VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Interview with JPanic

hh86, SPTH
Valhalla #4
November 2013

[Back to index] [Comments]

JPanic is a viruswriter who started his career in the 1990. He was member of VLAD and Immortal Riot, two legendary virus-writing groups from the early times :) In the late 1990s he went to sleep.

He woke up now, and has already showed his skill by creating a fantastic crossinfector for Windows, Linux and MacOS. More to come...

You can reach him via [email protected]

The interview was done in two sessions via email in September/October 2013.

Have fun :)

Hey JPanic! Thanks alot for agreeing to talk with us. First - could you please describe yourself a bit. Where are you from, how old are you, what are your hobbies, what’s your favorite music and your favorite movies?

Ok. I am JPanic (J-K-Panic, J-FUQING-PANIC), who likes to be called 'Panic'. I am a programmer and on-and-off-again virus writer from Australia. I was born 1979. My hobbies are limited: Programming, viruses, bible study, and some reading of prose/poetry. I am very interested in all things mental health related. I am also very interested in the old world cultures.. Egypt, sumarians, Mayans, Incas, Hindus etc. I love all things God. I like "body art" but have not had any tattoos done for a while now.

Favorite novels include "The Bell Jar" by Sylvia Plath, "1984" by George Orwell.

Favorite movies include "Fortress" - an Australian movies mad 1986 starring Rachael Ward - any one who wants to seed a high-quality rip of this movie contact me. "Leon: The Professional" - I wish I was Leon ;). Maybe "Ali G - In Da House" is my favourite comedy.

Music Artists I listen to consistently include: Garbage, Front 242, Guns N Roses, Kirsty MacColl, Sonic Youth, Nirvana, The Church (Australian band). N.W.A, Cypress Hill, Transvision Vamp, Pantera, Rollins Band + Black Flag. Hilltop Hoods are good too.

All time favorite songs:

All time favorite music videos:

Pantera "Vulgar Display of Power" is an album everybody should listen to once in their life time.

How does a usual day in your life look like?

Ha! I wish you hadn't asked me this. I have some health problems. I have not worked as a professional coder for a long time. I mainly leave the home for medical appointments only and to see family once a week or so. I can not sit at a monitor/screen for more than 2 or 3 hours without building up to seizure, so I do not code much per day. I drink too much and chain smoke.

You have used several aliases - like Sepultura or now JPanic. Can you tell us why you changed your handle, and what they mean?

I do not know why I change aliases - maybe when I change aliases it is because the new handle reflects me more accurately at that time. I would like the name "persona non grata" - a legal term in Latin for "an unwelcome person", but this name is taken by a member of "TridenT" (early 1990s Netherlands VX group).

I started with "Sepultura" in 1993.. I liked the band, but I liked the meaning of the word - "some one who puts in the grave".

From 1997 to 1998 I used the name "The Soul Manager" on 3 viruses. This comes from the Front 242 song "Soul Manager" (see

Now I am using 'JPanic' - This comes from the short story by Sylvia Plath "Johnny Panic and The Bible Of Dreams". I do not like the story that much, but the name seems apt.

When did you for the first time heard about the possibility of self-replicating computer codes? What did you think about that?

1992 - MtE came out, there was the "Michaelangelo" scare. There was also an interview with The Unforgiven (head of Immortal Riot) in a local magazine. This is when I became fascinated with computer viruses.

Why did you decide to code a virus yourself? What was the story behind that? Did you had alot of source codes to study?

I started writing computer viruses in 1993 because I looked up to the virus writers that I read about - like they were rock stars. The documentation from the MS-DOS anti-virus "F-Prot" mentioned that viruses were written in assembler. I got a book "DOS: The Complete Reference" by Kris Jamsa from the local library. This taught me some assembler code and DOS internals. I did not have a modem or know any programmers at the time, so I had no tools or access to viruses. I had to write and disassemble code in MS-DOS ''.

Like other virus writers, I also got into virus-writing for the sex and the money that comes with being a VX'er :P.

I did not have any source code to study, but I had samples of three viruses I found in the wild (trading warez with school friends). These were 'Stoned' (I do not know what strain), 'Michaelangelo' (Stoned.March6), and Slow.1721 (An encrypted 'Jerusalem' variant that was common in Australia at the time).

Can you please tell us about some viruses that you have been written in the past, and what they did?

I will list the first two, and some that were less trivial (they are mainly stone aged MS-DOS viruses).

Sepultura Boot - My first virus in 1993, a boot sector virus similar to Stoned written in MS-DOS DEBUG. This escaped and became quite widespread in my city for a while. There is a '.b' strain - the same virus but ported to A86 assembler, published in VLAD#5.

Resvir1 - (aka Disillu.341) My first file infector written in 1993, also in MS-DOS DEBUG. A memory-resident MS-DOS .COM file prepender.

Disillusionist - (aka Disillu.1108). An encrypted, tunnelling, fast infecting prepender of MS-DOS .COM files in 1994, with an activation routine.

H8YourNMEs - (aka H8.1171) - 1994, Similar to Disillusionist but without encryption and with size-stealth and some other added functionality. My first virus published (in VLAD#5)

2FU (Too Fucked Up) - A 199 byte full stealth infector of the MBR and all floppy formats, written 1995 and published in IR#7.

Chaos-AD - Used my first poly engine TCE (The Chaos Engine). Not the best written virus, some sloppy code. Full stealth (disinfect on open), polymorphic, retro (anti-anti-virus) fast infector of MS-DOS .COM/.EXE files. Had some interesting features and anti-tunnelling code. Written 1995 and published in IR#7.

TotalTrash.2169 - One of my favorite of my own viruses. Full stealth (read-on-the-fly stealth) and mirror infector of MS-DOS .EXE files. Had some retro and anti-heuristic code. By "mirror" I mean when certain programs were running the viruses modified findfirst/next, read, and lseek calls to make clean files look uninfected - without ever writing to disk. You could PKZIP or RAR a file from a write-protected floppy for example and the copy in the archive would be infected. Inspired by Mirror.4130 by Bit Addict/TridenT, Kaspersky got his description of this virus wrong. Written 1996, published in IR#7.

Win16.RedTeam - Written 1997. My other favorite of my own viruses, perhaps the one that got the most press/media attention. The first Windows email infector, infecting NE (Win16) files and the Win16 kernel as well as the 'Eudora' outbox. Used very reliable infection techniques. The ".a" strain had a bug (one-letter typo :/) that was fixed in the .b strain. This bug affected the virus under Win32 OS's like NT and 9x/ME. Published in SGWW Infected Voice.

CSV (C Startup Virus) aka TSM.5536 - Written 1998. This viruses tricked AV scanners of the time by making them think infected files were Borland Turbo C executables and skipping them. The virus started with standard Turbo C code, with polymorphic routine in 'main' function. Kaspersky got his description wrong - the virus was written in ASM to like like a Turbo C compiled binary, but he wrote it was written in C using inline ASM. A polymorphic memory-resident fast infector of MS-DOS .EXE files. Most of the 5536 bytes were taken by Turbo C start/library code.

RTP (RedTeam Polymorphy) - An overly large but complex and effective (for its day) polymorph - See "SoulManager.4838". Published in iKx Xine Issue 3.

CAPZLOQ TEKNIQ 1.0 (CLT10) - A small cross-platform Win32/Linux infector written 2006. This virus would be trivial except for its cross-platform ability. I was happy with the size - 1.2k for a Win32/Linux PE/ELF infector. Published in rRlf#7.

CAPZLOQ TEKNIQ 2.0 (CLT20, Clapzok) - An advanced version of CLT10 above written 2013. i386 OSX FAT/MACHO support was added along with some other features. Published in Valhalla Issue 4.

What do you think about polymorphism? Especially, in your interview in 1999 in asterix#1-zine, you said "Traditional polymorphism (with a static virus wrapped in a highly variable decryptor) is a dying concept in my opinion. With the advent of generic decryption, polymorphism is not really much of a threat to the scanners any more." Do you still think that’s true? :)

Not as true. Of course, poly engines have to be smarter now to dodge heuristics and such. EPO technology makes a difference. Who knows if virus writers will ever run out of EPO ideas? There are more platforms and architectures - as polymorphic viruse come out for them the AV will have to update and extend their emulators. There are more known anti-emulator tricks now. Ofcourse besides emulation there are other methods such as cryptanalysis (not that useful now), statistical analysis and geometric analysis of the file.

You have been an active virus writer in the 1990s. Can you tell us about something about the spirit and the people from that time? How many active people were around these days?

I can think of about 30 virus writers at least that were around in those days. Virus writing culture was flourishing I thought the spirit of the scene was good in those days, lots of people writing viruses and talking to each other sharing ideas. Now I have changed my mind. I think they were not good times. People were judged on social status, not code. If you were a great coder, but from the wrong country or not in an 'elite' group, you were put down - even by lesser coders. There was back-stabbing as well. people ripping other coders off, for "fame".

You have been member of VLAD and member+organiser of Immortal Riot. Can you tell us something about the groups in the 1990s? How did you communicate, did you plan projects together etc?

I was only a member of VLAD for a week (:P). The rule was all members had to vote you in, but one was on holiday - when he returned he objected. I never had much respect for this persons technical abilities anyway.

Immortal Riot became "Immortal Riot/Genesis" soon after I joined - Genesis was a new, but talented VX group. Maybe Immortal Riot had the looks and Genesis had the brains.

Communication was pretty much by IRC and e-mail. There was not much planning of projects together, a little bit but not much. The majority of viruses were by a single author. There was more collaboration on the Zines than the viruses. There were some 'closed' circle for sharing of ideas.

Groups in the 1990s included: Phalcon/SKISM, NuKe, TridenT (great coders from the Netherlands), Immortal Riot, VLAD, iKx (international Knowledge exchange), SGWW (Russian/Ukrainian Stealth Group World Wide), SVL (Slovakian Virus Labs), TPVO (Taiwanese Power Virus Organisation), SLAM. There were groups that called themselves virus writers that didn't do much like ARCV. 29A started in the latter half of the 90s.

Have you ever met other virus writers in person?

I have met 'DV8', the author of Win95.MrKlunky - the first memory resident Win95 virus, and some other viruses. But only once.

Are you involved in some other computer-security projects, such as hacking?

I am not involved in hacking.

In the 90's when I could not get legitimate internet access, I used such things as 'carding', key loggers (which I wrote myself) and exploit scripts to get access. But that’s about it.

I could once dial out on certain types of payphones and ride the bus for free (problems with our public transport ticketing system). I can not do these things now.

I still sometimes crack my own warez.

Can you tell something about the "Ruxcon 2012 CTF"? I read some funny Storyline: " JPanic, rumoured to herald from the trumpets of the digital gods, who incarnated this mythical beast to dominate the digital underground. Upon this immaculate conception he ruled over the 90s VX #Scene, sprinkling his magic, 16 bits at a time. [...]" (see :D

Ok. Every year Chris (organiser of the conference), chooses a different Australian infosec person to be the centre of the CTF plot (I think it was 'andrewg' of The Feline Menace the year before - 2011). 2012 Chris suggested me and I was happy with that. Some different ideas were pitched, and I suggest me writing a super-virus and my cat 'Thomas' betraying me and trying to leak the source to Buo. That is how Buo entered the story, but the cat wasn't used. Chris is the one who wrote the story.

Just FYI - 'Buo' is my favourite malware analyst. If you want to know why Buo - "You wouldn't understand" ;).

Did you have contact with people from the anti-virus scene? If so, how was that?

I had some contact with certain AV'ers in the old days. It is a great feeling when you point out a flaw in their product and they compliment you for it. It is also a great story when they do a great analysis of one of your works.

After Insane Reality#8, you seemed to disappear (except on an internet in 1998 or 1999 for asterix#1). What was the reason? Why did you leave?

The interview for asterix#1 was in 1996 - I was still using the handle 'Sepultura'.

Things went wrong in my life around then - physical and mental illness, narcotics abuse, periods of detention, homelessness. That is why I had to drop out of the "scene", I was in no position to be coding. Anyone who would like to disrespect me for these things or hold them against me... feel free.

You released an awesome multiplatform infector (CAPZLOQ) in rRlf#7 in 2006. Did anybody recognised that you are the coder from the 1990s?

CAPZLOQ TEKNIQ 1.0 was hardly awesome. I wrote it because I thought I would not write another virus again.

I am sure people recognised I am the coder from the 1990s because the text strings said so. I suspect certain AV'ers only published analysis of it because they remembered me.

In 2013 you came back - what made you come back? Or didn’t you ever leave but just coded very very slowly? :-)

I did leave. I do code slowly now, but not that slowly.

Some things have improved in my life, so I can code; but my brain is rotting. For this reason I decided to make use of my brain while I still can. That is why I have returned. I do not know how long for.

Your CAPSLOQ v2 in 2013 (source released in this magazine Valhalla#4) got quite some attention. There have been reversed codes and description in VirusBulletin. What did you think about it? Did you expect that?

I expected some attention because a Win32/Linux/OSX infector (albeit limited) opens the door for more cross-platform malware. I did not expect that much attention, especially from the OSX corners of the world - there was already Roy G Biv's 'macho man'.

CAPSLOQ is able to infect binaries on/for windows, linux and MacOS. It uses a very special and unique design. Can you explain the idea briefly. What is the difference to other multi-platform infectors?

There is an article in Valhalla 4 describing the technique. Personally I do not see the big deal about it.. It is something coders have been doing for a long time. Basically all calls to the operating system (whether Win32, Linux or OSX) have a standard interface, as do the routines to infect the different file formats. This eliminated repetition of code for different OS's and binary formats, making things smaller.

I guess the difference from most (but not all) cross-patform infectors is the lack of repeated code. It is not a virus for operating system 'A' and the same virus for operating system 'B' re-written and bundled together.

Did you still have contact to VXers over all the years? Did you follow VX-news?

I am not in contact with the old virus writers, but a couple of AV'ers. I have not really kept up with the virus/malware related news much. I try to be in contact with the current breed of virus writers.

What are your favorite viruses of all the time and why?

I am a 16-bit man living in a 64-bit world, but I will try and list more modern viruses first:

SQL.Slammer, IIS.CodeRed, Conficker family: These spread far and wide. In my opinion remote code execution vulnerabilities are the way to mass-propogate these days (if you can get your hands on one).

MetaPHOR family by Mental Driller - Excellent metamorphy, clean efficient code. Strain '.1d' added linux support too.

EfishNC family and ACDC by Roy G Biv: EfishNC really was efficient as the name said, fitting a huge amount of functionality in to a small amount of code. As for ACDC.. I am not into script viruses, but I think a cross-platform VBScript and JScript virus is a great idea in this day and age.

Mistfall/ZCME/RPME/SETG/KME engines by Z0mbie. Great engines.

I think Win32.Crypto and Happy99 were great.

As for older viruses..

I love Neurobashers work. He was ahead of his times, and seem to be the only person who really reverse engineered all the AV products of the time to find ways to bypass them. Tremor (1992) was the first virus to be both polymorphic and full-stealth (plus a bunch of new tricks), and all his viruses were common in the wild. His viruses were: Tremor, Alphastrike, Neuroquilla (Havoc) and the Nightfall (n8fall) family.

Dark Avenger: The 'Eddie' family laid down the ground work for the classic DOS virus. Most MS-DOS viruses used engineering introduced in this family. MtE and Commander Bomber had very complex yet optimised code. Phoenix family was interesting for a lot of reasons. Their encryption engines generated 204 decryptors from a tiny engine.

DIR-II: A new paradigm in viruses: modifying the directory entry, not the file. Very stealthy, spreading amazingly quickly.

Dark Slayer: DSME and DSCE engines - DSCE introduced some new idea. I really like the 'DS' (Dark Slayer) family, DOS16/Win16 full-stealth MBR/Boot Sector/MZ/NE (Win16)/EXE (MZ) in 3.5k.

Q the Misanthropist was good, especially 'Goldbug'.

Zhengxi, Nutcracker family, SSR, MAD were great. I wish Zhengxi didn't use 'single stepping' (INT 01h) to find the DOS kernel - it is its weak spot.

'Natas' by Priest was good.

What do you think are the most influential techniques that have ever been developed for self-replicators?

Polymorphy and polymorphic engines. Stealth in the MS-DOS days. Residency as opposed to direct action. More and more attempts at EPO methods. Internet worms: first email worms, than others such as SQL.Slammer and IIS.CodeRed. Macro viruses that made the move away from just binary infectors, so we have script viruses and such now. Metamorphy is considered a big thing - but not many viruses have done it, in the scheme of things.

What do you think about code optimisation? Do/did you use it alot in your codes?

I think code optimisation is a good thing and a good skill to have - but not the most important feature of a virus. I consider features and reliability (no bugs) more important.

I think the best optimisation comes when you can write optimal code as you go along, not writing code than optimising when you are done.

I got good at writing optimised code, but have been out of the game. I find x64 code especially hard to optimise, because I am not used to it.

What do you think about machinal learning in self-replicators? How could that work - any wild guess? What would be worth to learn for a self-replicator?

I do not know about these things. All I can think is that for a replicator to "learn" about a new OS, it has to be able to run under that OS first anyway. Catch 22. If you want to analyse glibc you have to be able to open glibc in the first place, etc.

How would you imagine the most fantastic digital self-replicator? Be creative! (Bonus question: What is missing to get that done? Would it be possible some day?)

I would like to see a self-replicator become pandemic using remote exploits for multiple OS's.

Maybe a metamorphic virus that spreads quickly but can infect many different file formats and rebuild itself not just for many OS's but many architectures (x86,x64,ARM,IA-64 etc). Able to work with any combination of executable format, OS and architecture. More infection methods and EPO methods than you can pull out of a hat, maybe code integrating ZMist style. Able to infect every platform under the sun. Active over the local network on all platforms and maybe the internet via email attachments, network shares, etc. Back-dooring the infected machine. MBR or BIOS infecting, loading before AV programs to disable them.

What were the most surprising self-replicators that you have ever seen? Which techniques made you think "crazy shit this is"? :)

MtE amazed me at the time. The code of Bomber did too. One-half by Vyvojar and "Tremor" and "Neuroquilla" by Neurobasher. Tequilla and Gingerbread Man. Ply. Dark Paranoid, Stainless Steel Rat (SSR). Happy 99 and the word macro "Concept". MetaPHOR, ZMist (Mistfall engine), Lexotan, Z0mbies plugin project virus. Definately Hybris. Win95.SK, Inca. EfishNC amazed me for its feature to size "ratio". CyberGOD's "Tracer" engine. Definitely IIS.CodeRed.

Do you know the work of academic researchers such as Eric Filiol and Mark Stamp, and what do you think about that?

I do not know anything of their work. My interest is 95% in 'real world' viruses.

What are future projects that you want to work on?

More complex Linux and OSX viruses than we have seen so far. More x64 infectors. Worms using remote code execution vulnerabilities. Escalation of Privilege exploits (I find it hard to get my hands on these last 2). Kernel mode viruses. More and better multi-platform viruses.

Now let's be creative and and think about the future: How would self-replicators look like in 5 years from now? What about 15 years? And what’s your long-term prognosis for the self-replicators in 50years?

5-years: More viruses and worms using remote execution exploits to spread rapidly around the net, and escalation of privileges to have more access to resources.

Hardware infectors - we already have 'BIOS kits', now we have BIOS kits that can survive a BIOS update and people working on hard drive firmware infection that can survive an Operating System re-install. See, and

More multi-platform and multi-architecture malware. Multi-platform libraries to facilitate development of multi-platform malware.

More and more file formats infected, more script viruses.

Viruses running in kernel mode on different OS's. Rootkit like technology that used to be called 'stealth in VX terms' - hiding the viruses presence.

Viruses/Worms for portable devices such as Android, iOS and Windows.

Viruses/Worms facilitating data theft, cyber-espionage and so on.

More clever use of crypto.

15-years, 50-years: I have no idea. God knows what computing will look like than.

Imagine a good ghost offered you three wishes - what would it be? :-)

WISH NUMBER ONE: I would like to be a more friendly, helpful, Godly person reducing peoples suffering.

WISH NUMBER TWO: I would like to be of good health.

WISH NUMBER THREE: I would like the following people destroyed:

  1. Nations who's media makes the people hate every person and every society different from theirs. Creating massive social-cleavage, poverty, crime and drug problems to control their people. Carrying on about how bad other governments are while their own government takes what their own government wants. Nations with the most wealth and power, with the least educated people and the least accountability for their actions. This means you 'America' - a nation that usurped the name of an entire continent.
  2. People who traffic people for slavery, sexual exploitation, war and child soldiers.
  3. Drug Dealers - They sell the seeds of misery.
  4. Everyone from judges and doctors to paedophiles and criminals and abusive care takers who prey on the most vulnerable, least able people.
  5. The false 'Church' saying they are men of God, but are really small, pathetic evil people. They turn people away from the light by lying about God.
  6. Anyone who wants to blow themselves up with other people in the name of God - This is not what God wants: you will not get your 7, 70, 77 or 777 virgins.

Maybe I should forget this last wish and just wish for a happy world without suffering.

OF COURSE - I would not make any wishes at all.. They always come with a catch. Try prayer instead.

Thanks alot for the interview - feel free to use the rest of the file for whatever you like!

I would like to send warm regards to the following people (alphabetical order):

The Australian infosec "scene" - Going on, feeling strong.

Virus Writers I have had recent contact with: Herm1t, hh86, SPTH.

Life Long AV'ers: Vesselin Bontchev, Igor Daniloff, Paul Ducklin, Peter Ferrie, Mikko 'Hermanni' Hypponen, Eugene Kaspersky, Stefan Kurtzhals, Fridrik Skulason, Peter Szor. You are more than worthy adversaries - you are my superiors.

Ilfak Guilfanov - Creator of Interactive Disassembler (IDA) Pro.

Groups I have been a member of: IR/G, NOP, Team MiSSiON.

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka