The infamous email shuffle words virus or something

[Shadow]

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I always liked that one because they had to use self-modification to
keep it all within the ASCII character set.

pop eax
xor eax,0x2550214f
inc eax
inc ecx
push eax
pop ebx
xor al,0x5c
push eax
pop edx
pop eax
xor eax,0x5e502834
sub [edi],esi
inc ebx
inc ebx
sub [edi],esi
jnl loc_40
inc ebp
dec ecx
inc ebx
inc ecx
push edx
sub eax,0x4e415453
inc esp
inc ecx
push edx
inc esp
sub eax,0x49544e41
push esi
dec ecx
push edx
push ebp
push ebx
sub eax,0x54534554
sub eax,0x454c4946
and [eax+ecx*2],esp

dec eax
sub ecx,[eax+0x2a]

Yep, pretty convoluted for a "Hello World" program.

I don't count 11 ASCII characters. At best, I count about 7 (e.g,
"0x454c4946" presumably is some ASCII character). then again, none of
these characters repeat, so "HELLO", which has two L's, is not
present.

LOL
That's not the Hello program, it's the eicar virus test
program.
http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html
[]'s

So the program is a bust.

The first one he posted was the Hello program.

 

[FromTheRafters]

@gmail.com> wrote:

OMG, did he just type "basic"? As in Visual Basic? And what OS? No
doubt Windows. So this guy programs in Visual Basic? No further
questions Your Honor, I rest my case.

I wrote stuff in Basic long before there was a program called
"Windows".

Nope. An entire program that runs the London Stock Exchange was
recently written in Visual C#. True, it had to be rewritten in C (at
considerable cost, after it was up and running!) at the lower level
because they were not getting the millisecond performance demanded by
high-frequency traders, but that proves my point: the very fact that
a decision was made to initially write such a massive system in Visual
C# proves that it's an enterprise-worthy higher language. What you are
doing would get you fired at most Level 1, grade A software shops: you
are trying to make yourself indispensable and immune from getting
fired by making your code unreadable and unmaintainable. Typical
Dusty Dustbin Dustin Dunce (D4) tactics.

1) The fact that most everything is written in high level languages
these days doesn't change the need to understand what's going on.

2) There was nothing obscure about his code other than the use of
hardcoded values instead of constants. I have only one gripe with
it--it set up a stack that was not necessary for such a simple
program. The OS-supplied one would be good enough.

For assembly, but it wouldn't be pure.

If you want some cryptic code, consider this:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I always liked that one because they had to use self-modification to
keep it all within the ASCII character set.

pop eax
xor eax,0x2550214f
inc eax
inc ecx
push eax
pop ebx
xor al,0x5c
push eax
pop edx
pop eax
xor eax,0x5e502834
sub [edi],esi
inc ebx
inc ebx
sub [edi],esi
jnl loc_40
inc ebp
dec ecx
inc ebx
inc ecx
push edx
sub eax,0x4e415453
inc esp
inc ecx
push edx
inc esp
sub eax,0x49544e41
push esi
dec ecx
push edx
push ebp
push ebx
sub eax,0x54534554
sub eax,0x454c4946
and [eax+ecx*2],esp

dec eax
sub ecx,[eax+0x2a]

Yep, pretty convoluted for a "Hello World" program.

I don't count 11 ASCII characters. At best, I count about 7 (e.g,
"0x454c4946" presumably is some ASCII character). then again, none of
these characters repeat, so "HELLO", which has two L's, is not
present.

So the program is a bust.

What I meant by 'a hello world program' is a program that simply outputs
a text string to the console.

You are correct in that the string "Hello world!" is not present. the
string in this program is "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" instead
of "Hello world!".

http://mirror.href.com/thestarman/asm/eicar/eicarcom.html

 

[Man-wai Chang]

Ever had an email you send out come back at you as spam? For example,
in your email to a friend, which let's assume is in unencrypted POP
server form, is sent by Outlook and has the words "walk in the park".
Then, in the next hour or so, you get spam that mentions "walk in the
park" along with the usual Viagra spam ad. Your email back at you
with spam in it.

Most likely, your friend's Window$ got infected. It could also be a
problem of the ISP.

 

[RayLopez99]

Most likely, your friend's Window$ got infected. It could also be a
problem of the ISP.

Yes, you are probably correct. Also since it was just one word rather
than a sentence, it may have just been a coincidence.

RL

 

[RayLopez99]

higher level language? Dude, as you can't read asm, you are very
limited in what you actually can program. I won't insult those of us
who are coders by referring to you as one.

Said the resident idiot.

Now below is what a famous website says. Who is right? My money is
on the famous website.

RL

http://mirror.href.com/thestarman/asm/eicar/eicarcom.html

Most programmers today rarely if ever deal with the kind of details
presented in this tutorial. We wrote this page so students and even
the average PC user could appreciate both the complexity involved in
running a very simple program and early programmers of the past.
Programmers today normally use high-level macro instructions and
libraries of pre-assembled code. A single statement in these high-
level languages often produces the equivalent of dozens to even pages
full of assembly instructions compared to the few we'll be examining
here.

 

[Dustin]

My first computer was a TRS-80. It came with it's own OS.

Mine too. I had the color computer 3. I later got the expansion pack,
the vga monitor; the serial cable printer (remember the din5 on the
back?), and the double deck floppy drives.

 

[Dustin]

I always liked that one because they had to use self-modification to
keep it all within the ASCII character set.

pop eax
xor eax,0x2550214f
inc eax
inc ecx
push eax
pop ebx
xor al,0x5c
push eax
pop edx
pop eax
xor eax,0x5e502834
sub [edi],esi
inc ebx
inc ebx
sub [edi],esi
jnl loc_40
inc ebp
dec ecx
inc ebx
inc ecx
push edx
sub eax,0x4e415453
inc esp
inc ecx
push edx
inc esp
sub eax,0x49544e41
push esi
dec ecx
push edx
push ebp
push ebx
sub eax,0x54534554
sub eax,0x454c4946
and [eax+ecx*2],esp

dec eax
sub ecx,[eax+0x2a]

Yep, pretty convoluted for a "Hello World" program.

Does self-modification even work anymore?

Yes. Poly is still in effect.

 

[Dustin]

@gmail.com>  wrote:

OMG, did he just type "basic"?  As in Visual Basic?  And what
OS?  No
doubt Windows.  So this guy programs in Visual Basic?  No
further questions Your Honor, I rest my case.

I wrote stuff in Basic long before there was a program called
"Windows".

Nope.  An entire program that runs the London Stock Exchange was
recently written in Visual C#.  True, it had to be rewritten in
C (a t
considerable cost, after it was up and running!) at the lower
level because they were not getting the millisecond performance
demanded by high-frequency traders, but that proves my point:
 the very fact tha t
a decision was made to initially write such a massive system in
Visual C# proves that it's an enterprise-worthy higher language.
What you are doing would get you fired at most Level 1, grade A
software shops: you are trying to make yourself indispensable
and immune from getting fired by making your code unreadable and
unmaintainable.    Typica l
Dusty Dustbin Dustin Dunce (D4) tactics.

1)  The fact that most everything is written in high level
languages these days doesn't change the need to understand what's
going on.

2)  There was nothing obscure about his code other than the use
of hardcoded values instead of constants.  I have only one gripe
with it--it set up a stack that was not necessary for such a
simple program.  The OS-supplied one would be good enough.

For assembly, but it wouldn't be pure.

If you want some cryptic code, consider this:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+
H*

I always liked that one because they had to use self-modification
to keep it all within the ASCII character set.

pop eax
xor eax,0x2550214f
inc eax
inc ecx
push eax
pop ebx
xor al,0x5c
push eax
pop edx
pop eax
xor eax,0x5e502834
sub [edi],esi
inc ebx
inc ebx
sub [edi],esi
jnl loc_40
inc ebp
dec ecx
inc ebx
inc ecx
push edx
sub eax,0x4e415453
inc esp
inc ecx
push edx
inc esp
sub eax,0x49544e41
push esi
dec ecx
push edx
push ebp
push ebx
sub eax,0x54534554
sub eax,0x454c4946
and [eax+ecx*2],esp

dec eax
sub ecx,[eax+0x2a]

Yep, pretty convoluted for a "Hello World" program.

I don't count 11 ASCII characters. At best, I count about 7 (e.g,
"0x454c4946" presumably is some ASCII character). then again, none
of these characters repeat, so "HELLO", which has two L's, is not
present.

So the program is a bust.

RL

HAHAHAHAHAHA.. ****ing shit man.. You owe me a ****ing keyboard AND a
new monitor. That ehh, pure ascii text is indeed a program. It prints
EICAR-STANDARD-ANTIVIRUS-TEST-FILE! on the screen if you run it and
exists right back to your OS. Mine would print whatever was on the
hello: db line. I garbaged the text "hello ****ing world!" to make you
have to think and not take a quick guess. You couldn't even do that and
you want to compare coding ability with me? I think not.

I've been around a long long time, Ray.

 

[Dustin]

Said the resident idiot.

resident idiot? Who might that be? Didn't google me eh? ;p

Now below is what a famous website says. Who is right? My money is
on the famous website.

Right about what specifically? If you can't read/write/understand
assembler you are not going to be able to develop the same stuff I can,
period. doesn't matter what language(s) you choose to use. I'll always
outcode you. The reason for it is simple. It's that I know how the
hardware is working and you are dependant on whatever functions are
present in your language of choice.

 

[Loren Pechtel]

Mine too. I had the color computer 3. I later got the expansion pack,
the vga monitor; the serial cable printer (remember the din5 on the
back?), and the double deck floppy drives.

I had a Mod IV, I never used the CoCo.

 

[Loren Pechtel]

Yes. Poly is still in effect.

Even if the instruction being modified already got loaded into cache?

 

[Loren Pechtel]

Said the resident idiot.

Now below is what a famous website says. Who is right? My money is
on the famous website.

RL

http://mirror.href.com/thestarman/asm/eicar/eicarcom.html

Most programmers today rarely if ever deal with the kind of details
presented in this tutorial. We wrote this page so students and even
the average PC user could appreciate both the complexity involved in
running a very simple program and early programmers of the past.
Programmers today normally use high-level macro instructions and
libraries of pre-assembled code. A single statement in these high-
level languages often produces the equivalent of dozens to even pages
full of assembly instructions compared to the few we'll be examining
here.

You don't get it! We very rarely *WRITE* it these days but we
certainly do read it on occasion. Memory access breakpoints are prone
to bringing up the CPU window when they fire. These are invaluable if
you're hunting a memory stomp.

 

[RayLopez99]

You don't get it!  We very rarely *WRITE* it these days but we
certainly do read it on occasion.  Memory access breakpoints are prone
to bringing up the CPU window when they fire.  These are invaluable if
you're hunting a memory stomp.

No, you don't get it. If you read this thread carefully, as I did,
you'll see that Dustin's position is different from yours. I actually
agree with you--reading ASM is fine (though frankly I find it of no
use--I've always found a workaround without getting into assembly, but
then again I don't code professionally). But Dustin claims you have
to write ASM, specifically, "Right about what specifically? If you
can't read/write/understand assembler you are not going to be able to
develop the same stuff I can, period. doesn't matter what language(s)
you choose to use. I'll always outcode you. The reason for it is
simple. It's that I know how the hardware is working and you are
dependant on whatever functions are present in your language of
choice. "

That statement by Dustin is pretty extreme, we all can agree, unless
he wants to claim that the "/" in his "read/write/understand" means
"OR". Or unless he claims he writes software drives for graphics
cards. Or if he is claiming "outcode you" means he can do more than me
in a higher level language, which tautologically is true since he
knows assembler and I don't, but that does not make him a more capable
programmer in general.

RL

 

[Dustin]

I had a Mod IV, I never used the CoCo.

Oh... That was a monster...

 

[Dustin]

Even if the instruction being modified already got loaded into cache?

This is where it can get hairy... You have to keep an eye on things and
be able to tell the cpu you changed your mind.

 

[Dustin]

in a higher level language, which tautologically is true since he
knows assembler and I don't, but that does not make him a more capable
programmer in general.

Ray,

I can read AND write assembler. That makes me a coder, slightly more
advanced than your typical run of the mill, ehh, programmer. There is a
difference and it's already been explained to you.

Programmers are limited in ways that coders aren't. You see no use for
it, and that's fine, but I'm not likely to see you replacing me anytime
soon either. [g]

For the most part, I use assembler skills to disect malware executables.
Can you do that, Ray?

 

[RayLopez99]

Ray,

I can read AND write assembler. That makes me a coder, slightly more
advanced than your typical run of the mill, ehh, programmer. There is a
difference and it's already been explained to you.

I don't recall such a distinction. So you concede then that
programmers, rather than coders, don't need to know ASM. Concession
noted. I win that point.

Programmers are limited in ways that coders aren't. You see no use for
it, and that's fine, but I'm not likely to see you replacing me anytime
soon either. [g]

For the most part, I use assembler skills to disect malware executables.
Can you do that, Ray?

No. I rely on my AV suite and firewall to catch and block malware.

RL

 

[Loren Pechtel]

This is where it can get hairy... You have to keep an eye on things and
be able to tell the cpu you changed your mind.

And I don't think the EICAR file does.

Actually, it doesn't really matter as the file isn't supposed to run
anyway.

 

[Loren Pechtel]

in a higher level language, which tautologically is true since he
knows assembler and I don't, but that does not make him a more capable
programmer in general.

Ray,

I can read AND write assembler. That makes me a coder, slightly more
advanced than your typical run of the mill, ehh, programmer. There is a
difference and it's already been explained to you.

Programmers are limited in ways that coders aren't. You see no use for
it, and that's fine, but I'm not likely to see you replacing me anytime
soon either. [g]

For the most part, I use assembler skills to disect malware executables.
Can you do that, Ray?

Given his last reply I'm leaning towards his position now.

These days *WRITING* assembler is a specialty skill that most
programmers will never need.

 

[Dustin]

And I don't think the EICAR file does.

I wouldn't say it's self modifying in the strictest sense, no. The
thing with self altering code vs data re-arrangement tho is that most
resident virus suites/scanners/whatever go ape shit in a hurry now.

Actually, it doesn't really matter as the file isn't supposed to run
anyway.

It's just supposed to demonstrate what you should see when your
protection of choice actually sees something. It's saddening that it
ever had to be created in the first place, but that's the majority for
you.