% Pinworm.asm %
~~~~~~~~~~~~~~~

   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------
    PiïWéRM v1.00 coded by ûirogen
   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------
       Original Release: 06-03-94
    Source Code Release: 07-05-94

   Welcome to my latest viral creation  -- PiïWérM version 1.00.

   Definition - PINWORM:
      A parasite that crawls out your ass and lays little white eggs ..
      It's amazing what you can learn from Biology class.

   PiïWérM is a memory resident, polymorphic, parastic infector of COM
   and EXE files. Files become infected when they are executed. Eligible
   files are COMs which will not exceed the 64k boundary and EXE files
   smaller than approx 256k and are not "new-format" EXEs such as Windoze
   filez.
   COMMAND.COM may also become infected.

   Original Infection Marker-
   Infected EXE files have their checksum in the header set to random
   value other than 0. This should prevent anti-virus software from easily
   determining if an exe is infected by a simple check of the header.
   Infected COM files will have the fourth byte set to 0.

   Polymorphism-
   This virus has 0 bytes constant and 0 ops in constant locations in
   the decryptor. It's full polymorphic. The garbage code consists of
   randomly retrieved one-byte operands, OR a constant fill of a single
   one-byte operand. The virus selects between these types of garbage code
   randomly in order to prevent scanners from detecting the actual garbage
   code.

   Anti-Anti virus-
   When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted
   in that directory. Also, when the user trys to execute EXE files ending in
   the characters 'AV', 'SCAN', or 'OT' the executable's minimum memory
   requirment in the header is changed to FFFFh. Thus making the file unusable
   whether the virus is in memory or not.
   Pinworm also uses VSAFE and VWATCH's uninstall API as an installation
   check. When pinworm checks itself for residency it also removes these
   shitty programs from memory.

   Anti-Debugging-
   This virus uses a double encryption technique to prevent debugging of the
   code. The first encryptor is ofcourse polymorphic, while the second is there
   only to try and deter debuggers. It's hardly foolproof .. but nonetheless
   will keep out the ignorant.

   Symptoms-
   The user may notice a slight size increase for infected COM and EXE files.
   There may also be a total conventional memory size decrease of approx 5k,
   however the virus randomly decides not to protect its code in memory. As
   stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted as well as
   "Not enough memory" errors when trying to load many anti-virus applications.

   Additonal-
   -Pinworm uses it's own critical error handler.
   -The virus is kept encrypted in memory

   Activation-
   On the 1st of any month, Pinworm will continously play with the keyboard
   lights and create directories named after itself. In these directories will
   be several files that together form a message from ûirogen to the general
   populous.


  Length: Code length -
           Approximatly 1900 bytes
          Added phile size -
           Varies from 1900-2200 bytes
  Detected by: Nothing, nada, nope, kein
          As of SCAN v2.00.0
                F-PROT v2.11
            and TBAV v6.20



  Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--
   Included in this archive should be:
     INFECTED.COM       - Infected phile, second generation
     PINWORM.NFO        - This phile
     PINWORM.ASM        - Assembly language source code