-away hard disks. It is something that one has to get accostumed to. I am living now. Now I must look for .COM, .EXEs and .SYS for me to situate myself inside of them. The first thing that I do is call the 4eh function of the INT 21h, here it brings up the name of a .COM, let's see, let's open it up, let's move AX into BX; now let's move the pointer to the end, and compare. NO! I am not able to infect it -it measures only 145 bytes- and my morality code prohibits me to touch files that are so small, it would be rape, they should have at least 1000 bytes. Well, let's see now about the .EXE... nothing, and nothing so far as the .SYS also. There are not more infectable files in this directory. It would be better if I continued. Some of my friends carry instructions in their codes in order to eli- minate our natural enemies: the burnable anti-viruses. I ask myself, why are they our natural enemies? What harm do we do to them? Well, in the case that we are lodged in them, we usually preserve their functionality without any problems, but this was before; everything went along just fine until it occurred to them to become more complex, due to those issues related to the natural evolution of the species and they came all equipped with their CRC routines and self-check modules. And then, wheneverone of ours looked for asylum inside of them, the alarm would ring and indicate that the file had been modified, and the execution would be ended suddenly, in drastic fashion. They were the ones that decided to run with their eyes blindfolded in a mined field. Why is it so difficult to live in peace with them? The hosts, on the other hand, are not aggressives. They all so tamely are ready to give us lodging, there are not protest, no agression. Everything is kindness. Well, one has to tell the complete truth; there are some that refuse to receive us... Generally speaking, they are those that also self-test theirselves to see if they haven't grown some. Those are the one that will atrophy, because one needs to grow and improve oneself each day. That which is stagnant must perish. This life is good, but I find myself to be quite alone and I can think on my own (as I have already said) only during fractions of a second. I would like to be a TSR in order to be able to think all the time, until the darknesses of the non-being return, when the forces are exhausted, when the energy that impulses of small universe ceases and the gigantic sun that is the hard disk ceases to spin around, and its arms lose the gyrating force that it usually brags so much about. But, neither is it good when there are a lot of us; I remember a former occasion when another colleague of mine was in this machine. He was a competitor, he infected COM and EXE files and I had to dispute host sites with him. There were times in which he placed a copy of himself inside of a file and then I likewise did the same, and then he would lodge in the host and I couldn't find my own lodging and we would make the file grow with inflationary numbers. The problem lay in the seconds, due to the fact that both of us used the seconds field of the hour of the last modifi- cation of the program, the only problem being that we employed different values. Each virus has its god, the being that gives it life. I was progra- mmed by some such CJC; I don't know him. I accuse him of irrespon- sable parenthood, because he has never presented himself. As the son and creation of his that I am, he should come up to me someday and say to me "I am your father, son". The god that made Win32.Xine is named JHB, and the one that gave the breath of life to Padania_Libera was named B0z0. There are viruses that do not bear the name of their creator-god within their own code. I feel a little bit sorry for those viruses because it's as if they were orphens. It must be sad not knowing who gave you your life. This is my home, this is where I ac- quire consciousness, in this small 120 megabytes universe of mine, this hard disk that is the star in which I undergo the development of my existence. And thanks to this diskette unit I am able to prolong my offspring toward other parallel universes, on other planes. I know this because there have already been times in which I have had the emotion of feeling other colleagues situating theirselves in other files in faraway universes, and the strangest thing about this was I knew with all certainty that "they were me", or in other words that it was I who was infecting the files, but that they were copies, perhaps. It was like a prolongation of my consciousness. Describing this is very difficult. Even and overwriting virus knows that routines are our ruin, that they kill our wellbeing and creativity. I get bored doing the same thing all the time. Always repeating the same script. When the file in which I will take up lodging is a .COM, I read the first three bytes, situate myself in the end of file and write a jump instruction to the start of the host so that it will turn the control over to me upon execution of the command. When dealing with an .EXE file, I put myself at the end and I modify the header, the CS:IP, SS:SP, size, etc. And as regards the treatment of .SYS files, I position myself at the end and change the strategic routine offset so that I myself can take control first, when the CONFIG.SYS is read and processed. It's always the same. I would like to be as polymorphous as the Uruguay or Marburg viruses. Those colleagues of mine surely know how to change their appeaance; they never are the same and each time they take on a different form. This is good in order to avoid routine and boredom, that one should be able to manage different bodies each and every time is masterful. I have already since once before that I would like to see a virus residing in memory. The Camilo virus is also a runtime virus like myself. Everyone knows that the Dark Avenger virus was the first one to utilyse the Fast Infection Technique. This is very fine indeed, because, why should one wait until the programs whenever they are opened or copied? Take the instance of DIR-II, who is one member of our community that lives in COM and EXE programs in a very special manner. My friend ByWay also uses this method, except that he is better equiped for survival, with more advanced tools. There are some collea- gues of mine that die on a certain date; they are like kamikazes, they die, but they carry with them the entire hard disk. When the progra- mmed date arrives and being situated within the memory, they write random trash all over the hard disk, leaving it unusable but at the same time they write random characters all over their own bodies, mutilating themselves or disappearing completelly. I would like to be a virus residing in memory in order to tunnel and to find the original entry point of the 21h interruption and to thus mock the anti-viruses. It sounds like tremendous fun. I know of colleagues of mine from the virus community that find the original driver of the INT 21h through tracing the PSP. Doing a runtime, my technique is extremely slow; I can't really recommend it to anyone. Speaking of time, I believe that I have tarried enough. It's now time to return the control to the host, since I have finished verifying this entire directory. At the beginning of my execution I already returned the first three original bytes to the host (which is a .COM). I put them back to the CS:100h position and I am already ready to make my leap and jump there, but first I must restore the Critical Error Handler to its original handler and I must repoint the DTA to 80h... Right, check; I clear the registers, everything is all fixed, now I just want to make it quite clear that I would like to be a virus resident in memory, I want to be a TSR, I hope someday some programmer will get up the courage to modify me and add on the skills to live in memory control blocks, I hope that this will happen already in my next consciousness, because now, I must die again, and wait in the darkness for the return of life... MOV AX,100H PUSH AX XOR AX,AX RET Post Scriptum: I want to be a TSR virus! ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Paraguay, November, 1998