Senseless creation of programs which are of no use for anyone - Anyone? Except for viruses which should infect these files (called baits or goats).
The generated sample files are suitable for all viruses floating around,
if you are an expert you'll know that there are:
VBS, JS, HTML viruses -> /VBS, /HTML
Batch file viruses -> /Bat
*.COM infectors -> /COM
Header viruses (Pure) -> will infect standard EXE files /EXE
Zerohunter -> use /Filler=0 to generate suitable files
COM viruses expecting
a JUMP or a CALL
statement -> /JMP or /CALL
Same, but NO JUMP or
CALL -> /Trash
Length Retro viruses -> use /Dec=13 or /Dec=17
Anti bait viruses -> /HEX, /ROM and /ASC
Tremor/N8fall, Junkie -> /start=60000 /end=12000
N8Fall/Neuroquila -> touch rose*.* /T:1.2.1988 or "Updater" /Vir
Anti Zerohunting -> /RANDOM
Checking ZM/MZ bug -> /ZM
Infection bug in IVP -> for this reason ROSEGOAT generates only files
with a filename length 7.3 in the "standard way"
Anti bait viruses -> option /trash
etc...
To get quickly infected samples ROSEGOAT generates a batch file called
TESTIT.BAT which executes all sample files...
With version 2.10 there's a Win32 port of ROSEGOAT available. This Win32 console version has the benefit of a better CPU detection library as well as it can create larger bait files (61000 -> 65000 bytes for COMs and 61000 -> 500 kb for EXE files).
If you got the file ROSEGOAT.EXE - it is selfchecking (infection/hacking). TBScan and F-Prot limited heuristic approach may flag a false positive - but who cares about that? ROSEGOAT/32.EXE is an UPX packed Win32 console application - no virus scanner should trigger a false positive!
This product is released as FREEWARE - if you want to support me you can
do the following:
- send me suggestions and improvements for ROSEGOAT
- send me new viruses VirScan Plus (VSP) can not detect
- write a documentation for ROSEGOAT (ask first if you are the
first one)
- register my virus scanner VirScan Plus
- send me postcards, infected samples, letter bombs, money
or flames....
Options are NOT case sensitive. You can use the slash "/" or the hyphen "-" to start an option. Options can be set using the environment variable ROSEGOAT (set ROSEGOAT=...). To unset an option set by setting ROSEGOAT=... you can use the a "-" at the end of the option (for example: set ROSEGOAT=/JMP -> ROSEGOAT /JMP-).
Usage: ROSEGOAT [Basename] [(-|/)option(s)[(:|=)Value]]
ROSEGOAT [SingleGoatFileSize] [-|/option(s)]
Set ROSEGOAT=[/Options]
Basename Base for the filenames. Default ROSE. See below comments
about max. length of filenames.
Size Generates only one single goat file with that size
/? /H Show this short help.
/ASC Use ASCII chars for goat file numbering.
/BAT Creates batch goat files.
/CALL Write a call at the beginning of the code (COM and EXE).
/COM Generate only COM files. Default: /COM and /EXE
/EXE Generate only EXE files.
/FILLER=x Fill the file with the pattern `x`. Default: $90 = NOP
/HEX Use hexadecimal goat file numbering.
/HTML Creates HTML goat files
/INFO Add CPU type, CPU speed and FPU type into the goat file
/JMP Write a jump at the beginning of the code (COM and EXE).
/RANDOM Fill the file with random patterns.
/ROM Use Roman style goat file numbering.
/NOBAT Do not generate TESTIT.BAT file. This switch is set when
using the "single goat file creation" option
/NODATE Don't add the goat file creation time into the goat files.
/TRASH Write random trash instructions at the beginning of the code.
For this purpose ROSEGOAT has a simple mutating engine
included. Only the first 5 bytes are altered with each
goat file. Overwrites the options /JMP & /CALL.
/VBS Creates VBS (Visual Basic Script) goat files.
/WAVE Fills the goats with a mod 256 pattern.
/ZM Use ZM instead of MZ in EXE headers.
/START=x Start with filesize `x`. Default: 10000, Max=61000/500000
61000 - DOS 16 bit version (rosegoat.exe)
500000 - Win 32 bit version (rosegoat32.exe)
If /Start= is greater than 61000 ROSEGOAT32 disables the
creation of COM files (program to big to fit into memory)
/END=x Stop goat file creation if filesize is less than `x`.
Default=1000 bytes. Smallest possible size COM=160, EXE=672
/DEC=x Decrement the filesize by `x` bytes. Default=350, Min=1
Numeric values are accepted in decimal and hex notation. For hex values
use the Dollar sign, e.g. /Filler=$90 or -start:$ed00
Hit a key to stop the goat file generation at any time! If there's not enough free disk space left, ROSEGOAT will stop to create further goat files.
Some viruses like CriCri won't infect
files including the character 'V' or
digits. For this reason you can use the options /ROM, /HEX and
/ASC. You
can not mix these options!
/ROM - numbers the goat files in Roman counting style (I can't
translate
it correctly). E.g. I, II, III, IV, V, VI etc. Because the
created numbers
quickly grow, the basename is truncated to 2 characters.
/HEX - hexadecimal numbering. Use this for generating up to 65000
sample
files! Counting is done from 0000 to FFFFh. 4 characters base
name.
/ASC - Numbering using ASCII letters starting at 'B' up to 'U'.
You can
use the full basename of 7 characters. E.g. ROSEGOAT mygoats /ASC
will
generate mygoatt.com, mygoatu.exe, mygoasb.com etc.
If ROSEGOAT finds the file ROSEGOAT.MSG in the PATH=..., current directory or in the directory where ROSEGOAT resides, the contents of this file is added to each generated goat file. Edit or delete this file to your needs.
Refer to the file ROSEBBS.TXT for PGP key, address, email etc. If not included delete the whole package and request the original one. The newest version of ROSEGOAT you should find on our home page: http://come.to/rose_swe
2.15 09-Jan-2002 CS:IP of EXE files changed to CS:101h to fool antivirus scanner like AVP claiming that this is a COM2EXE file. Recompiled with updated CPU detection unit.
2.14 Dec. 2002 Changed the icon for RoseGoat, provided by SnakeMan. Added also his SnakeGoat
2.13 09-June-2001 Recomplied with better and enhanced CPU and other units. Added rosegoat.pif. Changed some of the text files.
2.12 29-March-2001 Recompiled with better and enhanced CPU and CommandLine units. Added a Icon to the executable :-))
2.11 17-Feb-2001 Released as a dual bound executable. RoseGoat.DOC converted to HTML format.
2.10 06-Jan-2001
Win32 port. Can now create DOS EXE files up to 500 KB. Small internal check added.
2.02 30-July-2000
Added a better CPU detection for the /INFO switch.
2.01 18-July-2000
Added option /WAVE. Now /WAVE, /RANDOM etc. also works for Batch,
HTML and VBS goats. Added a PE goat to the package.
VBS baits now print their size and creation date.
2.00 03-July-2000
Removed CPU/FPU detection (TMi0SDGL) and replaced it by an older
version, that do not crash some hosts. Added VBS, Batch and HTML
goat file creation. Changed from ROSEGOAT.COM to ROSEGOAT.EXE.
Added ROSEGOAT.PIF, updated SelfChk and RHRG.
1.42 15-Nov-98 (AVML)
Small bugfixes and enhancements. Enhanced utilities added.
1.41 08-Aug-98 (AVML)
Some bugfixes and small features, like better (and random) stack
creation. Added the Mini-Goat generator and the self checking
files to the package.
1.40 17-May-1998 (VNet), 20-May-1998 (SAC)
Added the handling of ROSEGOAT.MSG file.
Added better CPU detection for the /INFO switch
/JMP, /CALL and /TRASH can now be mixed
Added option /NOBAT.
Added enhanced error handling unit.
Option /TRASH now generates 5 random instructions (was: 3)
1.30 28-April-1998
Added the option /Info and /Nodate
Changed /START, /END and /DEC default settings, see ROSEGOAT /?
/* end */