While creating new viruses DREG uses several variants of code and adds junk instructions sequences. DREG also used several anti-heuristic tricks.
The DREG constructor has several bugs, as a result in some cases it creates buggy viruses that may halt the system or corrupt the files while infecting them.
This generator looks as an enhanced version of the PS-MPC code generator.
This generator looks like a minor version of the PS_MPC code generator, as well as G2 virus constructor.
As info about program it states:
Macro Virus Development Kit v1.0 beta (c) 1996, Wild W0rker /DCIt creates text files containing macros:
C:\FILENEW.TXT C:\FSAVEAS.TXT C:\PAYLOAD.TXT C:\FILEOPEN.TXT C:\FILESAVE.TXT C:\VirusName.TXT C:\AUTOOPEN.TXT C:\AUTOEXEC.TXTIt is able to choose one of the following effects for creating the virus:
The file C:\DROPPER.SCR contains a script with drop file that has to exist before starting virus creation.
The virus uses a standard drop batch file. It create the file: C:\CONVERT.BAT:
@ECHO OFF DEBUG.EXE < C:\DROPPER.SCR > NUL DEL C:\DROPPER.SCRIt adds a line for executing the created virus dropper at the end of C:\AUTOEXEC.BAT
There are two similar versions of this constructor: v1.0 beta and v1.0.
Warning !! You are about to installing the Macro Virus Construction Kit. This Construction can make a working Macro Virus. By clicking AGREE, you are agreeing that YOU UNDERSTAND that any damage by VIRUSES made by this Construction IS NOT OUR RESPONSIBILITY. NOTE :Work only on English version of WINWORD 6.0 above If you do NOT AGREE with the above, click on CANCEL and go to hellThis turns Word into a constructor for macro viruses. The main menu now contains the "Crazy VCK v0.1" button, and there are items to create new viruses as well as "About" and un-installation items.
While creating a new virus the virus constructor requests for file name to infect, virus type (Stealth, Encrypted, 'Semi' Polymorphic), trigger date to display messages, delete files, format the hard drive, launch a DOS virus, e.t.c.
It infects the global macros area on opening an infected document; it writes to documents on closing.
On 11th and 31st it displays the DialogBoxes, on entering the Tools/Macro and File/Templates menus it displays:
Chicken say ......... [pox-poX-pOX-POX-POx-Pox-pox] Hello there......., this command was blocked by Chicken Pox Macro Virii This is sample from Our Generator Virii, we named our generator CVCK V0.2. It's very user friendly !, try it ! This Virii is not Dangerous !, If you want try our CVCK V0.2 email Us on "email@example.com"
It infects the global macros area on opening an infected document - it writes to documents on closing.
On entering the Tools/Macro and File/Templates menus the virus erases the files in the C:\WINDOWS directory. On Fridays it erases the text in the current document.
On 13th of any month it displays the DialogBox:
Visit NoMercy WEB PAGE ! <NoLogo á ¿¡ á> http://www.geocities.com/ReseachTriangle/3996 Welcome Again buddy!. It's nice create a Virus, why you don't try? Like always, We made new If Our Macro Viruses was detectable by famouse AV Visit http://www.geocities.com/ReseachTriangle/3996 for know newest Macro Virus from Us and Indonesian Macro Virus!The virus also contains the comments:
-------------------------------------------- Created using CVCK v.01 b (C)CrazybitS 1997, Yogyakarta, Indonesia -------------------------------------------- greeting to -Cicatrix major collector -D.Giovanni -All Macro virii creator -You that has seen the decription macro
On 1st and 13th of any month it erases the text in current document and displays the DialogBox:
You have fOX'Z in your computer ! Hey, No body can use Microsoft Word Today !! Yogyakarta, Indonesia by : Fox'z,On printing a document the virus inserts the text:
Try to print tomorrow buddy , today your computer want rest (today is a holiday?) --Foxz--
This is macro Word97 virus construction tool. The constructor itself is a Word97 document that contains sixteen modules: CPCK, IntroFrm, Page1, OptionsFrm, PayloadFrm, Export, Done, vsmp, RegFrm, InsultFrm, WDMfrm, PlugInFrm, Class1, About, Main, TriggerFrm.
When run the constructor displays a picture contains the text "Class.Poppy CONSTRUCTION KIT by VicodinES". It then displays the menu with many future virus' settings. The tool allows to choose methods of replicating, polymorphic mechanisms, methods of interception and many effects of different kinds.
Generated effects can operate on calendar days, they display MessageBoxes, dialogs, edit system registry, etc. That is also possible to add "customized" effect that is entered as a Visual Basic subroutine.
The constructor then requests for virus name and creates infected document.
DW97MVCK, frmStartForm, frmVirusSourceName, frmVirusBody, frmStealth, frmRetro, frmPolymorphic, frmPayload, frmPayloadMessageBox, frmPayloadSetPassword, frmPayloadBeep, frmPayloadExitWindows, frmPayloadOfficeAssistant, frmPayloadChangeStatusBar, frmPayloadChangeCaption, frmMacros, frmMakeVirus.When run the constructor displays MessageBox wiÑ the text "DW97MVCK v1.0". The constructor then asks for virus name, output file name for the virus source, virus type, effects, headers for prints and for status bar. There are several effects available:
MessageBox Set Password Beep Office Assistant Change Caption Change StatusBar ExitWindows
The original Demolition Kit is packed together with three sample Macro.Word viruses: Blackk, Blackend, Grunt.
This is a macro word utility for creating Macro.Word viruses. It contains the macros: DAT1, DAT2, DAT3, DAT4, DAT5, DAT6, DAT7, DAT8, DAT9, DAT10, DAT11, DAT12, DAT13, DAT14, DAT15, DAT16, DAT17, DAT18, AutoExec, AutoOpen.
Nightmare Joker´s Word Macro Virus Construction Kit :-() Dieses Programm ist zu reinen Lehrnzwecken entstanden. Die Verantwortung für jeglichen entstandenen Schaden, der durch dieses Programm verursacht wurde, liegt bei dem Anwender! PEACE \/This constructor can create macro viruses containing the following ten DOS virus droppers:
1 = Casino Virus - Casino.2330 2 = Media Markt Virus - VCL.Markt.1533 3 = MTE.Shocker - MtE.Shocker 4 = Sirius.Alive - Sirius.Alive.4608 5 = SMEG.Queeg - Smeg 6 = Tequila - Tequila 7 = Virogen - VICE.05.Code.3952 8 = Uniform [Boot Virus] - Uniform 9 = Bizatch/Vlad - Win95.Boza.c.(intended) 10 = Tremor - TremorThe constructed viruses can also append a text to the end of the document that is printed.
The Phalcon/Skism Mass-Produced Code Generator is a tool which generates viral code according to user-designated specifications. The output is in Masm/Tasm-compatible Intel 8086 assembly and it is up to the user to assemble the output into working executable form. The features of the PS-MPC include the following: - Over 150 encryption techniques, randomly generated during each run of the PS-MPC - Compact, commented code, much tighter than VCL - COM/EXE infections - Both resident and nonresident viruses - Two types of traversals for nonresident viruses - Three types of high memory residency routines for TSR viruses - Optional infection of Command.Com - Critical error handler supportThe PS-MPC constructor was released in 1992 and distributed in the source codes as well as in executable files. That is one of the most popular constructors, and several other constructors G2, IVP were created by using the PS-MPC sources.
That constructor creates source ASM files of the virus. The user can select the virus features: encrypted or not, memory resident or not, COM/EXE/COM and EXE infection, effects etc.
It seems that the viruses from "Arcv" family are based on PS-MPC constructor.
Create your own Windows virus! This is a EASY to use Windows Virus creation kit. Written By Stalker XThese viruses search for NewEXE files, and write themselves to the end of the file. Depending on their "generation" these viruses fill the screen with random data.
DEBUGGING IS VERY ILLEGAL (NOT!) I-EAS Virus Creation Centre v0.19ß [IE-VCC v0.19ß]The viruses display the messages:
IT IS THEM!!!!!!! Hope you like ants! THEM! A Virus Thespian [TA] [TP]"VCC.571":
Your System DNA is mutating! sPeCiEs A Virus pANdEMiC [sA] [HH]
The main properties of VCL-viruses are:
The tool comments each its operation by MessageBoxes. The first MessageBox contains the text:
This installation will make 4 items 1)A directory C:\VIRUDEMO 2)Macro VIRAUTOOPEN in the Global template 3)Macro VIREXEDATA in the Global template 4)An initial virus document WWVIRUS.DOC Whenever asked you must SAVE them.