Virus Constructors

Macro.Word97.Constructor.DW97Mvck

DREG constructor

DREG (Digital Hackers' Alliance Randomized Encryption Generator) is a virus constructor. It creates virus source codes (ASM files), then runs TASM and TLINK to compile these source to executable files. DREG creates nonmemory resident encrypted COM viruses. They search for COM files in the current directory and write themselves to the end of files.

While creating new viruses DREG uses several variants of code and adds junk instructions sequences. DREG also used several anti-heuristic tricks.

The DREG constructor has several bugs, as a result in some cases it creates buggy viruses that may halt the system or corrupt the files while infecting them.

G2 Constructor

G2 ('the second Generation in Virus Creation') is a virus creator. It produces viral assembler source of different virus types. The characteristics of the G2-based virus are selected by editing a configuration file. There are several options: infect COM, EXE or both; resident or nonmemory resident; encrypted or not; INT 24h hooking or not; COMMAND.COM infection or not; anti-debugging tricks or not; and other.

This generator looks as an enhanced version of the PS-MPC code generator.

IVP Constructor

IVP ('INSTANT VIRUS PRODUCTION KIT') is a virus creation kit. It produces viral assembler source of different virus types. The characteristics of the IVP-based viruses are selected by editing a configuration file. There are several options: infect COM, EXE or both; encrypted or not; INT 24h hooking or not; COMMAND.COM infection or not; and other.

This generator looks like a minor version of the PS_MPC code generator, as well as G2 virus constructor.

Macro Virus Development Kit Constructor

This is a macro word tool for creating Macro.Word viruses. It contains the following macros: Install, MVDKMain, MVDKAbout, UnInstall, MVDKPayLoad.

As info about program it states:

Macro Virus Development Kit
v1.0 beta
(c) 1996, Wild W0rker /DC

It creates text files containing macros:

 C:\FILENEW.TXT
 C:\FSAVEAS.TXT
 C:\PAYLOAD.TXT
 C:\FILEOPEN.TXT
 C:\FILESAVE.TXT
 C:\VirusName.TXT
 C:\AUTOOPEN.TXT
 C:\AUTOEXEC.TXT

It is able to choose one of the following effects for creating the virus:

Set Password
Erase System Files
Drop File

As condition it is possible to chose: Day/Second.

The file C:\DROPPER.SCR contains a script with drop file that has to exist before starting virus creation.

The virus uses a standard drop batch file. It create the file: C:\CONVERT.BAT:

 @ECHO OFF
 DEBUG.EXE < C:\DROPPER.SCR > NUL
 DEL C:\DROPPER.SCR

It adds a line for executing the created virus dropper at the end of C:\AUTOEXEC.BAT

There are two similar versions of this constructor: v1.0 beta and v1.0.

Macro.Word.Constructor.Cvck

This is a macro Word viruses constructor. When executed it displays the MessageBox and installs itself into NORMAL.DOT in case of clicking the "Agree" button:

 Warning !!
 You are about to installing  the Macro Virus Construction Kit. This
 Construction can make a working Macro Virus.  By clicking AGREE, you are
 agreeing that YOU UNDERSTAND that any damage by VIRUSES made by this
 Construction IS NOT OUR RESPONSIBILITY.  NOTE :Work only on English
 version of WINWORD 6.0 above If you do NOT AGREE with the above, click on
 CANCEL and go to hell

This turns Word into a constructor for macro viruses. The main menu now contains the "Crazy VCK v0.1" button, and there are items to create new viruses as well as "About" and un-installation items.

While creating a new virus the virus constructor requests for file name to infect, virus type (Stealth, Encrypted, 'Semi' Polymorphic), trigger date to display messages, delete files, format the hard drive, launch a DOS virus, e.t.c.

Cvck.a

This is a CVCK-based virus. It contains 11 macros: AutoExec, AutoOpen, Action, Action2, stdClose, HelpAbout, Organizer, ActionDate, ToolsMacro ( Ñ½ ), FileTemplates, ToolsCustomize.

It infects the global macros area on opening an infected document; it writes to documents on closing.

On 11th and 31st it displays the DialogBoxes, on entering the Tools/Macro and File/Templates menus it displays:

 Chicken say .........
 [pox-poX-pOX-POX-POx-Pox-pox]
 Hello there......., this command was blocked by Chicken Pox Macro Virii
 This is sample from Our Generator Virii, we named our generator CVCK V0.2.
 It's very user friendly !, try it !  This Virii is not Dangerous !, If you
 want try our CVCK V0.2 email Us on "nomercy12@hotmail.com"

Cvck.b

This is a CVCK-based virus. It contains six macros: AutoExec, AutoOpen, Action, Stealth, StlhClose, ActionDate. In the NORMAL.DOT the virus has three additional macros: ToolsMacro, ToolsCustomize, FileTemplates.

It infects the global macros area on opening an infected document - it writes to documents on closing.

On entering the Tools/Macro and File/Templates menus the virus erases the files in the C:\WINDOWS directory. On Fridays it erases the text in the current document.

Cvck.c

On 13th of any month it displays the DialogBox:

 Visit NoMercy WEB PAGE !
 <NoLogo  á  ¿¡ á>
 http://www.geocities.com/ReseachTriangle/3996
 Welcome Again buddy!. It's nice create a Virus, why you don't try?
 Like always, We made new If Our Macro Viruses was detectable by famouse AV
 Visit http://www.geocities.com/ReseachTriangle/3996   for know newest
 Macro Virus from Us and Indonesian Macro Virus!

The virus also contains the comments:

 --------------------------------------------
  Created using CVCK v.01 b
 (C)CrazybitS 1997, Yogyakarta, Indonesia
 --------------------------------------------
 greeting to
 -Cicatrix major collector
 -D.Giovanni
 -All Macro virii creator
 -You that has seen the decription macro

Cvck.d

This is a CVCK-based virus. It contains ten macros: AutoExec, AutoOpen, Action, stdClose, FilePrint, ActionDate, ToolsMacro, EditAutoText, FileTemplates, FilePrintDefault.

On 1st and 13th of any month it erases the text in current document and displays the DialogBox:

 You have fOX'Z in your computer !
 Hey, No body can use Microsoft Word Today !!
 Yogyakarta, Indonesia by :
 Fox'z,

On printing a document the virus inserts the text:

 Try to print tomorrow buddy , today your computer want rest (today is a
 holiday?) --Foxz--

Macro.Word97.Constructor.CPCK

This is macro Word97 virus construction tool. The constructor itself is a Word97 document that contains sixteen modules: CPCK, IntroFrm, Page1, OptionsFrm, PayloadFrm, Export, Done, vsmp, RegFrm, InsultFrm, WDMfrm, PlugInFrm, Class1, About, Main, TriggerFrm.

When run the constructor displays a picture contains the text "Class.Poppy CONSTRUCTION KIT by VicodinES". It then displays the menu with many future virus' settings. The tool allows to choose methods of replicating, polymorphic mechanisms, methods of interception and many effects of different kinds.

Generated effects can operate on calendar days, they display MessageBoxes, dialogs, edit system registry, etc. That is also possible to add "customized" effect that is entered as a Visual Basic subroutine.

The constructor then requests for virus name and creates infected document.

Demonstrations of the virus effects:

Macro.Word97.Constructor.DW97Mvck

This is a macro Word97 virus construction tool. The constructor itself is a Word97 document that contains seventeen modules:

DW97MVCK, frmStartForm, frmVirusSourceName, frmVirusBody, frmStealth,
frmRetro, frmPolymorphic, frmPayload, frmPayloadMessageBox,
frmPayloadSetPassword, frmPayloadBeep, frmPayloadExitWindows,
frmPayloadOfficeAssistant, frmPayloadChangeStatusBar,
frmPayloadChangeCaption, frmMacros, frmMakeVirus.

When run the constructor displays MessageBox wiÑ the text "DW97MVCK v1.0". The constructor then asks for virus name, output file name for the virus source, virus type, effects, headers for prints and for status bar. There are several effects available:

 MessageBox
 Set Password
 Beep
 Office Assistant
 Change Caption
 Change StatusBar
 ExitWindows

Nightmare Joker - The Demolition Kit

The Demolition Kit is another Word macro virus creation kit. It can create macro viruses and macro word trojan horses. This tool exists in several versions.

The original Demolition Kit is packed together with three sample Macro.Word viruses: Blackk, Blackend, Grunt.

Nightmare Joker´s Word Macro Virus Construction Kit Constructor

Text (c) Michal A. Egler

This is a macro word utility for creating Macro.Word viruses. It contains the macros: DAT1, DAT2, DAT3, DAT4, DAT5, DAT6, DAT7, DAT8, DAT9, DAT10, DAT11, DAT12, DAT13, DAT14, DAT15, DAT16, DAT17, DAT18, AutoExec, AutoOpen.

 Nightmare Joker´s Word Macro Virus Construction Kit
 :-()
 Dieses Programm ist zu reinen Lehrnzwecken entstanden.
 Die Verantwortung für jeglichen entstandenen Schaden,
 der durch dieses Programm verursacht wurde, liegt bei
 dem Anwender!
 PEACE \/

This constructor can create macro viruses containing the following ten DOS virus droppers:

  1 = Casino Virus         - Casino.2330
  2 = Media Markt Virus    - VCL.Markt.1533
  3 = MTE.Shocker          - MtE.Shocker
  4 = Sirius.Alive         - Sirius.Alive.4608
  5 = SMEG.Queeg           - Smeg
  6 = Tequila              - Tequila
  7 = Virogen              - VICE.05.Code.3952
  8 = Uniform [Boot Virus] - Uniform
  9 = Bizatch/Vlad         - Win95.Boza.c.(intended)
 10 = Tremor               - Tremor

The constructed viruses can also append a text to the end of the document that is printed.

NRLG constructor

NRLG (NuKE Randomic Life Generator) constructor creates encrypted memory resident COM/EXE DOS viruses. While creating a virus, the user may select the en/decryption code - the virus generates random selected codes and displays them on the screen.

PS-MPC Constructor

PS-MPC (The Phalcon/Skism Mass-Produced Code Generator) is the second most known virus constructor, after VCL. The features of that constructor are described in the documentation that is distributed in the main PS-MPC package:


The Phalcon/Skism Mass-Produced Code Generator is a tool which generates
viral code according to user-designated specifications. The output is in
Masm/Tasm-compatible Intel 8086 assembly and it is up to the user to
assemble the output into working executable form. The features of the
PS-MPC include the following:

 - Over 150 encryption techniques, randomly generated during each
   run of the PS-MPC
 - Compact, commented code, much tighter than VCL
 - COM/EXE infections
 - Both resident and nonresident viruses
 - Two types of traversals for nonresident viruses
 - Three types of high memory residency routines for TSR viruses
 - Optional infection of Command.Com
 - Critical error handler support

The PS-MPC constructor was released in 1992 and distributed in the source codes as well as in executable files. That is one of the most popular constructors, and several other constructors G2, IVP were created by using the PS-MPC sources.

That constructor creates source ASM files of the virus. The user can select the virus features: encrypted or not, memory resident or not, COM/EXE/COM and EXE infection, effects etc.

It seems that the viruses from "Arcv" family are based on PS-MPC constructor.

StalkerX Constructor

StalkerX is a virus constructor that generates simple NewEXE (Windows) viruses. The viruses are named after the text that is included in the distribution package:

 Create your own Windows
 virus! This is a EASY
 to use Windows Virus
 creation kit.
 Written By Stalker X

These viruses search for NewEXE files, and write themselves to the end of the file. Depending on their "generation" these viruses fill the screen with random data.

VCC Constructor

The viruses that were written with VCC (Virus Creation Centre) virus constructor are parasitic not dangerous, nonmemory resident and encrypted. They search for .COM files and write themselves to the end of the file. The viruses contain the text strings:

 DEBUGGING IS VERY ILLEGAL (NOT!)
 I-EAS Virus Creation Centre v0.19ß
 [IE-VCC v0.19ß]

The viruses display the messages:

"VCC.438":

 IT IS THEM!!!!!!!
 Hope you like ants!
 THEM! A Virus Thespian
 [TA] [TP]

"VCC.571":

 Your System DNA is mutating!
 sPeCiEs A Virus pANdEMiC
 [sA] [HH]

VCL Constructor

The virus constructor utility VCL.EXE (Virus Creation Laboratory) seems to be the most well known virus creation tool. This constructor can generate source assembler files of the viruses, the OBJ modules and infected master files. VCL contains the standard pop-up menu interface. By using VCL menus it is possible to choose the virus type, enable or disable self encryption, anti-debugging code, internal text strings. It also is possible to choose up to 10 effects which are called upon virus execution, e.t.c. VCL-based viruses can use standard way of infection (they append their code to the files while infecting them), they can overwrite the files or use companion technology.

The main properties of VCL-viruses are:

they are nonmemory resident;
they scan the subdirectory three or the current directory of the current drive while infecting the files;
they are appending to COM files, or create new COM files or overwrite COM and EXE files.

WMTools.Demo

This is a utility to insert executable binary files to Word macros. This utility itself is a template with only one AutoOpen macro inside. When run this macro creates the new document WWVIRUS.DOC in the newly created C:\VIRUDEMO directory, creates the VirExeData in this document, gets a EXE file, converts it to text data by using a filter, then puts this data into VirExeData macro. Then this document is able to convert the text data back to EXE file and execute it. As a result, the new document is an EXE file dropper.

The tool comments each its operation by MessageBoxes. The first MessageBox contains the text:

 This installation will make 4 items
 1)A directory C:\VIRUDEMO
 2)Macro VIRAUTOOPEN in the Global template
 3)Macro VIREXEDATA  in the Global template
 4)An initial virus document WWVIRUS.DOC
      Whenever asked you must SAVE them.