w32/Divinorum :: SumUp

November 17, 2007 at 6:05 pm (Viruses)

W32.divinorum is my latest creature: a Win32 PE executable parasitic infector. It uses appending mode, adding a new section at the end of the file, and includes two decryption routines, one in the EPO section and the other after the jump into the virus body.
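A defender-side check for the appending-mode layout described above, added here as an example (it is not code from the virus, from the e-zine, or from any vendor's analysis): it parses the PE section table in pure Python and flags a last section that is writable and executable or that contains the entry point, so an EPO-style infection that leaves the entry point alone is still caught by the first heuristic. The PE images, the section name `.xyz` and every address below are constructed test data.

```python
import struct

SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
SEC_FMT = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawptr, rawsize, chars), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)               # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)          # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)        # AddressOfEntryPoint
    table = pe + 24 + opt_size                                   # section table follows the optional header
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SEC_FMT, data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rawptr, rawsize, chars))
    return entry, secs

def appended_section_findings(data):
    """Indicators of an appending infector, judged on the last section in the table."""
    entry, secs = parse_pe(data)
    findings = []
    if secs:
        name, vaddr, vsize, rawptr, rawsize, chars = secs[-1]
        if chars & SCN_EXECUTE and chars & SCN_WRITE:
            findings.append(f"last section {name!r} is writable and executable")
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            findings.append(f"entry point 0x{entry:x} lies inside last section {name!r}")
    return findings

def build_sample(entry, sections):   # constructed minimal PE32 image (headers only) for offline testing
    hdr = bytearray(0x40); hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew: PE header right after the MZ stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(0xE0 - 20)
    table = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rp, rs, ch in sections)
    return bytes(hdr) + b"PE\0\0" + coff + opt + table

# Constructed layouts: a clean two-section image, then the same image with a writable+executable
# section appended, once with the entry point left in .text (EPO style) and once redirected into it.
TEXT = (b".text", 0x1000, 0x500, 0x400, 0x600, 0x60000020)
DATA = (b".data", 0x2000, 0x200, 0xA00, 0x200, 0xC0000040)
ADDED = (b".xyz", 0x3000, 0x800, 0xC00, 0x800, 0xE0000020)
CLEAN = build_sample(0x1100, [TEXT, DATA])
EPO_INFECTED = build_sample(0x1100, [TEXT, DATA, ADDED])
EP_INFECTED = build_sample(0x3000, [TEXT, DATA, ADDED])
```

Run on a real file with `appended_section_findings(open(path, "rb").read())`; the writable+executable heuristic also fires on legitimate packed binaries, so treat it as a triage hint rather than a verdict.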

More information about it:

http://www.sophos.com/security/blog/2007/11/747.html ::sophos blog entry!

http://www.sophos.com/security/analyses/w32divvia.html ::sophos virus description

http://www.f-secure.com/v-descs/virus_w32_divvi.shtml ::f-secure virus description

http://vil.nai.com/vil/content/v_143761.htm ::McAfee virus description (added*)

I played a sort of cheap game! I mentioned an AVer guy's name and asked him to cut his ponytail in order to attract AVers to analyze it, and added extra flavours to figure out if someone was really going to put that creature in a debugger.

The virus source code will be published in the next e-zine from EOF and DoomRiderz.

I didn't manage to do any harm by coding this virus; that's why I directly emailed the sample to AVers.

———————–

*Updated: 15th of Dec 07


Cyber Terrorism

November 13, 2007 at 3:52 pm (Uncategorized)

As the 11th of November passed and nothing of what had been claimed by the e-jihadists happened, I was curious as I read AVers' blog posts about the whole thing.
First I wanted to reach that site, "al-jinan.net", but as AVers reported, it was offline, so I checked jo-uf.net (from the F-Secure analysis), and dnsstuff.com showed that this domain refers to 127.0.0.1, localhost, so it is not yet activated, or will never be activated.
The funny thing is that the host was registered to a guy from Iraq, which shows that he registered the domain in 2002!! Iraq was still under Saddam's grip, and there was no internet there until the beginning of 2003, so how on earth would that happen?
Consulting a cyber friend about the dnsstuff.com information, he told me that the names of the region supplied don't seem to be Iraqi, more likely Egyptian!

So, what was that supposed to be? Were they really trying to DoS sites using that tool on their site's users? Would the users be so dumb as to run a totally suspicious program on their computers?! The guys were so cocky about their site not going offline this time, as I found in Google's cached pages; well, they were wrong, the internet is not Tora Bora! And another thing made me wonder: what if such tools worked in phishing style in the name of e-(holy wars)? What would the legal notice from AVers be? Should they (law enforcement) arrest users using that kind of tool ;)

Maybe the whole thing was a hoax to get media attention, or it might be an intelligence operation by some terrorism-fighting countries to get the IPs of suspects!
Either way, the e-attacks (I mean DDoS) could still be manageable; it doesn't take rocket science to create such havoc, but would it cause that great an impact? See the DoS attacks carried out in eastern Europe for that.

Note: These words were written by someone who is so pissed off at religious guys; they suck people's will, money and power in the name of god to get their fat asses thicker, and that person provided this info as it is.


Hello world!

November 10, 2007 at 6:58 pm (Uncategorized)

.586
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc     ; base types and constants, included before the API prototypes
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
sample db "hello world!",0              ; used as both the message text and the caption

.code
start:
    xor eax,eax                         ; eax = 0, reused for the NULL arguments
    push eax                            ; uType = MB_OK (0)
    push offset sample                  ; lpCaption
    push offset sample                  ; lpText
    push eax                            ; hWnd = NULL
    call MessageBoxA                    ; stdcall: arguments pushed right to left, callee cleans the stack
    push 0                              ; uExitCode = 0
    call ExitProcess                    ; end the process explicitly rather than returning from the entry point
end start
