Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 017 ------------------------------------------------------------ Byte-to-byte-match dissassembly of PR (AV) by Anders Gavare ------------------------------------------------------------ How this program works: This will go resident ('the-int27h-way'), hooking interrupt 16h (keyb i/o) and int21h (dos). Programs that are infected with one of the below listened viruses, will in the execution proccess be aborted.. Furthermore, *any* program that tries to unload vsafe via int16h will not be able to do so when this is resident... -------------------------------------------------------------------------------- ‘ PR wathes out for this viruses: ‘ Girafe, Creeper (Creeping Tormentor), Grune, Hitchcock, 1701 (Cascace, Falling Letters, BlackJack), X-Fungus, Taipan (Whisper), Nina, FileHider, Yankee Doodle (The TP-family), Cybercide, Junkie, and some others... for example, the one's which unloads VSAFE (as instance: Bad Attitude, and most of the other IR-viruses)... -------------------------------------------------------------------------------- Bad-Purposes: This is a dissassembly of a small anti-virus program, written by Anders Gavare 'the AV-wanna-be', that is.. even though it's a lame piece of code, it can be helpful for virus development, i.e. if you are writing a memory resident infector, just alter the virus-database, compile it, and load it first from autoexec.. Limitation: If you are writing a bsv, a sys-infector, or a virus that are capable to tunnel through this program, nevermind.. this program is not for you... Comments: The whole idea behind this program was stolen from Aeon, but Anders wanna prove hiself as the worst AV-wanna-be out there, making detection for viruses that never has been, arent, and never will be (unless he spread them himself, which one ofcos not knows..) out in the wild. .model tiny .code org 100h ; -- Dissassembly done by The Unforgiven & Raver of Immortal Riot, ; for Insane Reality issue #6. start: db 0e9h,67h,0h ; jmp make_res int_21h_entry: push ax push bx push si push ds push cs push ax pop bx pop ds mov si,offset chk_virus ; adress to viruses' 'are-you ; -there' values load_database_to_memory: ; copy 'virus-database' from si into ax (two bytes each time..), util ; we get the value zero (0) in ax (end-marker for database..) lodsw ; string [si] to ax cmp ax,0 ; all bytes loaded? je end_21h ; yeh! db 39h, 0c3h ; = cmp bx,ax jne load_database_to_memory ; nope, load more! mov ah,9 mov dx,offset vir_exec ; print string "PR: virus found" int 21h ; and... ; exit_proc: mov ax,4C00h ; int 21h ; exit! end_21h: pop ds pop si pop bx pop ax do_oldint21h db 0EAh oldint21h: db 00h, 00h, 00h, 00h ; jump to orignal int21h chk_VSAFE: cmp ax,0FA01h ; ax=0fa01h jne do_oldint16h ; nope! cmp dx,5945h ; ax=5945h? je exit_proc ; -> terminate program! do_oldint16h: db 0EAh ; oldint16h: db 00h, 00h, 00h, 00h ; else jmp original vector int_16h_entry: jmp short chk_vsafe vir_exec db 'PR: Virus found', 7, '$' ; 'beep-print!' ; ------------------------------------------------------------------------------ ; This chk_virus is a database of 'are-we-here' signatures that specific ; viruses uses - for example: ; cybercide (installtion-check..) ; mov ax,0dd22h ;are we already in memory? ; int 21h ; therefor: this virus checks for "0ddh,22h" (reverse order of 0dd22h) ; this collection includes: (from the authors documentation..) ; ' Girafe, Creeper (Creeping Tormentor), Grune, Hitchcock, 1701 ; (Cascace, Falling Letters, BlackJack), X-Fungus, Taipan (Whisper), ; Nina, FileHider, Yankee Doodle (TP-familjen), Cybercide (ett kasst ; "Immortal Riot"-virus), Junkie, och vissa andra... t ex de som ; unloadar VSAFE (exempel: Bad Attitude, och de flesta andra ; IR-virusen)...' ; My comments/complaints! ; ----------------------- ; 1) He says that Cybercide is an Immortal Riot virus, and that it ; sucks bigtime. Hrm? Yeh rite? first it's a virus written by ; A.N.O.I and (ii) a full stealth dir-infector doesnt sucks! ; Anders being mainly a pascal programmer, are probably just ; a bit jelouss... ; ; 2) By hooking int16h and checking a few values in dx/ax (the vsafe unload ; values..), he think one cannot unload it? Dead wrong. The same routine ; can be made with the same values, but with int21h! (dont tell him that!) ; ; 3) He claim to detects most of IRs viruses by hooking int16h. Dead ; wrong again. Just _some_ ir5 viruses knocked down vsafe with int16h, ; and they were all detected by f-prot before this program was released. chk_virus: db 0DAh db 33h,0FFh, 43h,0CCh, 4Bh,0FEh db 4Bh,0FFh, 4Bh, 32h, 54h,0CEh db 7Bh, 53h, 97h,0D5h,0A1h,0CDh db 0ABh, 03h,0C6h,22h,0DDh,00h ;^^^^^^^^ cybercide! make_res: db 0 ;end-of-database-maker! mem_res_ends: mov ah,49h ; release memory block mov es,word ptr ds:[2Ch] ; es=segment int 21h ; ; mov ax,3521h ; get interrupt vector for int 21h ; int 21h from es:bx ; mov word ptr ds:[oldint21h],bx mov word ptr ds:[oldint21h+2],es mov ah,25h ; set int-vector for int21h to mov dx,offset int_21h_entry ; int_21h_entry int 21h ; ; mov ax,3516h ; get interrupt vector for int 21h ; interrupt 16h (keyb i/o) ; from es:bx (ofcos..) mov word ptr ds:[oldint16h],bx mov word ptr ds:[oldint16h+2],es mov ah,25h ; mov dx,offset int_16h_entry ; and set new-interrupt int 21h ; in ds:dx mov dx,offset mem_res_ends ; int 27h ; Terminate & stay resident end start -------------------------------------------------------------------------------- N pr.com E 100 E9 67 00 50 53 56 1E 0E 50 5B 1F BE 50 01 AD 3D E 110 00 00 74 10 39 C3 75 F6 B4 09 BA 3F 01 CD 21 B8 E 120 00 4C CD 21 1F 5E 5B 58 EA 00 00 00 00 3D 01 FA E 130 75 06 81 FA 45 59 74 E7 EA 00 00 00 00 EB EE 50 E 140 52 3A 20 56 69 72 75 73 20 66 6F 75 6E 64 07 24 E 150 DA 33 FF 43 CC 4B FE 4B FF 4B 32 54 CE 7B 53 97 E 160 D5 A1 CD AB 03 C6 22 DD 00 00 B4 49 8E 06 2C 00 E 170 CD 21 B8 21 35 CD 21 89 1E 29 01 8C 06 2B 01 B4 E 180 25 BA 03 01 CD 21 B8 16 35 CD 21 89 1E 39 01 8C E 190 06 3B 01 B4 25 BA 3D 01 CD 21 BA 6A 01 CD 27 RCX 9f W Q