Yo All, How's it goin'?
Everybody!!
Watch out for a file called Rustbug.exe!!! NEW VIRUS!!! KILLER!!!
Here's the info file on it..
--[CUT]----
Virus Author: Casio - Written in April and May 1997
Virus Name : RUSTY BUG v1.0
Virus Target: DOS and Win95 *.exe / *.com files. START.EXE and COMMAND.COM
are not infected. Files considered to be bait are ignored.
Target OS...: Win95 and/or DOS.
Virus Info..: Rusty Bug is designed to be able to deal with Win95 executables
and msDOS executables.
Encryption..: Rusty Bug is fully encrypted at all times. All infected
files are encrypted during the infection phase. The encryption
system is variable. The encryption algorithm has been
coded from scratch to ensure tight encryption.
Stealth.....: HOST stealth - Infected com and exe files will not notice any
modification during their operation. Self-checking programs
are easily defeated by Rusty Bug.
Rusty Bug is both DOS and Win95 compatible. Vsafe and Vscan, if found in memory,
are bypassed. Certain checksum files by certain Anti-Virus software are
destroyed if found. The weed viruses would corrupt files if they were too
small; Rusty Bug does not waste the valuable time. It leaves small files
alone. BAIT files are not worth the coding to overwrite them.
Rusty Bug contains two payloads, each of which has a 1/10 chance of going off
each time an infected program is executed. The first payload is an encrypted
message which is shown decrypted to the user. The second payload is a moving
StarField. If the user presses any key, the original program will continue
running.
Rusty Bug contains a new critical error handler, thereby trapping any possible
IO error, ranging from Sharing Violations to drive not ready errors. Heuristic
scanners are defeated by Rusty Bug.
Rusty Bug has the following infection system:
1. Search for files inside any directories found via the PATH variable.
2. Search for files in current directory
3. Pass control to host
4. Search current directory again - The host might have made some new ones!
Naturally, checksum files created at any point while Rusty Bug is active are
destroyed. :-)
Rusty Bug will infect a Win v3.x series executable; however, unless the program
is run under Win95, it will no longer function. Instead of a nasty error or
corruption message, Windows will be told the file is not Windows based. This
problem only occurs on Win v3.x based systems. Before the user is informed that
Windows v3.x cannot execute the file, Rusty Bug is given an opportunity to
further search and infect.
This virus is well armored against heuristic scanning and repair. Thunderbyte
Anti-virus is tricked into corrupting an infected file if you attempt to
use TBCLEAN. Rusty Bug has been tested against the following anti-virus
programs: FPROT, AVP, FINDVIRU, MCAFEE, TBAV, NORTON, and Integrity Master.
None of those scanners suspected anything when asked to scan Rusty Bug
infected files. The Mcafee scanner was the most pathetic of all of them.
Update:
This is actually a minor revision to the original Rusty Bug virus. The original
one had a rather nasty problem. It would sometimes multi infect files... There
was a slight bug in the check code. Sometimes, Rusty Bug would flag a file
as not infected even if it was. I have corrected this error. Many thanks to
those of you who told me about that little problem! I added a tiny bit
more code to make Rusty Bug semi-poly. But, so far the damn code doesn't do
anything. Oh well.
Another update. :-)
Thanks to a fellow vxer, I have been notified that the encryption algorithm
that was current in Rusty Bug was fairly easy to break. So, At the advice of
a fellow coder, I've gone and changed it. I have also begun work on the poly
routines for the virus and the encryption system. Rusty Bug now contains the
beginning of a Poly Encryption Routine, and support has been added to the
new encryptor/decryptor for an extended variable key. So, stay tuned :-)
I plan on having the encryptor using an extended variable key by the next
version, as well as the poly routines working.
--[CUT]----
Yours Virtually
[=-- Axe --=] FidoNet - 2:250/609 - HTPNet - 609:666/1
____ | E-Mail - hackatak@geocities.com
| _ |_ _ SysOp - THE D’RK CYDE! (01253)396989 10pm-8am.
(__||_)| )| ) http://www.blackpool.net/axe/index.htm
[=-- Axe --=] http://www.trailerpark.com/phase2/hackatak
--- FMailX 1.02
---------------
* Origin: THE D’RK CYDE! 01253-396989 KHL & HTPNet WHQ (2:250/609)