NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- KE "The Varicella Virus Source Codes -N E- Nu -N uK Nu By KE uK Rock Steady E- KE -N E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu ahh, NuKE PoX viruses will never end... Well I noticed a few flaws and faults in code in the old NuKE PoX virus version 2.0, which I wanted to refine. This time I had a lot of time, and I _fully_ commented the source codes. % Improvements % The most major improvement is the infection routine, I have created a generic method that will always use the same infection/disinfection routine. If you remember NuKE PoX v2.0 you noticed that I copied whole blocks of the code twice, which gave the virus a size of 1800 Bytes! This version hovers at 1483 bytes, and it's far from tight, but it's EXTREMELY reliable! Meaning this baby should never crash for any reason. And it has _many_ added features that N-Pox v2.0 didn't have! % Introduction to the ideology of the Stealth Virus % Like the SVC viruses, this virus will `disinfect' on the fly. And to the DIMWIT that said SVC doesn't disinfect by rewriting the program on disk, GO CHECK YOUR INFO NITWIT. The SVC viruses will disinfect a file when opened, the SVC virus will actually remove the virus from the infected program. It will NOT attempt a disinfection in memory only! It does have the ability to do this to a certain extent, if you execute the file, and if you jump towards the end of the file by Int21h/4202h the SVC virus will fool DOS to think that the file is not infected, whereby it really is. But this method has a MAJOR flaw, one flaw is exercised by F-Prot anti-virus, to defeat this dumb method. The major flaw is that these viruses _cannot_ keep track of file pointers, it would take too much code to exercise this. So if you read a file from the beginning and read sequentially toward the end, surely enough you will encounter the SVC virus, because it does not have the ability to keep track of the file pointer. So in order to fix this, SVC will do a _real_ disinfection of the file on disk. Therefore in all aspects the file will look clean, as it _is_ clean! Also note, that the SVC viruses also infect System Device drivers, this is _rarely_ noted, maybe because people use VSUM as a reference? % Varicella Features % The virus will only infect .com and .exe generic files. I have removed the .ovl infections because of certain crashes that persist with certain large programs. No virus to date successfully does this for some reason. The virus will hide its file length by FCB directory method (Int21h/ah=11h,12h) and by File Handles method (Int21h/ah=4Eh,4Fh). The virus will disinfect the file on opens & extended opens via (Int21h/ah=3Fh,6Ch). The virus will also disinfect files as they are executed, (Int21h/ah=4Bh) and will later reinfect it when it has terminated. The virus will infect on closing (Int21h/ah=3Eh) and it uses the very sophisticated Job File Table method (The List of List). Infection is denoted by the seconds field will equal the day of the month! This method is _a lot_ better than having the seconds field to 60 or 62, because many AV programs flag on invalid seconds field. Therefore now the seconds field will be from a number 1->31 (Days in a month), and only with a 6% chance of an invalid second field stamp. Also in order not to create problems, the last two bytes of the virus _must_ be DBh,DBh. Therefore the virus uses TWO methods of detecting infection, because we wouldn't want to `disinfect' a file that isn't infected, so we must be 100% sure. I found it no use to have a `fake' disinfection routine, whereby it fakes a disinfection, for the reason that this method contains several flaws. And I found that testing this virus on my PC with a 40 Meg MFM 65ms drive, showed _very_ little signs of abnormality. So in speed wise, it's very fast, what is a 1-2 millisecond more, (1/100s of a second). When disinfecting a file, the virus even puts back the original seconds field time stamp, leaving absolutely no trace of its existence! How many viruses do that? huh? % To Come % Well I already have a multi-partition version of this virus, I'm currently tring to add NED polymorphic possibilities to this virus. This will be a nice task, as NED is variable in length, therefore I have to save the original file length, or I will fix NED to be constant in length. Nevertheless you should see it coming soon. % About the Name % Well I didn't want to call this N-Pox, because it has NO code similarities with N-Pox, the only thing they share is the method of going resident. But I called this "Varicella" because, Varicella is the medical term for (Chicken Pox) that adults get! When a child gets the Pox, you call it Chicken Pox, when an adult gets it, you call it Varicella! So I found it appropriate to call this Varicella because it is perhaps the `adult' or later out come of the N-Pox virus.