Name: Access Macro Generator
Creator/Origin: Ultras / Russia
AKA : AMG
Type: Virus Creation ToolKnown versions:
AMG 1.0 - November 1998
Features:
An Access 97 macro virus generator by the creator of the UCK and MUCK kits.
Author's note:
Features:
Message Box - Shows message Kill Files on C: - Deletes all files on disk C:\ Kill Dll - Deletes DLL files in directory C:\Window\System Kill Program Files - Destroys Folders C:\Program Files Kill Files - Deleting the files in folders Kill Windoze Files - Destroys Folders C:\Program FilesInstructions: After you include the constructor choose the options and name of virus. Hereon start access97 and create the module having named by its name of virus put all from generated file with finishing a name of virus.bas and module is ready. Hereon create macros "Autoexex" in which choose the function of start the program and deliver start a module of your virus.
Name: Ade Virus Construction Center
Creator/Origin: Thanathos / Darkness Sons
AKA : AVCC
Type: Virus Creation ToolKnown versions:
AVCC 1.0b - March 1999
Features:
Simple, generic virus creation kit that produces Pascal companion viruses. Several user selectable features are available. A beta of a 32-bit version has been released as AVCC32.
Name: Ade Virus Construction Center 4 Win32
Creator/Origin: Unknown / Italy
AKA : AVCC32
Type: Virus Creation ToolKnown versions:
AVCC32 - December 1999
Features:
AVCC32 is beta release of a 32-bit version of AVCC.
Name: Annihilator Virus Construction Set
Creator/Origin: Unknown / Germany
AKA : AVCS
Type: Virus Creation ToolKnown versions:
AVCS 1.00 - Unknown
Features:
Like a few others this kit asks annoying "virus knowledge" questions as "access control". It looks very similar to AWVCK (it uses the same access control questions and has a similar look) but the differences could indicate that the product is from the same author and probably is not a hack or clone. The demo virus that is distributed with the kit scans as a VCS variant with F-Prot but as AVCS.270 with AVP.
Name: Anti Windows Virus Creation Kit
Creator/Origin: Unknown / Unknown
AKA : AWVCK
Type: Virus Creation ToolKnown versions:
AWVCK 1.01 - March 1994
AWVCK 1.10 - 1994Features:
Simple, generic virus creation kits that create overwriting viruses.
These are very dangerous nonmemory resident overwriting viruses. They search for .EXE and .INI files, then overwrite them, display the message and return to DOS:"AWVCK.156": Packed file is corrupted!
"AWVCK.182": This program requires Microsoft WindowsThe viruses also contain the text strings:
"AWVCK.156":
NoName
*.ini *.exe
Packed!-Virus [AWVCK 1.10-94]"AWVCK.182":
Innocent
*.ini *.exe
Frisk is a lamer!-Virus [AWVCK 1.01-94]
Name: Black Knight Macro Virus Construction Kit
Creator/Origin: Black Knight / Philippines
AKA : BKMVCK
Type: Virus Creation ToolKnown versions:
LWMVCK 1.0 - May 2000
BKMVCK 1.0 - June 2000
BKMVCK 2.0 - August 2000A macro virus creation kit with many similarities to LiME and other macro generators. Release 1.0 is created as a Word template (written using VBA) and has many user selectable payloads, infection settings, stealth settings, anti-virus techniques, triggers and miscellaneous features. For polymorphism it can use SOPS or APMRS. It creates Word 97 and Word 2000 compatible viruses. An early version is known as the Lucky Warrior Macro Virus Construction Kit (LWMVCK).
Release 2.0 is a major revision of the virus creator, it is written using VB. It is password protected and comes with an online Help feature explaining its functions. In addition to APMRS and SOPS version 2.0 also supports UMP. Like 1.0 it has many user selectable payloads, infection settings, stealth settings, anti-virus techniques, triggers and miscellaneous features. Release 2.0 also supports MIRC, PIRCH and Outlook infections using VBS and it creates Word 97/2000, Excel 97/2000 and Access 97/2000 compatible viruses. It is protected by a username/password combination.
Future versions will support cross and class infection.Author's Note (version 1.0):
"BKMVCK is a macro virus construction kit for MS Word 97 and MS Word 2000. There's something new with this kit, the ability to change the windows background (8 nude images to choose from) and the ability to to change the mouse cursor (10 good images to choose from). There's also 4 new funny payloads, the ability to hide the start button, taskbar icons/system tray, to put your name in the system tray and to rename the recycle bin."
Infection settings ~~~~~~~~~~~~~~~~~~ AutoOpen AutoExec AutoClose AutoExit Edit|Find File|Close File|Exit File|Print File|Save File|SaveAs Tools|Options Tools|Macro File|Templates View|VBCode Print image of a woman to File|PrintStealth settings ~~~~~~~~~~~~~~~~ Basic stealth hooks Stealth hooks with infection Stealth hooks with a payload and an infection routine Kill and disable the stealth menu options -Tools|Macro -Tools|Templates and add-ins... -Tools|Customize... Add a fake error message to stealthPayload trigger settings ~~~~~~~~~~~~~~~~~~~~~~~~ Triggered by invoking a stealth menu Triggered by counter Stealth hooks/activated Triggered by random number Triggered by date Payload settings ~~~~~~~~~~~~~~~~ Shutdown Windows Hide Windows Start Button Hide Windows Taskbar Icons / System Tray Disable keyboard Hide mouse cursor Swap mouse button Make mouse cursor go wild Nail mouse cursor Launch internet site Insert password Disable MS Word menu - File - Edit - View - Insert - Format - Tools - Table - Window - Help Replace text Insert text while printing Encrypt text of active document Kill active document Quit MS WordPolymorphism settings ~~~~~~~~~~~~~~~~~~~~~ APMRS SOPSDisplay messages settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Rename recycle bin Put name on the taskbar / system tray Change volume label Change MS Word caption Change MS Word status bar Insert text to active document Add a random message box Add a Help|About message box change windows username Add a MS Word assistant Add a Windows nag screenGraphics display settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Change Windows background - 8 nude images to choose from Change Windows mouse cursor - 10 images to choose fromDangerous payload settings ~~~~~~~~~~~~~~~~~~~~~~~~~~ Format drive c:\ Delete drive c:\ (include subfolders) Delete drive c:\ (w/out subfolders) Delete Windows (include subfolders) Delete Windows (w/out subfolders) Delete system files Defeat Anti-Virus settings ~~~~~~~~~~~~~~~~~~~~~~~~~~ McAfee Dr. Solomon Norton Anti Virus Pro (AVP) PC-Cillin F-Prot F-Macro F-Win Quick Heal Thunder ByteMiscellaneous settings ~~~~~~~~~~~~~~~~~~~~~~ Change document properties Change MS Word user information Hide Windows Start Menu - Favorites - Documents - Settings - Find - Run - Log Off - Shutdown Hide all items on desktop
Name: Bayros Virus Creation Kit
Creator/Origin: Bayros / Unknown
AKA : BVCK
Type: Virus Creation ToolKnown versions:
BVCKIT 1.0 - October 1999
BVCKIT 2.0B - October 1999Features:
A virus creation kit that is distributed as "shareware", which is a novel idea since viruses can be considered the ultimate in "shareware". The kit asks annoying "virus knowledge" questions as "shareware nags" and "access control".
Name: Batch Virus Generator
Creator/Origin: Wavefunc / USA
AKA : BVGEN
Type: Virus Creation ToolKnown versions:
BVGEN 1.1C - October 1995
BVGEN 1.2A - December 1995Features:
These batch programs generate a multitude of replicating virus-like batch programs from user-specified parameters. Since they are written using the MS-DOS batch language they are rather easy to find and disable, but at the same time, depending on the payload, they can be just as dangerous as assembly viruses.
See also:
Batch Viruses #2 by Wavefunc
Batch Viruses #3 by Wavefunc
Name: Biological Warfare
Creator/Origin: Mnemonix / USA
AKA : BW
Type: Virus Creation ToolKnown versions:
BW 0.90B - April 1994
BW 1.00 - June 1994Biological Warfare is a program that will generate assembly source code for a fully functional virus according to the specifications that the user gives it. When Biological Warfare is run, it will give the user a menu with a list of options pertaining to the virus. The user can manipulate the options as directed to create the virus to his specifications.
Following are the options of version 0.90B :
A) Text - Any text that has to appear within the virus, up to 60 characters.
B) Resident - Specifies whether virus will be resident in memory or not.
C) Infect - Either COM, EXE, or both.
D) Encryption - Specifies if the virus will feature encryption.
E) INT 24 Handler - Specifies if the virus will steal DOS's critical error handler to avoid write protect errors.
F) Anti-Trace - Specifies if the virus will includes routines to thwart trivial debugging or tracing.
G) Maximum Size - If selected, the virus will not infect any .COM file too large for it.
H) Traversal - Specifies if the virus will move upwards in the directory tree.
I) Infections/run - Maximum number of files to infect each run.
J) Avoid COMMAND - Specifies if the virus will infect COMMAND.COM.
K) EXE Marker - Two characters used to indicate an infected .EXE file.
L) Overlay check - Specifies that the virus will not infect .EXE files with internal overlays.
M) DirStealth - Hides the file size increases from a directory listing. All infected files have their seconds field set to the given number. Absence of this number indicates that no directory stealth function will be included. (Resident viruses only)
N) Infect on - Specifies if the virus has to infect when opening a file, executing a file or both.
O) Activate - Virus will include space for an activation routine in the code.
P) More directory stealth - In conjunction with directory stealth this will make the increase in file size invisible from any file managing programs in addition to a DIR command.Version 1.00 added the following:
- Encryption, both standard and basic polymorphic (via the Biological Warfare Mutation Engine)
- Time stamp - This is used by either directory stealth or polymorphism.
- Biological Warfare Mutation Engine (BWME):The BWME is a very basic polymorphic encryption engine that will make the virus more difficult to scan. It's size is 609 bytes.
Name: Class Macro Kit
Creator/Origin: jackie twoflower / Austria
AKA : CMK
Type: Virus Creation ToolKnown versions:
CMK 1.0b - August 1999
Features:
A class macro virus generator by the author of LiME, W97MVCK. Version 1.0b offers the option of including the PiE polymorphic engine.
Name: Class.Poppy Construction Kit
Creator/Origin: VicodinES / USA
AKA : CPCK
Type: Virus Creation ToolKnown versions:
CPCK 1.0a - November 1998
Features:
A creation tool specifically aimed at making MS Word for Windows 97 VBA/Class viruses. It allows for integration of several payloads and the use of VSMP, a polymorphic module by the same author (also known for VMPCK, VWIS, VAMP and VVSC.
Name: China Town Macro Word Virus Construction Kit
Creator/Origin: Duke / Russia
AKA : CTMWVCK
Type: Virus Creation ToolKnown versions:
CTMWVCK 0.1 - April 1999
CTMWVCK 0.1a - May 1999
CTMWVCK 0.1b - May 1999Features:
Another creation tool specifically aimed at making MS Word for Windows .DOC and .DOT macro viruses. Released as a .DOT file it basically is a macro to create macro viruses. Several payloads and triggers conditions are user selectable. Versions 0.1a and 0.1b claim some Word 97 compatibility even though the kit is Word 6.0 based. Created by the author of DPOG, DPVG, SBVM and DVL. A hacked version of this kit is known as DPVCK.
Name: Crazybits Virus Construction Kit
Creator/Origin: CrazyMan / Indonesia
AKA : CVCK
Type: Virus Creation ToolKnown versions:
CVCK 0.1B - April 1997
Features:
Another creation tool specifically aimed at making MS Word for Windows .DOC and .DOT macro viruses. Released as a .DOC file it basically is a macro to create macro viruses. Several payloads and triggers conditions are user selectable. It adds an extra menu called "CrazyVCK v0.1" to the Word menu bar.
Name: CVEX Virus Maker
Creator/Origin: Golden Cicada / Taiwan
AKA : --
Type: Virus Creation ToolKnown versions:
CVEX 1.0 - October 1995
Features:
This virus maker is probably responsible for the large number of CVEX variants floating around. It requires a little more knowledge on programming from its user and is a little less user friendly than for example VCL or PS-MPC.
Name: Dead_Bytes Virus Generator
Creator/Origin: Dead_Byte / Russia
AKA : DBVG
Type: Virus Cloning ToolKnown versions:
DBVG 1.0 (Russian) - June 2000
DBVG 1.1 (Russian) - August 2000
DBVG 1.1 (English) - August 2000Features:
This generic virus cloning tool creates source codes that can be compiled with Turbo Pascal. It offers Companion, Overwriting and Appending functionality.
Name: Ding Lik's C Virus Generator
Creator/Origin: Ding Lik / Indonesia
AKA : DLCVG
Type: Virus Creation ToolKnown versions:
DLCVG - December 1999
Features:
Author's note:
"Ding Lik's Millenium C Virus Generator, DLCVG for shorten, is a tool for everyone - C programmers specially - to learn how to program a virus in C language. DLCVG will produce a virus template, so you can easily modify it. DLCVG has menus, so you can use it easily.
There are three menus : File, Edit and About. File menu contains Go & Exit menus. Go menu's function is to create a virus. Exit menu's function is to exit from DLCVG. Edit menu contains Author, Vir name & Vir ID menus. Author menu's function is to enter author of the virus. Vir name menu's function is to enter name of the virus. And Vir ID menu's function is to enter signature of the virus. Just fill each edit menus and then File | Go to create a C virus."
Name: DarkByte Macro Virus Generator
Creator/Origin: DarkByte / Philippines
AKA : DMVG
Type: Virus Creation ToolKnown versions:
DMVG 0.9b - February 2000
Features:
Macro virus generator with user selectable features (activation routines, payloads, trigger timing).
Name: DarkChasm's Word 97 Macro Virus Construction Kit
Creator/Origin: DarkChasm / USA?
AKA : DW97MVCK
Type: Virus Creation ToolKnown versions:
DW97MVCK 1.0 - June 1997
Features:
This is the 'next generation' macro virus creator it being specifically made for Word 97 (VBA) macro viruses. The generator itself is, like most other macro virus generators, a big macro. Several options like stealth, retro (severely limited due to target directory selection), payloads, what macros to use etc. are user selectable. To support a polymorphic function the use of Pyro's APMRS is incorporated and is also user selectable.
From the author:
"There are plenty of features DW97MVCK can make viruses with:
Features:
+ 4 Stealth macros to choose from
+ 8 Retro features to choose from
+ Polymorphic (currently only one engine)
+ 7 Payloads to choose from
+ 7 Infection Macros to choose fromOf course you can mix and match any combination, so there are well over 100 combinations."
Name: Dirty Nazi Virus Generator
Creator/Origin: Dirty Nazi / SGWW / Ukraine
AKA : DNVG
Type: Virus Creation ToolKnown versions:
DNVG 1.0B (Russian) - April 1997
DNVG 1.0B (English) - February 1998Features:
This Ukrainian virus maker was released with Issue #11 of the Infected Voice e-zine. It is operated through a DOS based user interface and produces .PAS source codes. It comes with 1 example virus. A translated version is also available.
Name: Duke's Pascal Overwriting Generator
Creator/Origin: Duke / Russia
AKA : DPOG
Type: Virus Creation ToolKnown versions:
DPOG 0.01 - November 1998
DPOG 0.02 - July 1999Features:
Version 0.01 of this simple Russian virus maker was released with Issue #2 of the DVL e-zine. It is a CLI operated generator that creates HLLO (overwriting Pascal) viruses through a user configurable .CFG file. It was subsequently followed by DPVG and SBVM of the same author. Version 0.02 of this simple Russian virus maker was released with Issue #8 of the DVL e-zine.
Name: Diesel Power Virus Creation Kit
Creator/Origin: Xarabas / Italy
AKA : DPVCK
Type: Virus Creation ToolKnown versions:
DPVCK 1.0 - April 1999
Features:
This is a hacked version of CTMWVCK by Duke. Some dialogs were changed but remain similar to the original dialogs and the 3 selectable payload viruses were swapped with 3 viruses by members of Darkness Sons.
Name: Duke's Pascal Virus Generator
Creator/Origin: Duke / Russia
AKA : DPVG
Type: Virus Creation ToolKnown versions:
DPVG 0.1 - December 1998
DPVG 0.2 - January 1999Features:
Version 0.1 of this Russian virus maker was released with Issue #3 and version 0.2 with Issue #4 of the DVL e-zine. It is a CLI operated generator that creates HLLO, HLLW or HLLC viruses through a user configurable .CFG file. It was created by the same author as DPOG, DVL and SBVM.
Name: Digital Hackers' Alliance Randomized Encryption Generator
Creator/Origin: Gothmog / USA
AKA : DREG
Type: Virus Creation ToolKnown versions:
DREG 0.01.0047 - March 1997
DREG 0.01.0049 - March 1997Features:
From the author's .DOC file:
The Digital Hackers' Alliance Randomized Encryption Generator (DREG) was created primarily as a programming excercise of sorts, to see how difficult it would be to create a program which could make working viruses from a single template which share a minimum of code, and as a result, can not be detected by signature scanning but rather by algorithmic scanning only. This too may prove difficult, for DREG has several unique code- randomization features:
- Randomized instruction sequences - DREG will place register assignments, etc. in random order.
- Anti-heuristic code - most DREG viruses are 100% undetectable by TBAV w/ high heuristics enabled and F-PROT with the /analyse /guru and /paranoid command-line switches enabled. Some are undetectable by AVPLITE v3.0 build 107's heuristics and by Dr. Solomon's FindVirus v7.69, others will trigger generic heuristic alarms. Oh well, so it goes...
- Random register selection - when executing a lea reg16, [bp+address] / call reg16 sequence, for example, a register will be randomly chosen from those not containing data to be saved.
- Complex register assignment code - when mov reg, constant is necessary, DREG will do one of the following: mov reg, constant; mov reg, random number / add reg, constant - random number; mov reg, random number / sub reg, random number - constant; mov reg, constant xor random number / xor reg, random number; mov regHi, constantHi / mov regLo, constantLo; mov regLo, constantLo / mov regHi, constantHi. You get the picture...
- Complex register zeroing - when a register needs to be cleared, DREG will alternately choose between: xor reg, reg; sub reg, reg; mov reg, 0; mov reg, random number / xor reg, random number; mov reg, random number/ sub reg, random number. NOTE: this routine will call the complex reg. assignment code when necessary. Also note - the two complex register routines are recursive; there shouldn't be any real risk of any stack overflows, but keep this fact in mind if the code appears to freeze or proceed slowly during the virus generation phase.
- Multiple encryption keys - Generated viruses can have up to ten random encryption keys. Generated keys will be assigned by calling one of two random number generator routines and by using a different call/pop sequence each time.
- Variable size increase - some generated viruses will arbitrarily and randomly add several extraneous bytes to the end of each infected file to confuse scanners/disinfectors. This is done through a sequence of inc cx instructions or through a single add cx, random number statement.
- Variable heap code offset - Generated viruses will copy the infection routine in memory to a random offset in the heap, different each time.
- Randomly placed data items - Currently, there are 5 separate data items that can be placed into 5 different positions within the code.
- Randomly placed heap data positions - Stored in the heap in a random order, and often with empty "placeholder" spaces, are the file attributes/time/date/size block, and the original code segment and offset of the original interrupt 24 handler.
- Random filemask capitalization - DREG will randomly capitalize '*.COM'; to create, for example, '*.CoM' '*.COM', '*.com', '*.cOM', etc.
- Junk code generation - This feature is one of DREG's best randomization features. Intersperced between the instructions of its generated viruses, DREG will include one or more junk instructions. Currently, the junk instructions DREG supports are: nop; sub reg, 0; add reg, 0; or reg, 0; xor reg, 0; mov reg, reg; inc reg / dec reg; dec reg / inc reg; add reg, random number / sub reg, random number; sub reg, random number / add reg, random number; push reg / pop reg; push reg / mov reg, random number / pop reg; jmp random_address / random_address:; cmc / cmc; cli / sti; int 03h (one- and two-byte opcodes); push ax / lahf / pop ax; xchg reg, reg; neg reg / neg reg; not reg / not reg. NOTE: This routine is recursive; there shouldn't be any real risk of any stack overflows, but keep this fact in mind if the code appears to freeze or proceed slowly during the virus generation phase.
As DREG is coded to illustrate the randomization engine itself, the viruses it creates, while difficult to detect, are rather simple technologically speaking. They are .COM infectors that infect files in the current directory only, hooking interrupt 24 to disable any write-protect messages. Infected files preserve date, time, and attributes. Read-only files CAN be infected. EXE files that are misnamed purposefully or otherwise as COM files are NOT infected. Files that start with a near jmp instruction are not infected; this serves as both an anti-goat file measure and an infection marker. This means as well that DREG viruses will not infect files infected by other DREG viruses without modification. The viruses will be encrypted with a xor encryption loop which will vary with each generated virus; see the featurelist above for more on this. All in all, a simple affair, but then again, this program is only a demonstration of virus engine technology.
See: Interviews (Gothmog)
Name: Dark Slick's Virus Generator
Creator/Origin: Dark Slick / Unknown
AKA : DSVG
Type: Virus Cloning ToolKnown versions:
DSVG 1.0 - July 1996
Features:
Basically this program is just a user shell to compile and generate around 40 older and well known viruses. This program uses three .DAT files that are ASCII collections of ASM listings of those wel known viruses. Most, if not all, of the viruses created by this generator should be found by your average AV tool.
Name: Deinonychus Virus Generator
Creator/Origin: Candyman / Argentina
AKA : DVG
Type: Virus Creation ToolKnown versions:
DVG 1.35 - July 1995
DVG 1.35D - November 1995
DVG 1.35E - November 1995Features:
Generic VCL-like virus generator from Argentina. It has several selectable payloads. The following is a quote from the .DOC file:
FUCK HDD.(Destruye HDD)
DISPLAY STRING.(Imprime mensaje en pantalla)
FUCK HDD Y DISPLAY STRING.
STOP PC.(Cuelga Pc)
REBOOT.
BEEPS.
FUCK T.P. (Destruye Tabla De Particion )
PRINT SCREEN (Imprime Pantalla Actual <LPT> )
KILL RND SECTOR (Destruye un sector al azar del drive default <new>)
NINGUNA.It also has several selectable time triggers: day of the month, month of the year, time of the day and day of the week.
The user has the have Borland's TASM.EXE and TLINK.EXE in the path for compiled viruses to be created succesfully.
Name: Duke's Virus Labs
Creator/Origin: Duke / Russia
AKA : DVL
Type: Virus Cloning ToolKnown versions:
DVL 1.0 - June 1998
Features:
Similar to DSVG and Genesis this cloning tool reproduces 14 known viruses from a database of source codes. It needs TASM and TLINK to function. Created by the author of DPOG, DPVG, SBVM and CTMWVCK.
Name: Demolition Kit
Creator/Origin: Nightmare Joker / SLAM / Germany
AKA : --
Type: Virus Creation ToolKnown versions:
Demolition Kit 1.0 - December 1996
Features:
Based on Nightmare Joker's first creation tool, WMVCK, this one was released in 5 different versions (WFW 95 7.0 VGA/SVGA, WFW 95 6.0 VGA/SVGA & WFW 3.1 6.0). Further info to be determined.
Name: Excel Macro Virus Construction Kit
Creator/Origin: Anti-State Tortoise / Unknown
AKA : EMCVK
Type: Virus Creation ToolKnown versions:
EMVCK - September 1999
EMVCK bugfix - December 1999Features:
Virus generator by the creator of PIAPP that creates macro viruses for Excel 97/2000. It generates .BAS source codes that can be imported into Excel.
Name: Ejecutor Virus Creator
Creator/Origin: El Ejecutor / Argentina
AKA : EVC
Type: Virus Creation ToolKnown versions:
EVC 1.0 - December 1993
Ejecutor Virus Creator is a very basic virus creation tool only capable of making one basic 161 byte long overwriting virus. The user has the option to enter a text the virus has to display and the date when the virus has display the text.
Only a few viruses produced by EVC are known.
The same author created the EVI virus insertion/dropping tool.
Name: Executioner's Virus Generator
Creator/Origin: Executioner / Canada
AKA : EVG
Type: Virus Creation ToolKnown versions:
EVG 1.00B - December 1995
EVG 1.30B - Unknown
EVG 1.40 - UnknownFeatures:
Unknown. Never publicly released, several of its products are known. Discontinued end 1996.
Name: Evil Zone Virus Construction Kit
Creator/Origin: Xabaras & Xander16 / Italy
AKA : EZVCK
Type: Virus Creation ToolKnown versions:
EZVCK - January 2000
Features:
Tool with a bilingual (Italian and English) Windows GUI and capable of producing Assembler or Pascal virus source codes. Possibly an evolution of AVCC32. Several features are unavailable and planned for subsequent releases.
Name: Fake Virus Creation Lab
Creator/Origin: The Bughunter / Germany
AKA : FVCL
Type: Pseudo Virus Creation ToolKnown versions:
FVCL 1.0 - December 1999
Features:
This tool does NOT produce any viruses. It inserts messages in selected .COM files. It has been included for sake of completeness.
Name: G2 (G Squared)
Creator/Origin: P/S / USA/Canada
AKA : G2
Type: Virus Creation ToolKnown versions:
G2 0.70B - January 1993
Features:
It appears that the Dark Angel was not wholly satisfied with the PS-MPC generator he had written, and so he published a program called Phalcon/Skism G2 on the turn of the year 1993. The name derives from its creator's opinion that G2 is a second-generation virus generator.
The functioning of G2 very much resembles that of PS-MPC. They have certain notable differences, however:
G2 will create a different virus every time, even though the values in the configuration file remain unchanged. G2 is also supplied with a smallish file, G2.DAT, which contains the actual intelligence of the program. The Dark Angel has announced that he will supply update versions of this file, which will completely change the functioning methods of the program.
The documentation of G2 tells of its features as follows:FEATURES
The target audience of G2 includes both novice and advanced programmers alike who wish to learn more about virus programming. A revolutionary tool in virus generation, G2 is both easy to use and unparalleled in performance. As a code generator, it has a number of features including:
o Easy updates via data files.
o Accepts MPC-compliant configuration files.
o Different viruses may be generated from identical configuration files.
o Small executable size, allowing for speed during load and execution.
o Still no IDE - edit the configuration file in your favorite editor and rapidly generate new code; no need for lengthy wait while IDE loads, allowing you to work faster and have results quicker. A definite productivity bonus!
o Rapid generation of code, once again allowing for fast results.
o Low memory requirements.As a virus creation tool, it has the following features:
o Generates compact, easily modified, fully commented, source code.
o COM/EXE infectors.
o Resident and nonresident viruses.
o Supports multiple, semi-polymorphic encryption routines (full polymorphism coming soon).
o Easily upgraded when improvements are needed.G2 is one of the most advanced virus code generator available today!. Many viruses made with G2 are known. Anti-virus products today detect most of the G2 products.
Name: Genesis (ASM)
Creator/Origin: Virii God/Stormmaker / Unknown
AKA : --
Type: Virus Cloning ToolKnown versions:
Genesis 1.0 - September 1998
Genesis 2.0 - September 1998
Genesis 3.0 - March 1999Features:
Generic, batch file based virus compiler/dropper. Version 1.0 comes with eight well known virus source codes, version 2.0 and 3.0 are compiled batch file based compilers of thirty and forty source codes respectively. All versions include the TASM/TLINK files necessary to compile the code.
Author's note (version 1.0):
"Genesis is a simple program that will automatically create viruses. I chose to write it in Batch for two reasons:
- I'm one of those OLD folk that actually like Batch ;-)
- I'm just getting back into Virus Writing and my assembly is a little rusty.
This Version of GENESIS will create 8 well known viruses automatically using a menu interface. I thought about writing it to create more than 8 viruses but I want to see the reaction I get to Version 1.0 first before I go all out. Personally, I don't condone these type of virus creation programs. I feel that one should learn to write their own viruses. But I also feel that programs like this creator can help beginners in a way by showing them how viruses are put together. It seems like the virus scene has slowed down in terms of original ideas lately, (People using Virus Creators to create old/known viruses) and this is a shame. I encourage people to start learning assembly and writing their own NEW viruses. As I stated, I wrote this program and intended it to be somewhat of an indirect learning model. TAKE apart the Virii it creates. EXAMINE the ASM files. FIGURE OUT how TASM and TLINK work. LEARN!"
Name: Genesis (Batch)
Creator/Origin: PhreakX / Unknown
AKA : --
Type: Virus Creation ToolKnown versions:
Genesis 0.01 - July 1999
Features:
This tool with a Windows GUI (programmed using Visual Basic) will create batch viruses with user selectable features.
Name: GenVir
Creator/Origin: J.Struss/France
AKA : GV
Type: Virus Creation ToolKnown versions:
GV 1.0 - 1991/3
GV 1.5 - 1991/3
GV 1.5 (NuKE) - March 1993
GV 2.0 - June 1993Features:
GenVir was marketed by a Frenchman called Struss as a tool to evaluate the performance of anti-virus products and its documents included an order form. In 1993 members of NuKE released a cracked version 1.5. Later in 1993 Struss released version 2.0 which boasted MS-DOS 5.0, 6.0 and Doublespace compatibility.
More than 10 viruses produced by GenVir are known.
Name: Incredible Batch Bug Maker
Creator/Origin: Wavefunc / USA
AKA : IBBM
Type: Virus Creation ToolKnown versions:
IBBM - VLAD AF
IBBM - Nightmare Joker
IBBM - bugfixed
JBM - Jany Batch Maker - August 1999Features:
Initially released in VLAD zine #AF this creator uses a HTML and Java capable browser to create batch file viruses. The initial release had a one byte infection counter bug which would cause the virus to keep infecting an unlimited number of files. Early 1997 this creator evolved into RBM which uses HTML frames.
Jany Batch Maker is a hack of the original tool, created by the_L3D.
Name: IRC Batch Worm Kit
Creator/Origin: GzR / Unknown
AKA : IBWK
Type: Worm Creation ToolKnown versions:
IBWK 1.0 - August 2000
Features:
Generic creation tool that produces batch files with IRC worm functions. By the creator of TPOK.
Name: Immortal EAS Virus Creation Centre
Creator/Origin: Hacking Hell / Netherlands
AKA : IE-VCC
Type: Virus Creation ToolKnown versions:
IE-VCC 0.09B - June 1995
IE-VCC 0.19B - June 1995Features:
A recent addition to the the virus creation market this package claims:
"Anti-Trace / Anti-TBAV / Anti-MSAV / Encryption / Traversal / Etc."
It was coded by Hacking Hell of Immortal EAS a new and shortlived Dutch virus writing group. More than 25 viruses produced by this tool are known.
Name: Italian Pascal Virus Construction Kit
Creator/Origin: Tex / Darkness Sons
AKA : IPVCK
Type: Virus Creation ToolKnown versions:
IPVCK 1.0 - February 1999
Features:
This simple, generic virus creation kit produces assembler source codes and comes with 1 test virus and TASM/TLINK.
Name: Instant Virus Production Kit
Creator/Origin: YAM / USA
AKA : IVP
Type: Virus Creation ToolKnown versions:
IVP 1.0 - December 1992
IVP 1.7 - January 1993Features:
YAM (Youngsters Against McAfee), a group founded in the USA, has contributed the Instant Virus Producer, or IVP, to the competition for the best virus generator. IVP has not, however, attracted popularity to speak of.
IVP does not feature the amount of functions VCL and PS-MPC do, it cannot, for example, create memory resident viruses. In the same vein, the encryption algorithms of IVP are really very simple in comparison with, let's say, PS-MPC. To top it all, IVP frequently produces dysfunctional code.
More than 120 viruses produced with IVP are known to exist.
Name: Indonesian Virus Source Creator
Creator/Origin: Henry Yonathan (Sentot) / Indonesia
AKA : IVSC
Type: Virus Creation ToolKnown versions:
IVSC 0.0.1B - 1998
IVSC 0.1.1B - February 1998
IVSC 0.1.1 - March 1998Features:
A generic virus creator with minimal features.
From the author:
"Welcome to Indonesian Virus Source Creator (IVSC) version 0.1.1ßeta. We (RHA PC Club) had created IVSC version 0.0.1ßeta for private release. IVSC is a simple generator that create a virus. It has a simple interface, similar to Biologycal Warfare (BW). We created this generator is to make a contribution in Virii's World, specialy in Virus Creation Kit. The other reasons are for the future virii's writer, learning virii programming and learn to make an AV program. The virii's source code produced by IVSC commented in Indonesian (that's what IVSC for). The virus is not programmed to restore the infected file's date and time. Viruses produced by IVSC just a virus template, so you can make it better and better. If your IVSC is orginal, you can find a virus exampled named BITLEZZ.ASM, a virus created by IVSC modified and developed by Ding Lik."
Name: Javascript Virus Dropper
Creator/Origin: Ruzz / Unknown
AKA : JVD
Type: Virus Creation ToolKnown versions:
JVD - July 1999
Features:
Author's note:
"JVD "transports" viruses into the user's system via the web. A file is created on the user's harddisc which contains all the information needed to create and run the virus . The Autoexec.bat and Config.sys are amended to create and run the virus on next bootup. The Win.ini, System.ini, User.dat, Win.com and contents of Autoexec.bat and Config.sys are destroyed. The code then inserts a command to execute the written file on next bootup when Autoexec.bat calls the written file which creates and runs the virus. Because most AV progs load using the Autoexec.bat, the Config.sys, the Win.ini, the System.ini or the Windows registry, they cannot be executed because these files have been modified or destroyed. The Win.ini, System.ini, Win.com and User.dat files have been removed just incase the virus is not run. This guarantees that the user cannot get into Windows to run any AV programs or diagnostic prog to rectify the problem. This forces the user to perform a total rebuild of their system. This will result in a loss of data and time. "
Name: Laboratorio Argentino de Virus
Creator/Origin: Candyman - Popol / Argentina
AKA : LAV
Type: Virus Creation ToolKnown versions:
LAV 1.20 - October 1995
Features:
Virus creation kit from the same author as the Deinonychus Virus Generator (DVG). It creates DOS viruses and has similar features as DVG.
Name: LAboratorio de VIrus
Creator/Origin: Father Mac / Argentina
AKA : LAVI
Type: Virus Creation ToolKnown versions:
LAVI 1.0 - Unknown
LAVI 1.2 - Unknown
LAVI 1.3 - January 1994Features:
LAboratorio de VIrus is an Argentinian virus creation tool released by someone who calls himself Father Mac. Generally based on Nowhere Man's VCL it also uses destructive routines released by an American called Evil Avatar in his Mass Destruction Library.
More than 40 viruses produced with LAVI are known and most of today's popular anti-virus products detect them.
Name: Liberation of Anarchists Nationwide Macro Virus Generator
Creator/Origin: VEiN / USA
AKA : LANMVG
Type: Virus Creation ToolKnown versions:
LANMVG 1.5b - August 1998
LANMVG 1.5a - August 1998Features:
A macro virus generation tool that is capable of making viruses using either WordBasic or Visual Basic for Applications. The source code for this generator is heavily based on VicodinES' creator VMPCK. It comes with the W97/Core virus. Release 1.5a is a bugfixed version of 1.5b.
Name: Liberation of Anarchists Nationwide Virus Lab
Creator/Origin: VEiN / USA
AKA : LANVL
Type: Virus Cloning ToolKnown versions:
LANVL 1.1b - July 1998
Features:
A generic virus creation tool that, like a few other programs in this category, drops well known viruses from .DAT files. The viruses that come with this kit are:
Ambulance
Anthrax
AntiCMOS
Cascade
Casino
Earthday
Green Caterpillar
Jerusalem
Pox 2
Tiny-163From the author:
"This is a program that I wrote a long time ago when I was learning QBasic (THE Ancient Computer Language!!). I found it on my 80386 and decided to finish it. I fixed all of the bugs (I think) and it works very similar to DarkSlick's Virus Creation Kit. It reads data and compiles it to binary code. The shitty part is I didn't have time to put in a routine to delete the *.MAP and *.OBJ files that are produced.
Oh well, I'm only human. Have fun and don't NuKE yourself!! =)"
Name: LineZero Macro Engine
Creator/Origin: jack twoflower / Austria
AKA : LiME
Type: Virus Creation ToolKnown versions:
LiME 1.0 - May 1999
LiME 1.2 - May 1999Features:
Macro virus creation kit capable of creating viruses for Word, Excel and Access. Many user selectable features (infection techniques, payloads, stealth techniques) are available. The kit creates .BAS VBA source codes that need to imported into one of the three applications to make the final virus. By the author of W97MVCK. In version 1.2 the language used is user selectable (German or English) and the viruses for Word and Excel are produced in both the .BAS source code as the "compiled" product. There are 18 payloads for Word, 12 for Excel and 6 for Access.
Name: Lord Of Navan's Invasion Generator
Creator/Origin: Lord Of Navan / Unknown
AKA : LONIG
Type: Virus Creation ToolKnown versions:
LONIG 1.0 - June 1997
Features:
This generator was released in issue #3 of SLAM magazine. It creates source codes of Pascal viruses and was released with several demo viruses.
From the author:
LoNIG is a VCK that generates Pascal Companion viruses, which are 100% not found by any AV prog at the moment. Anyway, it was coded in Pascal of coz, and I avoided any ASM routines since my project was to write a proggy that generates REAL PAS-viriis and not only parts consisting of Pascal.
You can choose from the payloads:
* Displaying your own messy (random colors)
* Let the compy beep
* Only replicate (no special payload)
* Generate thousands of garbage philes
* Fake autoexec.bat --> endless boot-looping
* Give your virii Retro-abilities
Name: MacrEngine
Creator/Origin: Deviator / Ukraine
AKA : ME
Type: Virus Creation ToolKnown versions:
ME 1.0 - July 1999
Features:
This simple macro virus generator uses the WordBasic (Word 6/95) and was released with DVL #8.
Name: Mass O Shit Code Generator
Creator/Origin: Digital Anarchist / DSD
AKA : MOS
Type: Virus Creation ToolKnown versions:
MOS v.2c - July 1997
MOS v.7c - July 1998
MOS v.7d - July 1998Look here for the expanded history/background of this virus generator. The source code to this virus generator and a modified web version was released with Codebreakers Zine #4.
From the author:
It's based on an idea that Unknown/LT and Gothmog/DHA started but never completed. For every section of code there is more than one way to part the cat from it's coat. Or there is more than one way to get the results you desire. This takes some of the more basic section of code and explores a few of the options. v.2c has 5 sections of code with 6 possiblities/section s easy math tells you that this will produce 15,625 variations.
Name: Macro Virus Development Kit
Creator/Origin: Wild W0rker / Russia
AKA : MVDK
Type: Virus Creation ToolKnown versions:
MVDK 1.0B - August 1996
MVDK 1.0 - September 1996Features:
The first creation tool specifically aimed at making MS Word for Windows .DOC and .DOT macro viruses. Released as a .DOC file it basically is a macro to create macro viruses. The final 1.0 release has several more payload features than the beta version.
Name: Macro Virus SCS 97
Creator/Origin: Alevirus & RickCrazy / Brasil
AKA : MVSCS97
Type: Virus Creation ToolKnown versions:
MVSCS97 1.1 - April 1998
Features:
A Brasilian hack of the Dark Chasm's macro virus generation kit (DMVCK) this template for Word 97 creates Word 97 compatible viruses. Also released the Molotov Class Virus Maker (MCVM).
Name: Mini Ultras Construction Kit
Creator/Origin: Ultras / Russia
AKA : MUCK
Type: Virus Creation ToolKnown versions:
MUCK 1.0 - September 1998
Features:
Word 97 macro virus generation tool by the creator of UCK, AMG and UMP.
Author's note:
This be second my constructor it generates the viruses under Word97 - Word98. I has done its Mini version that it there was suitable. Creates viruses for word97-word98. In this constructors are done forgiven macro viruses. In menu
of constructor you are able to choose any deskside of your virus afterwards in directory of constructor you will find the file with name of your virus import in document word and your virus is ready. If work this constructor
you will find error please report me: ultras2@usa.net. Below I has described all functions of this constructor.Infection: AutoOpen AutoClose AutoExec FileSaveStealth: ToolsMacro ViewVBCode ToolsCustomize FileTemplatesPolymorphic: UMP Payload: Message Box
Set Password
ViriiPrint
Kill Files
Assistant
StatusBar
Change User
Cunning Password
Random Password
New CaptionKillAV: Anti Virus Pro (AVP) Dr.Solomon F-Prot Norton AntiVirus McAfee Quick Heal ThunderByte (TBAV) ViruSafe
Name: Molotov Class Virus Maker
Creator/Origin: Rick Crazy & Alevirus / Brasil
AKA : MCVM
Type: Virus Creation ToolKnown versions:
MCVM Beta - February 1999
Features:
An initial and limited beta version of an intended Class virus creation kit. The posted version was "infected" with Back Orifice. Also released Macro Virus SCS 97 (MVSCS97).
Name: Magic Macro Virii Creator
Creator/Origin: Rincewind / Austria
AKA : MMVC
Type: Virus Creation ToolKnown versions:
MMVC 1.0a - March 1999
Features:
This kit was created by the author of the LiME VCK using a different handle. The graphics look similar and it is also written in the German language.
Name: Mafia's Shit Creation Center
Creator/Origin: Xarabas / Italy
AKA : MSCC
Type: Virus Creation ToolKnown versions:
MSCC 1.0b - April 1999
Features:
This is a hacked version of release 0.02d of SBVM by Duke. Some dialogs were changed but remain similar to the original dialogs. Like SBVM it creates a batch virus.
Name: Mister Spocks Virus Generator
Creator/Origin: Mister Spock / Germany
AKA : MSVG
Type: Virus Creation ToolKnown versions:
MSVG 1.0 - May 2000
Features:
Word macro virus generator with several user selectable features (infection methods, payloads)
Name: Macro Virus Generator
Creator/Origin: e [ax] / Bosnia Herzegovina
AKA : MVG
Type: Virus Creation ToolKnown versions:
MVG 1.0 beta - July 2000
Features:
One of many this tool generates macro viruses for Microsoft Word. It has many user selectable features but all selections are displayed using the Yugoslav language. The program will support use of OIE, and RCJ.