DECOM - a generic COM file decryptor
───────────────────────────────────────────────────────────────────
Written and (C)opyright 1990-96 by ROSE Softwareentwicklung,
Dipl.-Ing. (FH) Ralph Roth, Finkenweg 24, D 78658 Zimmern

─══[ 1 SYNOPSIS ]══════════════════════════════════════════════─

This is a simple utility that will step through a polymorphic (MtE, TPE, SPE, G2, PS_MPC...) decryptor and decrypt the virus it is attached to, then terminate before executing the virus.

─══[ 2 ABOUT THE PROGRAM ]═════════════════════════════════════─

It is useful if you have a (polymorphically) encrypted virus and you want to find out which virus has infected the file: just decrypt the file using DECOM, then check the resulting file, looking at what follows the decryptor.

This is a prototype version and is NOT IN ANY WAY GUARANTEED! I have only released this program because to this date nothing else seems to be able to do this (apart from TBCLEAN, which removes the virus!). This will allow anyone who needs to be able to disinfect or evaluate (polymorphically) encrypted viruses. Afterwards you can modify the code to - instead of saving the result to disk - search it for the storage bytes, the original SS:SP and CS:IP, or whatever is needed for the disinfection routine. A generic disinfector (RVK) based on DECOM is also available...

When used, DECOM will attempt to follow the execution of the program until the end of the decryptor. It will not execute dangerous INT calls, and will terminate if one is encountered. It also terminates if DS or ES change, or if a far call or something else is encountered that would cause loss of control over the program's execution.

THIS DOES NOT ABSOLUTELY GUARANTEE SAFETY WHEN RUN! While I have not encountered a polymorphically encrypted file that it did not safely decrypt, it is quite possible to program such a file.
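The following is an added example, not code from DECOM or its author: a minimal 8086-subset emulator in Python that follows a COM image's decryptor loop in the way described above, refuses instructions that would lose control, and returns the image as soon as control reaches the decrypted body. The opcode subset, the unsafe-instruction table and the sample image are assumptions constructed for this example; a real decryptor uses many more instruction forms.

```python
# Added example (not DECOM's own code): a minimal 8086-subset emulator that
# follows a COM image's decryptor loop. It refuses instructions that would
# lose control (INT, far JMP/CALL, DS/ES changes, port I/O) and stops as soon
# as control reaches a byte the program wrote itself, i.e. the first
# instruction of the decrypted body, which is therefore never executed.
ORG = 0x100                                   # COM files load at CS:0100h
UNSAFE = {0x07: "POP ES", 0x1F: "POP DS", 0x8E: "MOV sreg", 0xCC: "INT 3",
          0xCD: "INT", 0x9A: "far CALL", 0xEA: "far JMP",
          0xE4: "IN", 0xE5: "IN", 0xEC: "IN", 0xED: "IN",
          0xE6: "OUT", 0xE7: "OUT", 0xEE: "OUT", 0xEF: "OUT"}

def rel8(b):
    """Sign-extend an 8-bit displacement."""
    return b - 0x100 if b & 0x80 else b

def emulate_decryptor(image, max_steps=200_000):
    """Return (image after emulation, stop IP, reason); reason == "decrypted" on success."""
    mem = bytearray(0x10000 + 4)              # slack so operand reads at FFFEh never raise
    mem[ORG:ORG + len(image)] = image
    written = bytearray(0x10000)              # 1 = byte modified by the program itself
    si = cx = 0
    ip = ORG
    result = lambda why: (bytes(mem[ORG:ORG + len(image)]), ip, why)
    for _ in range(max_steps):
        ip &= 0xFFFF
        if written[ip]:                       # next opcode was produced by the loop:
            return result("decrypted")        # decryptor finished, do not run the body
        op = mem[ip]
        if op in UNSAFE:                      # would lose control or touch the system
            return result("unsafe: " + UNSAFE[op])
        if op == 0xBE:                        # MOV SI, imm16
            si = mem[ip + 1] | mem[ip + 2] << 8; ip += 3
        elif op == 0xB9:                      # MOV CX, imm16
            cx = mem[ip + 1] | mem[ip + 2] << 8; ip += 3
        elif op == 0x80 and mem[ip + 1] == 0x34:   # XOR byte [SI], imm8
            mem[si] ^= mem[ip + 2]; written[si] = 1; ip += 3
        elif op == 0x46:                      # INC SI
            si = (si + 1) & 0xFFFF; ip += 1
        elif op == 0xE2:                      # LOOP rel8
            cx = (cx - 1) & 0xFFFF
            ip = ip + 2 + rel8(mem[ip + 1]) if cx else ip + 2
        elif op == 0xEB:                      # JMP short rel8
            ip = ip + 2 + rel8(mem[ip + 1])
        else:
            return result("unsupported opcode %02X" % op)
    return result("step limit reached (do-nothing loop?)")

# Constructed sample COM image: mov si,010Ch / mov cx,5 / xor byte [si],0AAh /
# inc si / loop, followed by five body bytes XORed with 0AAh.
SAMPLE = bytes.fromhex("BE0C01" "B90500" "8034AA" "46" "E2FA" "1EE6678B3A")
```

The stop condition is self-modification: the first time IP lands on a byte the program wrote, the decryptor is taken to be finished and the image is returned with the body decrypted but unexecuted; a decryptor that never reaches that point hits the step limit, which is how a "do nothing" loop shows up.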
The 'true' polymorphic viruses I have tested DECOM on are:

Alive:SPE
Argyle
Bosnia:TPE.1_2
Byway (Dir-2.TheHndV)
CoffeShop:MtE.0_90
CoffeShop:TPE.1_0
CoffeShop:TPE.1_3
Connie:DSME
Crazy_Chemist:SPE
Dedicated.A:MtE.0_90
Dedicated.B:MtE.0_90
Dedicated.CryptLab:MtE.0_90
Demo:DSCE
Demo:DSME
Demo:GCE
Demo:PME
Demo:SPE
Demo:TPE.1_4
EbbelWoi.QUX
Encroacher.A:MtE.0_90
Encroacher.B:MtE.0_90
Fear:MtE.0_90
Flip.2153.A
Flip.2153.B
Flip.2153.D
Flip.2153.E
Flip.2343
Flip.2365
Gotcha.Pogue:MtE.0_90
Groove:MtE.0_90
Insufficient.A:MtE.0_90
Insufficient.B:MtE.0_90
Insufficient.C:MtE.0_90
King:SPE
Lame:DAME.0_91
Lame:HPE.0_90
Lame:HPE.0_91
Little:TPE.1_3
Ludwig.A:MtE.0_90
Ludwig.B:MtE.0_90
Ludwig.C:MtE.0_90
Natas.4730
Natas.4738
Natas.4744
Natas.4746
Natas.4748
Natas.4988
N8fall (the 4xxx versions, as well as the "Won't last" 57xx versions) - COM files only...
One_Half.3744 (fails sometimes)
One_Half.3755 (fails sometimes)
Ontario.1024
PC_Weevil:MtE.0_90
Phoenix.1226
Phoenix.2000
Phoenix.Evil
Phoenix.Phoenix.A
Phoenix.Phoenix.B
Phoenix.Proud
SMEG:Pathogen (too complex for DECOM!)
SMEG:Trivial (Windows?) (too complex for DECOM!)
Teacher:DSME
Tester:NED.1_00
Testfiles:TPE.1_0
Testfiles:TPE.1_4
Tremor (COM variant)
Trigger:DAME.0_90
Uruguay Family
V2P6
V2PX.1260
WordSwap.1503

As well as a collection of my own MtE & TPE test files (15000!) and over 400 different encrypted viruses (Cascade, G2, PS-MPC, VCL, etc.).

Possible reasons why DECOM is not able to decrypt the code are:

■ the decryptor does not actually encrypt the code
■ the code is not encrypted in any way
■ the decryptor uses anti-debugging tricks which DECOM is not yet aware of
■ there are "do nothing" loops like those sometimes found in the TPE 1.3/1.4 viruses. In this case use RVK!

This generally results in DECOM printing that it cannot safely decrypt the file. If you get your hands on such a file, please send it to me so that DECOM can be improved.
─══[ 3 LEGAL TERMS AND DISCLAIMER ]════════════════════════════─

DECOM basically has no legal guarantee or warranty because I do not want to get sued over it, and should be used "as is." Here is the official disclaimer:

DECOM alters executable files and DESTROYS them (that is why YOU should keep a backup file). Under no circumstances may Ralph Roth ("author") be held liable or accountable for any damage to system files, executable files, data files, or any other system or data damage due to use or misuse of his program. The author also may not be held accountable for loss of profits or for any other damages incurred by the use or misuse of his program. The author has forewarned all users that damage to files may occur with use or misuse of his program, and in executing the program the user fully understands these risks and this disclaimer.

Greetings (and virus-free time)

Ralph Roth

You can obtain the newest DECOM & RVK version from (please add some money for disk and shipping!):

ROSE Softwareentwicklung
Dipl.-Ing. (FH) Ralph Roth, Finkenweg 24, D 78658 Zimmern
FAX +49.741-32347
E-Mail until ?: rar@fh-albsig.de
Fido: 2:246/2101.2

Please check the file "address.txt" for more information!

─══[ 4 HISTORY ]═══════════════════════════════════════════════─

4.1 Version 0.00-0.92 (somewhere in 1990)

Added routines to handle VCL, SPE, G2, PS_MPC, DAME, TPE and other encrypted COM files. Tested with VCL, PS_MPC, G2, MtE, EbbelWoi & SPE viruses! Added a check for EXE files (via the EXE header), which are not (yet) supported. Added a simple check for anti-debugging tricks. DECOM now checks first whether the input file exists before prompting for the target file.

4.2 Version 0.93

I have received a few new MMIR viruses, which use the 'popular' VSAFE killing routine in front of the decrypting routine to throw TBSCAN's heuristic scanner off the track. Well, this routine also throws DECOM off the track, so I have added a routine to find and to SIMULATE this VSAFE killing routine! Was not easy! ;-) Additionally some MS-DOS interrupt functions (SET DTA...) are now emulated, therefore DECOM __MAY__ clean an infected file!

4.3 Version 0.94

Now DECOM prompts you for a filename only __IF__ the file has been safely decrypted! This also means that you can now overwrite the old file... DECOM will no longer make attempts to clean a file, because a separate program for this purpose is now available: RVK.COM

4.4 Version 0.95-1.00

More "Anti Debugger Code Handling", more code simulation. DECOM can now be invoked from the command line; otherwise you will be prompted for a source file!

4.5 Version 1.01 (Nov. 1994)

Added a check for a trick to disable DECOM, which I found in the Hexametricx.Eumel_3.x viruses.

4.6 Version 1.03 (Feb. 1995)

Added some minor anti-debugger tricks. Tested with over 50 new viruses.

4.7 Version 1.10 (March 95)

Added a software emulator that is able to emulate INT calls and most anti-debugger tricks without losing control over the program! DECOM can now handle almost all encrypted files, except some special anti-debugging code. Furthermore the handling of infected files is now safer, more reliable and more successful than ever before!

4.7 Version 1.11 (May 95)

My FAX number has changed (new). Minor improvements to decrypt more viruses!

4.8 Version 1.12 (June 95)

The program is now able to bypass some IN/OUT instructions. The package now includes an alpha version of the heuristic scanner "RPCATCH".

4.9 Version 1.13 (August 95)

Internal version. Not available to the public!

4.10 Version 1.14 (December 95)

Fixed a bug found when decrypting the Byway (Dir-2.TheHndV) virus. Credit goes to Tarkan Yetiser, VDS Advanced Research Group, for pointing out this bug, as well as supplying me with a Byway sample.

───────────────────────────────────────────────────────────────────
Please excuse my English, it is not my native language!
ALL IMPROVEMENTS ARE WELCOME!