-main-   -hh86 corner-   -artificial evolution-   -articles-   -viruses-   -LIP-   -online ezines-   -programs-   -links-


Sometime they will give a war and nobody will come!
(by Carl Sandberg)
Viruses:


2013.10: Mycoplasma mycoides SPTH-syn1.0 (also released in valhalla #4)
- Can infect biological DNA, thus spread in the digital and biological world
- Carries (modified) DNA of self-replicating bacteria (Synthetic Mycoplasma mycoides JCVI-syn1.0 clone sMmYCp235-1)
- Infects FASTA files (standard DNA format for sequenced genoms)
- In digital world, worming over removeable disks and shared network disks
- Written in C++ (~400 lines of code plus ~1.3MB of modified bacteria DNA)


2013.07: JS/VBS/MatLab/Ruby/Python.Polygamy (also released in valhalla #4)
- Cross-script infector
- Infects 5 different languages: JS, VBS, MatLab, Ruby, Python
- Uses Meta-Language which is scaleable (adding 5th language is as complicated as adding 2nd language
- Written in JavaScript (~730 lines, generation0)


2012.12: JS.Transcriptase (also released in valhalla #3 - Peter Ferrie: Read the Transcript, in VirusBulletin 05.2013)
- First metamorphic Script-Virus
- Uses its own meta-language, with a self-compiling compiler
- Micro- and Macro-Permutations
- Polymorphic partial encryption
- JavaScript file infector
- Written in JavaScript (~2150 lines)


2012.02: Win32.Filly (also released in valhalla #2 - Peter Ferrie: "LAHF"ing All The Way, in VirusBulletin 09.2012)
- Polymorphic decryptor using shadow of code-flow (flags)
- Semi-deterministic code-reconstructor
- Worming over removeable disks and shared network disks
- Written in assembler (~1950 lines)


2011.11: Win32.Addisco (also released in valhalla #2 - Peter Ferrie: Is Our Viruses Learning?, in VirusBulletin 11.2012)
- Autonomously finds and implements new anti-emulation tricks using blackbox analysis
- Worming over removeable disks and shared network disks
- Written in assembler (~750 lines)


2011.07: Evolus (also released in valhalla #1 - Peter Ferrie: Flibi reloaded, in VirusBulletin 11.2011)
- Second lifeform that took the redpill (after Evoris)
- Takes use of an artificial evolution concept
- Polymorphism, Horizontal Gene Transfere, Start- and Stop-Codons, ...
- Worming over removeable disks and shared network disks
- Written in assembler (virus) and C++ (factory)


2011.07: Win32.Kitti (also released in valhalla #1)
- Mutation engine changes instruction to overlapped code
- Worming over removeable disks and shared network disks
- Fully written in assembler (~2500 lines)


2011.07: MatLab.MicrophoneFever 1/2 (also released in valhalla #1 - Peter Ferrie: Not 'Mifeve'-ourite Thing, in VirusBulletin 03.2012)
- Matlab M-file inserter
- Polymorphism takes use of complex algorithm and functions provided by MatLab
- Partial encryption
- Combines tau-obfuscation and multi-branches at code regeneration


2011.03: Mathematica.Prometheus
- First virus for Wolfram Mathematica
- Infects Mathematica Notebook files
- Kind of EPO (inserts the code into a random Input-Object in the .nb-file)


2010.12: Mimic (also released in Virus-writing Bulletin 2011)
- New mutation technique: Analyses the behaviour of random code and substituates the own code if behaviour matches
- Worming over removeable disks and shared network disks
- Fully written in assembler (~3600 lines)


2010.11: Evoris (also released in Virus-writing Bulletin 2011 - Peter Ferrie: Flibi night, in VirusBulletin 03.2011 and Flibi evolution, in VirusBulletin 05.2011)
- First lifeform that took the redpill
- Takes use of an artificial evolution concept
- Worming over removeable disks and shared network disks
- Fully written in assembler (~4500 lines)


2009.02: eicART
- MS-DOS .com file overwriter
- whole binary representation consists of ASCII human-readable characters (which is also the main feature of EICAR test file)
- Fully written in assembler and encrypted with a c++ subprogram


2006.05: WikiWorm (also released in rRlf #7)
- First worm using Wikipedia to spread
- Searchs random Articles and changes external links to worm-download path
- Fully written in assembler (~550 lines)


2006.05: ArchiveTiger (also released in rRlf #7)
- Highly morphic
- Advanced File-Splitting Technique
- Code-In-Filename Technique (Encrypted)
- WinRAR archive worm
- Fully written in assembler (~1400 lines)


2006.03: InfoPath.iCab (also released in rRlf #7)
- Microsoft Office Infopath Macro virus
- First of its kind
- Fully written in assembler (~900 lines)


2005.07: Monad.Candela-family (also released in rRlf #6 - Peter Ferrie: Criss-Cross, in VirusBulletin 11.2005)
- Very first Monad viruses
- Infects Command Shell Files for Microsoft Windows Vista (Codename: Longhorn)
- Overwriter
- Prepender
- Appender
- EPO-infector
- Cross-Infector


2005.04: SPTH-OS 2.0 (also released in rRlf #6)
- Very first Bootsectorvirus for CD-ROMs
- Works on CD-ROMs and diskettes
- Own FAT32 system support (no INT hooking)
- FAT12 .IMG files infection
- ISO-9660 El Torito .ISO file infection
- Infects all files in Root_Directory of 1st Partition on HD
- Size: 3 Sectors


2005.01: SPTH-OS 1.0 (also released in rRlf #6)
- Bootsectorvirus
- Own FAT12 system support (no INT hooking)
- Bootsectorinfection of FAT12 .IMG files
- Infects all files in Root_Directory of current Disk
- Size: 1 Sector


2004.11: Ruby.Paradoxon (also released in rRlf #5)
- World's very first Ruby virus
- Prepender
- 655 bytes


2004.09: Menuet/COM.Tristesse (Trend Micro | also released in rRlf #5)
- Multi-platform infector
- Menuet (32bit) -> Menuet (32bit - prepending)
- Menuet (32bit) -> COM (16bit - appending)
- COM (16bit) -> COM (16bit - appending)
- COM (16bit) -> Menuet (32bit - prepending)
- Fully 16/32bit assembler written
- KAV warning avoiding via by-hand DOS function encryption


2004.06: Menuet.Oxymoron (also released in rRlf #5)
- World's very first Menuet virus
- Prepender
- Fully 32 bit assembler written
- some parts are optimized


2004.03: BatXP.Nihilist (also released in BATch Zone #5)
- EPO Infection
- Infects 5 bat files every run
- neverused commands


2004.01: JS.Cassandra.a/b - 350 different representations (also released in rRlf #4)
- polymorphic (Add Garbage/Junk code)
- polymorphic (Function Games)
- polymorphic (Body Changing)
- polymorphic (Variable Changing)
- polymorphic (Number Changing)
- sometimes encrypted with changing everything to ASCIIs
- JS Overwriter
- extremly small: 5.060 Bytes



2003.10: PHP.RainBow (~68% detection: also released in rRlf #4)
- polymorphic (Add Garbage/Junk code)
- polymorphic (Varible Changing)
- polymorphic (Number Changing)
- PHP Prepender
- extremly small: 36 lines



2003.07: BAT.Lorelei (also released in BATch Zine #3)
- Infects BAT files
- Finds many directory via Brute-Force
- A nice shorter-your-code-Technique



2003.06: JS.Sinope (also released in rRlf #4)
- Cross Infection: BAT / CMD
- Cross Infection: VBS
- EPO infector in JS
- Very small: 40 lines



2003.06: Bat|BatXP.Iaafe (also released in BATch Zine #2)
- works at every Windows from Win 9x to WinXP
- polymorphic at Win00 and WinXP (21! generations)
- polymorphic at Win 9.x (5! generations)
- encrypted with 'set-encryption'
- spreads via mIRC (spealth spreading from an article by Lord Yup [released in 29A#6])
- made it together with philet0ast3r



2003.04: HTML.Umbriel (also released in rRlf #4)
- shutdowns the computer after a 200sec delay via DOS-command
- finds files via registry
- Autostart via addingto the WindowsXP desktop
- Low polymorphism (adding junk to the code)



2003.03: BatXP.Palindrom.a/b (Symantec | also released in BATch Zine Christmas Edition)
- polymorphic (Variable Changing)
- polymorphic (Body Changing)
- encrypted with a set-encryption
- infects BAT files



2003.02: BAT|JS.Charon
- spreads via eMail using 5 different subjects, bodys and attachment-names. Sometimes the attachment is .BAT, sometimes .JS
- infects .JSes, .BATs and .CMDs
- uses Anti-KAV heuristic technique



2002.11: BatXP.Saturn (Trend Micro | also released in rRlf#3)
- polymorphic (5! different generation)
- encrypt with a set-encryption
- spreading via mIRC