# Source code of computer viruses

## YeLeT 0.9 - Virus for MS-DOS by Spooky

*Virus for MS-DOS*

**Spooky**

Show all viruses by this author

Comments Download yelet.zip (9462 bytes) or

browse online This is YeLeT version 0.9, it is not the final version, i wanted to
add some more stuff but didn't get it done until we released CB #4.
Also this is NOT for educational purposes :) because its HIGHLY
unoptimized (... well, but it werx!)
I know that this virus is getting detected by AVP as 'Suspicion
Type_ComExeTsr' (don't know about other scanners) but i don't care about
that yet as its just a beta version, a final version (with many
improvments) will sometimes be available from the CB webpage.

Anyway, YeLeT stays resident and hooks Int 21h (func: 4Bh) and infects
MZ/ZM EXE and COM files both in plain DOS and after loading Winblows.
It uses 2 encryption layers, the second one uses just simple XOR (with
some bruteforce cracking so the key doesn't have to be stored in the
code) and the first layer uses my own Unoptimized-Viral-RC4 routine
(this routine doesn't use any bruteforce cracking routines as it would
make the user a bit suspicious if files would take billions of years to
load ;-)). Also it uses simple DTA-size stealth, direct infection of
win.com, and it avoids infection of some AV programs and archivers.

... and before the interesting stuff beginns, here is a description of
RC4 (from 'Applied Cryptography'):

- The algorithm works in OFB: The keystream is independent of the
plaintext. It has a 8 * 8 S-box: S[0], S[1], ... S[255]. The entries
are a permutation of the numbers 0 through 255, and the permutation is
a function of the variable-length key. It has two counters, i and j,
initialized at zero.

i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap S[i] and S[j]
t = (S[i] + S[j]) mod 256
K = S[t]

The byte K is XORed with the plaintext to produce ciphertext or XORed
with the ciphertext to produce plaintext.

Initializing the S-box is also easy. First fill it linearly:
S[0] = 0, S[1] = 1,... , S[255] = 255
Then fill another 256-byte array with the key, repeating the key as
often as necessary to fill the entire array: K[0], K[1],... K[255]. Set
the index j to zero, then:
for i = 0 to 255:
j = (j + S[i] + K[i]) mod 256
swap S[i] and S[j]