home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
live_viruses
/
virus_collections
/
leprosy.doc
< prev
next >
Wrap
Text File
|
1990-06-23
|
10KB
|
238 lines
L E P R O S Y 1 . 0 0
A Virus for MS-DOS Systems.
Copy-ya-right (c) June 29, 1990 by PCM2
GENERAL SUMMARY
~~~~~~~~~~~~~~~
LEPROSY is a virus which can influence PC and PC clone
systems running MS-DOS or PC-DOS version 2.0 or later. It may
be characterized as an overwriting, non-resident .COM and .EXE
infecting virus, similar in operation to the AIDS Virus by
Doctor Dissector and CPI; in fact, the AIDS Virus was actually
the inspiration for this program, though Leprosy is in no way a
re-write or mod of the AIDS Virus, it is an entirely new
program.
The way both Leprosy and the AIDS Virus (and Number One,
the ancestor of AIDS) work is fairly simple. Upon executing the
virus program, the virus runs a search for executable files
which it can affect. It does this by doing a general scan for
all files with a .COM or .EXE extension, then, having found such
a file, it loads in part of that file's code to compare it with
the virus' own code, to make sure the file found hasn't already
been infected. If it hasn't, the virus proceeds to write itself
OVER the code of the executable file found. The executable file
now ceases to perform its original function. When the
unsuspecing user runs the file, he will instead be running
another copy of the virus, which will seek out another
executable file to infect, and so on. The executable files
which are infected by the virus in this manner are permanently
destroyed. While this is a primitive way to spread a virus, it
is actually pretty effective, if you consider that by the time
the user discovers a file which has been infected by the virus,
it has already gone and zapped one or more other files, and by
the time the user finds those files, they will have infected a
few more, and on until the user figures out some way to detect
and eradicate all the infected files.
While Leprosy is similar in operation to the AIDS Virus, it
presents several important advantages over AIDS:
1. CARRIERS: The AIDS Virus will only infect .COM files.
Leprosy is not limited in this way; it will infect both .COM
files and the more common .EXE files, going for .EXE files first.
2. FILE SIZE: The AIDS Virus is written in Pascal, and is about
13K in size. Considering that any file that is infected which
was originally smaller than the virus itself will expand to the
- 1 -
size of the virus when it is infected, and that many .COM files
will be smaller than 13K, quite often a file will show a
noticeable change in size when infected by the AIDS Virus.
Leprosy is only a mere 666 bytes in size; therefore, changes in
file size will be much less frequent, and the disk access time
it takes to infect a new file will be considerably shorter than
when using the AIDS Virus.
3. DUMBSHIT FACTOR: When the AIDS Virus infects a file or fails
to find any non-infected files, it just sits there or hangs up
the system. Leprosy takes a more subtle approach, however.
When Leprosy has infected some files successfully, it prints out
the message "Program too big to fit in memory". This way,
dumbshits might think there is something screwy with their RAMs
or TSRs, and may end up running the same virus-infected file one
or more times before they get a clue.
4. CONCEALMENT: To find out if a file has been infected by the
AIDS Virus, all you need to do is run a hex editor on the file
and look for the full screen reading "AIDS" in the code. Once
again, Leprosy makes it more difficult on the dumbshit user.
All the strings Leprosy outputs to the screen are encrypted in a
simple way, enough to make it impossible to quickly spot
suspicious phrases when running a hex editor on an infected
file. What is more, Leprosy will not change the time/date stamp
on the file when it infects it, unlike AIDS.
5. COMMUNICABILITY: When the AIDS Virus fails to locate any
non-infected .COM file in the current directory, it can no
longer spread itself. The only way an AIDS Virus can spread
from one directory to another is to somehow make it into one of
the directories in the current PATH, and be called by the user
from a different directory. Leprosy gives itself one more
shot. When it fails to find any more non-infected files in the
current directory, it will step back into the parent directory,
and try to find some files again there. While when the virus
exits the current directory will have changed when Leprosy does
this, hopefully the dumbshit won't catch on. The payback is
that Leprosy might eventually creep up to the root directory and
infect COMMAND.COM, and then the user will be fucked over.
6. RATE OF TRANSMISSION: The AIDS Virus will only infect one
file at a time. Leprosy will infect up to four files each time
it is run.
SETTING UP LEPROSY ON A SYSTEM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To install Leprosy onto an un-infected system, all you need
do is run the provided file, LEPROSY.COM, somewhere on that
system, preferably somewhere where it will have access to a lot
of commonly used executables. Alternately, you could infect
some program with an impressive-looking file length and
- 2 -
documentation and send it to someone as a Trojan Horse type
program. Just make sure it gets run.
COMPILING LEPROSY
~~~~~~~~~~~~~~~~~
To assemble the Leprosy .COM file, you will need Turbo C
2.0 and Turbo Assembler. MASM might work, just as long as the
executable file turns out the appropriate length. If the .COM
file doesn't come out to exactly 666 bytes long, then it might
not work properly. C compilers other than Turbo C will probably
not work, since the program makes extensive use of inline
assembler, but versions other than 2.0 will probably be okay.
Just remember -- watch the file length.
The easiest way to re-create Leprosy is to just run MAKE,
and the provided makefile will handle the rest. If you are
compiling it by hand, you should use this makefile as your
guidelines. An important note is that you should not link the
program with the standard Turbo C startup code for the Tiny
memory model; instead, always link it with the provided
alternate startup code. This file, C0T.ASM, is a startup
sequence which gets rid of code to gather command line arguments
and the like, allowing for programs which are essentially as
small as their assembly language counterparts. Just remember,
keep an eye on the executable file size.
WAYS TO SPOT THE VIRUS
~~~~~~~~~~~~~~~~~~~~~~
There are several ways to notice the Leprosy virus on your
system. If small .COM files are increasing in length to 666
bytes, that's your first hint. 666 bytes isn't a very likely
file length, but it's funny, so I'm keeping it that way. Also,
if the current directory changes when you run a program, or you
notice strange "Program too big to fit in memory" errors, that
should tip you off too. Leprosy can also be detected by CRC
checking programs, because it directly modifies the contents of
the files it infects. What is more, Leprosy causes a
distinctive drive noise, sort of a "blickablickablickablicka" on
my hard drive, because it is opening, reading from, writing to,
and closing a number of files very quickly.
ACKNOWLEDGEMENTS
~~~~~~~~~~~~~~~~
I'd like to thank some of the pirate boards in the (415)
area code -- they know who they are.
What is more, I'd like to say that I used the December 26,
1989 issue of PC Magazine, and the book "The NEW Peter Norton
Programmer's Guide to the IBM PC and PS/2" in the process of
- 3 -
writing the Leprosy program. I just thought I'd mention that,
since it kind of makes me laugh to wonder what Peter Norton and
PC Magazine would think if they knew they were partly
responsible for the creation of a virus. HAHA!
Yours truly,
PCM2
P.S. BTW, if Leprosy fails to find any .EXE or .COM files that
aren't infected, but it locates more than 6 executable
files that are already infected with Leprosy, it displays a
message indicating that the system has been infected with
Leprosy, and wishes the user luck. If it can't find any
new files to infect, and only finds 6 or less infected
files during its entire run, it just prints out the fake
"Program too big to fit in memory" message again.
- 4 -