Bumblebee is dead.
Don't try to find me, don't send
me mails coz i'm not going to check Bumba's accounts, and
for those that i've trust and know about me more than is
allowed for a VXer: please, let me rest in peace. Today i'm kinda free.
I quit the virus scene due i'm too much public and
seems european laws about our stuff will change. In those
days of haunting, i choose being in the shadows before is too late.
I'm not here for the fame or whatever can report me being a
well known coder in the virus scene. So i leave.
I'll keep playing it at home, or not. Now is not your business.
Moreover the scene is a shit those days. I'm sad coz
little lamers/kids fuck the scene/themselves. But is not
my problem anyway (until eu directives became law in spain).
I lose very good friends with the scene. You know i'll
miss you all (yeah, that's the only valuable thing the scene has).
For those not friendly: eat shit and die reading one of my buggy sources.
I've been 29A member, that's important for me as vxer.
But as you can see i left, and i've proved myself there
is life after 29A...
Bumblebee's viruses and worms (all i can remember). I
think they are following date of release, but the order
is not important... Most of them are buggy and only
(a bit) interesting with the source in front of you. Viruses not
released are not here. Sometimes i put the name by the
avers, sometimes the name by the bee ;)
Hail and HKILL family (Endangered species, Fortuna,
These are some viruses that i coded when i was Hail and
Kill member. All DOS viruses, some resident, some not.
Some poly and some not ;) Fortuna it's where i tested my
1st poly: HKPE. It's interesting that only my viruses are
detected. That's why i put them on my website and others
members' viruses were not. 'Fortuna Imperatrix Mundi' i
like this name a lot :)
Demo virus of BUME. Resident EXE infector for DOS. I did
it for Virus Buster's poly engine competition. I won, coz
there was no other competitor :/
My 1st win32 virus. Prepender. An exercise under asm32
and win32 programming. Run-time. Drops over RAR files.
Lame, lame, lame ;) As BillyGay noticed it uses an in-port
to get random value, that's not a win32 virus... but avp
said it was hehehe Published into 29A#4.
My 1st Win9x virus. Appender and encrypted... but damn
buggy. The infection part has a bug :( no matter: i was
learning. Run-time. This sample was very poorly released,
but seems to be in the wild. uh?
Coded as UC member. I did it to show how easy can be code
a win32 virus. Run-time and companion hehe. Published
into UC's 1st zine (i don't know the name).
Tiny resident COM infector. Previous work before Bumbee.x.
Worth less releasing but nice to learn.
Bumbee.250 and Bumbee.480 (Aizyrk, DoIt!):
Tiny resident cavity EXE infectors for DOS. Research work.
I'm proud of such little bugs.
MBR/BS infector. Encrypted and full stealth. There is a
'Little Hive' variant that is floppy only. Not very
compatible with win...
Resident poly win9x virus. Uses VxDCall0 backdoor. My 1st
bug coded with SEH. The algo to increase last section or
the poly... i'm not sure, but AVP said this virus
sometimes fails and corrupts the files. It's a pity it
has a bug :( In all my tests worked fine. Published into
- here starts my production as 29A member -
Coded 100% with asm. I did my own SMTP client for this
and it uses a semi-poly mail generator. I tried to
exploit the poor security levels in the SMTP standard and
the lame implementation of most mail servers using it.
I'm very proud of this bug. It was very hard to test.
Using WinSocks. Published into 29A#4.
Little cavity run-time win9x virus. Using VxDCall0. 431
bytes ;) I did it after 1 day without sleep, when i went
back home after the Valencia meeting of 1999. An infected
Gift sample and MiniR3 appeared both in the supplemental
list of wild list (December '99). I'm proud 'cause it is
my first step into wild list :P Published into 29A#4.
I-Worm.Gift.a,b (Gift of Fury and Rundllw32):
My 1st attempt with MAPI and coded both with C++. These
are 'code it fast' bugs. Not more of 6 hours each one.
Both published into 29A#4.
AOC (Anvil of Crom):
Run-time PE (EXE/DLL) infector adding new section.
Polymorphic. Has its own routine to calculate check sum
of PE files. Has an interesting anti-debug trick that
uses the CRC32 of a piece of virus code to encrypt other
part of the virus, i called the engine LENDE and seems
ppl liked it a lot (at least PAV guyz liked it in their
A research specimen, not to spread due problems with DLLs...
Must be seen as way to learn and get experience with DLL
infection. Published into 29A#4.
I-Worm.Plage2000 (aka P2000, Plage, ...):
A nice worm. It's the normal evolution of Gift family.
Includes its own WinZip Self-Extractor dialog and hides
itself in the task list. Different levels of execution
and a cool dialog as payload. Hitler sucking a gun and
his brain flying around. All with a 'Follow your leader'
ban. It has been reported in the wild and into july 2000
wild list. That's amazing, coz i didn't spread it at
all :? Published into 29A#4.
A generic run-time windows hlp infector. It was a little
exercise. Infects all the hlp files in current directory
adding macros to the system dir of the hlp. Uses the
EnumWindows function to get the control directly from the
hlp. Has a bonus poem by Pablo Neruda. Published into 29A#5.
The Rain Song (Win32.Rainsong.a)
Win32 per-process resident PE infector. Variable
encryption with two layers: first polymorphic and second
static. Infects PE files with EXE and SCR extension
increasing last section. Has a runtime part that infects
windows folder. Uses CRC32 instead of names to find APIs.
Has EPO tech and uses size padding as infection sign.
Uses SEH. Its payload is a little tribute to Isaac
Asimov that is activated on the death date of this
great man. This is my first per-process virus and also my
first steps with EPO. Published into 29A#5.
99 Ways To Die (win32.rainsong.b, win32.99ways)
Win32 per-process resident PE infector. Variable
encryption with polymorphism and variable key slide.
Infects PE files with EXE DLL SCR and CPL extension
increasing last section. Has a runtime part that infects
some files in windows folder. Uses CRC32 instead of names
to find APIs. Has EPO tech as unique way of infection and
uses size padding to mark infected files. Uses SEH.
Updates PE checksum and manages relocations at execution
time (infects DLL). Kinda remake/rebuild of RainSong.
Published into 29A#5.
That's a tiny resident (via ring0, that's only win9x)
cavity PE infector of 414 bytes. Has kinda special way to
infect, only on disk operations at write (infects PE in
user buffer) in the same way than bumbee.250. Has a nice
payload that does echo of all disk operations with
internal beeper. It won't work. Published into 29A#5.
- Here starts my production after being freelance
BeeFree (aka win32.beef by retarded avers)
That's a little research specimen. EXE PE resident
infector doing different hooks into explorer. It's very
nice coz hooking explorer stuff isn't trivial at all. Has
2 level hook scheme: hooks load library into explorer and
later hooks create file in all the dlls loaded by
explorer using load library. Works very fine ;) Only
infects overwriting fixups table. 2110 bytes to test
residency method. It's only win9x virus, but avers
insisted to call it win32 :) May be winNt and win2k now
have k32 located at 0bff70000h... ;) Contributed to 29A#6.
Yonggary! (aka win32.younga hahaha)
Per-process resident PE (EXE,SCR) infector via
CreateFileA. Increases last section, avoids self-extractor
and antivirus programs, uses CRC32 self-checksum, anti
SoftICE code, blah, blah Interesting coz i tested a new (for
me) infection algo and some little ideas. Has an active
payload that changes 'Microsoft' string by 'Yonggary!' 6
months after infection in accessed TXT files. I did it
coz a guy asked me for a virus to test av speed reply to
new viruses. Yonggary is the great Korean monster like
Godzilla. Coded in two days... ugh! (that's why it's
Published into Matrix#3.
MiniR3b (aka win95.rinim.378)
Little remake of MiniR3. Improved algorithm, this time
only 378 bytes. Using NASM ;) Even it is barely optimized!
No new tricks vx related, just using the stack. Appeared
in the supplemental list of Joe's Wild List after few
days i released it ONLY in my webpage, even i've found a
fucking bug. Quite suspicious :P Published into 29A#6.
Lil'Devil (aka win32.younga.b, nasty avers)
Per-process PE/DOC infector. Trying to code a small
multiplatform virus word/win32 virus. Uses vbs dropper to
infect normal.dot. It's a pity dot infection seems to
not be as stable as i expected in all win32 systems (moreover
the infection algo is buggy again). Contributed to 29A#6.
BRSH Worm (aka i-worm.funnypics)
An experimental i-worm using MAPI32. Uses a trick to get
mail addr using a lack of security of win9x swap
implementation. Also includes a nice backdoor that opens
a link on infected machines that allows remote shell
using command.com redirection ;) Published into 29A#6.
DOCWORM (aka i-worm.bumdoc)
An i-worm playing again with DOC infection. This time the
macro part is better than into Lil'Devil. Uses an
improved way to reply unread mails using MAPI32 (bug
fix of Plage2000's APIs usage). Contributed to 29A#6.
Solaris (aka win32.aris)
That's a heavy virus. About 4kbs that generates about 40kbs
of nice poly code. Direct action PE infector (EXE, SCR
and DLL). Has lots of features and tricks mainly oriented
to solve the problems that the stack execution and the
DLL infection creates. I'm very proud of this one coz the
poly is nice if we keep in mind my previous coded polys :P
I also tried to do it as compatible as possible with all
win32 systems. Quite annoying payload, but you won't say:
hey! that's Solaris! :/ From that point i decided to code
only payloads that make the user know which virus is
running, or not code any payload at all. May be next time.
Contributed to 29A#6.
Funny payload ;) This time i got it hehehe You'll say:
Yeah, RedAlert. It's a fast infector. I did it coz i've
never done it before. I ever try to be stealthy and
usually my viruses are not very fast spreading ones.
That's the opposite (even still i try to be not very much
visible). This virus is pretty small (2.796 bytes), if we
keep into account all its features. Full win32 compatible
it uses common tricks: SEH, CRC32 for APIs, self-checksum,
Infects EXE, SCR and DLL, so it's fully relocatable.
About the payload, changes all bmp and sys (sys that are
bmp, of coz) that are 8 bits bitmaps into red-scale
images ;) Contributed to Matrix#4.
i386 ELF infector for Linux systems. Probably not the
best infection algo. Per-process resident by PLT entry
hooking of 'execve'. Direct action if euid is zero. I've
used several things that are available under linux
similar to win32 viruses: memory mapped files, CRC32
instead of strings, ... Also has lil antidebug stuff, and
other features to make it hard cleaning (even is easy to
detect coz is not encrypted not poly). My 1st step into
If you wanna know... yeah, it's 100% asm.
Simple ring0 resident virus via IFS hook. Uses 0ded0h
port for residence sign and infects EXE, SCR, DLL and OCX
PE files. It increases last section and uses kinda size
padding as infection sign. A simple stable fast spreading
virus. Coded for a spanish security related zine: DFT.
And some steps in the macro/scripting/stupid stuff
that i did in those strange times of my life:
WM.Bumblebee.a,b (encrypted macros)
VBS.Bumblebee (lame previous work to HTML.lame)
HTML.Disease (pfff js, using onload)
HTML.Lame (hahaha, runtime html infector coded with JS)
BAT.Bumble (coded in ASM ;)
W97M.YAMV (yet another macro virus)
X97M.YAMV (yet another macro virus)
W97M.LaPerra (class infector)
WSHVGEN (Windows Scripting Host Virus GENerator huahua)
About #? viruses. That's not a poor production :) Most
of them are not in the wild (and won't be). I think only
AVP and other av-soft in the war of 'i detect all viruses
under the sun' takes care ;) No matter: i had fun doing
them... and that is the important.
The way of the bee ends here
11 DEC 2001