L E P R O S Y 1 . 0 0 A Virus for MS-DOS Systems. Copy-ya-right (c) June 29, 1990 by PCM2 GENERAL SUMMARY ~~~~~~~~~~~~~~~ LEPROSY is a virus which can influence PC and PC clone systems running MS-DOS or PC-DOS version 2.0 or later. It may be characterized as an overwriting, non-resident .COM and .EXE infecting virus, similar in operation to the AIDS Virus by Doctor Dissector and CPI; in fact, the AIDS Virus was actually the inspiration for this program, though Leprosy is in no way a re-write or mod of the AIDS Virus, it is an entirely new program. The way both Leprosy and the AIDS Virus (and Number One, the ancestor of AIDS) work is fairly simple. Upon executing the virus program, the virus runs a search for executable files which it can affect. It does this by doing a general scan for all files with a .COM or .EXE extension, then, having found such a file, it loads in part of that file's code to compare it with the virus' own code, to make sure the file found hasn't already been infected. If it hasn't, the virus proceeds to write itself OVER the code of the executable file found. The executable file now ceases to perform its original function. When the unsuspecing user runs the file, he will instead be running another copy of the virus, which will seek out another executable file to infect, and so on. The executable files which are infected by the virus in this manner are permanently destroyed. While this is a primitive way to spread a virus, it is actually pretty effective, if you consider that by the time the user discovers a file which has been infected by the virus, it has already gone and zapped one or more other files, and by the time the user finds those files, they will have infected a few more, and on until the user figures out some way to detect and eradicate all the infected files. While Leprosy is similar in operation to the AIDS Virus, it presents several important advantages over AIDS: 1. CARRIERS: The AIDS Virus will only infect .COM files. Leprosy is not limited in this way; it will infect both .COM files and the more common .EXE files, going for .EXE files first. 2. FILE SIZE: The AIDS Virus is written in Pascal, and is about 13K in size. Considering that any file that is infected which was originally smaller than the virus itself will expand to the - 1 - size of the virus when it is infected, and that many .COM files will be smaller than 13K, quite often a file will show a noticeable change in size when infected by the AIDS Virus. Leprosy is only a mere 666 bytes in size; therefore, changes in file size will be much less frequent, and the disk access time it takes to infect a new file will be considerably shorter than when using the AIDS Virus. 3. DUMBSHIT FACTOR: When the AIDS Virus infects a file or fails to find any non-infected files, it just sits there or hangs up the system. Leprosy takes a more subtle approach, however. When Leprosy has infected some files successfully, it prints out the message "Program too big to fit in memory". This way, dumbshits might think there is something screwy with their RAMs or TSRs, and may end up running the same virus-infected file one or more times before they get a clue. 4. CONCEALMENT: To find out if a file has been infected by the AIDS Virus, all you need to do is run a hex editor on the file and look for the full screen reading "AIDS" in the code. Once again, Leprosy makes it more difficult on the dumbshit user. All the strings Leprosy outputs to the screen are encrypted in a simple way, enough to make it impossible to quickly spot suspicious phrases when running a hex editor on an infected file. What is more, Leprosy will not change the time/date stamp on the file when it infects it, unlike AIDS. 5. COMMUNICABILITY: When the AIDS Virus fails to locate any non-infected .COM file in the current directory, it can no longer spread itself. The only way an AIDS Virus can spread from one directory to another is to somehow make it into one of the directories in the current PATH, and be called by the user from a different directory. Leprosy gives itself one more shot. When it fails to find any more non-infected files in the current directory, it will step back into the parent directory, and try to find some files again there. While when the virus exits the current directory will have changed when Leprosy does this, hopefully the dumbshit won't catch on. The payback is that Leprosy might eventually creep up to the root directory and infect COMMAND.COM, and then the user will be fucked over. 6. RATE OF TRANSMISSION: The AIDS Virus will only infect one file at a time. Leprosy will infect up to four files each time it is run. SETTING UP LEPROSY ON A SYSTEM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To install Leprosy onto an un-infected system, all you need do is run the provided file, LEPROSY.COM, somewhere on that system, preferably somewhere where it will have access to a lot of commonly used executables. Alternately, you could infect some program with an impressive-looking file length and - 2 - documentation and send it to someone as a Trojan Horse type program. Just make sure it gets run. COMPILING LEPROSY ~~~~~~~~~~~~~~~~~ To assemble the Leprosy .COM file, you will need Turbo C 2.0 and Turbo Assembler. MASM might work, just as long as the executable file turns out the appropriate length. If the .COM file doesn't come out to exactly 666 bytes long, then it might not work properly. C compilers other than Turbo C will probably not work, since the program makes extensive use of inline assembler, but versions other than 2.0 will probably be okay. Just remember -- watch the file length. The easiest way to re-create Leprosy is to just run MAKE, and the provided makefile will handle the rest. If you are compiling it by hand, you should use this makefile as your guidelines. An important note is that you should not link the program with the standard Turbo C startup code for the Tiny memory model; instead, always link it with the provided alternate startup code. This file, C0T.ASM, is a startup sequence which gets rid of code to gather command line arguments and the like, allowing for programs which are essentially as small as their assembly language counterparts. Just remember, keep an eye on the executable file size. WAYS TO SPOT THE VIRUS ~~~~~~~~~~~~~~~~~~~~~~ There are several ways to notice the Leprosy virus on your system. If small .COM files are increasing in length to 666 bytes, that's your first hint. 666 bytes isn't a very likely file length, but it's funny, so I'm keeping it that way. Also, if the current directory changes when you run a program, or you notice strange "Program too big to fit in memory" errors, that should tip you off too. Leprosy can also be detected by CRC checking programs, because it directly modifies the contents of the files it infects. What is more, Leprosy causes a distinctive drive noise, sort of a "blickablickablickablicka" on my hard drive, because it is opening, reading from, writing to, and closing a number of files very quickly. ACKNOWLEDGEMENTS ~~~~~~~~~~~~~~~~ I'd like to thank some of the pirate boards in the (415) area code -- they know who they are. What is more, I'd like to say that I used the December 26, 1989 issue of PC Magazine, and the book "The NEW Peter Norton Programmer's Guide to the IBM PC and PS/2" in the process of - 3 - writing the Leprosy program. I just thought I'd mention that, since it kind of makes me laugh to wonder what Peter Norton and PC Magazine would think if they knew they were partly responsible for the creation of a virus. HAHA! Yours truly, PCM2 P.S. BTW, if Leprosy fails to find any .EXE or .COM files that aren't infected, but it locates more than 6 executable files that are already infected with Leprosy, it displays a message indicating that the system has been infected with Leprosy, and wishes the user luck. If it can't find any new files to infect, and only finds 6 or less infected files during its entire run, it just prints out the fake "Program too big to fit in memory" message again. - 4 -