Site hosted by Build your free website today!

~ one VXer was here ~

Bumblebee is dead.

Don't try to find me, don't send me mails coz i'm not going to check Bumba's accounts, and for those that i've trust and know about me more than is allowed for a VXer: please, let me rest in peace. Today i'm kinda free.

I quit the virus scene due i'm too much public and seems european laws about our stuff will change. In those days of haunting, i choose being in the shadows before is too late. I'm not here for the fame or whatever can repport me being a well know coder in the virus scene. So i leave. I'll keep playing it at home, or not. Now is not your business.

Moreover the scene is a shit those days. I'm sad coz little lamers/kids fuck the scene/theirselves. But is not my problem anyway (until eu directives became law in spain). I loose very good friends with the scene. You know i'll miss you all (yeah, that's the only valuable thing the scene has). For those not friendly: eat shit and die reading one of my buggy sources.

I've been 29A member, that's important for me as vxer. But as you can see i left, and i've proved myself there is life after 29A...

Bumblebee's viruses and worms (all i can remember). I think they are following date of release, but the order is not important... Most of them are buggy and only (a bit) interesting with the source in front of you. Viruses not released are not here. Sometimes i put the name by the avers, sometimes the name by the bee ;)

Hail and HKILL family (Endangered species, Fortuna, Desint, ...):
These are some viruses that i coded when i was Hail and Kill member. All DOS viruses, some resident, some not. Some poly and some not ;) Fortuna it's where i tested my 1st poly: HKPE. It's interesting that only my viruses are detected. That's why i put them on my website and others members' viruses where not. 'Fortuna Imperatrix Mundi' i like this name a lot :)

Demo virus of BUME. Resident EXE infector for DOS. I did it for Virus Buster's poly engine competition. I won, coz there was no other competitor :/

My 1st win32 virus. Prepender. An exercise under asm32 and win32 programming. Run-time. Drops over RAR files. Lame, lame, lame ;) As BillyGay noticed it uses a in-port to get random value, that's not a win32 virus... but avp said it was hehehe Published into 29A#4.

Win95.Bumble (Becoming):
My 1st Win9x virus. Appender and encrypted... but damn buggy. The infection part has a bug :( no matter: i was learning. Run-time. This sample was very poor released, but seems to be in the wild. uh?

Win32.Bee (3x3Eyes):
Coded as UC member. I did it to show how easy can be code a win32 virus. Run-time and companion hehe. Published into UC's 1st zine (i don't know the name).

Tiny resident COM infector. Previous work before Bumbee.x. Worth less releasing but nice to learn.

Bumbee.250 and Bumbee.480 (Aizyrk, DoIt!):
Tiny resident cavity EXE infectors for DOS. Research work. I'm proud of such little bugs.

The Hive:
MBR/BS infector. Encrypted and full stealth. There is a 'Little Hive' variant that is floppy only. Not very compatible with win...

Resident poly win9x virus. Uses VxDCall0 backdoor. My 1st bug coded with SEH. The algo to increase last section or the poly... i'm not sure, but AVP said this virus sometimes fails and corrupts the files. It's a pitty it has a bug :( In all my tests worked fine. Published into 29A#4.

- here starts my production as 29A member -

I-Worm.Anap (Anaphylaxis):
Coded 100% with asm. I did my own SMTP client for this and it uses a semi-poly mail generator. I tried to exploit the poor security levels in the SMTP standard and the lame implementation of most mail servers using it. I'm very proud of this bug. It was very hard to test. Using WinSocks. Published into 29A#4.

Win95.Rinim (MiniR3):
Little cavity run-time win9x virus. Using VxDCall0. 431 bytes ;) I did it after 1 day without sleep, when i went back home after the Valencia meeting of 1999. An infected Gift sample and MiniR3 appeared both in the supplemental list of wild list (December '99). I'm proud 'cause it is my first step into wild list :P Published into 29A#4.

I-Worm.Gift.a,b (Gift of Fury and Rundllw32):
My 1st attempt with MAPI and coded both with C++. These are 'code it fast' bugs. Not more of 6 hours each one. Both published into 29A#4.

AOC (Anvil of Crom):
Run-time PE (EXE/DLL) infector adding new section. Polymorphic. Has it's own routine to calculate check sum of PE files. Has an interesting anti-debug trick that uses the CRC32 of a pieze of virus code to encrypt other part of the virus, i called the engine LENDE and seems ppl liked it a lot (at least PAV guyz liked it in their desc heheh).
A research specimen, not to spread due problems with DLLs... Must be seen as way to learn and get experience with DLL infection. Published into 29A#4.

I-Worm.Plage2000 (aka P2000, Plage, ...):
A nice worm. It's the normal evolution of Gift family. Includes it's own WinZip Self-Extractor dialog and hides itself in the task list. Different levels of execution and a cool dialog as payload. Hitler sucking a gun and his brain flying arround. All with a 'Follow your leader' ban. It has been reported in the wild and into july 2000 wild list. That's amazing, coz i didn't spreaded it at all :? Published into 29A#4.

WinHLP.Pluma (Hlp.AYUDA!):
A generic run-time windows hlp infector. It was a little exercise. Infects all the hlp files in current directory adding macros to the system dir of the hlp. Uses the EnumWindows function to get the control directly from the hlp. Has a bonus poem by Pablo Neruda. Published into 29A#5.

The Rain Song (Win32.Rainsong.a)
Win32 per-process resident PE infector. Variable encryption with two layers: first polymorphic and second static. Infects PE files with EXE and SCR extension increasing last section. Has a runtime part that infects windows folder. Uses CRC32 instead of names to find APIs. Has EPO tech and uses size padding as infection sign. Uses SEH. Its payload it's a little tribute to Isaac Asimov that it's activated in the death date of this great man. This is my first per-process virus and also my first steps with EPO. Published into 29A#5.

99 Ways To Die (win32.rainsong.b, win32.99ways)
Win32 per-process resident PE infector. Variable encryption with plymorphism and variable key slide. Infects PE files with EXE DLL SCR and CPL extension increasing last section. Has a runtime part that infects some files in windows folder. Uses CRC32 instead of names to find APIs. Has EPO tech as unique way of infection and
uses size padding to mark infected files. Uses SEH. Updates PE checksum and manages relocations at execution time (infects DLL). Kinda remake/rebuild of RainSong. Published into 29A#5.

Noise (win95.noise)
That's a tiny resident (via ring0, that's only win9x) cavity PE infector of 414 bytes. Has kinda spezial way to infect, only on disk operations at write (infects PE in user buffer) in the same way than bumbee.250. Has a nice payload that does echo of all disk operations with internal beeper. It won't work. Published into 29A#5.

- Here starts my production after being freelance again -

BeeFree (aka win32.beef by retarded avers)
That's a little research spezimen. EXE PE resident infector doing different hooks into explorer. It's very nice coz hooking explorer stuff isn't trivial at all. Has 2 level hook scheme: hooks load library into explorer and later hooks create file in all the dlls loaded by explorer using load library. Works very fine ;) Only infects overwritting fixups table. 2110 bytes to test residency method. It's only win9x virus, but avers insisted to call it win32 :) May be winNt and win2k now have k32 located at 0bff70000h... ;) Contributed to 29A#6.

Yonggary! (aka win32.younga hahaha)
Per-process resident PE (EXE,SCR) infector via CreateFileA. Increses last section, avoids self-extractor and antivirus programs, uses CRC32 self-checksum, anti SoftICE code, blah, blah Interesting coz i tested a new (for me) infection algo and some little ideas. Has an active payload that changes 'Microsoft' string by 'Yonggary!' 6 months after infection in accessed TXT files. I did it coz a guy asked me for a virus to test av speed reply to new viruses. Yonggary is the great corean monster like Godzilla. Coded in two days... ugh! (that's why it's buggy).
Published into Matrix#3.

MiniR3b (aka win95.rinim.378)
Little remake of MiniR3. Improved algorithm, this time only 378 bytes. Using NASM ;) Even it is barely optimized! No new tricks vx related, just using the stack. Appeared in the supplemental list of Joe's Wild List after few days i released it ONLY in my webpage, even i've found a fucking bug. Quite suspicious :P Published into 29A#6.

Lil'Devil (aka win32.younga.b, nasty avers)
Per-process PE/DOC infector. Trying to code a small multiplatform virus word/win32 virus. Uses vbs dropper to infect It's a pitty dot infecction seems to not be as stable as i spected in all win32 systems (moreover the infection algo is buggy again). Contributed to 29A#6.

BRSH Worm (aka i-worm.funnypics)
An experimental i-worm using MAPI32. Uses a trick to get mail addr using a lack of security of win9x swap implementation. Also includes a nice backdoor that opens a link on infected machines that allows remote shell using redirection ;) Published into 29A#6.

DOCWORM (aka i-worm.bumdoc)
An i-worm playing again with DOC infection. This time the macro part is better than into Lil'Devil. Uses an improved way to reply un-readed mails using MAPI32 (bug fix of Plage2000's APIs usage). Contributed to 29A#6.

Solaris (aka win32.aris)
That's a heavy virus. About 4kbs that generates about 40kbs of nice poly code. Direct action PE infector (EXE, SCR and DLL). Has lots of features and tricks mainly oriented to solve the problems that the stack execution and the DLL infection creates. I'm very proud of this one coz the poly is nice if we keep in mind my previous coded polys :P I also tryed to do it as compatible as possible with all win32 systems. Quite annoying payload, but you won't say: hey! that's Solaris! :/ From that point i decided to code only payloads that make the user know which virus is running, or not code any payload at all. May be next time. Contributed to 29A#6.

Funny payload ;) This time i got it hehehe You'll say: Yeah, RedAlert. It's a fast infector. I did it coz i've never done it before. I ever try to be stealthy and usualy my viruses are not very fast spreading ones. That's the oposite (even still i try to be not very much visible). This virus is pretty small (2.796 bytes), if we keep into account all its features. Full win32 compatible it uses common tricks: SEH, CRC32 for APIs, self-checksum, etc.
Infects EXE, SCR and DLL, so it's fully relocatable. About the payload, changes all bmp and sys (sys that are bmp, of coz) that are 8 bits bitmaps into red-scale images ;) Contributed to Matrix#4.

i386 ELF infector for Linux systems. Probably not the best infection algo. Per-process resident by PLT entry hooking of 'execve'. Direct action if euid is zero. I've used several things that are available under linux similar to win32 viruses: memory mapped files, CRC32 instead of strings, ... Also has lil antidebug stuff, and other features to make it hard cleaning (even is easy to detect coz is not encrypted not poly). My 1st step into ELF parasites.
If you wanna know... yeah, it's 100% asm.

Simple ring0 resident virus via IFS hook. Uses 0ded0h port for residence sign and infects EXE, SCR, DLL and OCX PE files. It increases last section and uses kinda size padding as infection sign. A simple stable fast spreading virus. Coded for a spanish security related zine: DFT.

And some steps in the the macro/scripting/stupid stuff that i did in those strange times of my life:

WM.Bumblebee.a,b (encrypted macros)
VBS.Bumblebee (lame previous work to HTML.lame)
HTML.Disease (pfff js, using onload)
HTML.Lame (hahaha, runtime html infector coded with JS)
BAT.Bumble (coded in ASM ;)
W97M.YAMV (yet another macro virus)
X97M.YAMV (yet another macro virus)
W97M.LaPerra (class infector)
WSHVGEN (Windows Scripting Host Virus GENerator huahua)

About #? viruses. That's not a poor production :) Most of them are not in the wild (and won't be). I think only AVP and other av-soft in the war of 'i detect all viruses under the sun' takes care ;) No matter: i had fun doing them... and that is the important.

The way of the bee ends here

11 DEC 2001