Story of Ghauri2 (W97M.Piece.A)
What is Ghauri2
Ghauri2 is the name of Pakistan’s Nuclear War Head Carrier. I selected this name because it scared the hell out of many at least here in Pakistan.
Spread of Ghauri2
I don’t know what should I say…. I like to spread the virus……….. J I think spreading a virus is also a nice exercise and experience. After all one can also call it as part of VX Scene. OK! So enough of it.
How did I spread Ghauri2. Let me see.
Norton AntiVirus Heuristic Analyzer (BloodHound) had given me serious problems while I was writing my 1st ever virus a .COM infector GHAURI. Anyway who cares about DOS nowadays.
In Macros things were changed. I tried different things like writing encryption key to a Basic’s binary file and reading it in another variable, using log and other engineering formulas but one way or another it did get hold of it. I started commenting all the lines one by one to see which is the most sensitive line which I can cover. It came out to be the names of files that I used to export and import my code to. So what I did I set the filenames like: -
Fname$ = Chr$(58) + Chr$(92) + Chr$(119) + Chr$(105) + Chr$(110) + Chr$(105) + Chr$(111) + "2." + Chr$(118) + Chr$(120)
File$ = Chr$(Asc(Chr$(Asc(Chr$(Asc(Chr$(A + 2))))))) + Fname$ + Chr$(100)
Guess what ? It worked. Just a small action and there goes all the artificial intelligence of Mr. Norton. ;-)))))
At that time (somewhere in Sep 1999) I tested it with NAV 2000 to make sure it is not detected. McAfee failed badly as I think it doesn’t have any heuristic scanning ability at all. I send the virus copy to different people. It passed away all the channels except that of IEEE (Institute of Electrical & Electronics Engineering). As their Anti-Virus got hold of it and cleaned it on spot. I am still not sure which AV they used. Most probably AVP because it’s not available here in Pakistan (at least 1 drawback of Pirated software that you won’t find all the nice stuff). Otherwise maybe I would have stepped over AVP as well.
Nearly all of my friends know about my…… should I say hobby. There was a software competition being held in my university. As there are different software competitions being held in Pakistan time and again, so in order to have a different thing they asked me to write something different. It was 9th Bit. Thanks to "Lord Julus" (one of the most versatile programmers I think !!) who helped/ guided through it.
I made the front end in VB6 which created a complete Win32 ASM file, compiled it and linked it in the form of a Virus infected file. Asking the user multiple options like Payloads, user code insertion, Encryption, Polymorphic and Metamorphic Effects (it’s effects by inserting garbage or do nothing effect code). Giving it slight a touch of floating skulls and things like that.
3 judges were to come and grade each of the software. The 1st judge gave me 88/100 (the highest the 1st day) and left saying that I m too complicated for him. As I got the highest score, there was a lot of hue and cry from the other programmers side as they didn’t know anything about it themselves.
The next 2 days there were bunches of students and teachers from different universities of the other participant approached and sort of went into arguments. Quite often at times the Organizing committee was to be called to control the situation.
Then something went drastically wrong. The other 2 judges didn’t know anything about ASM and didn’t understand even a single bit of what I said. They behaved as if they were understanding everything what I was trying to explain, but I can bet they didn’t understand even a single bit of it. Anyway to my surprise one of them gave me 24/100 and other gave me 6/100. God Damn it! I don’t believe it.
Anyway for those 3 days it really shudder the universities environment and the exhibition went on fairly well…… ;-)
Unlucky for me after that I joined the Mil Academy.
1 nice thing about 9th bit or any WIN32 ASM virus that I noted is that u write the simplest virus and u would be the unluckiest person in the world if ur virus get caught by AVs heuristics. They surely fail badly in Win32 Environment.
Last Macro Release in the Future
Nowadays I m in the Mil Academy. Most often applying mud and wet grass on my face for camouflage and concealment. J . What to talk of using the computers. Anyway I have been learning different things. Reading different Ezines and other stuff.
The experience of Gahuri2 was great.
I was writing an encrypted, polymorphic virus powered by some metamorphism when the computer crashed and all my effort went to waste. Maybe when I’ll pass out from the academy I will rewrite it once as that I think will be a true virus.
A Software Engineer's Valentine Poem
I was full of erroneous statements
On the DOS and on NT
My life was full of bad commands
Not even A single access given.
But now that you are with me
My heart's data type is known
You turn my integer pointer
Into a character pointer.
You download things from my memory
Onto my new folder
My life was once an assembly code
Now it's in C++
I love the way you program things
My NT server that you can fix
With the arrays and pointers.
You have built a software of my life
I cannot survive without you
You are just like my mouse.
You have programmed my life.
Increased the size and made it recursive
And now I'll end my poem
Don't press Control, Alt, and Delete