ZipDevil 0.1

WARNING: ZipDevil is a virus.  However, its only goal is to replicate and 
spread itself.  It does no damage to data or files!

ZipDevil is an attempt to reinvent the companion file virus.  It takes 
several somewhat elaborate measures to encourage its continued existence.
The author takes one here by posting this code.

ZipDevil is a non-resident spawner.  After the infection (or infection 
attempt), it runs the file the user intended along with the command 
line arguments.  It infects .EXE's using the companion file method.  It is 
capable of internally infecting .ZIP's as long as it can find PKZIP on the 
host system. 

When infecting a ZIP file, it chooses an .EXE file within the .ZIP to infect.  
If there aren't any internal .EXE's or the .ZIP is already infected, ZipDevil 
aborts the infection.

ZipDevil examines C:\AUTOEXEC.BAT for calls to executables.  It infects these
files and, if necessary and possible, modifies AUTOEXEC.BAT to ensure it 
is run upon every bootup.  In general, ZipDevil can only use .EXE's as host 
programs; .COM files are not susceptible to the companion file method of 
infection.  

Unfortunately for the 'Devil, in this day and age of Windows-based programs, 
the companion file method is of limited virulence.  In response to this, 
the virus specifically targets the call to Windows 3.1 found in most 
AUTOEXEC's on systems running Windows 3.1.  AUTOEXEC.BAT is modified to call 
WIN.EXE instead of WIN.COM, and of course WIN.EXE is the file containing the 
viral code.  Unbeknownst to the user, ZipDevil does its business before 
loading Windows as normal.
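
The two behaviours described above (companion files beside .EXE hosts, and 
an AUTOEXEC.BAT that starts WIN.EXE instead of WIN.COM) can be checked for 
from the defender's side.  The following is an added example, not part of 
ZipDevil or its author's code.  It assumes the classic form of the companion 
method, where a same-named .COM and .EXE sit in one directory; the function 
names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

EXEC_EXTS = {".COM", ".EXE"}  # DOS names are case-insensitive, so compare upper-cased

def find_companion_pairs(root):
    """Return sorted (directory, stem) where both STEM.COM and STEM.EXE exist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        seen = {}
        for name in files:
            stem, ext = os.path.splitext(name.upper())
            if ext in EXEC_EXTS:
                seen.setdefault(stem, set()).add(ext)
        hits += [(dirpath, stem) for stem, exts in seen.items() if exts == EXEC_EXTS]
    return sorted(hits)

# Command position only: optional @ / CALL, optional drive and path, then WIN.EXE.
WIN_EXE = re.compile(r"^\s*@?(?:call\s+)?(?:[a-z]:)?(?:[^\s\\]*\\)*win\.exe\b", re.I)

def suspicious_autoexec_lines(text):
    """Return (line_no, line) for AUTOEXEC.BAT lines that start WIN.EXE explicitly."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if WIN_EXE.match(line)]

def demo():
    """Scan a constructed sample tree and a constructed AUTOEXEC.BAT."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("WINDOWS/WIN.COM", "WINDOWS/WIN.EXE", "GAMES/DOOM.EXE",
                    "GAMES/doom.com", "UTIL/EDIT.COM", "UTIL/PKZIP.EXE"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()  # empty placeholder files
        pairs = [(os.path.relpath(d, root), s) for d, s in find_companion_pairs(root)]
    autoexec = ("@ECHO OFF\r\nPATH C:\\DOS;C:\\WINDOWS\r\n"
                "REM WIN.EXE\r\nC:\\WINDOWS\\WIN.EXE\r\n")
    return pairs, suspicious_autoexec_lines(autoexec)

if __name__ == "__main__":
    pairs, lines = demo()
    print("same-named .COM/.EXE pairs:", pairs)
    print("AUTOEXEC.BAT lines starting WIN.EXE:", lines)
```

A reported pair is a lead to inspect (file dates, sizes, contents), not proof 
of infection by itself.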

With Windows 95 systems, ZipDevil is only prolific if the user makes frequent
shells to DOS.  It seems unlikely that ZipDevil will spread very far on most
Windows 95 machines.  Future enhancements to alleviate this drawback are
expected.  If you'd like to improve on the code, this is a prime area to do 
so.  (See the author's modification request below.)

The virus also has a self-cleaning mechanism.  Create an empty file with path
and filename C:\EX.BAT.  ZipDevil checks for this file and if it finds it, it 
appends the DOS commands necessary to eradicate all the infections it makes 
on your drive.  For EX.BAT to work, PKZIP.EXE must be in your DOS path.
If EX.BAT does not exist, the virus makes no record of its work, and it will
probably be a tedious task to fully remove it from your system.  (If 
PKZIP.EXE was in your DOS path, then ZipDevil found it and you will have to 
look in every ZIP file on your drive!)

Remember, ZipDevil can and will modify your AUTOEXEC.BAT file.  Make a backup
before installing the virus.  To fully remove all work the virus has done,
simply restore the backed up version of AUTOEXEC.BAT that you've made, and
run C:\EX.BAT.  

ZipDevil is its own dropper.  Compile and link the code, then simply run the 
resultant .EXE executable.  On a typical hard drive, there is a good chance
that one execution as a dropper will establish it.

The author encourages the spread of this virus to both knowing and unknowing 
others either in the form of source code or as an executable.  Modifications
are encouraged, but take the following to heart.  Make modifications 
carefully, and test the code.  Never cause damage or disruptiveness out of 
laziness.  If you're going to add a trigger mechanism to ZipDevil, do it 
deliberately and soulfully.  Think about what you're doing and who you're 
affecting.

------------------------------------------------------------------------
Of course, the author accepts no liability for the use or misuse of this 
code.  There are no copyright or legal restrictions on this code.
------------------------------------------------------------------------

        Comments and bug reports can be posted to the usenet newsgroup 
                        alt.comp.virus
And if you feel you've improved ZipDevil, please post the modified code to
                        alt.comp.virus.source.code