Ontario III - Written by Death Angel

By the way - SBC virus should be known as the Ontario-II virus...

This is my third attempt at a virus, and has several new and improved
features over previous versions. This version has a much improved encryption
mechanism (only two constant bytes). The random header generator seems to
work satisfactorily and I have designated considerable code toward it (although
I wouldn't mind getting a copy of that mutating engine, it's probably a lot
better).

It also uses another technique in an effort to get the original
Int 13 location in order to avoid any hard disk write protection software
programs.

The virus takes exactly 5K of memory, and is located at the top of memory
using the usual methods. From its first initiation it is resident in memory
at all times and monitors Int 21 (Of course).

When the virus is first run, it will place itself in high memory and
then infect your COMMAND.COM. In case you have your COMMAND.COM on a drive
other than C:\ it will use the COMSPEC variable in the environment to find
the exact location of the COMMAND.COM that is being used. When COMMAND.COM
is infected it will overwrite the stack portion so the absolute file size
is not changed.

The virus itself is 2048 bytes and appends exactly 2048 bytes onto all
infected files. It will infect COM, EXE, OVL, and SYS files. File sizes
are not changed on infected files when you do a DIR (and no chkdsk errors!).
Files are infected when they are either executed or opened for any reason.
SYS files are only infected when they are opened.

There are two main sources used by the virus to avoid detection of the
virus in memory. First, the recognition code used by the virus - whether
it is in memory or not - can only be successfully called by the virus itself.
Next, whenever anyone debugs an infected file, the virus will detect this
and remove the virus from the infected file (in memory) before passing
control back to DEBUG. The file will still be infected and the person
debugging won't notice the entry point has been altered.

The virus intercepts INT 24 and INT 13 on all infections to avoid the
most common method of detecting file viruses: "Write protect error". It will
also turn off the READ-ONLY attributes on files it wants to infect. It will
not infect system files such as IBMBIO.SYS and IO.SYS as they would cause
the system to instantly crash upon boot-up. The file date is not altered
on infected files. The file length of files is increased by exactly 2,048
bytes on all infections (not multiples of 16, etc).

That's basically all there is to the virus. The virus also contains a
boot sector within its code (although it is infectious - it's never placed on
the boot sector - kinda like the 4096). The virus does not do any dangerous
damage but can become a pest by taking up disk space.

Also, I included a small trojan program that will write over every
sector on your hard disk with trash... I don't suggest you run it on your
system! The trojan is disguised as a FLI to MOD converter.

PLEASE DO NOT MODIFY THIS FILE.

THE POWER HOUSE BBS
[416] 692-4993