Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 016 ---------------------------------------------------- Byte-to-Byte-match dissassembly of SVP (AV) by Aeon ---------------------------------------------------- How this program works: This will go resident ('the-virus-way'), hooking interrupt 16h (keyb i/o) and int21h (dos). Programs that are infected with one of the below listened viruses, will in the execution proccess be aborted.. Furthermore, *any* program that tries to unload vsafe via int16h will not be able to do so when this is resident... -------------------------------------------------------------------------------- ‘ SVP wathes out for this swedish viruses: ‘ Virus-name: Virus-Writer: Breif Description: Scitzo Red A Polymorphic resident com/exe infector Tai-Pan Whisper Resident non-encrypted exe-infector Desperado Dr.White Full polymorphic resident com/exe infector + all viruses that tries to unload vsafe via int16h, the author named for example these swedish 'in the wild' viruses. Junkie Dr.White Encrypted Multipartite HD/Floppy+COM infector Red Mercury The Unforgiven Run-time encrypted com-infector Bad Attitude The Unforgiven Rum-time encrypted com-infector -------------------------------------------------------------------------------- .model tiny .code org 100h ; -- Dissassembly of SVP by The Unforgiven & Raver of Immortal Riot, ; for Insane Reality issue #6. svp proc far start: push cs pop ds print: mov ah,9 ; print creators note mov dx,offset firstmsg ; int 21h ; ; resize_mcb: mov ah,4Ah ; resize mcb to mov bx,0FFFFh ; 65536 bytes int 21h ; ; resize_mcb_for_svp: ; sub bx,0Eh ; substract 0eh*16= 224 bytes mov ah,4Ah ; and resize it from the int 21h ; segment earlier resized ; ; allocate_mcb_for_svp: mov ah,48h ; allocate enough program mov bx,6 ; space int 21h ; jc not_enough_mem ; out of memory dec ax ; ax-1 = mcb mov es,ax ; mov word ptr es:[1],8 ; dos = mcb owner inc ax push ax hook_interrupts: mov ax,3516h ; get original interrupt int 21h ; vector for int16h from ; bx:es mov word ptr ds:[oldint16h],bx mov word ptr ds:[oldint16h+2],es mov ax,3521h ; and also for int21h int 21h begin_residency: mov word ptr ds:[oldint21h],bx mov word ptr ds:[oldint21h+2],es pop es ; es = allocated segment mov si,offset newint16h xor di,di mov cx,(endofprogram-begin_residency)/2 rep movsb ; move program to memory push es pop ds set_newint16h: mov dx,0000h ; redirect int16h to newint16h mov ax,2516h ; at offset 0 in new segment int 21h set_newint21h: mov dx,0013h ; redirect int21h to newint21h mov ax,2521h ; at offset 13h in new segment int 21h push cs pop ds not_enough_mem: jmp_exit: jmp exit firstmsg db 'SVP v1.1 - ' ; System Virus Protection? db '(c) Markus Aronsson 1994',13,10,36 ; nick: Aeon newint16h: ; start of resident code cmp ax,0fa01h ; compare the vsafe unload jne do_oldint16h ; values in ax/dx, i.e. cmp dx,5945h ; ax=0fa01h dx=5945h jne do_oldint16h ; not equal! jmp unload_vsafe ; program disabeling vsafe! do_oldint16h: db 0EAh ; jmp to origal vector oldint16h dw 0000h dw 0000h newint21h: cmp ax,7bceh ; These values belongs je infected_prg_executed ; to: tai-pan, desperado cmp ax,4bffh ; and scitzo. i.e. it's je infected_prg_executed ; their's 'are-you-here' cmp ax,0abcdh ; check-values... je infected_prg_executed do_oldint21h db 0EAh ; Jump to original int21h oldint21h: dw 0000h dw 0000h infected_prg_executed: unload_vsafe: push cs ; print message if a pop ds ; infected program is mov ah,9 ; run, or, any program mov dx,35h ; tries to unload vsafe int 21h ; with int16h exit: mov ax,4C00h ; terminate process int 21h report db 'SVP -> File is infected!', 0Dh, 0Ah db '$' endofprogram: svp endp end start -------------------------------------------------------------------------------- N svp.com E 100 0E 1F B4 09 BA 68 01 CD 21 B4 4A BB FF FF CD 21 E 110 83 EB 0E B4 4A CD 21 B4 48 BB 06 00 CD 21 72 45 E 120 48 8E C0 26 C7 06 01 00 08 00 40 50 B8 16 35 CD E 130 21 89 1E 9D 01 8C 06 9F 01 B8 21 35 CD 21 89 1E E 140 B1 01 8C 06 B3 01 07 BE 8E 01 33 FF B9 50 00 F3 E 150 A4 06 1F BA 00 00 B8 16 25 CD 21 BA 13 00 B8 21 E 160 25 CD 21 0E 1F EB 57 90 53 56 50 20 76 31 2E 31 E 170 20 2D 20 28 63 29 20 4D 61 72 6B 75 73 20 41 72 E 180 6F 6E 73 73 6F 6E 20 31 39 39 34 0D 0A 24 3D 01 E 190 FA 75 09 81 FA 45 59 75 03 EB 1A 90 EA 00 00 00 E 1a0 00 3D CE 7B 74 0F 3D FF 4B 74 0A 3D CD AB 74 05 E 1b0 EA 00 00 00 00 0E 1F B4 09 BA 35 00 CD 21 B8 00 E 1c0 4C CD 21 53 56 50 20 2D 3E 20 46 69 6C 65 20 69 E 1d0 73 20 69 6E 66 65 63 74 65 64 21 0D 0A 24 RCX de W Q