*****************************
*** CHAOS-AD by Sepultura ***
*** South Australia - '95 ***
*****************************

Polymorphic, Full(ish) Stealth, Retro, Anti-Heuristic, Tunneling, COM+EXE.

*** IMPORTANT ***

This is the OFFICIAL version... due to a bit of a mistake, I sent a few ppl
on #virus the wrong version which has a TINY (one line) bug :P

******************

********
FEATURES:
********
Personal Stuff: - My First Polymorphic Virus.
                - My First Full Stealth Virus.
                - My First EXE infector.

Retro Stuff:    - Deletes CHKLIST.CPS, CHKLIST.MS, ANTI-VIR.DAT files.
                - Avoids infecting AV programs.
                - Disables VSAFE.
                - Avoids VSAFE, and older versions of TBMEM, from reporting
                  changes to System Memory / Environment.

Anti-Heuristics:- Uses some fairly heavy Anti-Heuristic structures throughout.
                - TCE generates HUGE, spaced out Decryptors, avoiding # flag.
                - TBSCAN 6.50 finds 0 flags on DECRYPTED virus.
                - F-PROT( /paranoid) 2.19 finds nothing on DECRYPTED virus.
                - AVP 2.2 finds nothing on DECRYPTED virus.
                - About 10% of decryptors are flagged by TBSCAN HR
                                                         (high heuristics).
                - No Decryptors (as far as I know) flagged by AVP, F-Prot.

Tunneling:      - Uses a /<-R4D NEW (I think) method to find the original
                  INT 21 vector.. see the subroutine find_21 for more info..

Polymorphy:     - Polymorphy is provided by TCE-0.4 (The Chaos Engine).

                It can generate decryptors of the form:
                   ADD/SUB/ADC/SBB/XOR [BP/SI/DI/BX(+xx(xx))],reg16

                It can move a value to a register as such:
                   MOV reg,VAL
                or LEA reg,[VAL]
                or XOR/SUB reg,reg + OR/XOR/ADD reg,VAL
                or XOR/SUB reg,reg + SUB reg, negative VAL

                It can test for a zero value, using:
                   OR/AND/TEST reg,reg

                It can generate the following looping methods:
                   JNZ loopstart
                or CLC + JA loopstart
                or LOOP loopstart
                or LOOPNZ loopstart

                It can modify the KEY register, using:
                   ADD/SUB/XOR reg,xxxx

                - Although TCE is a stand alone engine, I do not really
                  expect other people to use it in their virii, mainly
                  because it sux, and there are many better engines around.

Stealth:        - This is probably the shittiest part of the virus!
                - I could not get FULL (disinfect on the fly) type stealth
                  working with the variable length poly, and size padding,
                  so for now I am using Disinfect on Open, Infect on Close
                  type stealth.
                - It also Disinfects files loaded by debuggers.
                - If an archiver is running, it Infects instead of Disinfect.

Other Stuff:    - Marks files by padding the size up, so that the Least
                  Significant Byte, of the Size field, is ADh (chaos-AD).
                  This is reliable, and doesn't cause anything suspicious
                  looking..
                - Has a Cool Activation Routine (see the sub-routine
                  setup_activator for more info).
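
Added example, not part of the original text or the virus source: a triage script for the size marker and the deleted integrity databases listed above. It assumes clean file sizes have a uniformly distributed low byte, so about 1 in 256 clean files match by chance and the hit count has to be judged against that rate; the function names and the sample listing are constructed for illustration.

```python
# Added example: triage a file listing for the size marker described above.
from math import comb

MARKER_LSB = 0xAD                # low byte of the size field, per the text
TARGET_EXTS = (".com", ".exe")   # file types the text says are infected
AV_DB_NAMES = {"CHKLIST.CPS", "CHKLIST.MS", "ANTI-VIR.DAT"}  # deleted, per the text

# Constructed sample listing (name, size in bytes); not real data.
SAMPLE_LISTING = [
    ("COMMAND.COM", 54645), ("EDIT.COM", 4781), ("FORMAT.COM", 24237),
    ("MEM.EXE", 49325), ("XCOPY.EXE", 16930), ("README.TXT", 685),
    ("CHKLIST.MS", 270),
]

def is_candidate(name, size):
    """True when a COM/EXE file's size ends in the marker byte."""
    return name.lower().endswith(TARGET_EXTS) and (size & 0xFF) == MARKER_LSB

def chance_probability(n, k, p=1 / 256):
    """P(at least k of n clean files match by chance): binomial upper tail.
    Assumes a uniform low byte of the size (an assumption, not from the text)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def triage(listing, expected_db=()):
    """listing: iterable of (name, size). expected_db: integrity database
    files that should exist in this directory. Returns a summary dict."""
    listing = list(listing)
    execs = [(n, s) for n, s in listing if n.lower().endswith(TARGET_EXTS)]
    hits = [n for n, s in execs if is_candidate(n, s)]
    present = {n.upper() for n, _ in listing}
    wanted = {n.upper() for n in expected_db} & AV_DB_NAMES
    return {
        "executables": len(execs),
        "candidates": hits,
        # A small value means the marker count is unlikely to be coincidence.
        "p_chance": chance_probability(len(execs), len(hits)) if execs else 1.0,
        # Integrity databases that were expected but are gone.
        "missing_av_db": sorted(wanted - present),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, expected_db=("CHKLIST.MS", "ANTI-VIR.DAT")))
```

A single match means little on its own; the signal is a directory where the share of COM/EXE files ending in ADh is far above 1/256, especially alongside a missing integrity database.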

Things That Delayed This Virus's Progress:
                - Drugs.
                - School.
                - Stupidity.
                - I couldn't stop playing that 'Dont Touch The Sides' game
                  in VLAD-#3 (and I still can't :P).

;===============================================================================
